[Freeipa-devel] Sudorule schema inconsistencies

Jan Cholasta jcholast at redhat.com
Mon May 12 10:37:47 UTC 2014


Hi,

On 12.5.2014 11:56, Tomas Babej wrote:
> Hi fellow developers,
>
> while working on https://fedorahosted.org/freeipa/ticket/4263 I found
> some inconsistencies in the attribute naming:
>
> There are the following attributes in the schema:
>
> * ipasudorunas_user : RunAs Users
> * ipasudorunas_group : Groups of RunAs Users (and not groups you can
> RunAsGroup as)
>
> This implies that ipasudorunas prefix implicitly talks about RunAsUser
> and not RunAsGroup. This hypothesis is confirmed by attribute:
>
> * ipasudorunasgroup_group : Run with the gid of a specified POSIX group
>
> since here the prefix is ipasudorunas*group*.
>
> However,
>
> * ipasudorunasextuser : RunAs External User (consistent)
> * ipasudorunasextgroup : RunAs External Group (*inconsistent*, since
> ipasudorunas prefix means RunAsUser in other attributes. This attribute
> naming implies semantics of "External Groups of RunAs Users" and not
> "External group you can RunAsGroup as.").
>
> The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for
> implementation of precisely this "External Groups of RunAs Users". Since
> ipasudorunasextgroup attribute is taken, we have the following alternatives:
>
> 1.) Create new attribute ipasudorunasgroup_extgroup and move semantics
> of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the
> 4263's use case. (painful)
> 2.) Create new attribute with inconsistent name, such as
> ipasudorunasextgroupmembers or ipasudorunasextusergroup.
> 3.) Do not create new attributes, but use a workaround which adds failed
> groups as users with % prefix (patch attached).
>
> What do you think?

I'm going to point out that ipasudorunas_user etc. is not an actual 
attribute, it's the ipasudorunas attribute after membership processing. 
In other words, the ipasudorunas attribute is used for both users and 
groups. Is there anything stopping you from doing the same thing with 
ipasudorunasextuser?

Honza

-- 
Jan Cholasta
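
Added example, not part of the original message and not FreeIPA code: a sketch of the membership processing described above, where one DN-valued ipasudorunas attribute yields ipasudorunas_user and ipasudorunas_group, rendered as a sudoers Runas_Spec so the user side and the RunAsGroup side stay visibly separate. The DN containers, the helper names and the sample entry are assumptions made for illustration.

```python
# Added illustration; DN layout and helper names are assumptions, not FreeIPA code.
USERS = "cn=users,cn=accounts,"    # assumed container for user entries
GROUPS = "cn=groups,cn=accounts,"  # assumed container for group entries


def rdn_value(dn):
    """Return the value of the first RDN, e.g. 'uid=alice,...' -> 'alice'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def split_members(entry, attr):
    """Membership processing: one DN-valued attribute -> attr_user / attr_group."""
    out = {attr + "_user": [], attr + "_group": []}
    for dn in entry.get(attr, []):
        parent = dn.split(",", 1)[1].lower()
        if parent.startswith(GROUPS):
            out[attr + "_group"].append(rdn_value(dn))
        elif parent.startswith(USERS):
            out[attr + "_user"].append(rdn_value(dn))
        else:
            raise ValueError("unexpected member DN: " + dn)
    return out


def runas_spec(entry):
    """Render the RunAs part in sudoers form: (users, %groups : runas_groups)."""
    ra = split_members(entry, "ipasudorunas")
    rg = split_members(entry, "ipasudorunasgroup")
    # Left of ':' = who the command may run as; '%name' means "members of group".
    users = ra["ipasudorunas_user"] + ["%" + g for g in ra["ipasudorunas_group"]]
    # External names are plain strings; with option 3 from the thread, a
    # leading '%' stored in ipasudorunasextuser marks a group of RunAs users.
    users += entry.get("ipasudorunasextuser", [])
    # Right of ':' = RunAsGroup; per the thread, ipasudorunasextgroup lands here.
    groups = rg["ipasudorunasgroup_group"] + entry.get("ipasudorunasextgroup", [])
    return "(%s : %s)" % (", ".join(users), ", ".join(groups))


SAMPLE = {  # constructed entry, not taken from a real deployment
    "ipasudorunas": ["uid=dbadmin,cn=users,cn=accounts,dc=example,dc=test",
                     "cn=operators,cn=groups,cn=accounts,dc=example,dc=test"],
    "ipasudorunasgroup": ["cn=backup,cn=groups,cn=accounts,dc=example,dc=test"],
    "ipasudorunasextuser": ["svc_ext", "%ad_admins"],
    "ipasudorunasextgroup": ["ext_wheel"],
}

if __name__ == "__main__":
    print(runas_spec(SAMPLE))
```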