On Thu, 18 Nov 2010 23:11:51 -0500 Rob Crittenden <rcrit...@redhat.com> wrote:
> Re-implement access control using an updated model.
>
> The new model is based on permissions, privileges and roles. Most
> importantly it corrects the reverse membership that caused problems
> in the previous implementation. You add permission to privileges and
> privileges to roles, not the other way around (even though it works
> that way behind the scenes).
>
> A permission object is a combination of a simple group and an aci.
> The linkage between the aci and the permission is the description of
> the permission. This shows as the name/description of the aci.
>
> ldap:///self and groups granting groups (v1-style) are not supported
> by this model (it will be provided separately).
>
> ticket 445
>
> WARNING. The patch is humongous and changes a whole slew of stuff. It
> patches cleanly against the master right now but it is quite delicate
> so the sooner this is reviewed (without pushing anything else) the
> better.
>
> The self-tests all pass for me as well as some spot checking.
>
> Also note that I currently define a single role and it has no
> privileges. We will need to fill that in soon.

Sorry Rob, but before I can ACK a change of this proportion in the
security model I want a wiki page with the model explained clearly and
in detail.

I am vetoing this patch until we have that.

Note, I am *not* saying the patch is wrong, only that reviewing it w/o a
reference model is basically impossible, and it touches sensitive
security stuff, so I can't just let it pass hoping we got everything
right.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
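The model that the quoted commit message describes (permission = group + ACI linked by the permission's description; permissions added to privileges, privileges to roles, with the membership stored the other way round underneath) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the patch under review or from FreeIPA; the `cn=pbac` container naming, the `dc=example,dc=com` suffix, the `PbacDirectory` class and its method names are all assumptions. The point it demonstrates is how the public "add X to Y" API maps onto reverse group membership so that one nested-membership walk from the permission's group reaches the users who hold the right:

```python
"""Toy model of permissions / privileges / roles as described in the quoted
commit message. Illustrative only (written for this page, not FreeIPA code).
Assumed: the cn=pbac container layout, the dc=example,dc=com suffix, and
all class and method names below."""
from dataclasses import dataclass, field

BASE = "dc=example,dc=com"  # assumed suffix, not taken from the message


@dataclass
class Entry:
    dn: str
    members: set = field(default_factory=set)  # direct member DNs


class PbacDirectory:
    """Stand-in for the directory: group entries plus ACIs keyed by the
    permission name, which also serves as the ACI's description."""

    def __init__(self):
        self.entries = {}
        self.acis = {}  # description (== permission name) -> aci fields

    def _group(self, kind, name):
        dn = f"cn={name},cn={kind},cn=pbac,{BASE}"
        self.entries.setdefault(dn, Entry(dn))
        return dn

    def add_user(self, uid):
        dn = f"uid={uid},cn=users,cn=accounts,{BASE}"
        self.entries.setdefault(dn, Entry(dn))
        return dn

    def add_permission(self, name, target, rights):
        # A permission is a simple group plus an ACI; the ACI is found by
        # the permission's description, and its groupdn is the group itself.
        perm = self._group("permissions", name)
        self.acis[name] = {"target": target, "rights": set(rights), "groupdn": perm}
        return perm

    def add_privilege(self, name):
        return self._group("privileges", name)

    def add_role(self, name):
        return self._group("roles", name)

    # Public API, in the direction administrators think about it.
    # Behind the scenes the membership is stored the other way around: the
    # privilege becomes a member of the permission's group, the role a member
    # of the privilege, so the ACI bound to the permission resolves nested
    # members all the way down to users.
    def add_permission_to_privilege(self, perm, priv):
        self.entries[perm].members.add(priv)

    def add_privilege_to_role(self, priv, role):
        self.entries[priv].members.add(role)

    def add_user_to_role(self, user, role):
        self.entries[role].members.add(user)

    def nested_members(self, dn):
        """Transitive members of dn; the seen-set guards against cycles."""
        seen, todo = set(), [dn]
        while todo:
            cur = todo.pop()
            for m in self.entries.get(cur, Entry(cur)).members:
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
        return seen

    def effective_permissions(self, user):
        return {name for name, aci in self.acis.items()
                if user in self.nested_members(aci["groupdn"])}

    def allowed(self, user, target, right):
        """What an ACI evaluation amounts to in this model: some permission
        whose group transitively contains the user grants `right` on target."""
        return any(aci["target"] == target and right in aci["rights"]
                   for aci in self.acis.values()
                   if user in self.nested_members(aci["groupdn"]))


def demo():
    """Constructed sample data: one permission, one privilege, one role."""
    d = PbacDirectory()
    alice, bob = d.add_user("alice"), d.add_user("bob")
    perm = d.add_permission("Modify Users",
                            target=f"cn=users,cn=accounts,{BASE}", rights=["write"])
    priv = d.add_privilege("User Administrators")
    role = d.add_role("helpdesk")
    d.add_permission_to_privilege(perm, priv)
    d.add_privilege_to_role(priv, role)
    d.add_user_to_role(alice, role)
    return d, alice, bob


if __name__ == "__main__":
    d, alice, bob = demo()
    print("alice:", sorted(d.effective_permissions(alice)))
    print("bob:", sorted(d.effective_permissions(bob)))
```

The `nested_members` walk is the part to get right in a real directory: it is what a `groupdn` ACI evaluation does with nested groups, and a cycle introduced by a mistaken membership must not make it loop, which is why the example tracks visited DNs.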