[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user

Petr Viktorin pviktori at redhat.com
Thu May 22 14:20:09 UTC 2014


On 05/21/2014 12:14 PM, Simo Sorce wrote:
> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
>>>>> [0].
>>>>>
>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>
>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when
>>>>> upgrading from pre-4.0.
>>>>> I first did this by checking if the update is run from ipa-server-install or not,
>>>>> but then I realized the logic I want is simple: if the global anon read ACI
>>>>> exists, we want to preserve its spirit by setting addressbook attribute ACI to
>>>>> anonymous.
>>>>>
>>>>>
>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
>>>>> al.
>>>>>
>>>>
>>>> 540:
>>>>
>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>
>>>> - ipauniqueid
>>>> - ipasshpubkey
>>>> - ipauserauthtype
>>>> - userclass
>>>>
>>>> I personally do not think they should be included in POSIX attributes
>>>> permissions, they are far from POSIX definition...
>>>>
>>>> What about creating one more permission "System: Read User IPA Attributes" as
>>>> these are specific to FreeIPA use and allowing that permission for all
>>>> authenticated users?
>>>
>>> Sounds reasonable. I assume we want this one to be also set to anonymous when
>>> upgrading from old versions.
>>> Attaching updated patches.
>>
>> Ok, looks good.
>>
>> I am now just pondering whether "System: Read User POSIX Attributes" is the
>> right name for the permission as there are not just POSIX attributes, but also
>> attributes from organizationalPerson or inetOrgPerson objectclasses.
>>
>> Maybe we should name it "System: Read User Core Attributes" or "System: Read
>> User Basic Attributes"? Simo, any preference?
>
> We could use: "System: Read User Standard Attributes"

I've used this one, then.

>
> but the 'posix' version is also ok to me.

On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> Also, I just realized we forgot memberOf attribute - it needs to be available
> to authenticated users otherwise group membership will fall apart.

Good catch. Added.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0540.3-Add-managed-read-permissions-to-user.patch
Type: text/x-patch
Size: 4293 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/db74dd00/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0541.3-update_managed_permissions-Pass-around-anonymous-ACI.patch
Type: text/x-patch
Size: 4962 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/db74dd00/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0542.3-Set-user-addressbook-IPA-attribute-read-ACI-to-anony.patch
Type: text/x-patch
Size: 4174 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/db74dd00/attachment-0002.bin>
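To make the upgrade rule discussed in the thread concrete, here is an added example (not code from the patches or from FreeIPA): a small model of 389-DS ACI strings that detects a pre-4.0 style global anonymous read ACI, picks the bind type for the addressbook and IPA-attribute permissions accordingly, and checks that memberOf stays readable by authenticated users. The sample ACI string, the function names and the simplified ACI grammar are constructed for the example; `ldap:///anyone` and `ldap:///all` are the standard 389-DS bind rules.

```python
import re
from typing import Dict, List, Optional, Set

# Simplified 389-DS ACI shape handled here (assumption of this example):
# (targetattr [!]= "a || b")(version 3.0; acl "name"; allow (rights) userdn = "url";)
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\).*?acl\s*"(?P<name>[^"]*)"\s*;'
    r'\s*allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"(?P<userdn>[^"]*)"', re.DOTALL)
ANONYMOUS = "ldap:///anyone"       # matches anonymous binds as well
ALL_AUTHENTICATED = "ldap:///all"  # authenticated binds only

# Constructed sample of a pre-4.0 style suffix ACI (not copied from a real install).
OLD_SUFFIX_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous '
    'access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]

def parse_aci(aci: str) -> Optional[Dict]:
    m = ACI_RE.search(aci)
    if not m:
        return None
    return {"name": m.group("name"), "negated": m.group("op") == "!=",
            "attrs": {a.strip().lower() for a in m.group("attrs").split("||") if a.strip()},
            "rights": {r.strip().lower() for r in m.group("rights").split(",")},
            "userdn": m.group("userdn").strip().lower()}

def grants_read(aci: Dict, attr: str) -> bool:
    """True if the ACI allows reading attr; handles '*' and the negated targetattr form."""
    if "read" not in aci["rights"]:
        return False
    attr = attr.lower()
    return attr not in aci["attrs"] if aci["negated"] else ("*" in aci["attrs"] or attr in aci["attrs"])

def readers_of(attr: str, acis: List[str]) -> Set[str]:
    """userdn values that may read attr under the given ACI strings."""
    return {p["userdn"] for p in map(parse_aci, acis) if p and grants_read(p, attr)}

def has_global_anonymous_read(acis: List[str]) -> bool:
    """Detect a blanket anonymous read ACI (negated targetattr or '*' granted to anyone)."""
    return any(p and p["userdn"] == ANONYMOUS and "read" in p["rights"]
               and (p["negated"] or "*" in p["attrs"]) for p in map(parse_aci, acis))

def bind_for_addressbook_permissions(acis: List[str]) -> str:
    """Upgrade rule: keep addressbook/IPA attributes anonymous-readable only if the old global ACI exists."""
    return ANONYMOUS if has_global_anonymous_read(acis) else ALL_AUTHENTICATED

def memberof_readable_by_authenticated(acis: List[str]) -> bool:
    """memberOf must be readable by authenticated users or group membership falls apart;
    an anonymous grant covers them as well."""
    return bool(readers_of("memberOf", acis) & {ANONYMOUS, ALL_AUTHENTICATED})
```

Running `readers_of` over a live server's ACIs (fetched via an LDAP search for the `aci` attribute) gives a quick audit of which bind classes can read a sensitive user attribute after the upgrade.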