[Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.

Rob Crittenden rcritten at redhat.com
Tue Feb 1 16:58:53 UTC 2011


Martin Kosek wrote:
> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> 2) In delegation.ldif: ipapermission object class is missing for
>>> removeentitlements and modifyentitlements (it has been added for
>>> addentitlements though)
>>
>> This was on purpose, I should have been clearer. Patch 664 makes major
>> changes to these and I'm trying to make the merge easier. I'll fix them
>> up when 664 gets pushed.
>
> I thought so. I was confused by the addentitlements permission whose
> objectclass was updated. We just have to make sure that the
> entitlements patch includes this new objectClass.
>
>>
>>>
>>>
>>> QUESTION:
>>> In this patch you add a READONLY flag to Replica permissions. However, it
>>> is not actually used and stays just an informative flag. It won't
>>> prevent a user from modifying/removing READONLY permissions.
>>>
>>> I guess enhancing permission-mod and permission-del with a READONLY check
>>> will be the subject of another ticket?
>>
>> Ok, interesting point. I considered the aci itself to be read-only. The
>> only thing a user could do is rename the permission, right? I think that
>> would maintain consistency so it shouldn't be a problem. It would
>> probably be easy to really make these read-only but that would have a UI
>> impact as well, perhaps a problematic one. I suppose if they could
>> handle any read-only exceptions we'd raise that would be adequate.
>>
>> rob
>
> Yes, a user could rename or delete a permission. In both cases it won't have
> any effect on the ACI, as the ACI plugin does not see it. But I think it
> would be nice to prevent modifications to these permissions when we have
> this new and shiny READONLY flag. A read-only exception may be a way to
> achieve this...
>
> Martin
>

I think I got everything. Simo suggested using SYSTEM instead of 
READONLY so I switched to that. I also renamed the attribute to 
ipapermissiontype and added enforcement over mod/del.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-697-3-permissions.patch
Type: text/x-patch
Size: 19659 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110201/d327a028/attachment.bin>
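As an added illustration of the enforcement described in the last message (this is not Rob's patch or FreeIPA's own code): a constructed model in which permission entries carry the ipapermissiontype attribute, and mod/del of entries flagged SYSTEM raise a read-only exception instead of leaving the entry and its ACI out of step. The permission names and ACI strings are invented.

```python
"""Constructed model (not FreeIPA code) of the SYSTEM flag enforcement
discussed above: permission entries carry ipapermissiontype, and mod/del
of entries flagged SYSTEM raise a read-only exception."""


class ReadOnlyPermissionError(Exception):
    """Raised when a SYSTEM permission would be modified or deleted."""


# Constructed sample entries; the permission names are invented, while the
# attribute name ipapermissiontype and the value SYSTEM come from the thread.
PERMISSIONS = {
    "Replication Administrators": {"ipapermissiontype": ["SYSTEM"], "member": ["cn=admins"]},
    "Add Users": {"ipapermissiontype": [], "member": []},
}
# Constructed: the ACI each permission describes, keyed by permission name.
ACIS = {name: f'(version 3.0; acl "permission:{name}"; ...)' for name in PERMISSIONS}


def is_system_permission(entry):
    """A permission is read-only when ipapermissiontype contains SYSTEM."""
    return "SYSTEM" in entry.get("ipapermissiontype", [])


def permission_mod(name, changes):
    """Apply attribute changes, refusing SYSTEM permissions up front."""
    entry = PERMISSIONS[name]
    if is_system_permission(entry):
        raise ReadOnlyPermissionError(f"{name} is a SYSTEM permission")
    entry.update(changes)
    return entry


def permission_del(name):
    """Remove a permission entry, refusing SYSTEM permissions up front."""
    if is_system_permission(PERMISSIONS[name]):
        raise ReadOnlyPermissionError(f"{name} is a SYSTEM permission")
    del PERMISSIONS[name]


def orphaned_acis():
    """ACIs whose permission entry is gone: in this model, deleting a
    permission never touches its ACI, so the ACI is left without an owner."""
    return sorted(n for n in ACIS if n not in PERMISSIONS)


def refused(op, *args):
    """True when op raises the read-only exception (used by the checks)."""
    try:
        op(*args)
    except ReadOnlyPermissionError:
        return True
    return False
```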

