[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user

Simo Sorce ssorce at redhat.com
Wed May 21 10:14:02 UTC 2014


On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> > On 05/16/2014 01:54 PM, Martin Kosek wrote:
> >> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> >>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
> >>> [0].
> >>>
> >>> Patch 0541 is some minor refactoring for the next part.
> >>>
> >>> Patch 0542 sets the read access to addressbook attributes to anonymous when
> >>> upgrading from pre-4.0.
> >>> I first did this by checking if the update is run from ipa-server-install or not,
> >>> but then I realized the logic I want is simple: if the global anon read ACI
> >>> exists, we want to preserve its spirit by setting addressbook attribute ACI to
> >>> anonymous.
> >>>
> >>>
> >>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
> >>> al.
> >>>
> >>
> >> 540:
> >>
> >> Looks good! The only attributes I am concerned about are special IPA attributes:
> >>
> >> - ipauniqueid
> >> - ipasshpubkey
> >> - ipauserauthtype
> >> - userclass
> >>
> >> I personally do not think they should be included in POSIX attributes
> >> permissions, they are far from POSIX definition...
> >>
> >> What about creating one more permission "System: Read User IPA Attributes" as
> >> these are specific to FreeIPA use and allowing that permission for all
> >> authenticated users?
> > 
> > Sounds reasonable. I assume we want this one to be also set to anonymous when
> > upgrading from old versions.
> > Attaching updated patches.
> 
> Ok, looks good.
> 
> I am now just pondering whether "System: Read User POSIX Attributes" is the
> right name for the permission as there are not just POSIX attributes, but also
> attributes from organizationalPerson or inetOrgPerson objectclasses.
> 
> Maybe we should name it "System: Read User Core Attributes" or "System: Read
> User Basic Attributes"? Simo, any preference?

We could use: "System: Read User Standard Attributes"

but the 'posix' version is also ok to me.

Simo.