[Freeipa-devel] [PATCHES] 0558-0561 Read ACI fixes

Petr Viktorin pviktori at redhat.com
Thu May 29 09:04:52 UTC 2014


On 05/29/2014 10:03 AM, Martin Kosek wrote:
> On 05/28/2014 03:40 PM, Petr Viktorin wrote:
>> Hello,
>> Some of IPA plugins assume that everyone has access to everything. Here are
>> some fixes for that.
>>
>> Patch 0560 adds a new permission for the UPG Definition, which is required to
>> add users correctly.
>
> 558:
>
> Crash is now removed, though I am thinking that the output may be confusing for
> users as there is no output:
>
> # ipa krbtpolicy-show
> # echo $?
> 0
>
> I need to use --all to see anything:
>
> # ipa krbtpolicy-show --all
>    dn: cn=MKOSEK-FEDORA20.TEST,cn=kerberos,dc=mkosek-fedora20,dc=test
>    cn: MKOSEK-FEDORA20.TEST
>    objectclass: krbrealmcontainer, top, krbticketpolicyaux
>
> Would it make sense to raise ACIError if the user cannot read any Kerberos policy
> attributes?

Hm, actually there's a bigger problem -- if the user policy is not 
readable, the command will actually lie.
I think we'll need to check attributelevelrights here to see if the 
attributes are really unset or just unreadable. And I'll go through all 
the other commands more carefully, to see if distinction between "not 
readable" and "not existing" makes significant difference.

I withdraw the patch for now.

> 559: ACK
> 560: ACK
> 561:
>
> Functionally works fine, tested with migrate-ds. When looking at the code,
> would it make sense to replace this section:
>
> +        disable_attr = '(objectclass=disable)'
> +        org_filter = upg_entries[0].single_value['originfilter']
> +        return not re.search(r'%s' % disable_attr, org_filter)
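Review bot: `disable_attr` is handed to `re.search` as a pattern, so its parentheses are parsed as a regex group and the search matches the bare substring `objectclass=disable` rather than the literal filter component `(objectclass=disable)`; if a regex is kept at all it should be `re.escape(disable_attr)`, otherwise the plain substring test proposed below states exactly what is being checked.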
>
> with
>
> +        origin_filter = upg_entries[0].single_value['originfilter']
> +        return '(objectclass=disable)' not in origin_filter
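Review bot: the `not in` test is case-sensitive, but attribute descriptions in an LDAP filter are case-insensitive, so a definition written as `(objectClass=disable)` would not be detected by either version; if the originfilter value is not entirely under IPA's control, compare against `origin_filter.lower()`.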
>
> I am not sure why RE is used in this case at all.

Good point, thanks. Update attached.


-- 
Petr³

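The check Petr describes above, telling an attribute that is genuinely unset apart from one that ACIs hide from the bound user, can be made with the attributelevelrights that 389 DS returns through the Get Effective Rights control (what `ipa ...-show --all --rights` displays). The following is an added illustration, not code from any of the patches in this thread: the entry and rights dictionaries are constructed inline, `ACIError` is a minimal stand-in for IPA's own exception, and the mapping of attribute name to a rights string such as `rscwo` (where `r` is read) follows the 389 DS convention but its exact shape in ldap2 is an assumption here.

```python
"""Distinguish 'attribute unset' from 'attribute unreadable' by consulting
attributelevelrights, so a *-show command does not silently report an empty
policy when the real cause is insufficient read rights.

Added example, not FreeIPA code. Entry and rights maps are constructed.
"""


class ACIError(Exception):
    """Hypothetical minimal stand-in for ipalib.errors.ACIError."""


# Attributes of the Kerberos ticket policy the command is interested in.
KRBTPOLICY_ATTRS = ("krbmaxticketlife", "krbmaxrenewableage")


def classify_attributes(entry, attrs, rights):
    """Return a dict attr -> 'set' | 'unset' | 'unreadable'.

    entry:  attribute name -> list of values, as returned by the search
    rights: attributelevelrights, attribute name -> rights string ('rscwo');
            an attribute without 'r' is hidden from the bound user by ACIs.
    """
    result = {}
    for attr in attrs:
        key = attr.lower()
        if entry.get(key):
            result[attr] = "set"
        elif "r" in rights.get(key, ""):
            # Readable but absent: the attribute really is not set.
            result[attr] = "unset"
        else:
            # Absent *and* not readable: we cannot know whether it is set.
            result[attr] = "unreadable"
    return result


def get_policy(entry, rights, attrs=KRBTPOLICY_ATTRS):
    """Return the readable policy values.

    Raises ACIError when every requested attribute is hidden by ACIs instead
    of returning an empty policy that would mislead the user.
    """
    classes = classify_attributes(entry, attrs, rights)
    if all(c == "unreadable" for c in classes.values()):
        raise ACIError("insufficient rights to read the Kerberos ticket policy")
    return {a: entry[a.lower()] for a, c in classes.items() if c == "set"}


def denies_access(entry, rights):
    """True if get_policy() refuses to answer for this entry/rights pair."""
    try:
        get_policy(entry, rights)
    except ACIError:
        return True
    return False


# Constructed sample: an admin sees both attributes with full rights.
ADMIN_ENTRY = {"krbmaxticketlife": ["86400"], "krbmaxrenewableage": ["604800"]}
ADMIN_RIGHTS = {"krbmaxticketlife": "rscwo", "krbmaxrenewableage": "rscwo"}

# Constructed sample: an unprivileged user gets the entry back with the
# policy attributes stripped by ACIs; the rights strings carry no 'r'.
USER_ENTRY = {}
USER_RIGHTS = {"krbmaxticketlife": "", "krbmaxrenewableage": ""}

# Constructed sample: a user who may read the attributes, but the per-user
# policy genuinely has none set. This is the legitimate "empty" answer.
EMPTY_ENTRY = {}
EMPTY_RIGHTS = {"krbmaxticketlife": "rsc", "krbmaxrenewableage": "rsc"}


if __name__ == "__main__":
    print("admin:", get_policy(ADMIN_ENTRY, ADMIN_RIGHTS))
    print("empty policy:", get_policy(EMPTY_ENTRY, EMPTY_RIGHTS))
    print("unprivileged user denied:", denies_access(USER_ENTRY, USER_RIGHTS))
```

The point of the split is the third sample: without the rights lookup, `USER_ENTRY` and `EMPTY_ENTRY` are indistinguishable to the command, which is exactly how `krbtpolicy-show` ends up reporting no policy to a user who simply may not see it.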
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0559-aci-plugin-Fix-internal-error-when-ACIs-are-not-read.patch
Type: text/x-patch
Size: 915 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0560-Add-managed-read-permission-for-the-UPG-Definition.patch
Type: text/x-patch
Size: 1861 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0561-ldap2.has_upg-Raise-an-error-if-the-UPG-definition-i.patch
Type: text/x-patch
Size: 3539 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140529/5e6c2667/attachment-0002.bin>