URL: https://github.com/freeipa/freeipa/pull/814
Author: Tiboris
 Title: #814: Add new permission to grant 'add' on cas container
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/814/head:pr814
git checkout pr814
From ab638abfc735f1c06a3fcdd9cd54dac17b3fec4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tibor.dud...@gmail.com>
Date: Wed, 24 May 2017 11:02:19 +0200
Subject: [PATCH] Add permission to grant 'add' on CAs container

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt                 | 2 ++
 ipaserver/plugins/ca.py | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 185812a881..bc7b0efad9 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -27,6 +27,8 @@ aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System:
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Grant add on CAs container";allow (add) groupdn = "ldap:///cn=System: Grant add on CAs container,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";;)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 9bb163dffa..ffe376a7c4 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -138,6 +138,12 @@ class ca(LDAPObject):
             ],
             'default_privileges': {'CA Administrator'},
         },
+        'System: Grant add on CAs container': {
+            'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'default_privileges': {'CA Administrator'},
+        },
         'System: Delete CA': {
             'ipapermright': {'delete'},
             'replaces': [
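Review bot: The new 'System: Grant add on CAs container' entry has no comment explaining why members of 'CA Administrator' need `add` on entries matching `(objectclass=nscontainer)`, and this filter differs from the `(objectclass=ipaca)` filter the neighbouring CA permissions use in ACI.txt. As written, the grant appears to cover any nsContainer entry under the object's container rather than one specific entry, which is broader than the commit title suggests. If only a single DN is meant, consider narrowing it with `'ipapermtarget'` so the default privilege stays least-privilege. Otherwise add a short comment above the entry, such as `# Needed so CA Administrator can create <what> during ca-add; see issue 6609`, stating what is being created. The managed-permissions dict and the `ca` class both start and end outside this hunk, so any scoping set elsewhere is not visible here.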