On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
>> usercertificate attr was moved from "System Modify Users" to this
>> new permission.
>>
>> https://fedorahosted.org/freeipa/ticket/5177
>>
>> Note: hosts have permission "System: Manage Host Certificates", services
>> don't have it but usercertificate is in "System: Modify Services". I would
>> move it as well if usercertificate was not the only attr in "System: Modify
>> Services".
>
> New permission works as expected.
>
> What are the implications of removing userCertificate attribute from
> "Modify Users" ACI? Users could be relying on it given that there
> is (until now) no more fine-grained permission.

I'm not sure what the expected ACI upgrade behavior is, but applying this patch on an installed server and running ipa-server-upgrade ends with userCertificate still in the "System: Modify Users" permission - it eliminates your worry. The rest of the users who still run IPA < 4.2 won't even notice.

> Perhaps we should
>
> a) use update script to add the new permission to any roles that
>     have the Modify Users permission, or
> b) not remove the userCertificate attribute from the ACI, or
> c) deem this change acceptable and leave the patch as-is, in which
>     case: ACK
>
> Cheers,
> Fraser

--
Petr Vobornik
