On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> > On 05/16/2014 01:54 PM, Martin Kosek wrote:
> >> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> >>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
> >>>
> >>> Patch 0541 is some minor refactoring for the next part.
> >>>
> >>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
> >>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
> >>>
> >>>
> >>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
> >>>
> >>
> >> 540:
> >>
> >> Looks good! The only attributes I am concerned about are special IPA attributes:
> >>
> >> - ipauniqueid
> >> - ipasshpubkey
> >> - ipauserauthtype
> >> - userclass
> >>
> >> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
> >>
> >> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
> >
> > Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
> >
> > Attaching updated patches.
>
> Ok, looks good.
>
> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>
> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
We could use: "System: Read User Standard Attributes" but the 'posix' version is also ok to me.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel