[Freeipa-devel] [PATCH] 612 re-implimit permissions

Simo Sorce ssorce at redhat.com
Thu Dec 2 01:56:23 UTC 2010


On Wed, 01 Dec 2010 16:01:46 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

> Simo Sorce wrote:
> > On Thu, 18 Nov 2010 23:11:51 -0500
> > Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >> Re-implement access control using an updated model.
> >>
> >> The new model is based on permissions, privileges and roles. Most
> >> importantly it corrects the reverse membership that caused problems
> >> in the previous implementation. You add permission to privileges
> >> and privileges to roles, not the other way around (even though it
> >> works that way behind the scenes).
> >>
> >> A permission object is a combination of a simple group and an aci.
> >> The linkage between the aci and the permission is the description
> >> of the permission. This shows as the name/description of the aci.
> >>
> >> ldap:///self and groups granting groups (v1-style) are not
> >> supported by this model (it will be provided separately).
> >>
> >> ticket 445
> >>
> >> WARNING. The patch is humongous and changes a whole slew of stuff.
> >> It patches cleanly against the master right now but it is quite
> >> delicate so the sooner this is reviewed (without pushing anything
> >> else) the better.
> >>
> >> The self-tests all pass for me as well as some spot checking.
> >>
> >> Also note that I currently define a single role and it has no
> >> privileges. We will need to fill that in soon.
> >
> >
> > Sorry Rob, but before I can ACK a change of this proportion in the
> > Security model I want a wiki page with the model explained clearly
> > and in detail.
> >
> > I am vetoing this patch until we have that.
> >
> > Note, I am *not* saying the patch is wrong, only that reviewing it
> > w/o a reference model is basically impossible and it touches
> > sensitive security stuff so I can't just let it pass hoping we got
> > everything right.
> >
> > Simo.
> >
> 
> Adam found a bug when installing the DNS server. Updated patch
> attached.

Ack and pushed to master.

I noticed a small glitch in the output of ipa role-add-privilege, it
doesn't show the privilege just added, just the members.
I think this can be addressed separately.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
