Martin Kosek wrote:
> On 04/16/2014 02:14 PM, Petr Viktorin wrote:
>> A single permission granting anonymous read access covers automountlocation,
>> automountmap, and automountkey.
>
> This works fine, I am just wondering about the ACI:
>
> 1) Simo, are you OK with one ACI covering all automount objects? I personally
> am, I cannot imagine a situation when somebody allows automount maps but not
> the automount keys. But on the other hand, we also have separate permissions
> for sudo commands, sudo command groups, sudo rules...

With sudo you may want a different set of users deciding WHAT can be executed from WHO can execute it. I don't think automount needs that level of specificity.

> 2) Should we limit the ACI by an objectclass filter? I.e.
> (|(objectclass=automountmap)(objectclass=automount))?

I think these are the only things living in that container so it may be overkill. I'm not against adding it if someone feels more strongly about it.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel