[Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes

Martin Kosek mkosek at redhat.com
Wed Jan 26 16:29:36 UTC 2011


On Wed, 2011-01-26 at 10:56 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > Martin Kosek wrote:
> >> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
> >>
> >>> I took a quick look.
> >>>
> >>> Rob, I thought that there are different APIs for self and delegation. Is
> >>> this the case?
> >>> ipa permission-... functions should never deal with self service or
> >>> delegation acis
> >>> They are just for the permission ACIs connected to the target groups.
> >>> I do not think this is the right approach.
> >>> The prefix is needed but it should be automatically added if you use this
> >>> interface.
> >>>
> >>
> >> Well, this patch ensures that permission-* functions will not deal with
> >> selfservice or delegation ACIs. Each of these plugins has its own prefix
> >> (e.g. "permission:" or "delegation:") which is added to the underlying
> >> ACI name.
> >>
> >> Because of this, the Permission, Selfservice and Delegation plugins work
> >> only with ACIs with "their" prefix. Prefix is not visible for user, it
> >> is passed to ACI functions automatically by Permission, Delegation and
> >> Selfservice plugins.
> >>
> >>
> >
> >
> >    Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
> > -   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
> > +   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
> >
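Review bot: the `+` line adds `--prefix=none` to the `ipa permission-add` help example, which documents a prefix option on a command whose prefix is described in this thread as being added automatically by the plugin, and a value of `none` reads as a way to opt out of that scoping. Suggest leaving this example as on the `-` line and showing the option only in examples for commands that actually accept it.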
> > This change exposes the prefix on the command line which means you can
> > manage ACIs with different prefixes.
> > Do I misread it?
> 
> The help changes are unneeded. The prefix is not configurable by the user.
> 
> rob

Ah, now I see the source of confusion. My bad. I fixed help in ACI
plugin (even though this plugin is not visible for CLI). There were
examples for using aci-add command and I wanted to add a new mandatory
parameter here, so that user is not prompted for it.

Unfortunately, I didn't notice there was one permission-add example -
--prefix attribute is not valid for this command. A patch #2 with fixed
permission-add example + rebase to current master is attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkosek-freeipa-017-02-aci-plugin-supports-prefixes.patch
Type: text/x-patch
Size: 52068 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110126/eb410804/attachment.bin>
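
An added example, not part of this thread, the attached patch or FreeIPA's code: a Python sketch of the prefix scoping described above, where each plugin only sees and deletes ACIs whose name carries its own prefix. `split_aci_name`, `ScopedACIs`, the `selfservice` prefix string and the sample ACIs are hypothetical and constructed for illustration.

```python
import re

# "permission" and "delegation" are the prefixes quoted in the thread;
# "selfservice" as a prefix string is an assumption.
PREFIXES = ("permission", "delegation", "selfservice")
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')


def split_aci_name(aci):
    """Return (prefix, name); prefix is None when the name has no known prefix."""
    m = ACL_NAME.search(aci)
    if m is None:
        raise ValueError("no acl name in ACI: %r" % aci)
    prefix, sep, name = m.group(1).partition(":")
    if sep and prefix in PREFIXES and name:
        return prefix, name
    return None, m.group(1)


class ScopedACIs:
    """Hypothetical view of an ACI list limited to one plugin's prefix."""

    def __init__(self, acis, prefix):
        if prefix not in PREFIXES:
            raise ValueError("unknown prefix: %r" % prefix)
        self.acis, self.prefix = acis, prefix

    def names(self):
        return sorted(n for p, n in map(split_aci_name, self.acis) if p == self.prefix)

    def delete(self, name):
        # Match on (prefix, name) so a same-named ACI of another plugin survives.
        for i, aci in enumerate(self.acis):
            if split_aci_name(aci) == (self.prefix, name):
                return self.acis.pop(i)
        raise LookupError("%s ACI %r not found" % (self.prefix, name))


def sample_acis():
    # Constructed sample ACIs, not taken from a real directory.
    base = "dc=example,dc=com"
    return [
        '(target = "ldap:///cn=*,cn=orange,cn=accounts,%s")(version 3.0;acl '
        '"permission:add_orange";allow (add) groupdn = "ldap:///cn=add_orange,%s";)' % (base, base),
        '(targetattr = "mobile")(version 3.0;acl "selfservice:add_orange";'
        'allow (write) userdn = "ldap:///self";)',
        '(targetattr = "title")(version 3.0;acl "legacy rule";allow (read) userdn = "ldap:///anyone";)',
    ]
```
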