[Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

Petr Viktorin pviktori at redhat.com
Fri Sep 12 08:06:38 UTC 2014


On 09/12/2014 09:48 AM, Alexander Bokovoy wrote:
> On Fri, 12 Sep 2014, Martin Kosek wrote:
>>>>>> Operational Attributes)
>>>
>>> Removing a default ACI is difficult (read: new code that could go wrong) if we
>>> want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always
>>> add it back.
>>> Perhaps we should just say in the release notes that people should remove it
>>> manually if they're upgrading from 4.0.2?
>>
>> Well, I am not convinced that everyone reads the release notes, so I
>> would rather delete this permission in 4.0.3. Hopefully, there won't
>> be many 4.0.2 users. It seems like a lesser evil to me than having SSSD
>> clients broken.
> If we are going to replace other ACIs by adding to them a right to read
> these attributes, then removing a separate default ACI is not a problem,
> isn't it?

It's not much of a policy problem, it's just adding new code this late 
in the cycle: The permission updater doesn't yet have a mechanism to 
remove a permission, so I'm writing it now.

-- 
Petr³



