author | Petr Viktorin <pviktori@redhat.com> | 2014-06-04 16:11:30 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-10 13:55:56 +0200 |
commit | e0cafea374ea62e1f59b15ad31a78f7702fac159 (patch) | |
tree | a9ccb760c386b4b72c835a3954d788615d469ef3 /ipaserver/install | |
parent | e3b20b9d03f08b889474ef94aef11b31723fdf53 (diff) | |
managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something other
than just the attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/plugins/update_managed_permissions.py | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 13433d353..e6f852c09 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -408,11 +408,20 @@ class update_managed_permissions(PostUpdate): An attribute will be included if the user has it in LDAP but it does not appear in *any* historic ACI. It will be excluded if it is in *all* historic ACIs but not in LDAP. + Rationale: When we don't know which version of an ACI the user is + upgrading from, we only consider attributes where all the versions + agree. For other attrs we'll use the default from the new managed perm. If the ACIs differ in something else than the list of attributes, raise IncompatibleACIModification. This means manual action is needed (either delete the old permission or change it to resemble the default - again, then re-run ipa-ldap-updater) + again, then re-run ipa-ldap-updater). + + In case there are multiple historic default ACIs, and some of them + are compatible with the current but other ones aren't, we deduce that + the user is upgrading from one of the compatible ones. + The incompatible ones are removed from consideration, both for + compatibility and attribute lists. """ assert default_acistrings @@ -434,6 +443,7 @@ class update_managed_permissions(PostUpdate): attrs_in_all_defaults = None attrs_in_any_defaults = set() + all_incompatible = True for default_acistring in default_acistrings: default_aci = ACI(default_acistring) default_attrs = _pop_targetattr(default_aci) @@ -442,7 +452,9 @@ class update_managed_permissions(PostUpdate): if current_aci != default_aci: self.log.debug('ACIs not compatible') - raise(IncompatibleACIModification()) + continue + else: + all_incompatible = False if attrs_in_all_defaults is None: attrs_in_all_defaults = set(default_attrs) 
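Review bot: In the third hunk the `else:` after `continue` is redundant; `all_incompatible = False` can sit directly after the `if` block at the same indentation, i.e. `continue` followed by `all_incompatible = False`, which reads more plainly than an if/continue/else. Also, since an incompatible historic ACI is now skipped instead of being fatal, the debug message should name the ACI that was dropped so an administrator can later reconstruct which baseline the upgrade chose, e.g. `self.log.debug('ACIs not compatible: %s', default_acistring)`. The enclosing method starts and ends outside this hunk.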
@@ -450,6 +462,10 @@ class update_managed_permissions(PostUpdate):
 attrs_in_all_defaults &= attrs_in_all_defaults
 attrs_in_any_defaults |= default_attrs
+ if all_incompatible:
+ self.log.debug('All old default ACIs are incompatible')
+ raise(IncompatibleACIModification())
+
 included = current_attrs - attrs_in_any_defaults
 excluded = attrs_in_all_defaults - current_attrs
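Review bot: The new `all_incompatible` guard relies on `attrs_in_all_defaults` being the intersection over the compatible historic ACIs, but the context line just above it, `attrs_in_all_defaults &= attrs_in_all_defaults`, intersects the set with itself, so after the loop it still holds only the attribute list of the first compatible default. If I read the `excluded` computation correctly, an attribute that is in that first default but not in a later one and not in LDAP is then treated as deliberately removed by the administrator and withheld from the new managed permission. This is pre-existing, but the docstring added in the first hunk now promises intersection semantics, so that line presumably should read `attrs_in_all_defaults &= default_attrs`. The enclosing method starts outside this hunk.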