On 04/08/2014 04:39 PM, Martin Kosek wrote:
On 04/08/2014 01:14 PM, Petr Viktorin wrote:
On 04/08/2014 12:53 PM, Martin Kosek wrote:
On 04/08/2014 11:03 AM, Petr Viktorin wrote:
...
The patch is functional, but I am not really a big fan of placing it in the
plugin. I would prefer if the ACI definition is also in the sudo plugin
together with other definition. It would be then much easier to audit all
sudo-related ACIs.

Why can't we add this ACI to sudorule object managed permissions and just
override the location and target?

I can do that. Most of the changes make this overriding possible, where the
permission is actually defined is a detail.

I am not insisting on a specific format, I would simply prefer to have all
plugin object related ACIs close together.

My reasoning is that finding the definition would not be straightforward. All
the object-specific permissions so far are defined in "their" plugins, as
determined by --type. This one won't have --type, and it's not clear if it
should be in sudorule, sudocmd or sudocmdgroup.

But, I don't have a strong preference. A `git grep` will always show the
definition.


IMO sudorule is fine, I personally see it as an overarching plugin for sudo,
sudocmds and sudocmdgroups are just part of the sudorule.

We may just want to somehow differentiate the non--type ACIs from the regular
--type ones. Whether it is a different attribute in the Object or a setting in
managed permission is something I will leave up to you.

I went with a "non_object" key in the managed permission info.

Attaching new patches.

-- 
Petr³

From bc05ca06c450e6782d3a2e8becd80fd620fbb66a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 27 Mar 2014 12:17:37 +0100
Subject: [PATCH] Document the managed permission updater operation

The method was explained on the [Design] page, but as the updater
is extended the design page would become obsolete.
Document the operation in the docstring of the plugin itself.

Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
---
 .../install/plugins/update_managed_permissions.py  | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 603f3f0b74c97b14be0992d2c110f5bb6cd0e0e6..b2548f4f12aab2ae05c3c4a63e38eb8ca2b65ad6 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -17,6 +17,40 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+"""
+Plugin for updating managed permissions.
+
+The permissions are declared in Object plugins in the "managed_permissions"
+attribute, which is a dictionary mapping permission names to a "template"
+for the updater.
+For example, an entry could look like this:
+
+    managed_permissions = {
+        'System: Read Object A': {
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'cn', 'description'},
+            'replaces_global_anonymous_aci': True,
+        },
+    }
+
+The permission name must start with the "System:" prefix.
+
+The template dictionary can have the following keys:
+* ipapermbindruletype, ipapermright
+  - Directly used as attributes on the permission.
+  - Replaced when upgrading an existing permission
+* ipapermdefaultattr
+  - Used as attribute of the permission.
+  - When upgrading, only new values are added; all old values are kept.
+* replaces_global_anonymous_aci
+  - If true, any attributes specified (denied) in the legacy global anonymous
+    read ACI will be added to excluded_attributes of the new permission.
+  - Has no effect when existing permissions are updated.
+
+No other keys are allowed in the template
+"""
+
 from ipalib import errors
 from ipapython.dn import DN
 from ipalib.plugable import Registry
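Review bot: the closing line "No other keys are allowed in the template" does not say what the updater does when it meets an unknown key (raise, ignore, or log), so plugin authors cannot tell whether the template is validated; state the behaviour. Also add the missing trailing periods on "Replaced when upgrading an existing permission" and on that closing sentence.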
-- 
1.9.0

From 70f1788534ff1821faad3a5c10e23bbf363dc03d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 27 Mar 2014 15:36:54 +0100
Subject: [PATCH] Allow overriding all attributes of default permissions

Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.
---
 .../install/plugins/update_managed_permissions.py  | 50 +++++++++++++++++-----
 1 file changed, 39 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index b2548f4f12aab2ae05c3c4a63e38eb8ca2b65ad6..d938eecf175867f3a6a61a68d5f384bf9e79c055 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -37,9 +37,17 @@
 The permission name must start with the "System:" prefix.
 
 The template dictionary can have the following keys:
-* ipapermbindruletype, ipapermright
+* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, objectclass
   - Directly used as attributes on the permission.
   - Replaced when upgrading an existing permission
+  - If not specified, these default to the defaults of a permission of the
+    corresponding --type, or (if non_object is specified) to general permission
+    defaults.
+  - ipapermlocation and ipapermtarget must be DNs
+  - ipapermtargetfilter and objectclass must be iterables of strings
+* ipapermbindruletype
+  - Directly used as attribute on the permission.
+  - Not replaced when upgrading an existing permission.
 * ipapermdefaultattr
   - Used as attribute of the permission.
   - When upgrading, only new values are added; all old values are kept.
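Review bot: the new bullet says ipapermtarget is "Replaced when upgrading an existing permission", but in update_entry below ipapermtarget is only assigned when the template supplies it, so an existing value survives when the key is omitted; reword to "replaced if specified" or clear the attribute when the key is absent so the docstring and the code agree. For ipapermtargetfilter and ipapermlocation the omitted case does replace the value (they are recomputed from the --type defaults), which is worth saying explicitly.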
@@ -47,6 +55,9 @@
   - If true, any attributes specified (denied) in the legacy global anonymous
     read ACI will be added to excluded_attributes of the new permission.
   - Has no effect when existing permissions are updated.
+* non_object
+  - If true, no object-specific defaults are used (e.g. for
+    ipapermtargetfilter, ipapermlocation).
 
 No other keys are allowed in the template
 """
@@ -103,7 +114,6 @@ def execute(self, **options):
             if managed_permissions:
                 self.log.info('Updating managed permissions for %s', obj.name)
             for name, template in managed_permissions.items():
-                assert name.startswith('System:')
                 self.update_permission(ldap,
                                        obj,
                                        unicode(name),
@@ -115,6 +125,8 @@ def execute(self, **options):
     def update_permission(self, ldap, obj, name, template,
                           anonymous_read_blacklist):
         """Update the given permission and the corresponding ACI"""
+        assert name.startswith('System:')
+
         dn = self.api.Object[permission].get_dn(name)
 
         try:
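Review bot: `assert name.startswith('System:')` enforces a documented contract, but assert statements are stripped when Python runs with -O, so a permission name without the "System:" prefix would then be created silently; raise a ValueError (or a ValidationError from the already imported ipalib.errors) carrying the offending name instead.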
@@ -125,7 +137,7 @@ def update_permission(self, ldap, obj, name, template,
             entry = ldap.make_entry(dn)
             is_new = True
 
-        self.log.info('Updating managed permission: %s', name)
+        self.log.debug('Updating managed permission: %s', name)
         self.update_entry(obj, entry, template,
                           anonymous_read_blacklist, is_new=is_new)
 
@@ -153,22 +165,38 @@ def update_entry(self, obj, entry, template,
 
         template = dict(template)
 
-        # Common attributes
-        entry['objectclass'] = self.api.Object[permission].object_class
+        if template.pop('non_object', False):
+            obj = None
 
         entry['ipapermissiontype'] = [u'SYSTEM', u'V2', u'MANAGED']
 
-        # Object-specific attributes
-        ldap_filter = ['(objectclass=%s)' % oc
-                       for oc in obj.permission_filter_objectclasses]
-        entry['ipapermtargetfilter'] = ldap_filter
+        # Attributes with defaults
+        objectclass = template.pop('objectclass', None)
+        if objectclass is None:
+            objectclass = self.api.Object[permission].object_class
+        entry['objectclass'] = list(objectclass)
 
-        ipapermlocation = DN(obj.container_dn, self.api.env.basedn)
+        ldap_filter = template.pop('ipapermtargetfilter', None)
+        if obj and ldap_filter is None:
+            ldap_filter = ['(objectclass=%s)' % oc
+                           for oc in obj.permission_filter_objectclasses]
+        entry['ipapermtargetfilter'] = list(ldap_filter or [])
+
+        ipapermlocation = template.pop('ipapermlocation', None)
+        if ipapermlocation is None:
+            assert obj
+            ipapermlocation = DN(obj.container_dn, self.api.env.basedn)
         entry.single_value['ipapermlocation'] = ipapermlocation
 
+        # Optional attributes
+        ipapermtarget = template.pop('ipapermtarget', None)
+        if ipapermtarget is not None:
+            entry['ipapermtarget'] = ipapermtarget
+
         # Attributes from template
         bindruletype = template.pop('ipapermbindruletype')
-        entry.single_value['ipapermbindruletype'] = bindruletype
+        if is_new:
+            entry.single_value['ipapermbindruletype'] = bindruletype
 
         entry['ipapermright'] = list(template.pop('ipapermright'))
 
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
