Jan Zelený wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Jan Zelený wrote:
Jan Zelený <jzel...@redhat.com> wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Jan Zelený wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Jan Zelený wrote:
A recent change of the DNS module to version caused the dns object type
to be replaced by dnszone and dnsrecord. This patch corrects the dns types
in the permissions class.


Nack. These values need to be added as valid types to the aci plugin
and the _type_map needs to be updated.


I'm sending an updated patch.


Since dnszone and dnsrecord point to the same kind of entry what is the
point of having two separate names for them? When we read the entry we
aren't going to be able to differentiate between the two.

I didn't take a look how the type thing works, so I'm kinda guessing
here (please ignore the comment if it is wrong):
Sure, object with idnszone class is always also in dnsrecord class, but
that's not the case backwards (idnsrecord object isn't always idnszone)
- so I think it is possible to set different ACIs for these two types.

Can the type be made more specific?

If the mapping doesn't distinguish object classes and it can, maybe
that's the answer. Will investigate further. But if not, I still think
this is the way to go considering the underlying issue which we tried to
solve by this change.

From what I found, I think that making the changes necessary to distinguish
dnsrecord and dnszone is not worth it, especially since the user can use
"filter" for that purpose. Since having both of them doesn't have any
additional value, I'm sending a new version of the patch, which only
adds the dnsrecord type.


Ack but this patch needs a rebase.


Rebased patch in attachment


pushed to master
