On 06/11/2015 03:55 PM, David Kupka wrote:
> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a):
>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5057
>> Hello David,
>>
>> The patch looks ok except it removes a permission to update 'uid' from
>> an active user. This permission is required to delete (preserve) an
>> active user.
>>
>>     -        # Active container
>>     -        #
>>     -        # Stage user administrators need write right on RDN when
>>     -        # the active user is deleted (preserved)
>>     -        'System: Write Active Users RDN by administrators': {
>>     -            'ipapermlocation': DN(baseuser.active_container_dn,
>>     api.env.basedn),
>>     -            'ipapermbindruletype': 'permission',
>>     -            'ipapermtarget': DN('uid=*',
>>     baseuser.active_container_dn, api.env.basedn),
>>     -            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>>     -            'ipapermright': {'write'},
>>     -            'ipapermdefaultattr': {'uid'},
>>     -            'default_privileges': {'Stage User Administrators'},
>>     -        },
>>     -        #
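Review bot: Dropping this block removes the grant of 'write' on 'uid' for entries under the active container, and the comment being deleted states that Stage User Administrators need write on the RDN when an active user is preserved, so the preserve path loses its grant; keep the permission (renaming it, if the objection is the name) instead of removing the whole dict, and keep the `'ipapermtargetfilter': {'(objectclass=posixaccount)'}` line with it, since the filter scopes the write to user entries rather than everything under the container.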
>>
>> I prepared a new patch (attached) with that permission and it makes
>> 'user-del --preserve' happy.
>> Now I think the name would rather be something like: 'System: Preserve
>> an active user (user-del --preserve)'
>>
>> I also added back this comment in two permissions 'Note: targetfilter is
>> the target parent container'.
>> This was to say that the targetfilter setting was intentional.
>> If you think it is not the right place, you may remove those comments.
>>
>> Thanks
>> thierry
>>
> 
> Hello Thierry,
> Indeed, I accidentally removed these. Thank you for careful review.
> Rebase is needed, but it is due to a change in VERSION and it is useless to do it
> before pushing as there are too many patches going to master right now.
> Martin, are you (as a reporter) OK with the patch?
> 

Not entirely. I still see some weird permission in stageuser.py:

        #
        # Active container
        #
        # Stage user administrators need write right on RDN when
        # the active user is deleted (preserved)
        'System: Write Active Users RDN by administrators': {
            'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
            'ipapermbindruletype': 'permission',
            'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
            'ipapermright': {'write'},
            'ipapermdefaultattr': {'uid'},
            'default_privileges': {'Stage User Administrators'},
        },

This was supposed to be "System: Modify User RDN". When the name is also
fixed, I am fine.
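The point of the thread is that dropping the 'uid' write permission leaves the preserve operation without a grant. As an added example (not FreeIPA's own code), the check below walks permission dicts in the shape quoted above and reports which of them cover the write on 'uid' that preserving an active user needs; the DN string handling, the glob-based target match and the objectclass filter match are simplified stand-ins for the server's ACI evaluation, and the base DN and user name are constructed.

```python
"""Which managed permissions cover a given write?  Added example, not
FreeIPA code: dicts mirror the stageuser.py shape, but target matching
(fnmatch glob over the DN string) and the (objectclass=X) filter match
are simplified stand-ins for 389-ds ACI evaluation.  DNs are constructed."""
from fnmatch import fnmatch

BASEDN = "dc=example,dc=test"     # constructed stand-in for api.env.basedn
ACTIVE = "cn=users,cn=accounts"   # stand-in for baseuser.active_container_dn

# Same shape as the stageuser.py managed permission; DNs joined as strings.
PERMISSIONS = {
    "System: Write Active Users RDN by administrators": {
        "ipapermlocation": f"{ACTIVE},{BASEDN}",
        "ipapermtarget": f"uid=*,{ACTIVE},{BASEDN}",
        "ipapermtargetfilter": {"(objectclass=posixaccount)"},
        "ipapermright": {"write"},
        "ipapermdefaultattr": {"uid"},
        "default_privileges": {"Stage User Administrators"},
    },
}

def _filter_matches(flt, objectclasses):
    """Only simple (objectclass=value) filters are modelled."""
    key, _, value = flt.strip("()").partition("=")
    return key.lower() == "objectclass" and value.lower() in objectclasses

def covering_permissions(perms, entry_dn, objectclasses, right, attr, privilege):
    """Names of permissions granting `right` on `attr` to `privilege`
    for an entry at `entry_dn` carrying `objectclasses`."""
    ocs = {oc.lower() for oc in objectclasses}
    hits = []
    for name, p in perms.items():
        if privilege not in p["default_privileges"] or right not in p["ipapermright"]:
            continue
        if attr.lower() not in {a.lower() for a in p["ipapermdefaultattr"]}:
            continue
        if not fnmatch(entry_dn.lower(), p["ipapermtarget"].lower()):
            continue  # entry is outside the permission's target subtree
        if all(_filter_matches(f, ocs) for f in p["ipapermtargetfilter"]):
            hits.append(name)
    return hits

def preserve_covered(perms):
    """Preserving an active user renames it, which needs write on the RDN
    attribute 'uid' under the active container for Stage User Administrators."""
    dn = f"uid=alice,{ACTIVE},{BASEDN}"   # constructed active user entry
    return covering_permissions(perms, dn, {"posixAccount", "inetOrgPerson"},
                                "write", "uid", "Stage User Administrators")
```

With the quoted permission removed from the dict, `preserve_covered` returns an empty list, which is the situation Thierry's review caught.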

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code