On Wed, 2011-01-26 at 10:36 -0500, Dmitri Pal wrote:
> Martin Kosek wrote:
> > On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
> >
> >> I took a quick look.
> >>
> >> Rob, I thought that there are different APIs for self and delegation. Is
> >> this the case?
> >> ipa permission-... functions should never deal with self service or
> >> delegation acis
> >> They are just for the permission ACIs connected to the target groups.
> >> I do not think this is the right approach.
> >> The prefix is needed but it should be automatically added if you use this
> >> interface.
> >>
> >
> > Well, this patch ensures that permission-* functions will not deal with
> > selfservice or delegation ACIs. Each of these plugins has its own prefix
> > (e.g. "permission:" or "delegation:") which is added to the underlying
> > ACI name.
> >
> > Because of this, the Permission, Selfservice and Delegation plugins work
> > only with ACIs with "their" prefix. Prefix is not visible for user, it
> > is passed to ACI functions automatically by Permission, Delegation and
> > Selfservice plugins.
> >
> >
>
>
> Add an entirely new kind of record to IPA that isn't covered by any of the
> --type options, creating a permission:
> - ipa permission-add --permissions=add
> --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange
> Entries" add_orange
> + ipa permission-add --permissions=add
> --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange
> Entries" --prefix=none add_orange
>
> This change exposes the prefix on the command line which means you can
> manage ACIs with different prefixes.
> Do I misread it?
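
Review bot: the `+` example line passes --prefix=none to ipa permission-add, so the documented example shows the prefix on a user-facing permission command even though the prefix is meant to be supplied automatically by the plugin. Keep the permission-add example as it is on the `-` line, without --prefix, and if an example of the option is wanted, show it on the ACI plugin's own command instead.
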
In the patch, the --prefix option is allowed only for the ACI plugin, which is
hidden from the user. This option shouldn't be allowed for permission,
delegation or selfservice plugins:

$ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
Usage: ipa [global-options] permission-add NAME [options]

ipa: error: no such option: --prefix

When these plugins access ACI they fill the --prefix attribute automatically
(search for the ACI_PREFIX constant in the patch).

Martin