[Freeipa-devel] [PATCHES] 0558-0561 Read ACI fixes

Petr Viktorin pviktori at redhat.com
Thu May 29 14:22:51 UTC 2014


On 05/29/2014 03:35 PM, Martin Kosek wrote:
> On 05/29/2014 11:04 AM, Petr Viktorin wrote:
>> On 05/29/2014 10:03 AM, Martin Kosek wrote:
>>> On 05/28/2014 03:40 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> Some of the IPA plugins assume that everyone has access to everything. Here are
>>>> some fixes for that.
>>>>
>>>> Patch 0560 adds a new permission for the UPG Definition, which is required to
>>>> add users correctly.
>>>
>>> 558:
>>>
>>> Crash is now removed, though I am thinking that the output may be confusing for
>>> users as there is no output:
>>>
>>> # ipa krbtpolicy-show
>>> # echo $?
>>> 0
>>>
>>> I need to use --all to see anything:
>>>
>>> # ipa krbtpolicy-show --all
>>>     dn: cn=MKOSEK-FEDORA20.TEST,cn=kerberos,dc=mkosek-fedora20,dc=test
>>>     cn: MKOSEK-FEDORA20.TEST
>>>     objectclass: krbrealmcontainer, top, krbticketpolicyaux
>>>
>>> Would it make sense to raise ACIError if the user cannot read any Kerberos policy
>>> attributes?
>>
>> Hm, actually there's a bigger problem -- if the user policy is not readable,
>> the command will actually lie.
>> I think we'll need to check attributelevelrights here to see if the attributes
>> are really unset or just unreadable. And I'll go through all the other commands
>> more carefully, to see if distinction between "not readable" and "not existing"
>> makes significant difference.
>>
>> I withdraw the patch for now.
>>
>>> 559: ACK
>>> 560: ACK
>>> 561:
>>>
>>> functionally works fine, tested with migrate-ds. When looking at the code,
>>> would it make sense to replace this section:
>>>
>>> +        disable_attr = '(objectclass=disable)'
>>> +        org_filter = upg_entries[0].single_value['originfilter']
>>> +        return not re.search(r'%s' % disable_attr, org_filter)
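Review bot: In `re.search(r'%s' % disable_attr, org_filter)` the parentheses in `disable_attr` are regex grouping metacharacters rather than literal characters, so the pattern actually matches the bare text `objectclass=disable` anywhere in the filter, including inside a longer value such as `objectclass=disabled`. If the intent is to find the literal component `(objectclass=disable)`, either pass the string through `re.escape()` or drop the regex and use a plain substring test.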
>>>
>>> with
>>>
>>> +        origin_filter = upg_entries[0].single_value['originfilter']
>>> +        return '(objectclass=disable)' not in origin_filter
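Review bot: The test `'(objectclass=disable)' not in origin_filter` compares with exact case and spacing, while LDAP attribute names are case-insensitive, so an originfilter written as `(objectClass=disable)` would be reported as enabled. Consider lowercasing `origin_filter` before the comparison. Separately, `upg_entries[0]` assumes the search returned at least one entry; nothing in these lines checks that, which matters in a patch whose purpose is handling entries the caller may not be allowed to read.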
>>>
>>> I am not sure why RE is used in this case at all.
>>
>> Good point, thanks. Update attached.
>>
>>
>
> Thanks, works fine. ACK for all these 3 patches.
>
> Martin
>

Thanks, pushed to master: 4f89decc9a6020cbacbfa4406f32ce5465d49a72

-- 
Petr³



