[Freeipa-devel] Sudorule schema inconsistencies

Tomas Babej tbabej at redhat.com
Mon May 12 09:56:28 UTC 2014


Hi fellow developers,

while working on https://fedorahosted.org/freeipa/ticket/4263 I found
some inconsistencies in the attribute naming:

There are the following attributes in the schema:

* ipasudorunas_user : RunAs Users
* ipasudorunas_group : Groups of RunAs Users (and not groups you can
RunAsGroup as)

This implies that ipasudorunas prefix implicitly talks about RunAsUser
and not RunAsGroup. This hypothesis is confirmed by attribute:

* ipasudorunasgroup_group : Run with the gid of a specified POSIX group

since here the prefix is ipasudorunas*group*.

However,

* ipasudorunasextuser : RunAs External User (consistent)
* ipasudorunasextgroup : RunAs External Group (*inconsistent*, since
ipasudorunas prefix means RunAsUser in other attributes. This attribute
naming implies semantics of "External Groups of RunAs Users" and not
"External group you can RunAsGroup as.").

The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for
implementation of precisely this "External Groups of RunAs Users". Since
ipasudorunasextgroup attribute is taken, we have the following alternatives:

1.) Create new attribute ipasudorunasgroup_extgroup and move semantics
of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the
4263's use case. (painful)
2.) Create new attribute with inconsistent name, such as
ipasudorunasextgroupmembers or ipasudorunasextusergroup.
3.) Do not create new attributes, but use a workaround which adds failed
groups as users with % prefix (patch attached).

What do you think?

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
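The naming question above is easier to follow once the two halves of a sudoers Runas_Spec are kept apart: names that may become the target *uid* (users, and `%group` meaning "any member of this group") versus names that may become the target *gid*. The block below is an added illustration, not code from the mail, the attached patch or FreeIPA's own compat plugin; the mapping from the `ipasudorunas*` attributes to the two halves is an assumption made for this example, and the sample rule is constructed. It also shows where option 3's `%`-prefixed external "user" lands: it passes through the user half unchanged, so sudo itself reads it as a group of RunAs users and no new attribute is needed.

```python
# Added illustration (not FreeIPA code). Maps the ipasudorunas* attributes
# discussed in the mail onto the two halves of a sudoers Runas_Spec:
#   (user_list : group_list)
# The attribute-to-half assignment below is an ASSUMPTION for this example.

GROUP_PREFIX = "%"  # sudoers: "%name" in the user half = any member of group


def runas_lists(rule):
    """Split a sudorule (dict: attribute -> list of names) into the RunAs
    user list (uid side) and the RunAs group list (gid side)."""
    users = []
    groups = []
    # uid side: plain RunAs users and external RunAs users.
    users += rule.get("ipasudorunas_user", [])
    users += rule.get("ipasudorunasextuser", [])
    # "Groups of RunAs users": any member may be the target user.
    # sudoers spells that as %group inside the user half.
    users += [GROUP_PREFIX + g for g in rule.get("ipasudorunas_group", [])]
    # gid side: POSIX groups and (current meaning) external RunAs groups.
    groups += rule.get("ipasudorunasgroup_group", [])
    groups += rule.get("ipasudorunasextgroup", [])
    return users, groups


def workaround_groups(rule):
    """Option 3 of the mail: external 'users' stored with a leading '%' are
    really external groups of RunAs users. Return those group names."""
    return [u[len(GROUP_PREFIX):]
            for u in rule.get("ipasudorunasextuser", [])
            if u.startswith(GROUP_PREFIX)]


def render_runas_spec(users, groups):
    """Render "(user_list : group_list)". An empty user half with a
    non-empty group half is written "( : groups)", which sudoers reads as
    "run as the invoking user, with one of these gids"."""
    if not users and not groups:
        return ""
    user_part = ", ".join(users)
    if groups:
        return "(%s : %s)" % (user_part, ", ".join(groups))
    return "(%s)" % user_part


# Constructed sample rule: one plain user, one group of RunAs users, one
# external group smuggled in as a "%user" (option 3), one POSIX gid group
# and one external gid group.
SAMPLE_RULE = {
    "ipasudorunas_user": ["dbadmin"],
    "ipasudorunas_group": ["dbas"],
    "ipasudorunasextuser": ["%contractors"],
    "ipasudorunasgroup_group": ["postgres"],
    "ipasudorunasextgroup": ["winadmins"],
}

if __name__ == "__main__":
    u, g = runas_lists(SAMPLE_RULE)
    print(render_runas_spec(u, g))
    print("groups hidden in ipasudorunasextuser:", workaround_groups(SAMPLE_RULE))
```

Reading the rendered spec back, `%dbas` and `%contractors` sit on the uid side and `postgres` and `winadmins` on the gid side, which is exactly the distinction the attribute prefixes are supposed to encode; the inconsistency in the mail is that `ipasudorunasextgroup` sounds like the former but is defined as the latter.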

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0999-sudorules-Allow-specifing-RunAsUser-as-external-grou.patch
Type: text/x-patch
Size: 2255 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140512/02721799/attachment.bin>

