On Thu, 2014-01-09 at 15:14 +0100, Petr Viktorin wrote:
> On 01/09/2014 03:07 PM, Simo Sorce wrote:
> > On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
> >> Hello,
> >> When I'm done with [#4074], the "type" permissions will use a target
> >> filter, e.g.:
> >> ipa permission-add \
> >> 'Modify Account Expiration' \
> >> --attr=krbPrincipalExpiration \
> >> --type=user --perm=write
> >> should result in this ACI at cn=users,...:
> >> (targetattr = "krbPrincipalExpiration")
> >> (targetfilter = "(objectclass=ipauser)")
> >> (version 3.0;
> >> acl "permission:Modify Account Expiration";
> >> allow (write) groupdn = "ldap:///cn=Modify Account
> >> Expiration,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
> >> The probjem is matching the "user" type with the "ipauser" objectclass.
> >> I've looked, but I don't think we have such "canonical objectclasses"
> >> defined anywhere in the code. There is object_class and
> >> possible_objectclasses for each object type in the plugins, but these
> >> aren't adequate: user has "posixaccount"; some have multiple
> >> objectclasses listed (even `top` in one case). (Of course it's not a
> >> problem to add multiple classes to the filter, it just seems superfluous.)
> >> I'd like to add a new attribute to LDAPObject that lists the
> >> objectclass(es) for permission filters. This would also mean the list of
> >> allowed `type`s for permissions can be pulled from the plugins, rather
> >> than being hardcoded in the aci/permission plugin.
> > Sounds reasonable, I trust the objetclass can be manually changed anyway
> > if an admin needs to do so ?
> > Simo.
> Yes, `type` is just a convenience shortcut to set the location + filter,
> which can be manipulated individually.
> Removing the objectclass filter would make the permission no longer show
> up as that `type`.
The question I think was more nuanced. Will we allow the creation of
custom permissions for UI/CLI ? In that case will the admin be able to
just provide a custom objectclass name ? I guess the answer is yes, but
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list