Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-15 Thread Petr Vobornik

On 06/11/2015 07:49 PM, thierry bordaz wrote:

On 06/11/2015 04:34 PM, David Kupka wrote:

On 11.6.2015 at 16:17, Martin Kosek wrote:

On 06/11/2015 03:55 PM, David Kupka wrote:

On 11.6.2015 at 14:12, thierry bordaz wrote:

On 06/10/2015 02:14 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from
an active user. This permission is required to delete(preserve) an
active user.

 -# Active container
 -#
 -# Stage user administrators need write right on RDN when
 -# the active user is deleted (preserved)
 -'System: Write Active Users RDN by administrators': {
 -'ipapermlocation': DN(baseuser.active_container_dn,
 api.env.basedn),
 -'ipapermbindruletype': 'permission',
 -'ipapermtarget': DN('uid=*',
 baseuser.active_container_dn, api.env.basedn),
 -'ipapermtargetfilter':
{'(objectclass=posixaccount)'},
 -'ipapermright': {'write'},
 -'ipapermdefaultattr': {'uid'},
 -'default_privileges': {'Stage User Administrators'},
 -},
 -#

I prepared a new patch (attached) with that permission and it makes
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve
an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note:
targetfilter is
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry



Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
Rebase is needed but it is due to a change in VERSION and it is useless
to do it before push as there are too many patches going to master right now.
Martin, are you (as a reporter) OK with the patch?



Not entirely. I still see some weird permission in stageuser.py:

 #
 # Active container
 #
 # Stage user administrators need write right on RDN when
 # the active user is deleted (preserved)
 'System: Write Active Users RDN by administrators': {
 'ipapermlocation': DN(baseuser.active_container_dn,
api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 'ipapermright': {'write'},
 'ipapermdefaultattr': {'uid'},
 'default_privileges': {'Stage User Administrators'},
 },

This was supposed to be System: Modify User RDN. When the name is also
fixed, I am fine.


Updated patch attached.



Hi David,

All the tests are ok. The patch is fine for me. ACK



Pushed to master: 44cced658bde224957a605bfa083821d8fbf94c0

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
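The managed-permission dicts and the ACI.txt lines quoted in this thread, modelled in an added example that is not FreeIPA's own code: render_aci() approximates how one such dict becomes an ACI.txt line (the real generator is not reproduced here), and writers_of() is the check behind Thierry's objection, namely which permission still grants Stage User Administrators write on uid under the active container. Base DN and container DNs are constructed sample values; the preserved-users entry is given no attribute list so that it renders as targetattr = *, as in the patch.

```python
# Added example, not FreeIPA's own code; base DN and containers are
# constructed sample values matching the ACI.txt lines in the thread.
BASEDN = 'dc=ipa,dc=example'
ACTIVE = 'cn=users,cn=accounts,' + BASEDN
DELETED = 'cn=deleted users,cn=accounts,cn=provisioning,' + BASEDN

MANAGED_PERMISSIONS = {
    # the active-container permission, under the name Martin asked for
    'System: Modify User RDN': {
        'ipapermlocation': ACTIVE,
        'ipapermbindruletype': 'permission',
        'ipapermtarget': 'uid=*,' + ACTIVE,
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'ipapermdefaultattr': {'uid'},
        'default_privileges': {'Stage User Administrators'},
    },
    # the permission the patch adds on preserved users: no attribute
    # list, so it renders as (targetattr = *) like the ACI.txt line
    'System: Modify Preserved Users': {
        'ipapermlocation': DELETED,
        'ipapermbindruletype': 'permission',
        'ipapermtarget': 'uid=*,' + DELETED,
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'default_privileges': {'Stage User Administrators'},
    },
}

def render_aci(name, perm, basedn=BASEDN):
    """Render one permission as the ACI string ACI.txt records for it."""
    attrs = ' || '.join(sorted(perm.get('ipapermdefaultattr') or {'*'}))
    filters = sorted(perm['ipapermtargetfilter'])
    # several target filters are AND-ed; a single one is emitted as-is
    tfilter = filters[0] if len(filters) == 1 else '(&%s)' % ''.join(filters)
    rights = ','.join(sorted(perm['ipapermright']))
    return ('(targetattr = %s)(target = ldap:///%s)(targetfilter = %s)'
            '(version 3.0;acl permission:%s;allow (%s) groupdn = '
            'ldap:///cn=%s,cn=permissions,cn=pbac,%s;)'
            % (attrs, perm['ipapermtarget'], tfilter, name, rights,
               name, basedn))

def writers_of(permissions, privilege, container, attr):
    """Names of permissions giving `privilege` write access to `attr` on
    entries directly under `container`; an empty result is the regression
    Thierry caught (the 'uid' write needed by 'user-del --preserve')."""
    found = []
    for name, perm in permissions.items():
        if privilege not in perm['default_privileges']:
            continue
        if 'write' not in perm['ipapermright']:
            continue
        if not perm['ipapermtarget'].endswith(',' + container):
            continue
        allowed = {a.lower() for a in perm.get('ipapermdefaultattr') or {'*'}}
        if '*' in allowed or attr.lower() in allowed:
            found.append(name)
    return sorted(found)
```

Dropping 'System: Modify User RDN' from the dict makes writers_of() return an empty list for uid under the active container, which is exactly the condition the review caught.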


Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread David Kupka

On 11.6.2015 at 16:17, Martin Kosek wrote:

On 06/11/2015 03:55 PM, David Kupka wrote:

On 11.6.2015 at 14:12, thierry bordaz wrote:

On 06/10/2015 02:14 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from
an active user. This permission is required to delete(preserve) an
active user.

 -# Active container
 -#
 -# Stage user administrators need write right on RDN when
 -# the active user is deleted (preserved)
 -'System: Write Active Users RDN by administrators': {
 -'ipapermlocation': DN(baseuser.active_container_dn,
 api.env.basedn),
 -'ipapermbindruletype': 'permission',
 -'ipapermtarget': DN('uid=*',
 baseuser.active_container_dn, api.env.basedn),
 -'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 -'ipapermright': {'write'},
 -'ipapermdefaultattr': {'uid'},
 -'default_privileges': {'Stage User Administrators'},
 -},
 -#

I prepared a new patch (attached) with that permission and it makes
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve
an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note: targetfilter is
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry



Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
Rebase is needed but it is due to a change in VERSION and it is useless to do it
before push as there are too many patches going to master right now.
Martin, are you (as a reporter) OK with the patch?



Not entirely. I still see some weird permission in stageuser.py:

 #
 # Active container
 #
 # Stage user administrators need write right on RDN when
 # the active user is deleted (preserved)
 'System: Write Active Users RDN by administrators': {
 'ipapermlocation': DN(baseuser.active_container_dn, 
api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 'ipapermright': {'write'},
 'ipapermdefaultattr': {'uid'},
 'default_privileges': {'Stage User Administrators'},
 },

This was supposed to be System: Modify User RDN. When the name is also
fixed, I am fine.


Updated patch attached.


--
David Kupka
From d4d7ee1c2c2e6ca88afa676d338cca4d80b8b379 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz tbor...@redhat.com
Date: Thu, 11 Jun 2015 13:18:27 +0200
Subject: [PATCH] Stage User: Fix permissions naming and split them where
 appropriate.

---
 ACI.txt | 26 +++---
 VERSION |  4 +--
 ipalib/plugins/stageuser.py | 82 ++---
 3 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 60e9ebb10bc9b7266ff0d42a05d4d165d4ed2d55..08fc05ebc202a64b0e1584303c8dda5b5a1aa074 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -247,25 +247,27 @@ aci: (targetattr = cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Remove Service Delegations;allow (delete) groupdn = ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Add Stage Users by Provisioning and Administrators;allow (add) groupdn = ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Add Stage User;allow (add) groupdn = ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = *)(target = ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Modify Preserved Users;allow (write) groupdn = ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = *)(target = 
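Review bot: the added 'System: Modify Preserved Users' ACI on cn=deleted users grants (write) with (targetattr = *), that is every attribute of a preserved posixaccount entry, while the active-container write permission discussed in this thread is scoped to 'ipapermdefaultattr': {'uid'}; if an unrestricted write on preserved users is intended, say so in the commit message, otherwise narrow the attribute set. The hunk is cut off after the second cn=staged users entry, so the remaining renames in this section cannot be checked here.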

Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread Martin Kosek
On 06/11/2015 03:55 PM, David Kupka wrote:
 On 11.6.2015 at 14:12, thierry bordaz wrote:
 On 06/10/2015 02:14 PM, David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/5057
 Hello David,

 The patch looks ok except it removes a permission to update 'uid' from
 an active user. This permission is required to delete(preserve) an
 active user.

 -# Active container
 -#
 -# Stage user administrators need write right on RDN when
 -# the active user is deleted (preserved)
 -'System: Write Active Users RDN by administrators': {
 -'ipapermlocation': DN(baseuser.active_container_dn,
 api.env.basedn),
 -'ipapermbindruletype': 'permission',
 -'ipapermtarget': DN('uid=*',
 baseuser.active_container_dn, api.env.basedn),
 -'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 -'ipapermright': {'write'},
 -'ipapermdefaultattr': {'uid'},
 -'default_privileges': {'Stage User Administrators'},
 -},
 -#

 I prepared a new patch (attached) with that permission and it makes
 'user-del --preserve' happy.
 Now I think the name would rather be something like: 'System: Preserve
 an active user (user-del --preserve)'

 I also added back this comment in two permissions 'Note: targetfilter is
 the target parent container'.
 This was to say that the targetfilter setting was intentional.
 If you think it is not the right place, you may remove those comments.

 Thanks
 thierry

 
 Hello Thierry,
 Indeed, I accidentally removed these. Thank you for the careful review.
 Rebase is needed but it is due to a change in VERSION and it is useless to do it
 before push as there are too many patches going to master right now.
 Martin, are you (as a reporter) OK with the patch?
 

Not entirely. I still see some weird permission in stageuser.py:

#
# Active container
#
# Stage user administrators need write right on RDN when
# the active user is deleted (preserved)
'System: Write Active Users RDN by administrators': {
'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
api.env.basedn),
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
'ipapermright': {'write'},
'ipapermdefaultattr': {'uid'},
'default_privileges': {'Stage User Administrators'},
},

This was supposed to be System: Modify User RDN. When the name is also
fixed, I am fine.



Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread thierry bordaz

On 06/11/2015 04:34 PM, David Kupka wrote:

On 11.6.2015 at 16:17, Martin Kosek wrote:

On 06/11/2015 03:55 PM, David Kupka wrote:

On 11.6.2015 at 14:12, thierry bordaz wrote:

On 06/10/2015 02:14 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from
an active user. This permission is required to delete(preserve) an
active user.

 -# Active container
 -#
 -# Stage user administrators need write right on RDN when
 -# the active user is deleted (preserved)
 -'System: Write Active Users RDN by administrators': {
 -'ipapermlocation': DN(baseuser.active_container_dn,
 api.env.basedn),
 -'ipapermbindruletype': 'permission',
 -'ipapermtarget': DN('uid=*',
 baseuser.active_container_dn, api.env.basedn),
 -'ipapermtargetfilter': 
{'(objectclass=posixaccount)'},

 -'ipapermright': {'write'},
 -'ipapermdefaultattr': {'uid'},
 -'default_privileges': {'Stage User Administrators'},
 -},
 -#

I prepared a new patch (attached) with that permission and it makes
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve
an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note: targetfilter is
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry



Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
Rebase is needed but it is due to a change in VERSION and it is useless
to do it before push as there are too many patches going to master right now.
Martin, are you (as a reporter) OK with the patch?



Not entirely. I still see some weird permission in stageuser.py:

 #
 # Active container
 #
 # Stage user administrators need write right on RDN when
 # the active user is deleted (preserved)
 'System: Write Active Users RDN by administrators': {
 'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 'ipapermright': {'write'},
 'ipapermdefaultattr': {'uid'},
 'default_privileges': {'Stage User Administrators'},
 },

This was supposed to be System: Modify User RDN. When the name is also
fixed, I am fine.


Updated patch attached.



Hi David,

All the tests are ok. The patch is fine for me. ACK


Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread David Kupka

On 11.6.2015 at 14:12, thierry bordaz wrote:

On 06/10/2015 02:14 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from
an active user. This permission is required to delete(preserve) an
active user.

-# Active container
-#
-# Stage user administrators need write right on RDN when
-# the active user is deleted (preserved)
-'System: Write Active Users RDN by administrators': {
-'ipapermlocation': DN(baseuser.active_container_dn,
api.env.basedn),
-'ipapermbindruletype': 'permission',
-'ipapermtarget': DN('uid=*',
baseuser.active_container_dn, api.env.basedn),
-'ipapermtargetfilter': {'(objectclass=posixaccount)'},
-'ipapermright': {'write'},
-'ipapermdefaultattr': {'uid'},
-'default_privileges': {'Stage User Administrators'},
-},
-#

I prepared a new patch (attached) with that permission and it makes
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve
an active user (user-del --preserve)'

I also added back this comment in two permissions 'Note: targetfilter is
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry



Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
Rebase is needed but it is due to a change in VERSION and it is useless to do
it before push as there are too many patches going to master right now.

Martin, are you (as a reporter) OK with the patch?

--
David Kupka



Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread thierry bordaz

On 06/10/2015 02:14 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5057

Hello David,

The patch looks ok except it removes a permission to update 'uid' from 
an active user. This permission is required to delete(preserve) an 
active user.


   -# Active container
   -#
   -# Stage user administrators need write right on RDN when
   -# the active user is deleted (preserved)
   -'System: Write Active Users RDN by administrators': {
   -'ipapermlocation': DN(baseuser.active_container_dn,
   api.env.basedn),
   -'ipapermbindruletype': 'permission',
   -'ipapermtarget': DN('uid=*',
   baseuser.active_container_dn, api.env.basedn),
   -'ipapermtargetfilter': {'(objectclass=posixaccount)'},
   -'ipapermright': {'write'},
   -'ipapermdefaultattr': {'uid'},
   -'default_privileges': {'Stage User Administrators'},
   -},
   -#

I prepared a new patch (attached) with that permission and it makes 
'user-del --preserve' happy.
Now I think the name would rather be something like: 'System: Preserve 
an active user (user-del --preserve)'


I also added back this comment in two permissions 'Note: targetfilter is 
the target parent container'.

This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry
From a35afd482cf08ed6ee721bf425041cae05c5e518 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz tbor...@redhat.com
Date: Thu, 11 Jun 2015 13:18:27 +0200
Subject: [PATCH] Stage User: Fix permissions naming and split them where
 appropriate.

---
 ACI.txt | 26 ---
 VERSION |  4 +--
 ipalib/plugins/stageuser.py | 80 ++---
 3 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..338e5e174c575875ade1a35304c6f0e8dad9e39e 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -237,25 +237,27 @@ aci: (targetattr = cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Remove Service Delegations;allow (delete) groupdn = ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Add Stage Users by Provisioning and Administrators;allow (add) groupdn = ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Add Stage User;allow (add) groupdn = ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = *)(target = ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Modify Preserved Users;allow (write) groupdn = ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Delete modify Stage Users by administrators;allow (delete,write) groupdn = ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example;)
-dn: dc=ipa,dc=example
-aci: (target_to = ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(target_from = ldap:///cn=users,cn=accounts,dc=ipa,dc=example;)(targetfilter = (objectclass=nsContainer))(version 3.0;acl permission:System: Preserve an active user to a delete Users;allow (moddn) groupdn = ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Modify Stage User;allow (write) groupdn = ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: dc=ipa,dc=example
-aci: (target_to = ldap:///cn=users,cn=accounts,dc=ipa,dc=example;)(target_from = ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=nsContainer))(version 3.0;acl permission:System: Reactive delete users;allow (moddn) groupdn =
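Review bot: this hunk removes the two moddn ACIs 'System: Preserve an active user to a delete Users' (target_from cn=users, target_to cn=deleted users) and 'System: Reactive delete users' with no replacement visible before the hunk is cut off, and the renamed 'System: Modify Stage User' keeps only (write) where 'System: Delete modify Stage Users by administrators' allowed (delete,write); since the thread states that a permission is required for 'user-del --preserve', confirm that the corresponding moddn permissions (under their new names) and a separate stage-user delete permission appear later in ACI.txt, and mention the split in the commit message. The new 'System: Modify Preserved Users' ACI also uses (targetfilter = (objectclass=posixaccount)) while the neighbouring 'System: Modify Stage User' uses (objectclass=*); the two filters should match unless the difference is deliberate.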