On 01/09/2014 03:20 PM, Simo Sorce wrote:
On Thu, 2014-01-09 at 15:14 +0100, Petr Viktorin wrote:
On 01/09/2014 03:07 PM, Simo Sorce wrote:
On Thu, 2014-01-09 at 13:15 +0100, Petr Viktorin wrote:
When I'm done with [#4074], the "type" permissions will use a target
filter, e.g.:

       ipa permission-add \
           'Modify Account Expiration' \
           --attr=krbPrincipalExpiration \
           --type=user --perm=write

should result in this ACI at cn=users,...:

       (targetattr = "krbPrincipalExpiration")
       (targetfilter = "(objectclass=ipauser)")
       (version 3.0;
           acl "permission:Modify Account Expiration";
           allow (write) groupdn = "ldap:///cn=Modify Account

The probjem is matching the "user" type with the "ipauser" objectclass.
I've looked, but I don't think we have such "canonical objectclasses"
defined anywhere in the code. There is object_class and
possible_objectclasses for each object type in the plugins, but these
aren't adequate: user has "posixaccount"; some have multiple
objectclasses listed (even `top` in one case). (Of course it's not a
problem to add multiple classes to the filter, it just seems superfluous.)
I'd like to add a new attribute to LDAPObject that lists the
objectclass(es) for permission filters. This would also mean the list of
allowed `type`s for permissions can be pulled from the plugins, rather
than being hardcoded in the aci/permission plugin.

Sounds reasonable, I trust the objetclass can be manually changed anyway
if an admin needs to do so ?


Yes, `type` is just a convenience shortcut to set the location + filter,
which can be manipulated individually.
Removing the objectclass filter would make the permission no longer show
up as that `type`.

Ah I forgot to mention this, sorry:
For the default permissions (the ones that come with IPA), the admin won't be able to change the target at all. But any custom ones can be changed.

The question I think was more nuanced. Will we allow the creation of
custom permissions for UI/CLI ? In that case will the admin be able to
just provide a custom objectclass name ? I guess the answer is yes, but
just checking.



Freeipa-devel mailing list

Reply via email to