On Thu, 2014-01-09 at 15:14 +0100, Petr Viktorin wrote:
> On 01/09/2014 03:07 PM, Simo Sorce wrote:
> > On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
> >> Hello,
> >> When I'm done with [#4074], the "type" permissions will use a target
> >> filter, e.g.:
> >>
> >> ipa permission-add \
> >>     'Modify Account Expiration' \
> >>     --attr=krbPrincipalExpiration \
> >>     --type=user --perm=write
> >>
> >> should result in this ACI at cn=users,...:
> >>
> >> (targetattr = "krbPrincipalExpiration")
> >> (targetfilter = "(objectclass=ipauser)")
> >> (version 3.0;
> >>     acl "permission:Modify Account Expiration";
> >>     allow (write) groupdn = "ldap:///cn=Modify Account Expiration,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
> >>
> >> The problem is matching the "user" type with the "ipauser" objectclass.
> >> I've looked, but I don't think we have such "canonical objectclasses"
> >> defined anywhere in the code. There is object_class and
> >> possible_objectclasses for each object type in the plugins, but these
> >> aren't adequate: user has "posixaccount"; some have multiple
> >> objectclasses listed (even `top` in one case). (Of course it's not a
> >> problem to add multiple classes to the filter, it just seems superfluous.)
> >> I'd like to add a new attribute to LDAPObject that lists the
> >> objectclass(es) for permission filters. This would also mean the list of
> >> allowed `type`s for permissions can be pulled from the plugins, rather
> >> than being hardcoded in the aci/permission plugin.
> >
> > Sounds reasonable, I trust the objectclass can be manually changed anyway
> > if an admin needs to do so ?
> >
> > Simo.
>
> Yes, `type` is just a convenience shortcut to set the location + filter,
> which can be manipulated individually.
> Removing the objectclass filter would make the permission no longer show
> up as that `type`.

The question I think was more nuanced.
Will we allow the creation of custom permissions for UI/CLI ?
In that case will the admin be able to just provide a custom objectclass name ?

I guess the answer is yes, but just checking.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
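The type-to-objectclass mapping discussed in the thread, as an added example that is not FreeIPA code: it renders the ACI that `--type=user` would produce and recovers the `type` from an ACI's targetfilter, which is how a permission stops "showing up" as a type once that filter is edited away. Only the user/ipauser pair and the cn=users container come from the thread; the other entries in the tables are illustrative assumptions, and the helper names are hypothetical.

```python
import re

# Stand-in for the per-plugin attribute Petr proposes on LDAPObject: the
# objectclass(es) that identify each type in a permission filter. Only
# "user" -> "ipauser" is from the thread; the rest are constructed for illustration.
PERMISSION_OBJECTCLASSES = {
    "user": ["ipauser"],
    "group": ["ipausergroup"],   # assumption
    "host": ["ipahost"],         # assumption
}

# Container each type resolves to ("location"); cn=users is from the thread.
TYPE_CONTAINERS = {
    "user": "cn=users,cn=accounts",
    "group": "cn=groups,cn=accounts",      # assumption
    "host": "cn=computers,cn=accounts",    # assumption
}

def type_filter(obj_type):
    """Build the targetfilter for a type; AND the classes together if several."""
    classes = PERMISSION_OBJECTCLASSES[obj_type]
    if len(classes) == 1:
        return "(objectclass=%s)" % classes[0]
    return "(&%s)" % "".join("(objectclass=%s)" % c for c in classes)

def type_location(obj_type, suffix):
    """The DN the ACI is written at when --type is given (location part of the shortcut)."""
    return "%s,%s" % (TYPE_CONTAINERS[obj_type], suffix)

def build_aci(name, attrs, obj_type, perms, suffix):
    """Render the ACI string `ipa permission-add --type=<obj_type>` sets, per the thread."""
    groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s" % (name, suffix)
    return ('(targetattr = "%s")(targetfilter = "%s")(version 3.0; '
            'acl "permission:%s"; allow (%s) groupdn = "%s";)') % (
        " || ".join(attrs), type_filter(obj_type), name, ",".join(perms), groupdn)

def aci_type(aci):
    """Map an ACI back to a type via its targetfilter objectclasses.
    Returns None when the filter is missing or matches no known type,
    i.e. the permission no longer shows up as any `type`."""
    m = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    if not m:
        return None
    present = set(c.lower() for c in re.findall(r'\(objectclass=([^)]+)\)', m.group(1), re.I))
    for obj_type, needed in PERMISSION_OBJECTCLASSES.items():
        if set(c.lower() for c in needed) <= present:
            return obj_type
    return None
```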