[Freeipa-devel] [PATCHES] 0558-0561 Read ACI fixes
Petr Viktorin
pviktori at redhat.com
Thu May 29 09:04:52 UTC 2014
On 05/29/2014 10:03 AM, Martin Kosek wrote:
> On 05/28/2014 03:40 PM, Petr Viktorin wrote:
>> Hello,
>> Some of IPA plugins assume that everyone has access to everything. Here are
>> some fixes for that.
>>
>> Patch 0560 adds a new permission for the UPG Definition, which is required to
>> add users correctly.
>
> 558:
>
> Crash is now removed, though I am thinking that the output may be confusing for
> users as there is no output:
>
> # ipa krbtpolicy-show
> # echo $?
> 0
>
> I need to use --all to see anything:
>
> # ipa krbtpolicy-show --all
> dn: cn=MKOSEK-FEDORA20.TEST,cn=kerberos,dc=mkosek-fedora20,dc=test
> cn: MKOSEK-FEDORA20.TEST
> objectclass: krbrealmcontainer, top, krbticketpolicyaux
>
> Would it make sense to raise ACIError if the user cannot read any Kerberos policy
> attributes?
Hm, actually there's a bigger problem -- if the user policy is not
readable, the command will actually lie.
I think we'll need to check attributelevelrights here to see if the
attributes are really unset or just unreadable. And I'll go through all
the other commands more carefully, to see if distinction between "not
readable" and "not existing" makes significant difference.
I withdraw the patch for now.
> 559: ACK
> 560: ACK
> 561:
>
> functionally works fine, tested with migrate-ds. When looking at the code,
> would it make sense to replace this section:
>
> + disable_attr = '(objectclass=disable)'
> + org_filter = upg_entries[0].single_value['originfilter']
> + return not re.search(r'%s' % disable_attr, org_filter)
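Review bot: the pattern in these three lines is used as a regex but never escaped, so the parentheses in `(objectclass=disable)` form a group and `re.search` matches the bare text `objectclass=disable` anywhere in the origin filter, for example inside `(objectclass=disabled)`; `r'%s' % disable_attr` also adds nothing over `disable_attr` itself. Either pass `re.escape(disable_attr)` or, since no regex feature is needed here, use a plain substring test.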
>
> with
>
> + origin_filter = upg_entries[0].single_value['originfilter']
> + return '(objectclass=disable)' not in origin_filter
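Review bot: the substring test is byte-exact, while LDAP attribute names and objectClass values match case-insensitively, so an origin filter stored as `(objectClass=disable)` would still make this return True. If the filter is kept as an administrator typed it, compare against `origin_filter.lower()` (or normalise the stored value) so the check agrees with what the server actually evaluates.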
>
> I am not sure why RE is used in this case at all.
Good point, thanks. Update attached.
--
Petr³
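The attributelevelrights check Petr proposes above, as an added example that is not part of this thread or of FreeIPA's own code. It assumes the per-attribute rights strings that 389-ds returns with the Get Effective Rights control (the letters r, s, c, w, o for read, search, compare, write, obliterate), which is what FreeIPA shows as attributelevelrights with --rights; the entry and rights dicts below are constructed sample data, and the function names are illustrative.

```python
"""Tell an unset attribute apart from one the bound user may not read.

An LDAP search returns only the attributes the bind is allowed to read,
so a missing krbmaxticketlife can mean "not set" or "not permitted".
The Get Effective Rights control answers which: its per-attribute rights
string contains 'r' only when the attribute is readable for this bind.

SAMPLE_ENTRY and SAMPLE_RIGHTS are constructed data, not server output.
"""

READ_RIGHT = 'r'          # 389-ds rights letters: r s c w o
UNREADABLE = 'unreadable'
UNSET = 'unset'


class NotReadableError(Exception):
    """Raised when none of the requested attributes is readable."""


# Constructed: the realm's ticket policy entry as seen by a bind whose
# ACIs cover the structural attributes but none of the policy attributes.
SAMPLE_ENTRY = {
    'dn': 'cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test',
    'cn': ['EXAMPLE.TEST'],
    'objectclass': ['krbrealmcontainer', 'top', 'krbticketpolicyaux'],
}

# Constructed effective rights for the same bind: the policy attributes
# carry no 'r', so their absence from the entry says nothing about them.
SAMPLE_RIGHTS = {
    'cn': 'rsc',
    'objectclass': 'rsc',
    'krbmaxticketlife': 'sc',
    'krbmaxrenewableage': 'sc',
}


def classify_attribute(entry, rights, attr):
    """Return the attribute's values, UNSET, or UNREADABLE.

    ``rights`` maps lower-case attribute names to rights strings.  An
    attribute with no recorded read right (or absent from ``rights``) is
    reported as UNREADABLE, never UNSET: without evidence of read access,
    claiming the value is empty would be the lie described in the thread.
    """
    attr = attr.lower()
    if attr in entry:
        return entry[attr]
    if READ_RIGHT not in rights.get(attr, ''):
        return UNREADABLE
    return UNSET


def readable_policy_attributes(entry, rights, policy_attrs):
    """Map each readable policy attribute to its values or UNSET.

    Raise NotReadableError when no policy attribute is readable at all,
    so a caller can report an access problem instead of printing an
    empty policy with exit status 0.
    """
    result = {}
    for attr in policy_attrs:
        status = classify_attribute(entry, rights, attr)
        if status != UNREADABLE:
            result[attr.lower()] = status
    if not result:
        raise NotReadableError(
            'none of %s is readable for this bind' % ', '.join(policy_attrs))
    return result


if __name__ == '__main__':
    policy = ['krbMaxTicketLife', 'krbMaxRenewableAge']
    for attr in policy:
        print(attr, classify_attribute(SAMPLE_ENTRY, SAMPLE_RIGHTS, attr))
    try:
        readable_policy_attributes(SAMPLE_ENTRY, SAMPLE_RIGHTS, policy)
    except NotReadableError as e:
        print('error:', e)
```

The same lookup generalises to any *-show command: attributes that came back are values, attributes that did not come back are UNSET only when the rights string says the bind could have read them.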
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0559-aci-plugin-Fix-internal-error-when-ACIs-are-not-read.patch
Type: text/x-patch
Size: 915 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0560-Add-managed-read-permission-for-the-UPG-Definition.patch
Type: text/x-patch
Size: 1861 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0561-ldap2.has_upg-Raise-an-error-if-the-UPG-definition-i.patch
Type: text/x-patch
Size: 3539 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment-0002.bin>