[Freeipa-devel] [PATCHES] 0562-0563 Fix internal error when global policy is not readable
Rob Crittenden
rcritten at redhat.com
Fri May 30 13:33:30 UTC 2014
Petr Viktorin wrote:
> On 05/30/2014 11:02 AM, Petr Viktorin wrote:
>> On 05/29/2014 07:13 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> When investigating this issue I became very annoyed by the star import
>>>> hiding where names come from, so I did some cleanup first.
>>>>
>>>>
>>>> In krbtpolicy, an ACIError is now raised if:
>>>> - the user doesn't have permission to read any one of the ticket policy
>>>> attributes on the requested entry
>>>> (checked using attribute-level rights)
>>>> - any ticket policy attribute from the default policy is not available
>>>> (either not readable, or not there at all)
>>>> (only checked if these are accessed, i.e. when the user entry
>>>> doesn't
>>>> override all of the defaults, or when requesting the global policy)
>>>>
>>>> That means if the user is not available at all, you get a NotFound, but
>>>> if global policy is not found it's assumed that it's just unreadable.
>>>
>>> That seems reasonable to me.
>>>
>>> I also noticed a typo, ddoesn't
>>
>> Fixed, thanks.
>>
>>> In the lower-level code, ldap2.py, we have some help
>>> can_[read|write|etc] for managing rights. Would doing something similar
>>> in baseldap be better than embedding the logic into each plugins?
>>>
>>> So instead of this:
>>>
>>> if rights is None:
>>> rights = baseldap.get_effective_rights(
>>> ldap, dn, self.obj.default_attributes)
>>> if 'r' not in rights.get(attrname.lower(), ''):
>>> raise errors.ACIError(
>>> info=_('Ticket policy for %s could not be
>>> read') %
>>> keys[-1])
>>>
>>> You'd have this:
>>>
>>> if not baseldap.can_read(ldap, dn, attrname):
>>> raise errors.ACIError(
>>> info=_('Ticket policy for %s could not be
>>> read') %
>>> keys[-1])
>>
>> The second is definitely better.
>>
>>> This may end up fetching the rights multiple times depending on how many
>>> things need to be read, so perhaps passing that in if you have it
>>> already.
>>
>> This however means doing the get_effective_rights call anyway to get all
>> the needed attrs, at which point most of the readability benefits are
>> gone.
>>
>> Actually I'd like to add some good attrlevelrights handling right into
>> ipaldap. Let's do this correctly rather than add a quick fix to the
>> helpers just so we can use them.
>> Issue here: https://fedorahosted.org/freeipa/ticket/4362
Sure, I'm ok with waiting and doing it right.
> Once more, with patches
ACK x2
rob
More information about the Freeipa-devel
mailing list