Hello,
This adds read permissions to read hosts.

Read access is given to all authenticated users.
For reading host membership info, there is a separate permission that also defaults to all authenticated users.


The userPassword attribute is not included for obvious reasons.

--
Petr³
From 0e528f986b92ccb56b6000ae8f9a2d573b5ff44e Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 15:58:08 +0100
Subject: [PATCH] Add managed read permissions to host

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/host.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 1e339acfc55820db232ba189275a05957ef8ebbd..1323797ea85da73d8a62ae747da655fdf084a49c 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -252,6 +252,28 @@ class host(LDAPObject):
     }
     password_attributes = [('userpassword', 'has_password'),
                            ('krbprincipalkey', 'has_keytab')]
+    managed_permissions = {
+        'System: Read Hosts': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'description', 'fqdn', 'ipaclientversion',
+                'ipakrbauthzdata', 'ipasshpubkey', 'ipauniqueid',
+                'krbprincipalname', 'l', 'macaddress', 'nshardwareplatform',
+                'nshostlocation', 'nsosversion', 'objectclass',
+                'serverhostname', 'usercertificate', 'userclass',
+            },
+        },
+        'System: Read Host Membership': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'enrolledby', 'memberof', 'managedby',
+            },
+        },
+    }
 
     label = _('Hosts')
     label_singular = _('Host')
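Review bot: The exclusion of secret attributes from `ipapermdefaultattr` in 'System: Read Hosts' is explained only in the cover mail, and nothing in the code tells a later editor that this set is an allowlist readable by every authenticated user (`'ipapermbindruletype': 'all'`). Both names in `password_attributes` just above (`userpassword`, `krbprincipalkey`) are correctly absent, but the mail mentions only the first. I would add a comment above `managed_permissions` such as `# Allowlist: every attribute here is readable/searchable/comparable by any authenticated user; never add userpassword or krbprincipalkey.` A small unit test asserting that no `password_attributes` name appears in either `ipapermdefaultattr` set would keep this from regressing. The `host` class body starts and continues outside this hunk, so other attributes that may need the same care are not visible here.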
-- 
1.9.0
