On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote: > On 05/22/2014 04:20 PM, Petr Viktorin wrote: > > On 05/21/2014 12:14 PM, Simo Sorce wrote: > >> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote: > >>> On 05/16/2014 04:33 PM, Petr Viktorin wrote: > >>>> On 05/16/2014 01:54 PM, Martin Kosek wrote: > >>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote: > >>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed > >>>>>> previously > >>>>>> [0]. > >>>>>> > >>>>>> Patch 0541 is some minor refactoring for the next part. > >>>>>> > >>>>>> Patch 0542 sets the read acces to addressbook attributes to anonymous > >>>>>> when > >>>>>> upgrading from pre-4.0. > >>>>>> I first this by checking if the update is run from ipa-server-install > >>>>>> or > >>>>>> not, > >>>>>> but then I realized the logic I want is simple: if the global anon > >>>>>> read ACI > >>>>>> exists, we want to preserve its spirit by setting addressbook attribute > >>>>>> ACI to > >>>>>> anonymous. > >>>>>> > >>>>>> > >>>>>> [0] > >>>>>> http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html > >>>>>> et > >>>>>> al. > >>>>>> > >>>>> > >>>>> 540: > >>>>> > >>>>> Looks good! The only attributes I am concerned about are special IPA > >>>>> attributes: > >>>>> > >>>>> - ipauniqueid > >>>>> - ipasshpubkey > >>>>> - ipauserauthtype > >>>>> - userclass > >>>>> > >>>>> I personally do not think they should be included in POSIX attributes > >>>>> permissions, they are far from POSIX definition... > >>>>> > >>>>> What about creating one more permission "System: Read User IPA > >>>>> Attributes" as > >>>>> these are specific to FreeIPA use and allowing that permission for all > >>>>> authenticated users? > >>>> > >>>> Sounds reasonable. I assume we want this one to be also set to anonymous > >>>> when > >>>> upgrading from old versions. > >>>> Attaching updated patches. > >>> > >>> Ok, looks good. > >>> > >>> I am now just pondering whether "System: Read User POSIX Attributes" is > >>> the > >>> right name for the permission as there are not just POSIX attributes, but > >>> also > >>> attributes from organizationalPerson or inetOrgPerson objectclasses. > >>> > >>> Maybe we should name it "System: Read User Core Attributes" or "System: > >>> Read > >>> User Basic Attributes"? Simo, any preference? > >> > >> We could use: "System: Read User Standard Attributes" > > > > I've used this one, then. > > > >> > >> but the 'posix' version is also ok to me. > > > > On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote: > >> Also, I just realized we forgot memberOf attribute - it needs to be > >> available > >> to authenticated users otherwise group membership will fall apart. > > > > Good catch. Added. > > > > We are very close to push this one - I have just one last concern about > userpkcs12 attribute. On upgrade, we previously hidden userpkcs12 from user, > now we added it to be read by default. This results in this warning during > upgrade: > > Excluded attributes for System: Read User Addressbook Attributes: userpkcs12 > > Simo (or others), is this OK or do we want to keep hiding userpkcs12 by > default?
Is there any client that needs access to that information that we are aware of ? Simo. _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel