Re: [Freeipa-devel] [PATCH] 0524 Add managed read permission to config

2014-04-15 Thread Martin Kosek
On 04/14/2014 10:00 PM, Petr Viktorin wrote:
> Read access is given to all authenticated users.
>

This only works when I added cn and objectclass attributes to the ACI. Is this
expected?

It would work when we add nsContainer ACI for cn=etc though as it has the
nsContainer objectclass.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
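The point Martin raises above (a read permission that grants the configuration attributes but not cn and objectclass does not let a search find or return cn=ipaconfig), as an added example that is not part of this thread and not FreeIPA's own code. The permission dicts mirror the shape used in ipalib/plugins/config.py; render_aci() is an assumed approximation of 389-DS ACI syntax, simulated_search() is a toy model of the server's access checks, and the directory entry is constructed:

```python
"""Lint a FreeIPA-style managed read permission for the attributes a
search needs in order to match and return the entry, and compare the
'before' permission (payload attributes only) with the fixed one.

Added example, not FreeIPA's own code.  render_aci() is an assumed
approximation of 389-DS ACI syntax; simulated_search() is a toy model
of the server's access checks written for this illustration.
"""

# Constructed values taken from the patch under discussion.
CONTAINER_DN = "cn=ipaconfig,cn=etc"
FILTER_OBJECTCLASSES = ["ipaguiconfig"]

# Permission as first posted: only the configuration payload attributes.
PERMISSION_BEFORE = {
    "ipapermbindruletype": "all",            # any authenticated bind
    "ipapermright": {"read", "search", "compare"},
    "ipapermdefaultattr": {
        "ipaconfigstring", "ipadefaultloginshell", "ipauserauthtype",
    },
}

# Fixed permission: cn (the RDN attribute) and objectclass are granted too.
PERMISSION_AFTER = dict(PERMISSION_BEFORE)
PERMISSION_AFTER["ipapermdefaultattr"] = (
    PERMISSION_BEFORE["ipapermdefaultattr"] | {"cn", "objectclass"}
)

# Assumed mapping from FreeIPA bind rule types to 389-DS userdn clauses.
BINDRULE = {
    "all": 'userdn = "ldap:///all"',
    "anonymous": 'userdn = "ldap:///anyone"',
}


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN: 'cn' for cn=ipaconfig,cn=etc."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def required_attributes(dn, filter_objectclasses):
    """Attributes a search over the container must be able to read and
    search: the RDN attribute (to return the entry under its DN) and
    objectclass whenever the ACI carries an objectclass targetfilter."""
    needed = {rdn_attribute(dn)}
    if filter_objectclasses:
        needed.add("objectclass")
    return needed


def missing_attributes(dn, filter_objectclasses, perm):
    """Required attributes the permission does not grant, sorted."""
    granted = {a.lower() for a in perm["ipapermdefaultattr"]}
    return sorted(required_attributes(dn, filter_objectclasses) - granted)


def render_aci(name, filter_objectclasses, perm):
    """Render the permission as ACI text (assumed 389-DS syntax)."""
    attrs = " || ".join(sorted(perm["ipapermdefaultattr"]))
    rights = ",".join(sorted(perm["ipapermright"]))
    parts = [f'(targetattr = "{attrs}")']
    if filter_objectclasses:
        clauses = "".join(f"(objectclass={oc})" for oc in filter_objectclasses)
        flt = clauses if len(filter_objectclasses) == 1 else f"(|{clauses})"
        parts.append(f'(targetfilter = "{flt}")')
    parts.append(
        f'(version 3.0;acl "permission:{name}";'
        f'allow ({rights}) {BINDRULE[perm["ipapermbindruletype"]]};)'
    )
    return "".join(parts)


def simulated_search(entries, filter_objectclass, perm):
    """Toy model of an authenticated (objectclass=<x>) search under perm:
    the filter attribute must itself be granted for an entry to match,
    and only granted attributes are returned.  Returns [(dn, attrs)]."""
    granted = {a.lower() for a in perm["ipapermdefaultattr"]}
    results = []
    for dn, entry in entries.items():
        if "objectclass" not in granted:
            continue  # filter attribute not searchable: nothing matches
        values = {v.lower() for v in entry["objectclass"]}
        if filter_objectclass.lower() not in values:
            continue
        visible = {k: v for k, v in entry.items() if k.lower() in granted}
        results.append((dn, visible))
    return results


# Constructed sample entry standing in for cn=ipaconfig,cn=etc,$SUFFIX.
ENTRIES = {
    "cn=ipaconfig,cn=etc,dc=example,dc=test": {
        "cn": ["ipaconfig"],
        "objectclass": ["top", "nsContainer", "ipaGuiConfig"],
        "ipaconfigstring": ["AllowNThash"],
        "ipadefaultloginshell": ["/bin/sh"],
        "ipacertificatesubjectbase": ["O=EXAMPLE.TEST"],  # granted by neither
    },
}

if __name__ == "__main__":
    for label, perm in (("before", PERMISSION_BEFORE), ("after", PERMISSION_AFTER)):
        print(label, "missing:", missing_attributes(CONTAINER_DN, FILTER_OBJECTCLASSES, perm))
        print(label, "search hits:", simulated_search(ENTRIES, "ipaguiconfig", perm))
    print(render_aci("System: Read Global Configuration", FILTER_OBJECTCLASSES, PERMISSION_AFTER))
```

Run as a script, the 'before' permission reports cn and objectclass as missing and the simulated search returns nothing, while the 'after' permission returns the entry with only the granted attributes. The same lint can be applied to any managed permission whose ACI carries a targetfilter: whatever attribute the filter tests must be among the granted ones, or the filter never matches for that bind.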


Re: [Freeipa-devel] [PATCH] 0524 Add managed read permission to config

2014-04-15 Thread Petr Viktorin

On 04/15/2014 09:53 AM, Martin Kosek wrote:
> On 04/14/2014 10:00 PM, Petr Viktorin wrote:
>> Read access is given to all authenticated users.
>>
>
> This only works when I added cn and objectclass attributes to the ACI. Is this
> expected?
>
> It would work when we add nsContainer ACI for cn=etc though as it has the
> nsContainer objectclass.

You're right, cn and objectclass should be granted explicitly. My mistake.
Fixed patch attached.


--
Petr³
From 94e2401bde270c1671a10e18389e1c5b5a99ff7b Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 14:56:30 +0100
Subject: [PATCH] Add managed read permission to config

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/config.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 05369be4e93052f18c6cefa03621d651f470749b..4ac411c74c75ab7408c5c876f1efaec8788a5618 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -94,6 +94,28 @@ class config(LDAPObject):
 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
 'ipauserauthtype'
 ]
+container_dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'))
+permission_filter_objectclasses = ['ipaguiconfig']
+managed_permissions = {
+'System: Read Global Configuration': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'objectclass',
+'ipacertificatesubjectbase', 'ipaconfigstring',
+'ipadefaultemaildomain', 'ipadefaultloginshell',
+'ipadefaultprimarygroup', 'ipagroupobjectclasses',
+'ipagroupsearchfields', 'ipahomesrootdir',
+'ipakrbauthzdata', 'ipamaxusernamelength',
+'ipamigrationenabled', 'ipapwdexpadvnotify',
+'ipaselinuxusermapdefault', 'ipaselinuxusermaporder',
+'ipasearchrecordslimit', 'ipasearchtimelimit',
+'ipauserauthtype', 'ipauserobjectclasses',
+'ipausersearchfields', 'ipacustomfields',
+},
+},
+}
 
 label = _('Configuration')
 label_singular = _('Configuration')
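Review bot: The commit message does not record the access change this hunk makes: `'replaces_global_anonymous_aci': True` together with `'ipapermbindruletype': 'all'` replaces the anonymous read ACI on cn=ipaconfig,cn=etc with one that requires an authenticated bind, so the message should state that anonymous reads of the global configuration stop working after this patch. Separately, `'ipapermdefaultattr'` repeats the attribute names already listed in `default_attributes` just above (`'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata'`, ...); a comment that the two lists must be kept in sync, or deriving one from the other, would keep a future config attribute from being added to one list and silently left unreadable in the other.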
-- 
1.9.0


Re: [Freeipa-devel] [PATCH] 0524 Add managed read permission to config

2014-04-15 Thread Martin Kosek
On 04/15/2014 10:37 AM, Petr Viktorin wrote:
> On 04/15/2014 09:53 AM, Martin Kosek wrote:
>> On 04/14/2014 10:00 PM, Petr Viktorin wrote:
>>> Read access is given to all authenticated users.
>>>
>>
>> This only works when I added cn and objectclass attributes to the ACI. Is this
>> expected?
>>
>> It would work when we add nsContainer ACI for cn=etc though as it has the
>> nsContainer objectclass.
>
> You're right, cn and objectclass should be granted explicitly. My mistake.
> Fixed patch attached.
>
>

That's better - works fine. ACK.

Pushed to master: 75eaf0bddfe0ce3eaea86b42a767c16846379b4b

Martin
