On Fri, 12 Sep 2014, Martin Kosek wrote:
Operational Attributes)

Removing a default ACI is difficult (read: new code that could go wrong) if we
want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always
add it back.
Perhaps we should just say in the release notes that people should remove it
manually if they're upgrading from 4.0.2?

Well, I am not convinced that everyone reads the release notes, so I would rather delete this permission in 4.0.3. Hopefully, there won't be many 4.0.2 users. It seems as a lesser evil to me than having SSSD clients broken.
If we are going to replace other ACIs by adding to them a right to read
these attributes, then removing a separate default ACI is not a problem,
isn't it?

/ Alexander Bokovoy

Freeipa-devel mailing list

Reply via email to