Ticket #2293 attempted to control attributes that are being specified for permission for a given object type (user, group, ...). But this approach was too strict and it would decrease the flexibility of our permission/ACI system.
Rather, warn the user about "irrelevant" attributes when adding a permission instead of refusing to create it.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=817401 (Red Hat Enterprise Linux 6)
Moving to August bucket, this ticket depends on #2732 which is scheduled for July.
permission-add should fail when permission is added on an unknown attribute, which it does, in FreeIPA 4.1 and later:
# ipa permission-add ManageUser --permissions=write --type=user --attr=foo
ipa: ERROR: targetattr "foo" does not exist in schema. Please add attributeTypes "foo" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22foo\22)(targetfilter = \22(objectclass=posixaccount)\22)(version 3.0;acl \22permission:ManageUser\22;allow (write) groupdn = \22ldap:///cn=ManageUser,cn=permissions,cn=pbac,dc=mkosek-f21,dc=test\22;): Invalid syntax.
Additional checks on top of that would lower the flexibility of the command (default list of user objectclasses can be extended by plugins or other means).
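The two tiers the thread settles on (a hard failure for an attribute the schema does not know, only a warning for an attribute that is merely not part of the type's default objectclasses, so that plugins can still extend the objectclass list) as an added example. This is illustration code, not FreeIPA's `permission-add` implementation; the schema, the objectclass lists and `register_type_objectclass` are constructed stand-ins for what the server would read from its LDAP subschema and plugin registry.

```python
"""Two-tier attribute validation for a permission-add style command.

Added example, not FreeIPA code. SCHEMA_OBJECTCLASSES and TYPE_OBJECTCLASSES are
constructed toy data standing in for the directory's subschema and the plugin
registry; attribute names are compared case-insensitively like LDAP does.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of a schema: objectclass -> attributes it allows.
SCHEMA_OBJECTCLASSES = {
    "posixaccount": {"uid", "cn", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword"},
    "inetorgperson": {"cn", "sn", "givenname", "mail", "telephonenumber",
                      "title", "userpassword"},
    "posixgroup": {"cn", "gidnumber", "memberuid", "userpassword"},
    "groupofnames": {"cn", "member", "owner"},
    "krbprincipalaux": {"krbprincipalname", "krblastpwdchange"},
}

# Every attributeType the schema knows about (what the ACI parser checks).
SCHEMA_ATTRIBUTES = set().union(*SCHEMA_OBJECTCLASSES.values())

# Default objectclasses behind each --type. Plugins may append to these lists,
# which is why "attribute not in the type's objectclasses" is only a warning.
TYPE_OBJECTCLASSES = {
    "user": ["posixaccount", "inetorgperson"],
    "group": ["posixgroup", "groupofnames"],
}


@dataclass
class ValidationResult:
    ok: bool
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    targetattr: Optional[str] = None  # ACI fragment, only when ok


def register_type_objectclass(obj_type: str, objectclass: str) -> None:
    """Hypothetical plugin hook: extend the objectclasses of a permission type."""
    if objectclass not in SCHEMA_OBJECTCLASSES:
        raise ValueError(f"objectclass {objectclass!r} is not in the schema")
    TYPE_OBJECTCLASSES.setdefault(obj_type, []).append(objectclass)


def validate_permission_attrs(obj_type: str, attrs: List[str]) -> ValidationResult:
    """Tier 1: unknown attributeType -> error (the permission is refused).
    Tier 2: known attributeType not allowed by any of the type's objectclasses
    -> warning only, the permission is still created."""
    result = ValidationResult(ok=True)
    if obj_type not in TYPE_OBJECTCLASSES:
        result.ok = False
        result.errors.append(f'unknown object type "{obj_type}"')
        return result

    relevant = set()
    for oc in TYPE_OBJECTCLASSES[obj_type]:
        relevant |= SCHEMA_OBJECTCLASSES.get(oc, set())

    accepted = []
    for attr in attrs:
        name = attr.lower()
        if name not in SCHEMA_ATTRIBUTES:
            result.ok = False
            result.errors.append(
                f'targetattr "{attr}" does not exist in schema. '
                f'Please add attributeTypes "{attr}" to schema if necessary.')
            continue
        if name not in relevant:
            result.warnings.append(
                f'attribute "{attr}" is not used by the default objectclasses '
                f'of type "{obj_type}" ({", ".join(TYPE_OBJECTCLASSES[obj_type])})')
        accepted.append(name)

    if result.ok:
        result.targetattr = '(targetattr = "' + " || ".join(accepted) + '")'
    return result


if __name__ == "__main__":
    for case in (("user", ["foo"]), ("user", ["mail", "memberuid"])):
        r = validate_permission_attrs(*case)
        print(case, "->", "ok" if r.ok else "refused", r.errors, r.warnings, r.targetattr)
```

The first case mirrors the `--attr=foo` failure quoted above; the second shows `memberuid` on a user permission going through with a warning rather than being refused, and after `register_type_objectclass("user", "krbprincipalaux")` a Kerberos attribute on a user permission produces no warning at all.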
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: Future Releases