Bug 788645
| Summary: | [RFE] Allow filter and subtree to be added in same permission | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | charles_sheridan, mkosek, nsoman |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.0.3-1.el7 | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 10:08:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 976382, 1153292 | ||
| Bug Blocks: | 893850, 894378 | ||
|
Description
Dmitri Pal
2012-02-08 17:26:58 UTC
Fixed upstream as a part of permission plugin refactoring (https://fedorahosted.org/freeipa/ticket/4034): 423bb38965ce361c3a4d373ddc03008842f110ac Test adding noaci/system permissions to privileges d38748d64f5c7fb098b839b3c00a1f812d510d3b Make sure SYSTEM permissions can be retreived with --all --raw 7fc35ced1d83d9901f4a1bf59482c3c4666d6079 permission plugin: Ensure ipapermlocation (subtree) always exists 53caa7aca21b097e1ca975c1c4b4e7038558bc9b Roll back ACI changes on failed permission updates f47669a5b969a512756a39f451f04ed9c95ce3ab Verify ACIs are added correctly in tests d7ee87cfa1e288fe18dc2dbeb2d691753048f4db Rewrite the Permission plugin 445634d6ac39669cc007871861e19e15ae22c12d Add new permission schema 8ddb5da1eab910d5dd6eb13696bb6092e979d5a1 Add tests for permission plugin with older clients a1236b654200ba79ba0074ca88ff5972802fed56 Allow Declarative test classes to specify the API version a8ba5e0ef9fa92fb465aab8c25947f5717f4b3cb Allow sets for initialization of frozenset-typed Param keywords Verified using ipa-server-4.1.0-15.el7.x86_64
filter and subtree can now be added in same permission
# ipa permission-add read_roles --subtree cn=roles,cn=accounts,dc=testrelm,dc=test --filter "(cn=helpdesk)" --attrs={objectclass,cn,description} --bindtype=anonymous --right={read,search,compare}
-----------------------------
Added permission "read_roles"
-----------------------------
Permission name: read_roles
Granted rights: read, search, compare
Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
Bind rule type: anonymous
Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
Extra target filter: (cn=helpdesk)
# ipa permission-show read_roles --all
dn: cn=read_roles,cn=permissions,cn=pbac,dc=testrelm,dc=test
Permission name: read_roles
Granted rights: read, search, compare
Effective attributes: cn, createtimestamp, description, entryusn, modifytimestamp, objectclass
Included attributes: objectclass, cn, description
Bind rule type: anonymous
Subtree: cn=roles,cn=accounts,dc=testrelm,dc=test
Extra target filter: (cn=helpdesk)
Raw target filter: (cn=helpdesk)
ipapermissiontype: V2, SYSTEM
objectclass: ipapermission, top, groupofnames, ipapermissionv2
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html |