On 12/10/2010 01:36 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Rob Crittenden wrote:
Round out our trio of access control plugins. This adds group to group
delegation where you can grant group A the ability to write a set of
attributes of group B (v1-style delegation).

rob

I'm withdrawing this patch, needs more work.

rob

Here is the replacement patch along with some testing instructions:

$ kinit admin
$ ipa delegation-add --attrs=street --membergroup=admins --group=editors 'editors edit admins street'
$ ipa user-add --first=tim --last=user tuser1 --password
$ ipa group-add --users=tuser1 editors
$ ipa user-add --first=jim --last=admin jadmin
$ ipa group-add-member --users=jadmin admins
$ kinit tuser1
$ ipa user-mod --street='123 main' jadmin (should succeed)
$ ipa user-mod --first=Jimmy jadmin (should fail)

ACK. pushed to master

Tested this out, and a few other options and they work OK.

This doesn't have the metadata, just like the self-service plugin.


So basically we create a couple of users. One we add to editors and the other to admins.

We create an ACI that grants users in editors the right to manage the street address of users in admins, then we try it out.
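
The access decision the test steps exercise, as an added example that is not part of the original thread or the FreeIPA code: a simplified default-deny model that parses one 389-ds style ACI and checks binder group, target group and attribute. The ACI text, the DNs and the dc=example,dc=com suffix are constructed assumptions, and other ACIs present in a real directory are ignored.

```python
import re

# Constructed sample: a 389-ds style ACI of the kind the delegation in the
# test steps is assumed to produce. DNs and suffix are placeholders.
SAMPLE_ACI = (
    '(targetattr = "street")'
    '(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com)")'
    '(version 3.0;acl "editors edit admins street";allow (write) '
    'groupdn = "ldap:///cn=editors,cn=groups,cn=accounts,dc=example,dc=com";)'
)

def parse_aci(aci):
    """Extract the four fields this simplified model evaluates."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    member = re.search(r'\(targetfilter\s*=\s*"\(memberOf=([^)]*)\)"\)', aci, re.I)
    allow = re.search(r'allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    if not (attrs and member and allow):
        raise ValueError("unsupported ACI shape")
    return {
        "attrs": {a.strip().lower() for a in attrs.group(1).split("||")},
        "target_group": member.group(1).lower(),
        "rights": {r.strip().lower() for r in allow.group(1).split(",")},
        "bind_group": allow.group(2).lower(),
    }

def write_allowed(acis, binder_groups, target_groups, attr):
    """Default deny: True only if some ACI grants write on attr for this pair."""
    binder = {g.lower() for g in binder_groups}
    target = {g.lower() for g in target_groups}
    for rule in map(parse_aci, acis):
        if ("write" in rule["rights"] and attr.lower() in rule["attrs"]
                and rule["bind_group"] in binder and rule["target_group"] in target):
            return True
    return False

EDITORS = "cn=editors,cn=groups,cn=accounts,dc=example,dc=com"
ADMINS = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    # tuser1 (editors) modifying jadmin (admins), as in the test steps.
    print(write_allowed([SAMPLE_ACI], [EDITORS], [ADMINS], "street"))     # True
    # givenName is the attribute behind --first; it is not in targetattr.
    print(write_allowed([SAMPLE_ACI], [EDITORS], [ADMINS], "givenName"))  # False
    # The grant is one-directional: admins gain nothing over editors.
    print(write_allowed([SAMPLE_ACI], [ADMINS], [EDITORS], "street"))     # False
```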


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
