On 04/10/2014 02:58 PM, Martin Kosek wrote:
> On 04/10/2014 01:46 PM, Petr Viktorin wrote:
>> On 04/09/2014 05:17 PM, Martin Kosek wrote:
>>> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>>>> The meta-permissions.
>>>>
>>>> Read access is given to all authenticated users. Reading membership info (i.e.
>>>> privileges) is split into a separate permission.
>>>>
>>>> Another permission is added that allows read access to all ACIs.
>>>> If we don't want to open that up for everyone, I could limit this to only ACIs
>>>> containing "permission:". (Since old-style permissions store their information
>>>> in ACIs, their ACIs need to be readable.)
>>>
>>> If I read the notes from our DevConf discussion correctly, there are some
>>>
>>> 1) We decided to not do special membership permission for
>>> permission/privilege/role permissions.
>>>
>>> 2) We decided to give read access to permissions, privileges and roles only to
>>> members of a certain privilege. Is there any reason to not do that? IMO, regular
>>> users do not need to be able to read the permission/privilege/role
>>> configuration of a FreeIPA installation to use it for IdM.
>>
>> Updated. I plan to add all the RBAC-related read permissions to a single
>> privilege, "RBAC Readers". Or do we want more granularity by default?
>>
>> Requires my patch 0514.
>
> I was looking at the granularity we currently have with privileges and it is
> mostly per FreeIPA function (Sudo Administrator or DNS Administrator), not per
> IPA object (Sudo Command Administrator, Sudo Rule Administrator).
>
> I would thus follow the same principle with RBAC and create an RBAC Administrator
> privilege which will cover read permissions for... permissions... privileges
> and roles. In time, we will also add new write privileges there as they are
> currently missing.
>
> To sum it up, the patch works, I would just change the name of the privilege
> and not focus it just on reading.

So to confirm, we want one privilege to cover both reading and writing?
Should I add new read permissions to existing "Administrator" privileges only,
instead of creating new "Reader" permissions?


Freeipa-devel mailing list
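Added example, not code from the thread or from the FreeIPA code base: a small Python model of the two options Petr raises for the ACI-reading permission, exposing every ACI value on an entry versus only those whose acl name carries the "permission:" prefix that FreeIPA gives to permission ACIs. The ACI strings, permission names and DNs below are constructed for this example in 389 Directory Server syntax, and the assumption is that the filter is applied to the acl name rather than to the whole ACI text.

```python
import re

# Constructed sample ACIs in 389 Directory Server syntax. The names and DNs are
# made up for this example; only the "permission:<name>" naming of the acl
# field follows the FreeIPA convention the thread refers to.
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0;acl "permission:Read Sudo Rules";'
    'allow (read, search, compare) '
    'groupdn = "ldap:///cn=Read Sudo Rules,cn=permissions,cn=pbac,dc=example,dc=test";)',
    '(targetattr = "memberOf")(version 3.0;acl "permission:Read Privilege Membership";'
    'allow (read, search, compare) '
    'groupdn = "ldap:///cn=Read Privilege Membership,cn=permissions,cn=pbac,dc=example,dc=test";)',
    '(targetattr = "*")(version 3.0;acl "Admin can manage everything";'
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)',
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0;'
    'acl "Anonymous read access";allow (read, search, compare) userdn = "ldap:///anyone";)',
]

# The acl name is a double-quoted string following the keyword "acl";
# backslash escapes inside the quotes are tolerated.
ACL_NAME_RE = re.compile(r'\bacl\s+"((?:[^"\\]|\\.)*)"')
# Bind rules name who is granted the rights; that is what a reader of an ACI
# learns about the installation, which is why exposure of ACIs matters.
BIND_RULE_RE = re.compile(r'\b(groupdn|userdn)\s*=\s*"([^"]*)"')


def aci_name(aci):
    """Return the acl name of a single ACI value, or raise if it has none."""
    m = ACL_NAME_RE.search(aci)
    if m is None:
        raise ValueError("ACI without an acl name: %r" % aci)
    return m.group(1)


def is_permission_aci(aci):
    """True for ACIs that belong to an IPA permission (old-style ones included)."""
    return aci_name(aci).startswith("permission:")


def visible_acis(acis, only_permissions):
    """Model the two options from the thread: expose all ACIs, or only permission ACIs."""
    if not only_permissions:
        return list(acis)
    return [aci for aci in acis if is_permission_aci(aci)]


def exposed_bind_subjects(acis):
    """DNs named in the bind rules of the given ACIs, i.e. which groups or
    users a reader of those ACIs can see holding which rights."""
    subjects = []
    for aci in acis:
        for _kind, dn in BIND_RULE_RE.findall(aci):
            subjects.append(dn)
    return subjects


if __name__ == "__main__":
    for only_perms in (False, True):
        shown = visible_acis(SAMPLE_ACIS, only_perms)
        print("only_permissions=%s -> %d ACIs readable" % (only_perms, len(shown)))
        for aci in shown:
            print("   ", aci_name(aci))
        print("    bind subjects exposed:", exposed_bind_subjects(shown))
```

With the "all ACIs" option the reader also learns the non-permission ACIs, including which group holds the blanket admin grant; with the "permission:" filter the reader sees only the ACIs that back permission objects, which is all that old-style permissions need in order to be displayed.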
