[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user

Petr Viktorin pviktori at redhat.com
Fri May 16 14:33:15 UTC 2014


On 05/16/2014 01:54 PM, Martin Kosek wrote:
> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
>> [0].
>>
>> Patch 0541 is some minor refactoring for the next part.
>>
>> Patch 0542 sets the read access to addressbook attributes to anonymous when
>> upgrading from pre-4.0.
>> I first did this by checking if the update is run from ipa-server-install or not,
>> but then I realized the logic I want is simple: if the global anon read ACI
>> exists, we want to preserve its spirit by setting addressbook attribute ACI to
>> anonymous.
>>
>>
>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>
>
> 540:
>
> Looks good! The only attributes I am concerned about are special IPA attributes:
>
> - ipauniqueid
> - ipasshpubkey
> - ipauserauthtype
> - userclass
>
> I personally do not think they should be included in POSIX attributes
> permissions, they are far from POSIX definition...
>
> What about creating one more permission "System: Read User IPA Attributes" as
> these are specific to FreeIPA use and allowing that permission for all
> authenticated users?

Sounds reasonable. I assume we want this one to be also set to anonymous 
when upgrading from old versions.
Attaching updated patches.

> 541, 542:
> ACK for both, works fine in both new installation and upgrade.
>
> Martin
>

-- 
Petr³
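
The upgrade rule described above (keep the new managed read permissions anonymous only while the legacy global anonymous read ACI is still present, otherwise use the fresh-install bind type), as an added Python example that is not code from the patches; the permission names other than "System: Read User IPA Attributes", the fresh-install defaults and the sample ACI strings are assumptions.

```python
import re

# Constructed sample ACIs in 389-ds syntax.  The first mimics the legacy
# global anonymous read ACI a pre-4.0 install carries; the second grants
# read only to authenticated binds (ldap:///all), which is not anonymous.
LEGACY_ANON_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Enable Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)'
)
AUTHENTICATED_ACI = (
    '(targetattr = "cn || uid")(version 3.0; acl "Read authenticated"; '
    'allow (read, search, compare) userdn = "ldap:///all";)'
)

# The "allow (rights)" clause and the "userdn" bind rule of an ACI string.
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)
_USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def is_anonymous_read_aci(aci):
    """True if the ACI grants read to any bind, i.e. userdn ldap:///anyone."""
    allow = _ALLOW_RE.search(aci)
    userdn = _USERDN_RE.search(aci)
    if not allow or not userdn:
        return False
    rights = {r.strip().lower() for r in allow.group(1).split(',')}
    return 'read' in rights and userdn.group(1).lower() == 'anyone'


# Bind type each managed permission gets on a fresh install ('all' means
# all authenticated users).  Names and defaults are assumptions, except
# that "IPA Attributes" for authenticated users follows the thread.
DEFAULT_BINDTYPE = {
    'System: Read User Addressbook Attributes': 'all',
    'System: Read User IPA Attributes': 'all',
    'System: Read User POSIX Attributes': 'all',
}
# Permissions kept anonymous on upgrade to preserve the legacy ACI's spirit.
PRESERVE_ANONYMOUS = {
    'System: Read User Addressbook Attributes',
    'System: Read User IPA Attributes',
}


def upgrade_bindtypes(existing_acis):
    """Decide the bind type of each managed permission given the ACIs found."""
    anon = any(is_anonymous_read_aci(a) for a in existing_acis)
    return {name: ('anonymous' if anon and name in PRESERVE_ANONYMOUS else default)
            for name, default in DEFAULT_BINDTYPE.items()}
```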

Attachments (text/x-patch):
- freeipa-pviktori-0540.2-Add-managed-read-permissions-to-user.patch (3998 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140516/9ab5e481/attachment.bin>
- freeipa-pviktori-0541.2-update_managed_permissions-Pass-around-anonymous-ACI.patch (4962 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140516/9ab5e481/attachment-0001.bin>
- freeipa-pviktori-0542.2-Set-user-addressbook-IPA-attribute-read-ACI-to-anony.patch (4174 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20140516/9ab5e481/attachment-0002.bin>
