[Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI

Petr Viktorin pviktori at redhat.com
Mon May 26 10:15:56 UTC 2014


On 05/23/2014 02:26 PM, Martin Kosek wrote:
> On 05/22/2014 04:03 PM, Petr Viktorin wrote:
>> On 05/21/2014 08:08 AM, Martin Kosek wrote:
>>> On 05/19/2014 03:27 PM, Petr Viktorin wrote:
>>>> On 05/16/2014 02:00 PM, Martin Kosek wrote:
>>>>> On 04/29/2014 11:02 PM, Petr Viktorin wrote:
>>>>>> I didn't test this as much as I'd like to, but it might come in handy when
>>>>>> testing my earlier patches.
>>>>>>
>>>>>> The ACI is removed in the managed permissions plugin because I want to make
>>>>>> sure it's done after all the managed permission updates, which query it.
>>>>>
>>>>> It worked in my case (I tested upgrade from 3.3.5). What do we do about the other
>>>>> permissions we will want to remove? I am talking about the following ACIs:
>>>>>
>>>>> - no anonymous access to roles
>>>>> - no anonymous access to sudo
>>>>> - no anonymous access to hbac
>>>>> - no anonymous access to member information
>>>>>
>>>>> I would like to remove them in 544 as well, as otherwise they would bias the
>>>>> testing.
>>>>
>>>> Right. Here is the updated patch.
>>>
>>> I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs
>>> left:
>>>
>>> (targetattr = "*")(target =
>>> "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")(version 3.0;
>>> acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
>>> "ldap:///all";)
>>>
>>> (targetattr = "*")(target =
>>> "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")(version 3.0; acl "No
>>> anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
>>>
>>> The problem is that you used your testing suffix instead of suffix variable.
>>
>> Shame on me. I've updated & rebased the patch.
>>
>> I've also made a git hook yell at me when I commit something containing "BRQ",
>> hopefully this won't happen again.
>
> Would it make sense to publish your FreeIPA git hooks somewhere on
> http://www.freeipa.org/page/Contribute/Code or your github and link it? I think
> it already contains a couple of gems that may help other people prevent basic errors
> like this one.

Sure, I'll document it a bit and publish.

> Otherwise, the patch worked fine - ACK!
>
> I would like it to be pushed as soon as the user ACI patch is pushed so that we
> have some time to find issues.

Thanks!
Pushed to master: 193ced0bd7a9a26e7b25f08b023ee21302acaac7


-- 
Petr³
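As an added check, not part of this patch or of FreeIPA's own code: a small Python script that parses ACI values like the two quoted above and flags both leftover "deny to anonymous" rules (what the upgrade is meant to remove) and rules whose target DN is not under the server's suffix, which is exactly how a hardcoded test suffix surfaces after an upgrade. The ACI values below are constructed samples modelled on the thread, and the suffix passed in is assumed to be the server's base DN.

```python
import re

# Constructed sample values, modelled on the two leftover ACIs quoted in the thread
# plus a third rule under a different suffix; not data read from a real server.
SAMPLE_ACIS = [
    '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test")'
    '(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test")'
    '(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "*")(target = "ldap:///cn=*,cn=hbac,dc=example,dc=com")'
    '(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)',
]

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
TARGET_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)')
# A deny rule with bind rule userdn != "ldap:///all" applies only to unauthenticated binds.
ANON_DENY_RE = re.compile(r'deny\s*\([^)]*\)\s*userdn\s*!=\s*"ldap:///all"')


def parse_aci(aci):
    """Return (acl name, target DN or None, denies_anonymous) for one ACI value."""
    name = ACL_NAME_RE.search(aci)
    target = TARGET_RE.search(aci)
    return (name.group(1) if name else None,
            target.group(1) if target else None,
            ANON_DENY_RE.search(aci) is not None)


def dn_under_suffix(dn, suffix):
    """True if dn ends with suffix; RDNs compared case-insensitively, whitespace ignored."""
    rdns = lambda s: [p.strip().lower() for p in s.split(",")]
    d, s = rdns(dn), rdns(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def audit_acis(acis, suffix):
    """Classify ACIs on a server whose base DN is `suffix`: 'anonymous_deny' lists
    leftover deny-to-anonymous rules, 'foreign_suffix' lists rules whose target DN
    is not under `suffix` (i.e. a hardcoded suffix slipped into the rule)."""
    report = {"anonymous_deny": [], "foreign_suffix": []}
    for aci in acis:
        name, target, anon = parse_aci(aci)
        if anon:
            report["anonymous_deny"].append(name)
        if target is not None and not dn_under_suffix(target, suffix):
            report["foreign_suffix"].append(name)
    return report
```

Run it against the `aci` attribute values read from the suffix entry after an upgrade; an empty `anonymous_deny` list means the patch did its job, and a non-empty `foreign_suffix` list points at a rule that was written with the wrong suffix.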