On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
> I'll address the other issues separately.
>
> On 06/18/2014 05:46 PM, Martin Kosek wrote:
> > 3) I hit one issue when I open the Web UI host tab, I get "Insufficient
> > access: No such virtual command" error triggered by "cert-show" command.
> >
> > We will need to add the permission "System: Read Virtual Operations" that
> > Honza is creating also to "Host Administrators" to fix that part.
>
> I'm not familiar with Honza's effort, but that seems right.
> I'm curious, why don't we just allow reading virtual operations by
> anybody? It seems to me they're the same in every IPA installation,
> what's there to hide?
>
> Anyway, I poked around in how it works now: for cert-show you need write
> access to the objectClass of the "retrieve certificate" virt op entry.
> So with that right you can actually remove the "ipaVirtualOperation" objectClass.
> And the new "Anonymous read access to containers" ACI has a
> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for
> a virt op can allow everyone to see that virt op.
> Shouldn't we base the check on some other attribute instead?
>
> And curiously, for cert-find there is no virt op based access check.

I wonder if we can replace some of these with the ipaProtectedOperation
machinery, it works better for protecting itself from manipulation.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
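The problem Petr describes above, modelled as an added example that is not FreeIPA code and not part of this thread: a tiny evaluator for the two LDAP filter forms involved shows why granting write access to objectClass as the virt-op check lets the grantee remove the marker objectClass and fall under the anonymous-read ACI, plus an audit function a defender could run over exported entries. The container DN and the entry contents are constructed assumptions.

```python
"""Added example (not FreeIPA code): why guarding a virtual operation with
write access to its objectClass is self-defeating, and an audit for virt-op
entries that have lost the ipaVirtualOperation marker."""

# Assumed container layout; constructed for this example.
VIRTOP_CONTAINER = "cn=virtual operations,cn=etc,dc=example,dc=com"


def matches_filter(entry, flt):
    """Evaluate the two LDAP filter forms used here: (attr=value) and (!(...))."""
    flt = flt.strip()
    if flt.startswith("(!(") and flt.endswith("))"):
        return not matches_filter(entry, flt[2:-1])
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in {v.lower() for v in entry.get(attr.lower(), [])}


def anonymous_can_read(entry):
    """Model of the 'Anonymous read access to containers' ACI from the thread:
    read is allowed unless the entry carries ipaVirtualOperation."""
    return matches_filter(entry, "(!(objectclass=ipaVirtualOperation))")


def strip_marker(entry):
    """What a holder of write access to objectClass is able to do: drop the marker."""
    new = {k: list(v) for k, v in entry.items()}
    new["objectclass"] = [oc for oc in new["objectclass"]
                          if oc.lower() != "ipavirtualoperation"]
    return new


def audit_virtops(entries):
    """Defender check: DNs under the virt-op container that lack the marker,
    i.e. entries the anonymous-read ACI would now expose."""
    return [dn for dn, e in entries.items()
            if dn.lower().endswith(VIRTOP_CONTAINER) and dn.lower() != VIRTOP_CONTAINER
            and not matches_filter(e, "(objectclass=ipaVirtualOperation)")]


# Constructed sample entry for the "retrieve certificate" virt op.
RETRIEVE_CERT_DN = "cn=retrieve certificate," + VIRTOP_CONTAINER
RETRIEVE_CERT = {"objectclass": ["top", "ipaVirtualOperation"],
                 "cn": ["retrieve certificate"]}

if __name__ == "__main__":
    print(anonymous_can_read(RETRIEVE_CERT))            # False: filter excludes it
    weakened = strip_marker(RETRIEVE_CERT)
    print(anonymous_can_read(weakened))                 # True: readable by anyone
    print(audit_virtops({RETRIEVE_CERT_DN: weakened}))  # flags the weakened entry
```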