[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user

Martin Kosek mkosek at redhat.com
Wed May 21 06:03:15 UTC 2014


On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
>>> [0].
>>>
>>> Patch 0541 is some minor refactoring for the next part.
>>>
>>> Patch 0542 sets the read access to addressbook attributes to anonymous when
>>> upgrading from pre-4.0.
>>> I first did this by checking if the update is run from ipa-server-install or not,
>>> but then I realized the logic I want is simple: if the global anon read ACI
>>> exists, we want to preserve its spirit by setting addressbook attribute ACI to
>>> anonymous.
>>>
>>>
>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
>>> al.
>>>
>>
>> 540:
>>
>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>
>> - ipauniqueid
>> - ipasshpubkey
>> - ipauserauthtype
>> - userclass
>>
>> I personally do not think they should be included in POSIX attributes
>> permissions, they are far from POSIX definition...
>>
>> What about creating one more permission "System: Read User IPA Attributes" as
>> these are specific to FreeIPA use and allowing that permission for all
>> authenticated users?
> 
> Sounds reasonable. I assume we want this one to be also set to anonymous when
> upgrading from old versions.
> Attaching updated patches.

Ok, looks good.

I am now just pondering whether "System: Read User POSIX Attributes" is the
right name for the permission as there are not just POSIX attributes, but also
attributes from organizationalPerson or inetOrgPerson objectclasses.

Maybe we should name it "System: Read User Core Attributes" or "System: Read
User Basic Attributes"? Simo, any preference?

Also, I just realized we forgot memberOf attribute - it needs to be available
to authenticated users otherwise group membership will fall apart.

> 
>> 541, 542:
>> ACK for both, works fine in both new installation and upgrade.
>>
>> Martin
>>
> 
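The upgrade rule discussed in this thread (keep anonymous read for the new permission if the global anonymous read ACI is still present, otherwise grant it to authenticated users only), written out as an added Python example; this is not code from the thread or from FreeIPA itself. The ACI strings are constructed samples in 389 Directory Server syntax, and the "anonymous"/"all" result labels are assumed names for the two bind rule types.

```python
import re

# Constructed sample ACIs in 389 Directory Server syntax, not FreeIPA's real ones.
ANON_READ_ACI = ('(targetattr != "userPassword || krbPrincipalKey")(version 3.0; '
                 'acl "Enable Anonymous access"; allow (read, search, compare) '
                 'userdn = "ldap:///anyone";)')
AUTH_READ_ACI = ('(targetattr = "cn || sn || memberOf")(version 3.0; acl "Read User '
                 'Core Attributes"; allow (read, search, compare) userdn = "ldap:///all";)')
DENY_ANON_ACI = ('(targetattr = "cn")(version 3.0; acl "Deny anon cn"; deny (read) '
                 'userdn = "ldap:///anyone";)')

ACI_RE = re.compile(
    r'(?:\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\))?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*(?P<effect>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);\s*\)')

def parse_aci(aci):
    """Split one ACI into target attributes, rights and bind rule."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("unrecognised ACI: %r" % aci)
    attrs = m.group("attrs") or ""
    return {
        "name": m.group("name"),
        # 'targetattr != ...' (or no targetattr at all) means every attribute except those listed
        "negated": m.group("op") != "=",
        "attrs": {a.strip().lower() for a in attrs.split("||") if a.strip()},
        "effect": m.group("effect"),
        "rights": {r.strip() for r in m.group("rights").split(",")},
        "bind": m.group("bind").strip(),
    }

def grants_anonymous_read(aci, attr=None):
    """True if the ACI allows anonymous read access (of `attr`, when given)."""
    p = parse_aci(aci)
    if (p["effect"] != "allow" or "read" not in p["rights"]
            or not re.search(r'userdn\s*=\s*"ldap:///anyone"', p["bind"])):
        return False
    if attr is None:
        return True
    listed = attr.lower() in p["attrs"]
    return not listed if p["negated"] else listed

def choose_bindtype(existing_acis):
    """Upgrade rule from the thread: a present global anonymous read ACI keeps
    the new permission anonymous; otherwise only authenticated users get it."""
    if any(grants_anonymous_read(a) for a in existing_acis):
        return "anonymous"
    return "all"
```

Passing an attribute name (for example memberOf) to grants_anonymous_read shows whether the old global ACI already exposed it, which is what the new per-attribute permissions have to reproduce on upgrade.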
