[Freeipa-devel] [PATCH] 695 rename permissions and privileges

Rob Crittenden rcritten at redhat.com
Mon Jan 31 18:18:02 UTC 2011


Martin Kosek wrote:
> On Mon, 2011-01-31 at 11:03 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-01-28 at 18:48 -0500, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Rename permissions and privileges to more human-readable names. I'm also
>>>>> dropping description from permissions since it seems redundant.
>>>>>
>>>>> Note that the entitlement acis are left untouched here, they are changed
>>>>> in a pending patch (664).
>>>>>
>>>>> ticket 792
>>>>>
>>>>> rob
>>>>
>>>> I guess I should remove description from the pre-defined permission
>>>> entries too.
>>>>
>>>> rob
>>>
>>> NACK
>>>
>>> I have found some minor inconsistencies in LDIF (except the entitlements
>>> permission/privilege naming you mentioned in log):
>>>
>>> 1) A description is still present for several permissions:
>>> Retrieve Certificates from the CA
>>> Request Certificate
>>> Request Certificates from a different host
>>> Get Certificates status from the CA
>>> Revoke Certificate
>>> Certificate Remove Hold
>>>
>>> 2) Privilege cn=admins,cn=privileges,cn=pbac,$SUFFIX does not exist. I
>>> know this was not changed by your patch, but I noticed it during the
>>> review and now may be a good opportunity to fix it:
>>>
>>> dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
>>> changetype: add
>>> objectClass: top
>>> objectClass: groupofnames
>>> cn: Manage service keytab
>>> member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
>>> member: cn=admins,cn=privileges,cn=pbac,$SUFFIX<==
>>>
>>>
>>>
>>> permission.py:
>>>
>>> 1) This uncommon number order may raise questions :-)
>>>
>>> 1. The name of the permission.
>>> 3. The target of the permission.
>>> 4. The permissions granted by the permission.
>>>
>>> 2) I would change default permission-add examples to follow our new
>>> permission-naming format (more verbose one), i.e. instead of
>>>
>>>    Add a permission that grants the creation of users:
>>>      ipa permission-add --type=user --permissions=add adduser
>>>
>>> I would like something like this:
>>>
>>>    Add a permission that grants the creation of users:
>>>      ipa permission-add --type=user --permissions=add "Add Users"
>>>
>>>
>>>
>>> Other changes seem OK.
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> Updated patch attached
>
> ACK.

pushed to master
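
The dangling `member:` reference raised in the review (a permission pointing at a privilege DN that is never defined) can be caught mechanically. The following is an added example, not part of the patch or of FreeIPA's code: the function names are hypothetical, the sample LDIF is constructed from the entry quoted above plus an assumed privilege entry, and it only checks references within the same LDIF text.

```python
import re

# Constructed sample: the permission entry quoted in the review, plus an
# assumed privilege entry so that one member resolves and one does not.
SAMPLE_LDIF = """\
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
objectClass: top
objectClass: groupofnames
cn: Service Administrators

dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
"""

PRIV_BASE = "cn=privileges,cn=pbac,$suffix"

def norm(dn):
    """Normalise a DN for comparison: lowercase, no spaces around ',' or '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_entries(ldif):
    """Return [(dn, {attr: [values]})] for plain-text LDIF (no base64 values)."""
    unfolded = re.sub(r"\n ", "", ldif)  # join RFC 2849 continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def dangling_privilege_members(ldif):
    """List (entry_dn, member_dn) where member names a privilege not defined here."""
    entries = parse_entries(ldif)
    defined = {norm(dn) for dn, _ in entries}
    return [(dn, m) for dn, attrs in entries for m in attrs.get("member", [])
            if norm(m).endswith("," + PRIV_BASE) and norm(m) not in defined]

if __name__ == "__main__":
    print(dangling_privilege_members(SAMPLE_LDIF))
```

Run over the constructed sample, it reports only the `cn=admins` member flagged in the review.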



