[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions
Petr Viktorin
pviktori at redhat.com
Tue Apr 8 09:03:26 UTC 2014
Patch 0508:

This documents the inputs for the permission updater in the module
itself. This is taken from the design page. I expect it'll need an
addition now and then, so I think it's better to have this near the code
it corresponds to.

Patch 0509:

So far the new default permissions have been tied to an Object plugin,
and took the ACI location and objectclass filter from the object.
However, there are some permissions that are not tied to an IPA object,
for instance ones dealing with a compat tree. However, these permissions
should behave similarly to the Object-based ones, so it makes sense to
use the same updater with them.

A question is where the non-Object permissions should be stored. I can
think of several alternatives:

a) in a special data file, like .update files
b) in a new plugin type
c) somewhere in the code

I went for c) for simplicity, but feel free to discuss. (CCing Rob since
he had some strong opinions in this area.)

This patch makes ipapermlocation, ipapermtargetfilter and other
Permission attributes overridable, and adds a central list of non-object
permissions to the updater module. (For now, the list is empty.)

My patch 0504.2 (Default read ACIs for Sudo objects) will add a
non-object permission for ou=sudoers.

--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0508-Document-the-managed-permission-updater-operation.patch
Type: text/x-patch
Size: 2478 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/9092f54b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0509-Add-support-for-non-object-default-permissions.patch
Type: text/x-patch
Size: 5666 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/9092f54b/attachment-0001.bin>