[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.
Petr Vobornik
pvoborni at redhat.com
Mon Jun 15 07:53:17 UTC 2015
On 06/11/2015 07:49 PM, thierry bordaz wrote:
> On 06/11/2015 04:34 PM, David Kupka wrote:
>> Dne 11.6.2015 v 16:17 Martin Kosek napsal(a):
>>> On 06/11/2015 03:55 PM, David Kupka wrote:
>>>> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a):
>>>>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5057
>>>>> Hello David,
>>>>>
>>>>> The patch looks ok except it removes a permission to update 'uid' from
>>>>> an active user. This permission is required to delete(preserve) an
>>>>> active user.
>>>>>
>>>>> - # Active container
>>>>> - #
>>>>> - # Stage user administrators need write right on RDN when
>>>>> - # the active user is deleted (preserved)
>>>>> - 'System: Write Active Users RDN by administrators': {
>>>>> - 'ipapermlocation': DN(baseuser.active_container_dn,
>>>>> api.env.basedn),
>>>>> - 'ipapermbindruletype': 'permission',
>>>>> - 'ipapermtarget': DN('uid=*',
>>>>> baseuser.active_container_dn, api.env.basedn),
>>>>> - 'ipapermtargetfilter':
>>>>> {'(objectclass=posixaccount)'},
>>>>> - 'ipapermright': {'write'},
>>>>> - 'ipapermdefaultattr': {'uid'},
>>>>> - 'default_privileges': {'Stage User Administrators'},
>>>>> - },
>>>>> - #
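Review bot: removing 'System: Write Active Users RDN by administrators' in this hunk takes away the only write right on `uid` under the active container (ipapermlocation = active_container_dn, ipapermdefaultattr = {'uid'}), and that right is what lets a Stage User Administrator preserve an active user via `user-del --preserve`; keep the permission, under a name that follows the 'System: ...' convention (e.g. 'System: Modify User RDN'), instead of deleting it.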
>>>>>
>>>>> I prepared a new patch (attached) with that permission and it makes
>>>>> 'user-del --preserve' happy.
>>>>> Now I think the name would rather be something like: 'System: Preserve
>>>>> an active user (user-del --preserve)'
>>>>>
>>>>> I also added back this comment in two permissions 'Note:
>>>>> targetfilter is
>>>>> the target parent container'.
>>>>> This was to say that the targetfilter setting was intentional.
>>>>> If you think it is not the right place, you may remove those comments.
>>>>>
>>>>> Thanks
>>>>> thierry
>>>>>
>>>>
>>>> Hello Thierry,
>>>> Indeed, I accidentally removed these. Thank you for careful review.
>>>> Rebase is needed but it is due to the change in VERSION and is useless to do
>>>> it before push as there are too many patches going to master right now.
>>>> Martin, are you (as a reporter) OK with the patch?
>>>>
>>>
>>> Not entirely. I still see some weird permission in stageuser.py:
>>>
>>> #
>>> # Active container
>>> #
>>> # Stage user administrators need write right on RDN when
>>> # the active user is deleted (preserved)
>>> 'System: Write Active Users RDN by administrators': {
>>> 'ipapermlocation': DN(baseuser.active_container_dn,
>>> api.env.basedn),
>>> 'ipapermbindruletype': 'permission',
>>> 'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
>>> api.env.basedn),
>>> 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>>> 'ipapermright': {'write'},
>>> 'ipapermdefaultattr': {'uid'},
>>> 'default_privileges': {'Stage User Administrators'},
>>> },
>>>
>>> This was supposed to be "System: Modify User RDN". When the name is also
>>> fixed, I am fine.
>>>
>> Updated patch attached.
>>
>>
> Hi David,
>
> All the tests are ok. The patch is fine for me. ACK
>
Pushed to master: 44cced658bde224957a605bfa083821d8fbf94c0
--
Petr Vobornik
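The regression Thierry caught above (a permission silently dropped from the managed-permissions table, breaking `user-del --preserve`) is easy to guard against with a small check over the table itself. The block below is an added example, not FreeIPA code: it models the permission dicts from the thread with plain strings in place of ipalib's `DN` objects, uses constructed container and base DNs, and provides `grants()` / `preserve_path_ok()` helpers (hypothetical names) that report which permissions give a privilege a given right on a given attribute under a given container.

```python
# Added example (not FreeIPA's own code): regression check over managed
# permission definitions of the shape used in ipalib plugins.  DN objects are
# replaced by plain strings; all DN values below are constructed stand-ins.

ACTIVE_CONTAINER = "cn=users,cn=accounts"                       # stand-in for baseuser.active_container_dn
STAGE_CONTAINER = "cn=staged users,cn=provisioning,cn=accounts"  # stand-in for the stage container DN
BASEDN = "dc=example,dc=test"                                    # stand-in for api.env.basedn


def dn(*parts):
    """Join RDN/DN fragments the way DN(...) does in ipalib, as a plain string."""
    return ",".join(parts)


# Constructed permission table.  The first entry mirrors the permission discussed
# in the thread, under the name Martin asked for; the second is filler so the
# check has something to skip over.
MANAGED_PERMISSIONS = {
    'System: Modify User RDN': {
        'ipapermlocation': dn(ACTIVE_CONTAINER, BASEDN),
        'ipapermbindruletype': 'permission',
        'ipapermtarget': dn('uid=*', ACTIVE_CONTAINER, BASEDN),
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'ipapermdefaultattr': {'uid'},
        'default_privileges': {'Stage User Administrators'},
    },
    'System: Read Stage Users': {
        'ipapermlocation': dn(STAGE_CONTAINER, BASEDN),
        'ipapermbindruletype': 'permission',
        'ipapermtarget': dn('uid=*', STAGE_CONTAINER, BASEDN),
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'uid', 'cn'},
        'default_privileges': {'Stage User Administrators'},
    },
}


def grants(perms, privilege, location, right, attr):
    """Names of permissions that give `privilege` the `right` on `attr` at `location`."""
    hits = []
    for name, p in perms.items():
        if privilege not in p.get('default_privileges', ()):
            continue
        if p.get('ipapermlocation') != location:
            continue
        if right not in p.get('ipapermright', ()):
            continue
        if attr not in p.get('ipapermdefaultattr', ()):
            continue
        hits.append(name)
    return sorted(hits)


def preserve_path_ok(perms):
    """user-del --preserve moves the active entry, so its RDN attribute (uid) must be
    writable in the active container by Stage User Administrators."""
    return bool(grants(perms, 'Stage User Administrators',
                       dn(ACTIVE_CONTAINER, BASEDN), 'write', 'uid'))


def without(perms, name):
    """Copy of the table with one permission removed, to simulate an accidental drop."""
    return {k: v for k, v in perms.items() if k != name}


if __name__ == "__main__":
    print("preserve path ok:", preserve_path_ok(MANAGED_PERMISSIONS))
    print("after dropping the RDN permission:",
          preserve_path_ok(without(MANAGED_PERMISSIONS, 'System: Modify User RDN')))
```

Run as a unit test next to the plugin, a check like `preserve_path_ok()` fails the moment someone removes or mis-scopes the uid write right, instead of surfacing later as a broken `user-del --preserve`.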