Hello,
This adds read permissions for HBAC rules, services, and service groups.

Read access is given to all authenticated users.

--
Petr³
From e0aa9e6e22ecdb42c0f3b21d42d66e5b5945d80d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 15:33:49 +0100
Subject: [PATCH] Add managed read permissions to HBAC objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/hbacrule.py     | 15 +++++++++++++++
 ipalib/plugins/hbacsvc.py      | 11 +++++++++++
 ipalib/plugins/hbacsvcgroup.py | 12 ++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 99758b25a287488f42f95c84b5e4b8658399fdd6..52abb408b04f882b5b202468ad3d9976ebba2f95 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -115,6 +115,7 @@ class hbacrule(LDAPObject):
     object_name = _('HBAC rule')
     object_name_plural = _('HBAC rules')
     object_class = ['ipaassociation', 'ipahbacrule']
+    permission_filter_objectclasses = ['ipahbacrule']
     default_attributes = [
         'cn', 'ipaenabledflag',
         'description', 'usercategory', 'hostcategory',
@@ -130,6 +131,20 @@ class hbacrule(LDAPObject):
         'sourcehost': ['host', 'hostgroup'],
         'memberservice': ['hbacsvc', 'hbacsvcgroup'],
     }
+    managed_permissions = {
+        'System: Read HBAC Rules': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'accessruletype', 'accesstime', 'cn', 'description',
+                'externalhost', 'hostcategory', 'ipaenabledflag',
+                'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
+                'servicecategory', 'sourcehost', 'sourcehostcategory',
+                'usercategory', 'objectclass',
+            },
+        },
+    }
 
     label = _('HBAC Rules')
     label_singular = _('HBAC Rule')
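Review bot: The `'replaces_global_anonymous_aci': True` key in the new `managed_permissions` entry, combined with `'ipapermbindruletype': 'all'`, means the global anonymous ACI stops covering these entries once the permission is installed, so unauthenticated LDAP clients lose read access to HBAC rules while the commit message only says that read access is given to all authenticated users. The commit message should state the anonymous-read removal explicitly so deployments that still rely on anonymous HBAC lookups can plan the upgrade; the same applies to the corresponding entries in hbacsvc.py and hbacsvcgroup.py. A short comment above the dict would also record the intent for later readers: `# Bind rule 'all': any authenticated principal may read rules; anonymous read (previously via the global ACI) is withdrawn.` The hbacrule class continues outside the hunk.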
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
index 6c6bc94fe15a8e7af2c5ef87376bfbf3cc6438ff..58861fcfa77c5b220b4fb62e7af0039fe855d94e 100644
--- a/ipalib/plugins/hbacsvc.py
+++ b/ipalib/plugins/hbacsvc.py
@@ -57,11 +57,22 @@ class hbacsvc(LDAPObject):
     object_name = _('HBAC service')
     object_name_plural = _('HBAC services')
     object_class = [ 'ipaobject', 'ipahbacservice' ]
+    permission_filter_objectclasses = ['ipahbacservice']
     default_attributes = ['cn', 'description', 'memberof']
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'memberof': ['hbacsvcgroup'],
     }
+    managed_permissions = {
+        'System: Read HBAC Services': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'description', 'ipauniqueid', 'memberof', 'objectclass',
+            },
+        },
+    }
 
     label = _('HBAC Services')
     label_singular = _('HBAC Service')
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 5fc0635c409eaa4be7a07dc95ec4b87b34928476..5e3ef5b7037e9a41d32cf62629c0dc87b31c8e17 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -52,11 +52,23 @@ class hbacsvcgroup(LDAPObject):
     object_name = _('HBAC service group')
     object_name_plural = _('HBAC service groups')
     object_class = ['ipaobject', 'ipahbacservicegroup']
+    permission_filter_objectclasses = ['ipahbacservicegroup']
     default_attributes = [ 'cn', 'description', 'member' ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'member': ['hbacsvc'],
     }
+    managed_permissions = {
+        'System: Read HBAC Service Groups': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipauniqueid',
+                'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+        },
+    }
 
     label = _('HBAC Service Groups')
     label_singular = _('HBAC Service Group')
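Review bot: The `ipapermdefaultattr` set for 'System: Read HBAC Service Groups' exposes `businesscategory`, `o`, `ou`, `owner` and `seealso`, none of which appear in the class's `default_attributes` (`cn`, `description`, `member`), whereas the sibling permission in hbacsvc.py lists only its default attributes plus `ipauniqueid` and `objectclass`. Presumably these are optional attributes allowed by the entry's LDAP schema, but nothing in the hunk says so. If they are intentional, a one-line comment such as `# also expose the optional schema attributes so searches on them work` keeps a later reader from trimming the set; if not, dropping them keeps the readable surface consistent with hbacsvc.py. The hbacsvcgroup class continues outside the hunk.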
-- 
1.9.0
