Hello,
I'm splitting up ACI work into several designs to make it more manageable.

This one is about
- Moving ACIs out of $SUFFIX
- Storing all ACI data in the permission entry
- Permission flag system for ensuring backwards compatibility

Summary of the backcompat story:
- Attributes, rights, etc. of new permissions may not be modified or read on old servers (not possible since the ACIs aren't in $SUFFIX)
- Old permissions convert to new ones when they're modified on a new server
- Any server can assign (or remove) both old and new permissions to privileges

There is a bit of shuffling in API/CLI option names, since the API option name needs to match the LDAP attributeTypes.

The WIP design document is here:
http://www.freeipa.org/page/V3/Permissions_V2

--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
