Jan Zelený wrote:
Jan Zelený <jzel...@redhat.com> wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Jan Zelený wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Jan Zelený wrote:
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns types
in permissions class.

https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin
and the _type_map needs to be updated.

rob

I'm sending an updated patch.

Jan

Since dnszone and dnsrecord point to the same kind of entry what is the
point of having two separate names for them? When we read the entry we
aren't going to be able to differentiate between the two.

I didn't take a look how the type thing works, so I'm kinda guessing here
(please ignore the comment if it is wrong):
Sure, object with idnszone class is always also in dnsrecord class, but
that's not the case backwards (idnsrecord object isn't always idnszone) -
so I think it is possible to set different ACIs for these two types.

Can the type be made more specific?

If the mapping doesn't distinguish object classes and it can, maybe that's
the answer. Will investigate further. But if not, I still think this is
the way to go considering the underlying issue which we tried to solve by
this change.

From what I found I think that making changes necessary to distinguish
dnsrecord and dnszone are not worth it, especially that user can use "filter"
for that purpose. Since having both of them doesn't have any additional value,
I'm sending new version of the patch, which is only adding dnsrecord type.

Jan

Ack but this patch needs a rebase.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
