On 03/13/2014 06:26 PM, Petr Viktorin wrote:
> On 03/10/2014 05:40 PM, Petr Viktorin wrote:
>> On 03/07/2014 07:57 PM, Petr Viktorin wrote:
>>> Hello,
>>> This implements https://fedorahosted.org/freeipa/ticket/4216
>>>
>>> It feels like permissions have gone full circle, from being managed by
>>> virtual attributes, to storing all data in LDAP and exposing that, to
>>> exposing mainly virtual attributes after all. The good part is that the
>>> virtual attributes are now just a layer on top of well-structured LDAP
>>> entries.
>>>
>>>
>>> To the point: extratargetfilter lists all target filters that are not
>>> implied by --memberof or --user. The list is writable; changing it will
>>> preserve the implied filters. By default the full underlying list is not
>>> shown, you can use --all or --raw for that.
>>> In CLI, extratargetfilter is now named simply --filter, and the
>>> underlying ipapermtargetfilter is named --rawfilter.
>>>
>>> There are still some cases where the illusion is not complete:
>>>
>>> - When searching, extratargetfilter and ipapermtargetfilter behave the
>>> same, they search the full list.
>>>
>>> - When adding a filter that matches the requirements for --memberof or
>>> --type, the filter will be "used" for that option instead:
>>>
>>> $ ipa permission-add testperm --type user --perm write
>>> --filter='(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)'
>>> ---------------------------
>>> Added permission "testperm"
>>> ---------------------------
>>> Permission name: testperm
>>> Permissions: write
>>> Bind rule type: permission
>>> Subtree: cn=users,cn=accounts,$SUFFIX
>>> Member of group: admins
>>> Type: user
>>>
>>>
>>>
>>> Patches:
>>>
>>> 0489 - Outputting extratargetfilter
>>> 0490 - Writing extratargetfilter
>>> 0491 - CLI names for the options
>>> 0492 - Tests for the above
>>> 0493 - Searching by extratargetfilter
>>> 0494 - Fix an existing bug in --memberof
>>> 0495 - This uses the information made available in the previous patches
>>> to polish a rough edge of the --memberof/--user options.
>>>
>>
>> Attaching rebased patches.
>
> Petr¹ found that extratargetfilter allowed the filter to be changed on managed
> permissions. Attached patches fix this.
>
Thanks for the fix. I tested and checked the whole patch set and it looks and works good.

Pushed to master: 64cc4d81cce2143f13b9ddad946473d58bc42b36

Martin
