Allow renaming of sudo and HBAC rules #617
Conversation
I don't like that it is done on the client side. This will not work for Web UI, for example.

Thank you Alexander for your insight. Since this was a hack, I did not want to do it server-wise. I chose a different approach to the problem and reworked the original idea so the rename option is now worked with on server. Just for the record, the names of sudo rules are still not checked for CN compatibility since their primary key is not part of their DN, but that's how things have been since for ever, I am afraid (you can try
ipaserver/plugins/baseldap.py
| @@ -550,6 +550,7 @@ class LDAPObject(Object): | |||
| uuid_attribute = '' | |||
| attribute_members = {} | |||
| rdn_is_primary_key = False # Do we need RDN change to do a rename? | |||
| allow_rename = False | |||
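Review bot: `allow_rename = False` is added directly below `rdn_is_primary_key = False` with no comment on how the two relate, while the existing line's comment ("Do we need RDN change to do a rename?") already reads as a rename gate, so readers of LDAPObject cannot tell which one a plugin must set; either document the distinction inline, e.g. `allow_rename = False  # May this object be renamed via *-mod --rename?`, or collapse the two so that one attribute gates renaming and the need for a DN update is derived from the entry's current DN.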
Why introduce a new class attribute when rdn_is_primary_key does exactly the same?
Because we want to rename objects whose primary key is not RDN. But you're right, perhaps the attribute is just ill-named.
edit: nope, we are not changing DN in these objects.
IMO the attribute is entirely ill, as it does 2 different things: it allows renaming and forces DN update on rename.
I think we should finally get rid of it and use
- the `allow_rename` attribute to allow renaming and
- decide whether a DN update is required or not based on the current DN.
Note that the above should be done in a separate commit and linked to https://pagure.io/freeipa/issue/2466.
I like the idea but please address @HonzaCholasta comments.

For the record, and I might be wrong, I did a bit of researching, the

The latest patch removes the

I'd like to see this in 3 different patches: needed refactoring, sudo, hbac

I like the I'm afraid about one thing. This will basically break custom user plugins if they used

I haven't seen any custom plugin that used

Please provide tests, LGTM otherwise

Added the tests but did not test them so we may want to see what Travis has to say about that.

And please split it into multiple commits as I requested
The rename operation on *_mod commands was only allowed when the primary key of an entry was also its RDN. With these changes, it should be possible to rename the rest of the entries as well. An attribute was added to the base LDAPObject to whitelist the objects we want to allow to be renamed. It replaced an old attribute rdn_is_primary_key which was used for the very same purpose, but the name was confusing because it was not set correctly for certain objects.

https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784

The recent changes allow HBAC rule objects to be renamed.

https://pagure.io/freeipa/issue/6784

The recent changes allow the sudorule objects to be renamed.

https://pagure.io/freeipa/issue/2466
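The split Honza asks for in the review thread (gate renaming on a whitelist attribute, and derive the need for a DN change from the entry's current DN rather than from a second flag), which is also what the refactoring commit message above summarises, as an added Python example that is not FreeIPA's code; the object table, the DNs and the `plan_rename`/`split_dn` names are constructed for illustration:

```python
import re

# Constructed stand-ins for the FreeIPA LDAPObject definitions discussed in
# this PR (hypothetical shape; the real classes carry far more state).
OBJECTS = {
    # primary key is the RDN: a rename must also move the entry (modrdn)
    "user": {"primary_key": "uid", "allow_rename": True},
    # primary key is a plain attribute, RDN is ipaUniqueID: modify only
    "sudorule": {"primary_key": "cn", "allow_rename": True},
    "hbacrule": {"primary_key": "cn", "allow_rename": True},
    # not whitelisted: the rename is refused whatever the DN looks like
    "config": {"primary_key": "cn", "allow_rename": False},
}


def split_dn(dn):
    """Split a DN into (attribute, value) RDN parts.

    Only the '\\,' escape is honoured; enough for the DNs built here.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip(), value.strip()))
    return parts


def plan_rename(obj_type, dn, new_name):
    """Return ('refuse' | 'modify' | 'modrdn', resulting DN) for a --rename.

    Whether the DN has to change is read off the current DN: if the first
    RDN is built from the primary-key attribute the entry must be moved,
    otherwise only the attribute value is updated in place.
    """
    spec = OBJECTS[obj_type]
    if not spec["allow_rename"]:
        return "refuse", dn
    parts = split_dn(dn)
    rdn_attr, _ = parts[0]
    if rdn_attr.lower() != spec["primary_key"].lower():
        return "modify", dn
    new_parts = [(rdn_attr, new_name)] + parts[1:]
    return "modrdn", ",".join(f"{a}={v}" for a, v in new_parts)
```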
*sigh* there was a rogue space. Split into three separate commits.

Please update release notes (changelog)

Changelogs were updated.
FreeIPA renaming operations were reworked in freeipa/freeipa#617. The rdn_is_primary_key attribute was replaced with the new allow_rename one.

Fixes: abbra#11
Signed-off-by: Stanislav Levin <slev@altlinux.org>

FreeIPA renaming operations were reworked in freeipa/freeipa#617. The rdn_is_primary_key attribute was replaced with the new allow_rename one.

Fixes: #11
Signed-off-by: Stanislav Levin <slev@altlinux.org>
This simple hack adds a rename option to the client side sudorule-mod command.

https://pagure.io/freeipa/issue/2466