[Freeipa-devel] [PATCH] 612 re-implement permissions

Adam Young ayoung at redhat.com
Wed Dec 1 22:45:34 UTC 2010


On 12/01/2010 05:07 PM, Adam Young wrote:
> The attached patch is required on top of the changes, as the admin 
> user no longer has any rolegroup, and thus would see the self service 
> api.  It should be pushed with this patch.
Posted the wrong version. This one checks for presence of the group admins.
>
>
>
> On 12/01/2010 04:01 PM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Thu, 18 Nov 2010 23:11:51 -0500
>>> Rob Crittenden<rcritten at redhat.com>  wrote:
>>>
>>>> Re-implement access control using an updated model.
>>>>
>>>> The new model is based on permissions, privileges and roles. Most
>>>> importantly it corrects the reverse membership that caused problems
>>>> in the previous implementation. You add permission to privileges and
>>>> privileges to roles, not the other way around (even though it works
>>>> that way behind the scenes).
>>>>
>>>> A permission object is a combination of a simple group and an aci.
>>>> The linkage between the aci and the permission is the description of
>>>> the permission. This shows as the name/description of the aci.
>>>>
>>>> ldap:///self and groups granting groups (v1-style) are not supported
>>>> by this model (it will be provided separately).
>>>>
>>>> ticket 445
>>>>
>>>> WARNING. The patch is humongous and changes a whole slew of stuff. It
>>>> patches cleanly against the master right now but it is quite delicate
>>>> so the sooner this is reviewed (without pushing anything else) the
>>>> better.
>>>>
>>>> The self-tests all pass for me as well as some spot checking.
>>>>
>>>> Also note that I currently define a single role and it has no
>>>> privileges. We will need to fill that in soon.
>>>
>>>
>>> Sorry Rob, but before I can ACK a change of this proportion in the
>>> Security model I want a wiki page with the model explained clearly and
>>> in detail.
>>>
>>> I am vetoing this patch until we have that.
>>>
>>> Note, I am *not* saying the patch is wrong, only that reviewing it w/o
>>> a reference model is basically impossible and it touches sensitive
>>> security stuff so I can't just let it pass hoping we got everything
>>> right.
>>>
>>> Simo.
>>>
>>
>> Adam found a bug when installing the DNS server. Updated patch attached.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-admiyo-0107-2-admin-determination.patch
Type: text/x-patch
Size: 1594 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101201/1d4e2d81/attachment.bin>
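Rob's description of the model above (permissions added to privileges, privileges to roles, with the reverse group membership stored underneath, and the ACI named by the permission's description) and Adam's admins-group check, as an added Python illustration that is not FreeIPA's code nor either author's patch; the `Directory` class, the DN layout and the sample entries are assumptions constructed for the example.

```python
class Directory:
    """Toy stand-in for the LDAP tree (constructed example, not FreeIPA code)."""
    def __init__(self):
        self.member = {}  # entry DN -> DNs in its member attribute
        self.acis = {}    # ACI name (the permission's description) -> permission group DN
    def add(self, dn):
        self.member.setdefault(dn, set())
        return dn
    def add_permission(self, name, description):
        # A permission is a plain group plus an ACI; the ACI is named by the description.
        dn = self.add("cn=%s,cn=permissions" % name)
        self.acis[description] = dn
        return dn
    # The API reads "add permission to privilege, privilege to role", but the stored
    # membership runs the other way (the reverse membership Rob mentions): permission
    # group -> privilege -> role -> users, so a user ends up a nested member of the
    # permission group that the ACI's groupdn names.
    def add_permission_to_privilege(self, perm, priv):
        self.member[perm].add(priv)
    def add_privilege_to_role(self, priv, role):
        self.member[priv].add(role)
    def add_member(self, group, dn):
        self.member[self.add(group)].add(dn)
    def nested_members(self, dn, seen=None):
        # Everything reachable through member links, as memberOf would expand it.
        seen = set() if seen is None else seen
        for m in self.member.get(dn, ()):
            if m not in seen:
                seen.add(m)
                self.nested_members(m, seen)
        return seen
    def acis_for(self, user):
        # ACIs whose permission group transitively contains the user.
        return sorted(n for n, g in self.acis.items() if user in self.nested_members(g))
    def is_admin(self, user):
        # The follow-up patch's check: admin status comes from the admins group, not a rolegroup.
        return user in self.nested_members("cn=admins,cn=groups")

def demo():
    # Constructed sample: one permission, one privilege, one role, two users.
    d = Directory()
    perm = d.add_permission("modify users", "Modify Users")
    priv = d.add("cn=User Administrators,cn=privileges")
    role = d.add("cn=helpdesk,cn=roles")
    d.add_permission_to_privilege(perm, priv)
    d.add_privilege_to_role(priv, role)
    d.add_member(role, "uid=alice")                   # alice holds the helpdesk role
    d.add_member("cn=admins,cn=groups", "uid=admin")  # admin is only in the admins group
    return d
```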