[Freeipa-devel] [RFE] Permissions V2
Petr Viktorin
pviktori at redhat.com
Fri Dec 6 14:46:51 UTC 2013
On 12/06/2013 03:28 PM, Simo Sorce wrote:
> On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
>> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
>>> On 12/02/2013 02:29 PM, Simo Sorce wrote:
>
>>>> It would be very nice if you can add the resulting LDAP objects in the
>>>> example, that will allow me to reason on the correctness of the
>>>> translation.
>>>
>>> OK, I'll work on that.
>>
>> I've added the resulting LDAP objects to the tests here:
>> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests
>
> Thank you Petr,
> I was looking at them and I see we often use target=ldap://<dn> type for
> selecting which objects this apply to.
>
> This was sort of necessary when the permissions were all in the base and
> we wanted to limit to specific entries in subtrees.
>
> However I was wondering if we shouldn't transition/allow to user
> targetfilter or targetattrfilter (this would be needed to have
> add/delete permissions).
>
> For example, instead of:
> (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
> We could have:
> (targetfilter = "(objectclass=ipaUser)")
>
> It also occurs to me we could do very neat things like allowing manager
> access with (targetfilter = "(managedby=<dn>)"), and similar.
>
> In general using targetfilter and targetattrfilter is more flexible and
> allow for applying different permission depending exacly on the object
> type or even specific sets of objects of a common type. Something the
> simple target filter cannot do.
>
> What do you think ?
+1
I don't think this should block the framework patches that are on list
now, though. I'll file a RFE for tuning how the default and "type"
permissions look. Would that be fine?
--
Petr³
More information about the Freeipa-devel
mailing list