Hello,
This adds read permissions for Sudo commands, command groups, and rules.

Read access is given to all authenticated users.


--
Petr³
From bb9ff134db5427621b13f94e062ed24f725bc280 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: [PATCH] Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py      | 13 +++++++++++++
 ipalib/plugins/sudocmdgroup.py | 12 ++++++++++++
 ipalib/plugins/sudorule.py     | 18 ++++++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
     object_name = _('sudo command')
     object_name_plural = _('sudo commands')
     object_class = ['ipaobject', 'ipasudocmd']
+    permission_filter_objectclasses = ['ipasudocmd']
     # object_class_config = 'ipahostobjectclasses'
     search_attributes = [
         'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
     }
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
+    managed_permissions = {
+        'System: Read Sudo Commands': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'description', 'ipauniqueid', 'memberof', 'objectclass',
+                'sudocmd',
+            },
+        },
+    }
+
     label = _('Sudo Commands')
     label_singular = _('Sudo Command')
 
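Review bot: The new managed_permissions block carries no comment explaining its two policy keys, so a reader has to know the permission plugin to see that `'ipapermbindruletype': 'all'` grants read to every authenticated bind and that `'replaces_global_anonymous_aci': True` retires the previous anonymous read path. I would add above the dict: `# Readable by all authenticated (not anonymous) binds; replaces the global anonymous read ACI for these entries`. The same applies to the managed_permissions blocks added in sudocmdgroup.py and sudorule.py. Since anonymous reads of these entries stop working, it seems worth stating in the commit description that no sudo client is expected to read them with an unauthenticated bind — that cannot be verified from the hunk. The sudocmd class continues outside the hunk.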
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
     object_name = _('sudo command group')
     object_name_plural = _('sudo command groups')
     object_class = ['ipaobject', 'ipasudocmdgrp']
+    permission_filter_objectclasses = ['ipasudocmdgrp']
     default_attributes = [
         'cn', 'description', 'member',
     ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
     attribute_members = {
         'member': ['sudocmd'],
     }
+    managed_permissions = {
+        'System: Read Sudo Command Groups': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipauniqueid',
+                'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+        },
+    }
 
     label = _('Sudo Command Groups')
     label_singular = _('Sudo Command Group')
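Review bot: The ipapermdefaultattr set for command groups lists `'businesscategory'`, `'o'`, `'ou'`, `'owner'` and `'seealso'`, none of which appear in the object's default_attributes in the first hunk (`'cn', 'description', 'member'`), while `'memberof'`, which the sudocmd permission in this same patch exposes, is absent here. If sudocmdgroup entries carry memberof when a sudo rule references them, a reader granted only this permission would not see it; if the objectclass does not carry the groupOfNames attributes, the five extra names are harmless but unexplained. A one-line comment naming where the set comes from, e.g. `# ipasudocmdgrp attributes plus the groupOfNames ones the entry may carry — TODO confirm against schema`, would make the choice reviewable. The enclosing class continues outside the hunk.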
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..3f2c4063ce385d15f0551f663cba227a1269c62e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
     object_name = _('sudo rule')
     object_name_plural = _('sudo rules')
     object_class = ['ipaassociation', 'ipasudorule']
+    permission_filter_objectclasses = ['ipasudorule']
     default_attributes = [
         'cn', 'ipaenabledflag', 'externaluser',
         'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,23 @@ class sudorule(LDAPObject):
         'ipasudorunas': ['user', 'group'],
         'ipasudorunasgroup': ['group'],
     }
+    managed_permissions = {
+        'System: Read Sudo Rules': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cmdcategory', 'cn', 'description', 'externalhost',
+                'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+                'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+                'ipasudorunasextuser', 'ipasudorunasgroup',
+                'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+                'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+                'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+                'sudoorder', 'usercategory', 'objectclass',
+            },
+        },
+    }
 
     label = _('Sudo Rules')
     label_singular = _('Sudo Rule')
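Review bot: In the ipapermdefaultattr set, `'objectclass'` sits after `'usercategory'` although the rest of the set is alphabetical and the sets in sudocmd.py and sudocmdgroup.py are sorted; placing it between `'memberuser'` and `'sudonotafter'` keeps the three blocks consistent and makes future additions easier to diff. Beyond style, this permission makes the full content of every sudo rule — allowed and denied commands, run-as identities, host and user membership and `'ipasudoopt'` — readable by any authenticated bind; the description says this is intended, and a comment recording that, e.g. `# Intentionally readable by all authenticated users (tickets 1313 and 3566)`, would keep a later maintainer from narrowing or widening it without noticing. The enclosing class continues outside the hunk.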
-- 
1.9.0
