[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
Martin Kosek
mkosek at redhat.com
Fri May 16 11:54:08 UTC 2014
On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
> [0].
>
> Patch 0541 is some minor refactoring for the next part.
>
> Patch 0542 sets the read access to addressbook attributes to anonymous when
> upgrading from pre-4.0.
> I first did this by checking if the update is run from ipa-server-install or not,
> but then I realized the logic I want is simple: if the global anon read ACI
> exists, we want to preserve its spirit by setting addressbook attribute ACI to
> anonymous.
>
>
> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>
540:
Looks good! The only attributes I am concerned about are special IPA attributes:
- ipauniqueid
- ipasshpubkey
- ipauserauthtype
- userclass
I personally do not think they should be included in POSIX attributes
permissions; they are far from the POSIX definition...
What about creating one more permission "System: Read User IPA Attributes" as
these are specific to FreeIPA use and allowing that permission for all
authenticated users?
541, 542:
ACK for both, works fine in both new installation and upgrade.
Martin
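The upgrade rule Petr describes above (keep anonymous read on the addressbook attributes only when the global anonymous read ACI is still present) and the point of splitting attributes across permissions both come down to reading the existing ACIs and asking who can read what. The following is an added example, not code from the FreeIPA tree or from either poster: it parses ACI strings in the 389-ds syntax, detects a deny-list-style anonymous read ACI, and derives the bind type for the addressbook permission. The ACI texts, the ACI and permission names, the attribute lists, the `example.com` suffix and the `anonymous`/`all` bind type values are all assumptions made for the example.

```python
"""Derive an addressbook permission bind type from the ACIs already on the suffix.

Added example, not FreeIPA code. The ACI strings below are constructed in the
389-ds ACI syntax; their names, attribute lists and suffix are assumptions.
"""
import re

# One (targetattr ...)(version 3.0; acl "..."; allow|deny (...) <bind rule>;) ACI.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>[^;]*);\s*\)',
    re.DOTALL,
)

ANYONE = 'ldap:///anyone'  # 389-ds bind target for unauthenticated binds

# Constructed sample: an installation upgraded from pre-4.0 still carries a
# global anonymous read ACI (the exclusion list is abbreviated and assumed).
PRE_40_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || ipaNTHash")'
    '(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) '
    'userdn = "ldap:///anyone";)',
]

# Constructed sample: a fresh install with managed permissions only. The
# permission names and attribute split are assumptions for the example.
NEW_40_ACIS = [
    '(targetattr = "cn || displayName || mail || telephoneNumber || title")'
    '(version 3.0; acl "permission:System: Read User Addressbook Attributes"; '
    'allow (read, search, compare) groupdn = "ldap:///cn=System: Read User '
    'Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com";)',
    '(targetattr = "uid || uidNumber || gidNumber || homeDirectory || loginShell")'
    '(version 3.0; acl "permission:System: Read User Standard Attributes"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
]


def parse_aci(aci):
    """Split one ACI string into its target, name, effect, rights and bind rule."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError('unsupported ACI syntax: %r' % aci)
    return {
        'name': m.group('name'),
        'negated': m.group('op') == '!=',  # != means "every attribute except these"
        'attrs': {a.strip().lower() for a in m.group('attrs').split('||')},
        'effect': m.group('effect'),
        'rights': {r.strip().lower() for r in m.group('rights').split(',')},
        'bind': m.group('bind').strip(),
    }


def bind_is_anyone(aci):
    """True when the bind rule grants to unauthenticated (anonymous) binds."""
    pattern = r'userdn\s*=\s*"%s"' % re.escape(ANYONE)
    return re.fullmatch(pattern, aci['bind']) is not None


def aci_targets(aci, attr):
    """True when the ACI's targetattr clause covers the given attribute."""
    attr = attr.lower()
    if aci['negated']:
        return attr not in aci['attrs']
    return '*' in aci['attrs'] or attr in aci['attrs']


def is_global_anon_read(aci):
    """A deny-list-style ACI granting read to anyone on everything not excluded:
    the shape of the pre-4.0 global anonymous read ACI."""
    return (aci['effect'] == 'allow' and 'read' in aci['rights']
            and aci['negated'] and bind_is_anyone(aci))


def has_global_anon_read(acis):
    return any(is_global_anon_read(parse_aci(a)) for a in acis)


def anonymous_can_read(attr, acis):
    """Evaluate anonymous read on one attribute; deny ACIs win over allow ACIs."""
    anon = [a for a in map(parse_aci, acis)
            if bind_is_anyone(a) and 'read' in a['rights']]
    if any(a['effect'] == 'deny' and aci_targets(a, attr) for a in anon):
        return False
    return any(a['effect'] == 'allow' and aci_targets(a, attr) for a in anon)


def addressbook_bindtype(acis):
    """Preserve the spirit of an existing global anonymous read ACI: anonymous
    if it is present, otherwise restrict to authenticated users ('all')."""
    return 'anonymous' if has_global_anon_read(acis) else 'all'


if __name__ == '__main__':
    for label, acis in (('upgrade from pre-4.0', PRE_40_ACIS), ('new install', NEW_40_ACIS)):
        print('%s: addressbook bindtype=%s, anon reads mail=%s, anon reads userPassword=%s'
              % (label, addressbook_bindtype(acis),
                 anonymous_can_read('mail', acis),
                 anonymous_can_read('userPassword', acis)))
```

The check is structural (allow, read, `!=` target, `ldap:///anyone` bind) rather than keyed on the ACI name, so a renamed but otherwise identical anonymous read ACI is still detected; the `anonymous_can_read` helper is the check to run on a sensitive attribute such as `userPassword` after the upgrade, to confirm that the new per-attribute permissions did not widen what the old exclusion list kept from anonymous binds.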