On 06/18/2014 02:23 PM, Martin Kosek wrote:
On 06/18/2014 02:20 PM, Petr Viktorin wrote:
On 06/18/2014 02:05 PM, Martin Kosek wrote:
[...]
583.2: OK

584.2:

1) Typo in description:
Convewrt the existing default permissions.

Thanks for the catch, I'll fix it before pushing.


2) What would you like to do with per-zone permissions?

# ipa dnszone-add-permission example.com
------------------------------------------------------
Added system permission "Manage DNS zone example.com."
------------------------------------------------------
    Manage DNS zone example.com.

# ipa permission-show 'Manage DNS zone example.com.'
    Permission name: Manage DNS zone example.com.
    Granted to Privilege: test2
    Indirect Member of roles: test2

Should the command be converted to add V2 permissions? We would have to also
deal with conversion from old DNS zone permissions to permissionsv2 though.

3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
entries in a zone" permissions to managed? It would make their maintenance and
updates much easier, we would also get rid of more updates in update files.

The only problem I see is how to define 'userattr =
"parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
rough at the moment.

I'd like to leave these two cases until after the "regular" default permissions
are done.
The regular permissions must be converted now because when you "touch" them
with 4.0 permission-mod, they get converted to V2 and the updater will no
longer count them as old default permissions. So we need to convert all of them
right now. The SYSTEM ones can't be modified so they could theoretically wait
till 4.1+.
There'll be a few more SYSTEM permissions to convert like 'Modify DNA Range'.

Ok, not a blocker.

I opened [#4384] for 1).

For the second case, yes, adding more bind rule types will need some work (and
a new permission flag). I'd like to combine that work with the
selfservice/delegation, which also need special bind rules.

Ok, please make sure that we have the ideas and missing TODOs reflected in 
tickets.

I'm tracking 3) as part of [#4346] now. These show up in a simple grep or ldapsearch.

Given these arrangements, ACK to the patch set as is (with the typo fix).

Martin


Thanks, pushed to master: 700ac6c11627137db758ad376c44745db579dc84



[#4384] https://fedorahosted.org/freeipa/ticket/4384
[#4346] https://fedorahosted.org/freeipa/ticket/4346

--
Petr³
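The conversion rule in the thread (an old default permission that is touched by the 4.0 permission-mod becomes V2 and is no longer counted by the updater, while SYSTEM ones cannot be modified and may wait) suggests a pre-upgrade check: list every permission entry and bucket it by its ipaPermissionType flags, so the unconverted defaults are visible before the updater runs. The script below is an added example, not FreeIPA project code. It reads LDIF such as an ldapsearch over the permissions container would return; the container DN cn=permissions,cn=pbac and the flag values V2, MANAGED and SYSTEM are assumed from the FreeIPA 4.0 layout and should be checked against the deployed schema. The embedded LDIF is constructed sample data.

```python
"""Bucket FreeIPA permission entries by ipaPermissionType (added example,
not FreeIPA code). Flag values and the container DN are assumptions based
on the FreeIPA 4.0 layout; the LDIF below is constructed sample data."""
from typing import Dict, List

# Constructed sample LDIF covering the cases the thread discusses: a SYSTEM
# permission, an old-style default without any V2 flag, a converted managed
# permission, and a user-created plain V2 permission.
SAMPLE_LDIF = """\
dn: cn=Manage DNS zone example.com.,cn=permissions,cn=pbac,dc=example,dc=com
cn: Manage DNS zone example.com.
objectClass: ipapermission
ipaPermissionType: SYSTEM

dn: cn=Add DNS entries in a zone,cn=permissions,cn=pbac,dc=example,dc=com
cn: Add DNS entries in a zone
objectClass: ipapermission

dn: cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read Users
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermissionType: V2
ipaPermissionType: MANAGED

dn: cn=Custom DNS admins,cn=permissions,cn=pbac,dc=example,dc=com
cn: Custom DNS admins
objectClass: ipapermissionv2
ipaPermissionType: V2
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries are separated by blank lines, folded lines
    (leading space) are joined to the previous value, attribute names are
    lowercased. Base64 ('::') values are not decoded; ldapsearch only emits
    those for non-printable data, which permission entries normally lack."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                          # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):                      # LDIF comment
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def classify(entry: Dict[str, List[str]]) -> str:
    """Bucket one permission entry by its ipaPermissionType flags (assumed
    FreeIPA 4.0 values SYSTEM / MANAGED / V2)."""
    types = {t.upper() for t in entry.get("ipapermissiontype", [])}
    if "SYSTEM" in types:
        return "system"   # not modifiable via permission-mod; conversion can wait
    if "MANAGED" in types:
        return "managed"  # already converted and maintained by the updater
    if "V2" in types:
        return "v2"       # V2 but not managed: the updater no longer treats it as a default
    return "old"          # pre-4.0 style default: convert before it gets touched


def report(text: str) -> Dict[str, str]:
    """Map each permission name (cn) in the LDIF to its bucket."""
    return {e["cn"][0]: classify(e) for e in parse_ldif(text) if "cn" in e}


def old_style(text: str) -> List[str]:
    """Names of permissions that still need conversion."""
    return sorted(name for name, cat in report(text).items() if cat == "old")


if __name__ == "__main__":
    # Pipe real data in with: ldapsearch -LLL ... -b cn=permissions,cn=pbac,$SUFFIX
    # (base DN assumed); here the constructed sample is used instead.
    for name, cat in report(SAMPLE_LDIF).items():
        print(f"{cat:8} {name}")
```

Run against a real export, the "old" bucket is the list the updater will convert; anything that moves from "old" to "v2" between two runs is a default permission that was touched by permission-mod and will now be skipped by the conversion.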

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
