[Freeipa-devel] [PATCHES] 0558-0561 Read ACI fixes

Martin Kosek mkosek at redhat.com
Thu May 29 13:35:31 UTC 2014


On 05/29/2014 11:04 AM, Petr Viktorin wrote:
> On 05/29/2014 10:03 AM, Martin Kosek wrote:
>> On 05/28/2014 03:40 PM, Petr Viktorin wrote:
>>> Hello,
>>> Some of the IPA plugins assume that everyone has access to everything. Here are
>>> some fixes for that.
>>>
>>> Patch 0560 adds a new permission for the UPG Definition, which is required to
>>> add users correctly.
>>
>> 558:
>>
>> Crash is now removed, though I am thinking that the output may be confusing for
>> users as there is no output:
>>
>> # ipa krbtpolicy-show
>> # echo $?
>> 0
>>
>> I need to use --all to see anything:
>>
>> # ipa krbtpolicy-show --all
>>    dn: cn=MKOSEK-FEDORA20.TEST,cn=kerberos,dc=mkosek-fedora20,dc=test
>>    cn: MKOSEK-FEDORA20.TEST
>>    objectclass: krbrealmcontainer, top, krbticketpolicyaux
>>
>> Would it make sense to raise ACIError if the user cannot read any Kerberos policy
>> attributes?
> 
> Hm, actually there's a bigger problem -- if the user policy is not readable,
> the command will actually lie.
> I think we'll need to check attributelevelrights here to see if the attributes
> are really unset or just unreadable. And I'll go through all the other commands
> more carefully, to see if the distinction between "not readable" and "not existing"
> makes a significant difference.
> 
> I withdraw the patch for now.
> 
>> 559: ACK
>> 560: ACK
>> 561:
>>
>> functionally works fine, tested with migrate-ds. When looking at the code,
>> would it make sense to replace this section:
>>
>> +        disable_attr = '(objectclass=disable)'
>> +        org_filter = upg_entries[0].single_value['originfilter']
>> +        return not re.search(r'%s' % disable_attr, org_filter)
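Review bot: the parentheses in `disable_attr` are not escaped before the string reaches `re.search`, so they form a regex group and the pattern matches bare `objectclass=disable` anywhere in `org_filter`, including inside a longer value such as `objectclass=disabled`. Either pass the literal through `re.escape()` or drop the regex in favour of a plain substring test. The `r'%s' %` wrapper around `disable_attr` does nothing and can go as well.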
>>
>> with
>>
>> +        origin_filter = upg_entries[0].single_value['originfilter']
>> +        return '(objectclass=disable)' not in origin_filter
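Review bot: the `in` test on the last line is an exact, case-sensitive string match, while attribute names in an LDAP filter are case-insensitive, so an `originfilter` stored as `(objectClass=disable)` would be reported as not disabled. Consider testing against `origin_filter.lower()`, and guard `upg_entries[0]` and `single_value['originfilter']` for the case where the definition entry or that attribute is not readable by the caller.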
>>
>> I am not sure why RE is used in this case at all.
> 
> Good point, thanks. Update attached.
> 
> 

Thanks, works fine. ACK for all these 3 patches.

Martin
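
The "unset or just unreadable" distinction raised in the quoted discussion of patch 558, sketched as an added example (not code from the patches or from FreeIPA). It assumes the caller has the raw `attributeLevelRights` value from a 389 DS Get Effective Rights query that explicitly requested the policy attributes; the function names and sample data are constructed for illustration.

```python
# Added illustration: names and sample values below are assumptions.
POLICY_ATTRS = ("krbmaxticketlife", "krbmaxrenewableage")


def parse_attribute_level_rights(raw):
    """Parse an attributeLevelRights value ("attr:rights, attr:rights")."""
    rights = {}
    for item in raw.split(","):
        name, _, flags = item.strip().partition(":")
        if not name:
            continue
        flags = flags.strip()
        # The server reports "none" when the bind DN has no rights at all.
        rights[name.strip().lower()] = "" if flags == "none" else flags
    return rights


def classify(entry, rights, attrs=POLICY_ATTRS):
    """Label each attribute as 'set', 'unset' or 'unreadable'.

    An attribute missing from the entry is only called 'unset' when the
    rights map grants read ('r'); anything else fails closed to
    'unreadable', so a caller never reports a hidden value as absent.
    """
    present = {name.lower() for name in entry}
    result = {}
    for attr in attrs:
        key = attr.lower()
        if key in present:
            result[attr] = "set"
        elif "r" in rights.get(key, ""):
            result[attr] = "unset"
        else:
            result[attr] = "unreadable"
    return result


# Constructed sample: the entry as returned to a restricted user, plus the
# effective rights that user holds on the two policy attributes.
SAMPLE_ENTRY = {
    "cn": ["EXAMPLE.TEST"],
    "objectclass": ["krbrealmcontainer", "top", "krbticketpolicyaux"],
}
SAMPLE_RIGHTS = ("cn:rsc, objectclass:rsc, "
                 "krbmaxticketlife:none, krbmaxrenewableage:rsc")

if __name__ == "__main__":
    print(classify(SAMPLE_ENTRY, parse_attribute_level_rights(SAMPLE_RIGHTS)))
```

A command built on this would raise an access error when every policy attribute comes back `unreadable`, rather than printing an empty result.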



