[Freeipa-devel] [PATCH] Changed dns permission types

Rob Crittenden rcritten at redhat.com
Tue Feb 1 17:12:35 UTC 2011


Jan Zelený wrote:
> Jan Zelený<jzeleny at redhat.com>  wrote:
>> Rob Crittenden<rcritten at redhat.com>  wrote:
>>> Jan Zelený wrote:
>>>> Rob Crittenden<rcritten at redhat.com>   wrote:
>>>>> Jan Zelený wrote:
>>>>>> Recent change of DNS module to version caused that dns object type
>>>>>> was replaced by dnszone and dnsrecord. This patch corrects dns types
>>>>>> in permissions class.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/646
>>>>>
>>>>> Nack. These values need to be added as valid types to the aci plugin
>>>>> and the _type_map needs to be updated.
>>>>>
>>>>> rob
>>>>
>>>> I'm sending an updated patch.
>>>>
>>>> Jan
>>>
>>> Since dnszone and dnsrecord point to the same kind of entry what is the
>>> point of having two separate names for them? When we read the entry we
>>> aren't going to be able to differentiate between the two.
>>
>> I didn't take a look how the type thing works, so I'm kinda guessing here
>> (please ignore the comment if it is wrong):
>> Sure, object with idnszone class is always also in dnsrecord class, but
>> that's not the case backwards (idnsrecord object isn't always idnszone) -
>> so I think it is possible to set different ACIs for these two types.
>>
>>> Can the type be made more specific?
>>
>> If the mapping doesn't distinguish object classes and it can, maybe that's
>> the answer. Will investigate further. But if not, I still think this is
>> the way to go considering the underlying issue which we tried to solve by
>> this change.
>
> From what I found I think that making the changes necessary to distinguish
> dnsrecord and dnszone is not worth it, especially since the user can use "filter"
> for that purpose. Since having both of them doesn't have any additional value,
> I'm sending a new version of the patch, which only adds the dnsrecord type.
>
> Jan

Ack but this patch needs a rebase.

rob



