On 09/12/2014 09:48 AM, Alexander Bokovoy wrote:
On Fri, 12 Sep 2014, Martin Kosek wrote:
Operational Attributes)

Removing a default ACI is difficult (read: new code that could go wrong) if we want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always add it back.
Perhaps we should just say in the release notes that people should remove it manually if they're upgrading from 4.0.2?

Well, I am not convinced that everyone reads the release notes, so I would rather delete this permission in 4.0.3. Hopefully, there won't be many 4.0.2 users. It seems like a lesser evil to me than having SSSD clients broken.

If we are going to replace other ACIs by adding to them a right to read these attributes, then removing a separate default ACI is not a problem, is it?

It's not much of a policy problem, it's just adding new code this late in the cycle: The permission updater doesn't yet have a mechanism to remove a permission, so I'm writing it now.

--
Petr³
