[Freeipa-devel] [RFE] Permissions V2
Petr Viktorin
pviktori at redhat.com
Thu Nov 7 11:45:11 UTC 2013
Hello,
I'm splitting up ACI work into several designs to make it more manageable.
This one is about
- Moving ACIs out of $SUFFIX
- Storing all ACI data in the permission entry
- Permission flag system for ensuring backwards compatibility
Summary of the backcompat story:
- Attributes, rights, etc. of new permissions may not be modified or read on old servers (not possible since the ACIs aren't in $SUFFIX)
- Old permissions convert to new ones when they're modified on a new server
- Any server can assign (or remove) both old and new permissions to privileges
There is a bit of shuffling in API/CLI option names, since the API
option name needs to match the LDAP attributeTypes.
The WIP design document is here:
http://www.freeipa.org/page/V3/Permissions_V2
--
Petr³