[Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

Petr Viktorin pviktori at redhat.com
Wed Jun 18 12:48:19 UTC 2014


On 06/18/2014 02:23 PM, Martin Kosek wrote:
> On 06/18/2014 02:20 PM, Petr Viktorin wrote:
>> On 06/18/2014 02:05 PM, Martin Kosek wrote:
[...]
>>> 583.2: OK
>>>
>>> 584.2:
>>>
>>> 1) Typo in description:
>>> Convewrt the existing default permissions.
>>
>> Thanks for the catch, I'll fix it before pushing.
>>
>>>
>>> 2) What would you like to do with per-zone permissions?
>>>
>>> # ipa dnszone-add-permission example.com
>>> ------------------------------------------------------
>>> Added system permission "Manage DNS zone example.com."
>>> ------------------------------------------------------
>>>     Manage DNS zone example.com.
>>>
>>> # ipa permission-show 'Manage DNS zone example.com.'
>>>     Permission name: Manage DNS zone example.com.
>>>     Granted to Privilege: test2
>>>     Indirect Member of roles: test2
>>>
>>> Should the command be converted to add V2 permissions? We would have to also
>>> deal with conversion from old DNS zone permissions to permissionsv2 though.
>>>
>>> 3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
>>> entries in a zone" permissions to managed? It would make their maintenance and
>>> updates much easier, we would also get rid of more updates in update files.
>>>
>>> The only problem I see is how to define 'userattr =
>>> "parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
>>> rough at the moment.
>>
>> I'd like to leave these two cases until after the "regular" default permissions
>> are done.
>> The regular permissions must be converted now because when you "touch" them
>> with 4.0 permission-mod, they get converted to V2 and the updater will no
>> longer count them as old default permissions. So we need to convert all of them
>> right now. The SYSTEM ones can't be modified so they could theoretically wait
>> till 4.1+.
>> There'll be a few more SYSTEM permissions to convert like 'Modify DNA Range'.
>
> Ok, not a blocker.

I opened [#4384] for 1).

>> For the second case, yes, adding more bind rule types will need some work (and
>> a new permission flag). I'd like to combine that work with the
>> selfservice/delegation, which also need special bind rules.
>
> Ok, please make sure that we have the ideas and missing TODOs reflected in tickets.

I'm tracking 3) as part of [#4346] now. These show up in a simple grep 
or ldapsearch.

> Given these arrangements, ACK to the patch set as is (with the typo fix).
>
> Martin
>

Thanks, pushed to master: 700ac6c11627137db758ad376c44745db579dc84



[#4384] https://fedorahosted.org/freeipa/ticket/4384
[#4346] https://fedorahosted.org/freeipa/ticket/4346

-- 
Petr³
