[Freeipa-devel] [PATCH] 695 rename permissions and privileges

Martin Kosek mkosek at redhat.com
Mon Jan 31 18:09:49 UTC 2011


On Mon, 2011-01-31 at 11:03 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-01-28 at 18:48 -0500, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Rename permissions and privileges to more human-readable names. I'm also
> >>> dropping description from permissions since it seems redundant.
> >>>
> >>> Note that the entitlement acis are left untouched here, they are changed
> >>> in a pending patch (664).
> >>>
> >>> ticket 792
> >>>
> >>> rob
> >>
> >> I guess I should remove description from the pre-defined permission
> >> entries too.
> >>
> >> rob
> >
> > NACK
> >
> > I have found some minor inconsistencies in LDIF (except the entitlements
> > permission/privilege naming you mentioned in log):
> >
> > 1) A description is still present for several permissions:
> > Retrieve Certificates from the CA
> > Request Certificate
> > Request Certificates from a different host
> > Get Certificates status from the CA
> > Revoke Certificate
> > Certificate Remove Hold
> >
> > 2) Privilege cn=admins,cn=privileges,cn=pbac,$SUFFIX does not exist. I
> > know this was not changed by your patch, but I noticed it during the
> > review and now may be a good opportunity to fix it:
> >
> > dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
> > changetype: add
> > objectClass: top
> > objectClass: groupofnames
> > cn: Manage service keytab
> > member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
> > member: cn=admins,cn=privileges,cn=pbac,$SUFFIX<==
> >
> >
> >
> > permission.py:
> >
> > 1) This uncommon number order may raise questions :-)
> >
> > 1. The name of the permission.
> > 3. The target of the permission.
> > 4. The permissions granted by the permission.
> >
> > 2) I would change default permission-add examples to follow our new
> > permission-naming format (more verbose one), i.e. instead of
> >
> >   Add a permission that grants the creation of users:
> >     ipa permission-add --type=user --permissions=add adduser
> >
> > I would like something like this:
> >
> >   Add a permission that grants the creation of users:
> >     ipa permission-add --type=user --permissions=add "Add Users"
> >
> >
> >
> > Other changes seem OK.
> >
> > Martin
> 
> Updated patch attached

ACK.

Martin
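
The two LDIF findings from the review quoted above (a permission that still carries a description, and a member value pointing at a privilege that is not defined), written as an added example that is not part of the original thread or of FreeIPA's code. It assumes every privilege entry is defined in the same LDIF text; the sample LDIF is constructed, and `parse_ldif`, `norm_dn` and `lint_permissions` are hypothetical names.

```python
# Added example, not FreeIPA code. SAMPLE_LDIF is constructed (description made up).
SAMPLE_LDIF = """\
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
cn: Service Administrators

dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
cn: Manage service keytab
description: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
"""

def parse_ldif(text):
    """Parse plain-text LDIF into [(dn, {attr: [values]})]; base64 '::' values are not decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # RFC 2849 folded continuation line
        elif not line.startswith("#"):    # skip comment lines
            unfolded.append(line)
    records, attrs = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if "dn" in attrs:
                records.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return records

def norm_dn(dn):
    """Case-insensitive DN comparison key (assumes no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint_permissions(text):
    """Flag permissions that keep a description or reference an undefined privilege."""
    records = parse_ldif(text)
    defined = {norm_dn(dn) for dn, _ in records}
    findings = []
    for dn, attrs in records:
        if ",cn=permissions,cn=pbac," not in norm_dn(dn):
            continue
        if "description" in attrs:
            findings.append((dn, "description still present"))
        for member in attrs.get("member", []):
            key = norm_dn(member)
            if ",cn=privileges,cn=pbac," in key and key not in defined:
                findings.append((dn, "undefined privilege: " + member))
    return findings
```

Calling `lint_permissions(SAMPLE_LDIF)` returns one finding for the leftover description and one for the `cn=admins` member; a privilege defined in a different file would also be reported, so feed it the concatenated LDIF set.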
