On 09/12/2014 09:48 AM, Alexander Bokovoy wrote:
On Fri, 12 Sep 2014, Martin Kosek wrote:
Removing a default ACI is difficult (read: new code that could go
wrong) if we
want to handle 4.0.2 properly, since installing/upgrading to 4.0.2
add it back.
Perhaps we should just say in the release notes that people should
manually if they're upgrading from 4.0.2?
Well, I am not convinced that everyone reads the release notes, so I
would rather delete this permission in 4.0.3. Hopefully, there won't
be many 4.0.2 users. It seems as a lesser evil to me than having SSSD
If we are going to replace other ACIs by adding to them a right to read
these attributes, then removing a separate default ACI is not a problem,
It's not much of a policy problem, it's just adding new code this late
in the cycle: The permission updater doesn't yet have a mechanism to
remove a permission, so I'm writing it now.
Freeipa-devel mailing list