[Freeipa-devel] [PATCHES] 0521-0522 - Add managed read permissions to krbtpolicy & Allow anonymous read access to Kerberos realm container name
Martin Kosek
mkosek at redhat.com
Tue Apr 15 07:38:40 UTC 2014
On 04/14/2014 07:18 PM, Simo Sorce wrote:
> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
>> Hello,
>>
>> The first patch adds default read permissions to krbtpolicy. Since the
>> plugin manages entries in two trees, there are two permissions. Since
>> two permissions are needed to cover krbtpolicy, it can't be used as a
>> permission's --type.
>> The permissions are added to a new privilege, 'Kerberos Ticket Policy
>> Readers'.
>>
>> The second patch adds an ACI for reading the Kerberos realm name. Since
>> client enrollment won't work without this, I don't see a reason for
>> having it managed by a permission.
>>
>
> LGTM
>
> Simo.
>
521 breaks a unit test:
======================================================================
FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in <lambda>
    func = lambda: self.check(nice, **test)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in check_output
    assert_deepequal(expected, got, nice)
  File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
expected = 1
got = 2
path = ('count',)
Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
miss permissions for users).
Martin