2) In delegation.ldif: ipapermission object class is missing for
removeentitlements and modifyentitlements (it has been added for
addentitlements though)

This was on purpose, I should have been clearer. Patch 664 makes major
changes to these and I'm trying to make the merge easier. I'll fix them
up when 664 gets pushed.

I thought so. I was confused by the addentitlements permission, whose
objectclass was updated. We just have to make sure that the
entitlements patch includes this new objectClass.

In this patch you add a READONLY flag to the Replica permissions. However,
it is not actually used and stays as just an informative flag. It won't
prevent a user from modifying/removing READONLY permissions.

I guess enhancing permission-mod and permission-del with a READONLY check
will be the subject of another ticket?

Ok, interesting point. I considered the aci itself to be read-only. The
only thing a user could do is rename the permission, right? I think that
would maintain consistency so it shouldn't be a problem. It would
probably be easy to really make these read-only but that would have a UI
impact as well, perhaps a problematic one. I suppose if they could
handle any read-only exceptions we'd raise that would be adequate.

Yes, a user could rename or delete the permission. In both cases it won't
have any effect on the ACI as the ACI plugin does not see it. But I think
it would be nice to prevent modifications to these permissions when we
have this new and shiny READONLY flag. A read-only exception may be a way
to achieve this...

I think I got everything. Simo suggested using SYSTEM instead of
READONLY so I switched to that. I also renamed the attribute to
ipapermissiontype and added enforcement over mod/del.
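The drift described earlier in the thread (a permission entry renamed or deleted while its ACI persists, because the ACI plugin never sees the entry change) and the enforcement over mod/del mentioned just above, as an added toy model in Python; this is not FreeIPA's code nor any patch from this thread, and PermissionStore, ReadOnlyError and the sample cn values are assumptions.

```python
# Constructed toy model of the permission-entry / ACI split; not FreeIPA code.
# PermissionStore, ReadOnlyError and the sample cn values are assumptions.


class ReadOnlyError(Exception):
    """Raised when a SYSTEM permission would be modified or deleted."""


class PermissionStore:
    def __init__(self):
        self.permissions = {}  # cn -> attributes of the permission entry
        self.acis = {}         # ACI name -> cn it was generated for

    def add(self, cn, perm_type="NORMAL"):
        self.permissions[cn] = {"ipapermissiontype": perm_type}
        self.acis["permission:" + cn] = cn

    def _check_writable(self, cn):
        # Enforcement over mod/del: SYSTEM permissions are not user-editable.
        if self.permissions[cn]["ipapermissiontype"] == "SYSTEM":
            raise ReadOnlyError("permission %r is a SYSTEM permission" % cn)

    def rename(self, cn, new_cn, enforce=True):
        if enforce:
            self._check_writable(cn)
        self.permissions[new_cn] = self.permissions.pop(cn)
        # ACI left untouched: the ACI plugin does not see the entry change.

    def delete(self, cn, enforce=True):
        if enforce:
            self._check_writable(cn)
        del self.permissions[cn]

    def orphaned_acis(self):
        # ACIs whose owning permission entry no longer exists under that cn.
        return sorted(a for a, cn in self.acis.items() if cn not in self.permissions)


def demo(cn="Manage replicas (constructed)"):
    """Return (orphans without enforcement, rejected?, orphans with it)."""
    unenforced = PermissionStore()
    unenforced.add(cn, "SYSTEM")
    unenforced.delete(cn, enforce=False)  # informative flag only: drift
    enforced = PermissionStore()
    enforced.add(cn, "SYSTEM")
    try:
        enforced.rename(cn, cn + " renamed")
        rejected = False
    except ReadOnlyError:
        rejected = True
    return unenforced.orphaned_acis(), rejected, enforced.orphaned_acis()
```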

Martin found a few more problems, here is another patch.

ACK, all permission tests are OK.

Good job.

pushed to master
