[Freeipa-devel] [PATCH] 0040 certprofile: prevent rename (modrdn)
Simo Sorce
simo at redhat.com
Tue Aug 25 14:19:05 UTC 2015
On Tue, 2015-08-25 at 21:49 +1000, Fraser Tweedale wrote:
> On Tue, Aug 25, 2015 at 01:39:42PM +0300, Alexander Bokovoy wrote:
> > On Tue, 25 Aug 2015, Petr Vobornik wrote:
> > >On 08/25/2015 07:37 AM, Alexander Bokovoy wrote:
> > >>On Tue, 25 Aug 2015, Fraser Tweedale wrote:
> > >>>The attached patch fixes
> > >>>https://fedorahosted.org/freeipa/ticket/5247.
> > >>>
> > >>>Thanks,
> > >>>Fraser
> > >>
> > >>>From 2cb4ab6eeedccc3471ed9bf983add4687ecd5c1a Mon Sep 17 00:00:00 2001
> > >>>From: Fraser Tweedale <ftweedal at redhat.com>
> > >>>Date: Mon, 24 Aug 2015 20:25:10 -0400
> > >>>Subject: [PATCH] certprofile: prevent rename (modrdn)
> > >>>
> > >>>Fixes: https://fedorahosted.org/freeipa/ticket/5247
> > >>>---
> > >>>ipalib/plugins/certprofile.py | 5 +++--
> > >>>1 file changed, 3 insertions(+), 2 deletions(-)
> > >>>
> > >>>diff --git a/ipalib/plugins/certprofile.py
> > >>>b/ipalib/plugins/certprofile.py
> > >>>index
> > >>>007cc543406b7e5705fd7474f3685cd6a9ce6aca..a0ffa38608400860994c771e4eba81304ead27be
> > >>>100644
> > >>>--- a/ipalib/plugins/certprofile.py
> > >>>+++ b/ipalib/plugins/certprofile.py
> > >>>@@ -323,8 +323,9 @@ class certprofile_mod(LDAPUpdate):
> > >>> def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
> > >>>**options):
> > >>> ca_enabled_check()
> > >>> # Once a profile id is set it cannot be changed
> > >>>- if 'cn' in entry_attrs:
> > >>>- raise errors.ACIError(info=_('cn is immutable'))
> > >>>+ if 'rename' in options or 'cn' in entry_attrs:
> > >>>+ raise errors.ProtectedEntryError(label='certprofile',
> > >>>key=keys[0],
> > >>>+ reason=_('Certificate profiles cannot be renamed'))
> > >>> if 'file' in options:
> > >>> with self.api.Backend.ra_certprofile as profile_api:
> > >>> profile_api.disable_profile(keys[0])
> > >>ACK
> > >
> > >can't we fix it by removing `rdn_is_primary_key = True`?
> > >
> > >That would also remove the --rename option. Yes it's an API change but if
> > >rename is forbidden than the option should not be even there, just the
> > >result error will different.
> > Well, that is another option, yes. Perhaps even a better one -- we have
> > plenty of places where rdn_is_primary_key is not actually used.
> >
> I filed a ticket for this: https://fedorahosted.org/freeipa/ticket/5254
>
> There are a bunch of commands that have this situation - not just
> certprofile - so if we're going to break API in one place IMO we
> should do them all at once.
Why do we need to break the API ?
Just deny it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list