Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Martin Kosek wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how does the patch work. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called "Write IPA Configuration" (with an underlying ACI) and one privilege also called "Write IPA Configuration". Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
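Review bot: the two added entries in the first quoted block carry the same cn, "Write IPA Configuration", and differ only in their container (cn=privileges versus cn=permissions) and one objectClass (nestedgroup versus ipapermission), which makes them easy to misread as a duplicate. A short comment above each dn: saying which entry is the privilege and which is the permission, and that the permission's member value is what ties it to the privilege, would help. The ACI that actually grants the write on cn=ipaconfig is not among the quoted lines, so it is worth confirming in the full patch that it is bound to the permission entry's DN and covers only the attributes that are meant to be editable.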
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Rob Crittenden wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how does the patch work. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan Yeah, I know it's redundant looking but these need to be 2 separate records. Privileges are for the most part a 1-1 relationship to permissions but not always. We wanted to have this intermediate object to make things easier for the end-user when assigning them to roles. rob
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Martin Kosek wrote: > On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: > > Rob Crittenden wrote: > > > Add permission and privilege for updating the IPA configuration in > > > cn=ipaconfig. > > > > > > ticket 950 > > > > > > rob > > > > I'm not quite sure how does the patch work. In particular, I wonder about > > these two blocks: > > > > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > +default:objectClass: top > > +default:objectClass: groupofnames > > +default:objectClass: nestedgroup > > +default:cn: Write IPA Configuration > > + > > +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX > > +default:objectClass: top > > +default:objectClass: groupofnames > > +default:objectClass: ipapermission > > +default:cn: Write IPA Configuration > > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > > > Can't they be specified in one block like: > > > > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > +default:objectClass: top > > +default:objectClass: groupofnames > > +default:objectClass: nestedgroup > > +default:objectClass: ipapermission > > +default:cn: Write IPA Configuration > > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > > > Thanks in advance > > > > Otherwise the patch looks good, so if this is not an issue, I give it > > ACK. > > > > Jan > > I think this is OK. We are adding 2 objects - one permission called > "Write IPA Configuration" (with an underlying ACI) and one privilege > also called "Write IPA Configuration". Therefore they cannot be merged > to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: > Rob Crittenden wrote: > > Add permission and privilege for updating the IPA configuration in > > cn=ipaconfig. > > > > ticket 950 > > > > rob > > I'm not quite sure how does the patch work. In particular, I wonder about > these two blocks: > > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > +default:objectClass: top > +default:objectClass: groupofnames > +default:objectClass: nestedgroup > +default:cn: Write IPA Configuration > + > +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX > +default:objectClass: top > +default:objectClass: groupofnames > +default:objectClass: ipapermission > +default:cn: Write IPA Configuration > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > Can't they be specified in one block like: > > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > +default:objectClass: top > +default:objectClass: groupofnames > +default:objectClass: nestedgroup > +default:objectClass: ipapermission > +default:cn: Write IPA Configuration > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX > > Thanks in advance > > Otherwise the patch looks good, so if this is not an issue, I give it ACK. > > Jan I think this is OK. We are adding 2 objects - one permission called "Write IPA Configuration" (with an underlying ACI) and one privilege also called "Write IPA Configuration". Therefore they cannot be merged to one LDAP object. Martin
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Rob Crittenden wrote: > Add permission and privilege for updating the IPA configuration in > cn=ipaconfig. > > ticket 950 > > rob I'm not quite sure how does the patch work. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan
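Review bot: in the proposed single block, the member value is the entry's own DN (cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX), so the merged entry would list itself as a member, and nothing would be created under cn=permissions at all. The two-entry form from the first block should stay as it is: the permission under cn=permissions with its member pointing at the separate privilege under cn=privileges.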