On 04/08/2014 12:53 PM, Martin Kosek wrote:
> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>
>> Patch 0508:
>> This documents the inputs for the permission updater in the module itself. This
>> is taken from the design page. I expect it'll need an addition now and then, so
>> I think it's better to have this near the code it corresponds to.
>>
>> Patch 0509:
>> So far the new default permissions have been tied to an Object plugin, and took
>> the ACI location and objectclass filter from the object. However, there are some
>> permissions that are not tied to an IPA object, for instance ones dealing with
>> a compat tree. However, these permissions should behave similarly to the
>> Object-based ones, so it makes sense to use the same updater with them.
>>
>> A question is where the non-Object permissions should be stored. I can think of
>> several alternatives:
>> a) in a special data file, like .update files
>> b) in a new plugin type
>> c) somewhere in the code
>>
>> I went for c) for simplicity, but feel free to discuss. (CCing Rob since he had
>> some strong opinions in this area.)
>>
>> This patch makes ipapermlocation, ipapermtargetfilter and other Permission
>> attributes overridable, and adds a central list of non-object permissions to
>> the updater module. (For now, the list is empty.)
>>
>> My patch 0504.2 (Default read ACIs for Sudo objects) will add a non-object
>> permission for ou=sudoers.
>
> The patch is functional, but I am not really a big fan of placing it in the
> plugin. I would prefer if the ACI definition is also in the sudo plugin
> together with the other definitions. It would then be much easier to audit all
> sudo-related ACIs.
>
> Why can't we add this ACI to sudorule object managed permissions and just
> override the location and target?

I can do that. Most of the changes make this overriding possible; where the permission is actually defined is a detail.

> I am not insisting on a specific format, I would simply prefer to have all
> plugin object related ACIs close together.

My reasoning is that finding the definition would not be straightforward. All the object-specific permissions so far are defined in "their" plugins, as determined by --type. This one won't have --type, and it's not clear if it should be in sudorule, sudocmd or sudocmdgroup.

But, I don't have a strong preference. A `git grep` will always show the definition.
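As an added illustration of the override mechanism discussed in this thread (this is not FreeIPA's own updater code; the ObjectPlugin class, the NON_OBJECT_PERMISSIONS list, the resolve/effective_permissions/audit_report functions and the sample sudo entries are all hypothetical), the sketch below takes ipapermlocation and ipapermtargetfilter from the Object plugin unless a permission definition overrides them, keeps non-object permissions in one central list (alternative c), refuses a non-object entry that leaves either attribute unset, and produces one audit line per effective ACI so the "where is it defined" question from the thread can be answered by listing rather than by `git grep`.

```python
# Added illustration, not FreeIPA code: a hypothetical permission updater that
# fills ipapermlocation / ipapermtargetfilter from an Object plugin unless the
# permission definition overrides them, and keeps non-object permissions in a
# central list so every effective ACI definition can be listed for audit.
from dataclasses import dataclass, field

BASEDN = "dc=example,dc=test"  # constructed sample suffix

# Attributes the updater derives from the Object plugin when not overridden.
OBJECT_DERIVED = ("ipapermlocation", "ipapermtargetfilter")


@dataclass
class ObjectPlugin:
    """Minimal stand-in for an IPA Object plugin (hypothetical)."""
    name: str
    container_dn: str           # container relative to the suffix
    object_class: str
    managed_permissions: dict = field(default_factory=dict)

    def defaults(self):
        return {
            "ipapermlocation": f"{self.container_dn},{BASEDN}",
            "ipapermtargetfilter": f"(objectclass={self.object_class})",
        }


# Central list of permissions not tied to any Object plugin (alternative c)
# from the thread). Each entry must carry both object-derived attributes
# itself, since there is no Object to take them from.
NON_OBJECT_PERMISSIONS = {
    "System: Read Sudoers compat tree": {   # constructed example entry
        "ipapermlocation": f"ou=sudoers,{BASEDN}",
        "ipapermtargetfilter": "(objectclass=sudoRole)",
        "ipapermright": {"read", "search", "compare"},
    },
}


def resolve(name, definition, obj=None):
    """Return the effective attribute set for one permission.

    Explicit keys in ``definition`` win; missing object-derived keys are
    taken from ``obj``; a non-object permission with a missing key is an
    error rather than a silently over-broad ACI.
    """
    effective = dict(definition)
    for attr in OBJECT_DERIVED:
        if attr in effective:
            continue
        if obj is None:
            raise ValueError(f"{name}: non-object permission must set {attr}")
        effective[attr] = obj.defaults()[attr]
    return effective


def effective_permissions(objects, non_object=NON_OBJECT_PERMISSIONS):
    """Resolve every managed permission, keyed by name, plus its origin."""
    result = {}
    for obj in objects:
        for name, definition in obj.managed_permissions.items():
            result[name] = dict(resolve(name, definition, obj), origin=obj.name)
    for name, definition in non_object.items():
        result[name] = dict(resolve(name, definition), origin="<non-object>")
    return result


def audit_report(perms):
    """One line per ACI: where it applies and what it matches, for review."""
    return sorted(
        f"{p['origin']}: {name} @ {p['ipapermlocation']} {p['ipapermtargetfilter']}"
        for name, p in perms.items()
    )


if __name__ == "__main__":
    # Constructed sudorule plugin: one permission inherits both attributes,
    # the other overrides only the filter and keeps the object's location.
    sudorule = ObjectPlugin(
        name="sudorule", container_dn="cn=sudorules,cn=sudo",
        object_class="ipasudorule",
        managed_permissions={
            "System: Read Sudo Rules": {
                "ipapermright": {"read", "search", "compare"},
            },
            "System: Read Disabled Sudo Rules": {
                "ipapermtargetfilter":
                    "(&(objectclass=ipasudorule)(ipaenabledflag=FALSE))",
                "ipapermright": {"read"},
            },
        },
    )
    for line in audit_report(effective_permissions([sudorule])):
        print(line)
```

The audit line carries the origin of each definition, so a non-object permission stored in the central list is still visible next to the plugin-defined ones; only the two object-derived attributes are defaulted, everything else must be spelled out in the definition.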


Freeipa-devel mailing list