Rob Crittenden wrote:
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We are
adding a new attribute to store extra information to make this clear, in
this case READONLY.

ticket 853

rob

I goofed on the schema, updated patch attached.

rob
From 9c8671ef91f3de26ba6cc7877f9033ed6bdaa1eb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 31 Jan 2011 13:00:57 -0500
Subject: [PATCH] Add new schema to store information about permissions.

There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case READONLY.

ticket 853
---
 install/share/60basev2.ldif   |    2 +
 install/share/delegation.ldif |   49 +++++++++++++++++++++++++++++++++++++++++
 ipalib/plugins/permission.py  |   13 +++++++++-
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b..4866b6d 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionFlag ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionFlag' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
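Review bot: The new ipaPermissionFlag definition on this hunk uses `SUBSTR caseIgnoreMatch`, which is an equality rule, not a substrings rule; the neighbouring Directory String attributes (hostCategory, serviceCategory) use `SUBSTR caseIgnoreSubstringsMatch`, and a server that validates matching-rule usage may reject or silently ignore the substring rule. Change the definition to `... EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )`. The attribute is also declared without SINGLE-VALUE, so the directory will accept several flags on one entry; if only one flag per permission is intended, add `SINGLE-VALUE`, and either way a DESC that names the accepted values (READONLY is the only one this patch uses) would help whoever next extends the vocabulary.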
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index e154f6b..d672cb4 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Change a user password
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add user to default group
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+objectClass: ipapermission
 cn: Unlock user accounts
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
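Review bot: Of the entries touched by this patch, `Unlock user accounts` is the only one whose existing lines are spelled `objectclass: top` / `objectclass: groupofnames` in lower case, and the added line uses `objectClass: ipapermission`, so this entry now mixes both spellings. LDAP attribute descriptions are case-insensitive, so the server does not care, but since the entry is being edited anyway, normalizing the two existing lines to `objectClass:` keeps the file uniform.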
@@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Group membership
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroup membership
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Role membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify privilege membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroup membership
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage host keytab
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage service keytab
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Enroll a host
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Replication Agreements
+ipapermissionflag: READONLY
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Replication Agreements
+ipapermissionflag: READONLY
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Replication Agreements
+ipapermissionflag: READONLY
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 # Entitlement management
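Review bot: The three Replication Agreements entries are the only ones in this patch that receive `ipapermissionflag: READONLY`, and nothing in the LDIF explains what the value means or why these entries differ from every other permission; the commit message gives the reason (their ACIs are stored outside the basedn, so the permission cannot be displayed), but that is not visible to someone editing this file later. Add a comment above the first of the three entries, for example `# The ACIs behind these permissions live outside the basedn; READONLY marks them as not manageable through the permission plugin.` If READONLY is meant to be the first of several flag values, the comment is also the natural place to list them.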
@@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: addentitlements
 description: Add Entitlements
 member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Retrieve Certificates from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificates from a different host
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Get Certificates status from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Revoke Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Certificate Remove Hold
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efda..ac8d2a6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -76,6 +76,12 @@ from ipalib.request import context
 
 ACI_PREFIX=u"permission"
 
+output_params = (
+    Str('ipapermissionflag',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
     """
     Permission object.
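Review bot: `output_params` declares ipapermissionflag as a single-valued `Str`, but the schema hunk in 60basev2.ldif defines ipaPermissionFlag without SINGLE-VALUE, so the directory can store several flags on one permission; the two declarations should agree. If several flags are intended, declare it `Str('ipapermissionflag*', label=_('Permission Type'))` (the `*` suffix marks a multi-valued optional param), otherwise add SINGLE-VALUE to the schema. The label 'Permission Type' also reads oddly for an attribute whose only value so far is READONLY; 'Permission flags' would match the attribute's own DESC.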
@@ -83,9 +89,9 @@ class permission(LDAPObject):
     container_dn = api.env.container_permission
     object_name = 'permission'
     object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissionflag',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type',
         'filter', 'subtree', 'targetgroup',
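Review bot: Adding `ipapermission` to `object_class` changes what the plugin treats as a permission entry: if LDAPObject.object_class feeds the search filter used by permission-find and the objectClass list written on add (which is how that attribute is commonly used, though not visible in this hunk), permission entries created before this schema change and still lacking the ipapermission objectClass may no longer match permission-find until they are upgraded. Worth confirming against LDAPSearch, and pairing this change with an upgrade step that adds the objectClass to existing permission entries, since delegation.ldif on its own only affects fresh installs. The enclosing class `permission` continues outside the hunk.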
@@ -236,6 +242,7 @@ class permission_mod(LDAPUpdate):
     """
 
     msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         # check if permission is in LDAP
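Review bot: `has_output_params` only makes ipapermissionflag appear in permission-mod's output; nothing in this hunk reads the flag, so a permission carrying `READONLY` (the three replication entries in delegation.ldif) can still be modified through permission-mod exactly as before, and the flag itself remains an ordinary writable attribute of the entry. If READONLY is meant as a display hint only, say so in a comment on the `output_params` definition, e.g. `# informational only: the plugin does not enforce READONLY`; if it is meant to block edits, pre_callback should read the entry's ipapermissionflag and reject the update before going on to the ACI work. pre_callback's body continues outside the hunk.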
@@ -330,6 +337,7 @@ class permission_find(LDAPSearch):
     msg_summary = ngettext(
         '%(count)d permission matched', '%(count)d permissions matched'
     )
+    has_output_params = LDAPSearch.has_output_params + output_params
 
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
@@ -378,6 +386,7 @@ class permission_show(LDAPRetrieve):
     """
     Display information about a permission.
     """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         try:
             aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
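Review bot: In permission_show the new `has_output_params` line sits directly against `def post_callback` with no blank line, whereas the equivalent lines added to permission_mod and permission_find in this patch are followed by one; insert a blank line after `has_output_params = LDAPRetrieve.has_output_params + output_params` so the three classes read the same. post_callback's body continues outside the hunk.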
-- 
1.7.3.4
