On 11/05/2014 05:22 PM, Rob Verduijn wrote:
I saw in the upstream foreman-prepare-realm script that the new
permission names should include a prefix "System: "
That Prefix is not there, what did change was that some permissions
where no longer lower case only.
ie in 3.3.5 the permission is 'write dns configuration' and in 4.1 it
becomes 'Write DNS Configuration'

Rob

Right. There were some changes to IPA's default policy too, but I don't think it should affect the Foreman proxy very much. For example there are now permissions for reading data, but most are granted to all authenticated users by default.

I've left some comments in the pull request.

2014-11-05 16:25 GMT+01:00 Petr Spacek <pspa...@redhat.com
<mailto:pspa...@redhat.com>>:

    On 5.11.2014 16:20, Rob Verduijn wrote:

        Hello,

        Yes I noticed the name change it took me a while to realise it
        was a known
        ruby bug in katello that caused the real problem.

        I also checked after I updated the 'katello integrated' update
        from 3.3.5
        to 4.1 and the permissions were neatly renamed to their new
        counterparts.

        However the internal dns no longer worked :(


    So the permissions broke after upgrade to 4.1, right? pviktori, can
    you give us some advice?

    Thanks!

    Petr^2 Spacek

        Rob

        2014-11-05 16:17 GMT+01:00 Stephen Benjamin <step...@redhat.com
        <mailto:step...@redhat.com>>:

            On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote:

                        Also when I look at the permissions in ipa there
                        are no longer any
                        permissions that have the 'System: ' prefix.


                    AFAIK the foreman proxy is not necessary (and not
                    supported) with IPA
                    4.x because it was obsoleted by 'native' proxy
                    delivered by Foreman
                    upstream.

                    Am I right, Rob (Crittenden)? :-)


                I believe he's referring to the native smart proxy here.
                It includes a
                script to setup permissions. I guess it hasn't been
                tested against a 4.x
                IPA master.


            The permissions have changed names in FreeIPA 4.0, which
            means the
            script won't work.  I've tested this one against 4.1 on F21
            and it
            works:


            
https://raw.githubusercontent.__com/stbenjam/smart-proxy/8278/__sbin/foreman-prepare-realm
            
<https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm>

            There's an open pull request against foreman's Smart Proxy
            to include
            that in the next release:

            https://github.com/theforeman/__smart-proxy/pull/231--
            <https://github.com/theforeman/smart-proxy/pull/231-->



--
PetrĀ³

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to