[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

Martin Kosek mkosek at redhat.com
Wed Apr 9 08:59:42 UTC 2014


On 04/07/2014 01:34 PM, Petr Viktorin wrote:
> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>
>>> Read access is given to all authenticated users.
>>
>> So far looked OK in my tests. What about the ACIs like the following one?
>>
>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>> (read,search,compare) userdn != "ldap:///all";)
>>
>> Do we want to remove them together with this patch to have the change grouped
>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>> once? (together with the master read ACI)
>>
>> Martin
>>
> 
> I want to remove them after removing the global read ACI, so that in the
> meantime we're not allowing more access than we should.

Ok, makes sense. I tested the patch again and it worked fine (after I removed
the deny rule).

ACK.

Martin
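To make the ordering argument in the thread concrete (why the deny ACI has to stay until the global read ACI is gone), here is an added example; it is my own illustration, not part of the thread or of FreeIPA's code. It is a deliberately simplified model of 389 DS ACI evaluation in which a matching deny always wins and access otherwise needs a matching allow; the deny rule is the one quoted above, while the global read ACI and the new HBAC read ACI are constructed stand-ins rather than FreeIPA's actual text.

```python
import re
from collections import namedtuple

# Constructed, simplified model of 389 DS ACI evaluation (not the server's
# code): a matching deny always wins, otherwise access needs a matching allow.
# Only the userdn bind rules seen in this thread are understood:
# ldap:///anyone matches any bind, ldap:///all only authenticated binds.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*(?P<op>!?=)\s*"(?P<who>ldap:///(?:all|anyone))";\)')
Aci = namedtuple("Aci", "name attrs effect rights op who")

def parse_aci(text):
    # Collapse the line breaks mail clients insert before matching.
    m = ACI_RE.fullmatch(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    return Aci(m["name"], frozenset(a.strip() for a in m["attrs"].split("||")),
               m["effect"], frozenset(r.strip() for r in m["rights"].split(",")),
               m["op"], m["who"])

def bind_rule_matches(aci, authenticated):
    in_set = True if aci.who.endswith("anyone") else authenticated
    return in_set if aci.op == "=" else not in_set

def can_read(acis, attr, authenticated):
    """True if this bind may read `attr` under the given ACI set."""
    allowed = False
    for aci in acis:
        if "read" not in aci.rights or not aci.attrs & {"*", attr}:
            continue
        if not bind_rule_matches(aci, authenticated):
            continue
        if aci.effect == "deny":
            return False  # deny takes precedence over every allow
        allowed = True
    return allowed

# The deny rule quoted in the thread, plus two constructed stand-ins for the
# global read ACI and the new HBAC read ACI (not FreeIPA's actual text).
DENY_ANON = parse_aci('(targetattr = "*")(version 3.0; acl "No anonymous access to '
                      'hbac"; deny (read,search,compare) userdn != "ldap:///all";)')
GLOBAL_READ = parse_aci('(targetattr = "*")(version 3.0; acl "constructed global '
                        'read"; allow (read,search,compare) userdn = "ldap:///anyone";)')
HBAC_READ = parse_aci('(targetattr = "cn || description || memberUser")(version 3.0; '
                      'acl "constructed HBAC read"; allow (read,search,compare) '
                      'userdn = "ldap:///all";)')

def anonymous_can_read_hbac(deny_present, global_present):
    acis = [HBAC_READ] + ([DENY_ANON] if deny_present else [])
    acis += [GLOBAL_READ] if global_present else []
    return can_read(acis, "cn", authenticated=False)
```

With the deny rule removed while the global read ACI still exists, `anonymous_can_read_hbac(False, True)` comes out True, which is exactly the interim over-exposure the reply above wants to avoid; once the global ACI is gone too, it is False again.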
