URL: https://github.com/freeipa/freeipa/pull/814 Author: Tiboris Title: #814: Add new permission to grant 'add' on cas container Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/814/head:pr814 git checkout pr814
From d3d6c09e6ad42828b69bc99c4b410a4791ef940e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tibor.dud...@gmail.com>
Date: Wed, 24 May 2017 11:02:19 +0200
Subject: [PATCH] Add permission to grant 'add' on cas container
Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt | 2 ++
 ipaserver/plugins/ca.py | 11 +++++++++++
 2 files changed, 13 insertions(+)
diff --git a/ACI.txt b/ACI.txt
index 185812a881..a0f19c55b3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -27,6 +27,8 @@ aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System:
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Grant add on CAS container";allow (add) groupdn = "ldap:///cn=System: Grant add on CAS container,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 9bb163dffa..c7fda80375 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -138,6 +138,17 @@ class ca(LDAPObject):
 ],
 'default_privileges': {'CA Administrator'},
 },
+ 'System: Grant add on CAS container': {
+ 'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'add'},
+ 'replaces': [' \
+ (target = "ldap:///cn=cas,cn=ca,$SUFFIX") \
+ (version 3.0;acl "permission:Grant add on CAS container"; \
+ allow (add) groupdn = "ldap:///cn=Grabt add on CAS container, \
+ cn=permissions, cn=pbac,$SUFFIX";)', ],
+ 'default_privileges': {'CA Administrator'},
+ },
 'System: Delete CA': {
 'ipapermright': {'delete'},
 'replaces': [
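Review bot: The `replaces` string in the new 'System: Grant add on CAS container' entry is unlikely to match any ACI it is meant to supersede: the group DN is spelled `cn=Grabt add on CAS container`, and the backslash continuations sit inside one quoted literal, so each continuation line's leading whitespace becomes part of the string. If a legacy ACI really exists, spell it with adjacent string literals as below; if none was ever shipped, drop `replaces` from this entry. Separately, the `ipapermtargetfilter` of `(objectclass=nscontainer)` appears to let members of 'CA Administrator' add any nsContainer entry within the ACI's scope, which looks broader than the single-container `target` in the legacy rule, so the intended scope is worth confirming. The permissions dict starts and ends outside the hunk.

```python
'System: Grant add on CAS container': {
    # … unchanged: ipapermtargetfilter, ipapermbindruletype, ipapermright …
    'replaces': [
        '(target = "ldap:///cn=cas,cn=ca,$SUFFIX")'
        '(version 3.0;acl "permission:Grant add on CAS container";'
        'allow (add) groupdn = "ldap:///cn=Grant add on CAS container,'
        'cn=permissions,cn=pbac,$SUFFIX";)',
    ],
    # … unchanged: default_privileges …
```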