[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions
Petr Viktorin
pviktori at redhat.com
Wed Apr 9 11:41:51 UTC 2014
On 04/09/2014 10:31 AM, Martin Kosek wrote:
> On 04/08/2014 05:17 PM, Petr Viktorin wrote:
>> On 04/08/2014 04:39 PM, Martin Kosek wrote:
>>> On 04/08/2014 01:14 PM, Petr Viktorin wrote:
>>>> On 04/08/2014 12:53 PM, Martin Kosek wrote:
>>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>> ...
>>>>> The patch is functional, but I am not really a big fan of placing it in the
>>>>> plugin. I would prefer if the ACI definition is also in the sudo plugin
>>>>> together with other definition. It would be then much easier to audit all
>>>>> sudo-related ACIs.
>>>>>
>>>>> Why can't we add this ACI to sudorule object managed permissions and just
>>>>> override the location and target?
>>>>
>>>> I can do that. Most of the changes make this overriding possible, where the
>>>> permission is actually defined is a detail.
>>>>
>>>>> I am not insisting on a specific format, I would simply prefer to have all
>>>>> plugin object related ACIs close together.
>>>>
>>>> My reasoning is that finding the definition would not be straightforward. All
>>>> the object-specific permissions so far are defined in "their" plugins, as
>>>> determined by --type. This one won't have --type, and it's not clear if it
>>>> should be in sudorule, sudocmd or sudocmdgroup.
>>>>
>>>> But, I don't have a strong preference. A `git grep` will always show the
>>>> definition.
>>>>
>>>
>>> IMO sudorule is fine, I personally see it as an overarching plugin for sudo,
>>> sudocmds and sudocmdgroups are just part of the sudorule.
>>>
>>> We may just want to somehow differentiate the non--type ACIs from the regular
>>> --type ones. Whether it is a different attribute in the Object or a setting in
>>> managed permission is something I will leave up to you.
>>
>> I went with a "non_object" key in the managed permission info.
>>
>> Attaching new patches.
>
> This looks good to me, ACK.
>
> Martin
>
Thanks, pushed to master: c58d6b2689acbfa36aec362b7de1ec7512d5f82a
--
Petr³
More information about the Freeipa-devel
mailing list