On 28.5.2015 12:53, Christian Heimes wrote:
> On 2015-05-28 12:46, Martin Kosek wrote:
>> I am fine with this too. So if there is not another major disagreement,
>> let us start with enabling KDCPROXY by default during upgrade/install,
>> the new ACI and the per-replica standard configuration.
>> 
>> API CLI/UI can come later (4.2.x or 4.3).
> 
> LGTM, too.
> 
> How should the new ACI work? I see two possible ways:
> 
> 1) Allow compare/search for ipaConfigString=enabledService for
> everybody:
> 
> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";;)
> 
> 2) Create a new permission, assign it to all HTTP principals and allow 
> read, compare and search for all ipaConfigString attributes.

I like option 2 - a new permission like "Read configuration of IPA services".

> For the second way I need somebody to walk me through the permission and 
> role system of FreeIPA.

Unfortunately I did not use the new system myself so I do not have
particular steps to share. Please see design pages here:
http://www.freeipa.org/page/V3/Permissions_V2
http://www.freeipa.org/page/V3/Permissions_V2/tests

... and contact Petr Viktorin <pvikt...@redhat.com>. The new permission
system is his child :-)

I hope this helps.

-- 
Petr^2 Spacek
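
The two ACI options discussed in the thread differ mainly in who the bind rule admits. The following is an added example, not code from the thread or from FreeIPA: it parses both ACIs and reports the audience and rights of each. The option 2 string is a constructed sketch; its layout, the `cn=permissions,cn=pbac` container and the `dc=example,dc=test` suffix are assumptions.

```python
import re

# Option 1 ACI as quoted in the thread (mail line wrapping removed).
OPTION1 = ('(targetfilter="(ipaConfigString=enabledService)")'
           '(targetattr="ipaConfigString")'
           '(version 3.0; acl "Compare enabledService access to masters"; '
           'allow(search, compare) userdn = "ldap:///all";;)')

# Constructed sketch of option 2. Only the permission name comes from the
# reply; the DN layout and suffix are assumptions, not FreeIPA output.
OPTION2 = ('(targetattr="ipaConfigString")'
           '(version 3.0; acl "permission:Read configuration of IPA services"; '
           'allow(read, search, compare) groupdn = "ldap:///cn=Read configuration '
           'of IPA services,cn=permissions,cn=pbac,dc=example,dc=test";)')

def parse_aci(aci):
    """Split a 389-DS style ACI into targets, name, rights and bind rule."""
    targets = dict(re.findall(r'\((target\w*)\s*=\s*"((?:[^"\\]|\\.)*)"\)', aci))
    m = re.search(r'\(version 3\.0;\s*acl\s+"([^"]+)";\s*allow\s*\(([^)]*)\)\s*'
                  r'(\w+)\s*=\s*"([^"]*)"\s*;', aci)
    if not m:
        raise ValueError("unrecognised ACI body")
    name, rights, keyword, subject = m.groups()
    return {"targets": targets, "name": name,
            "rights": sorted(r.strip() for r in rights.split(",")),
            "bind": (keyword, subject)}

def audience(parsed):
    """Describe who the bind rule lets through."""
    keyword, subject = parsed["bind"]
    if keyword == "userdn" and subject == "ldap:///anyone":
        return "anonymous and authenticated clients"
    if keyword == "userdn" and subject == "ldap:///all":
        return "every authenticated entry"
    if keyword == "groupdn":
        return "members of " + subject[len("ldap:///"):]
    return "other: %s=%s" % (keyword, subject)

if __name__ == "__main__":
    for label, aci in (("option 1", OPTION1), ("option 2", OPTION2)):
        p = parse_aci(aci)
        print(label, "|", p["name"], "|", ",".join(p["rights"]), "|", audience(p))
```

Option 1 limits exposure through the target filter and by omitting `read`, while option 2 limits it through group membership and can therefore grant `read` on every `ipaConfigString` value.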
