[Freeipa-devel] [PATCHES] 0562-0563 Fix internal error when global policy is not readable
Petr Viktorin
pviktori at redhat.com
Fri May 30 09:03:23 UTC 2014
On 05/30/2014 11:02 AM, Petr Viktorin wrote:
> On 05/29/2014 07:13 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> When investigating this issue I became very annoyed by the star import
>>> hiding where names come from, so I did some cleanup first.
>>>
>>>
>>> In krbtpolicy, an ACIError is now raised if:
>>> - the user doesn't have permission to read any one of the ticket policy
>>> attributes on the requested entry
>>> (checked using attribute-level rights)
>>> - any ticket policy attribute from the default policy is not available
>>> (either not readable, or not there at all)
>>> (only checked if these are accessed, i.e. when the user entry doesn't
>>> override all of the defaults, or when requesting the global policy)
>>>
>>> That means if the user is not available at all, you get a NotFound, but
>>> if global policy is not found it's assumed that it's just unreadable.
>>
>> That seems reasonable to me.
>>
>> I also noticed a typo, ddoesn't
>
> Fixed, thanks.
>
>> In the lower-level code, ldap2.py, we have some help
>> can_[read|write|etc] for managing rights. Would doing something similar
>> in baseldap be better than embedding the logic into each plugins?
>>
>> So instead of this:
>>
>> if rights is None:
>> rights = baseldap.get_effective_rights(
>> ldap, dn, self.obj.default_attributes)
>> if 'r' not in rights.get(attrname.lower(), ''):
>> raise errors.ACIError(
>> info=_('Ticket policy for %s could not be
>> read') %
>> keys[-1])
>>
>> You'd have this:
>>
>> if not baseldap.can_read(ldap, dn, attrname):
>> raise errors.ACIError(
>> info=_('Ticket policy for %s could not be
>> read') %
>> keys[-1])
>
> The second is definitely better.
>
>> This may end up fetching the rights multiple times depending on how many
>> things need to be read, so perhaps passing that in if you have it
>> already.
>
> This however means doing the get_effective_rights call anyway to get all
> the needed attrs, at which point most of the readability benefits are gone.
>
> Actually I'd like to add some good attrlevelrights handling right into
> ipaldap. Let's do this correctly rather than add a quick fix to the
> helpers just so we can use them.
> Issue here: https://fedorahosted.org/freeipa/ticket/4362
Once more, with patches
--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0562.2-krbtpolicy-plugin-Code-cleanup.patch
Type: text/x-patch
Size: 3203 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140530/33744c26/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0563.2-krbtpolicy-plugin-Fix-internal-error-when-global-pol.patch
Type: text/x-patch
Size: 3216 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140530/33744c26/attachment-0001.bin>
More information about the Freeipa-devel
mailing list