On 04/08/2014 12:46 PM, Martin Kosek wrote:
On 04/08/2014 11:03 AM, Petr Viktorin wrote:
On 04/07/2014 01:30 PM, Martin Kosek wrote:
On 04/03/2014 12:09 PM, Petr Viktorin wrote:
Hello,
This adds read permissions for Sudo commands, command groups and rules.

Read access is given to all authenticated users.

Looks good. What about "ou=sudoers"? I think we should also allow it in this
patch for authenticated users. This is the tree that clients use to read sudo.

This new version does that. It needs my patches 0508-0509 since the ou=sudoers
permission is not tied to a specific Object plugin.


I would also allow 'ou', otherwise an authenticated user cannot read the
ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.

Right, I wonder how I missed that.

New patch attached; it needs 0508-0509.2.

--
Petr³

From 6c426c9a66a755dddf387e2396abbeaead3d3eb1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 7 Apr 2014 14:56:34 +0200
Subject: [PATCH] Add managed read permissions to Sudo objects and ou=sudoers

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py      | 13 +++++++++++++
 ipalib/plugins/sudocmdgroup.py | 12 ++++++++++++
 ipalib/plugins/sudorule.py     | 31 +++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
     object_name = _('sudo command')
     object_name_plural = _('sudo commands')
     object_class = ['ipaobject', 'ipasudocmd']
+    permission_filter_objectclasses = ['ipasudocmd']
     # object_class_config = 'ipahostobjectclasses'
     search_attributes = [
         'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
     }
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
+    managed_permissions = {
+        'System: Read Sudo Commands': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'description', 'ipauniqueid', 'memberof', 'objectclass',
+                'sudocmd',
+            },
+        },
+    }
+
     label = _('Sudo Commands')
     label_singular = _('Sudo Command')
 
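Review bot: `'replaces_global_anonymous_aci': True` combined with `'ipapermbindruletype': 'all'` presumably means that, once this permission is installed, anonymous binds lose read access to sudo command entries while every authenticated bind gains it; neither the hunk nor the commit message records that change in exposure, and the same pattern repeats in sudocmdgroup.py and sudorule.py. A short comment above the dict would make the intent auditable, e.g. `# Readable by any authenticated bind; supersedes the global anonymous ACI for these entries`. The enclosing class starts before and continues after the hunk.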
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
     object_name = _('sudo command group')
     object_name_plural = _('sudo command groups')
     object_class = ['ipaobject', 'ipasudocmdgrp']
+    permission_filter_objectclasses = ['ipasudocmdgrp']
     default_attributes = [
         'cn', 'description', 'member',
     ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
     attribute_members = {
         'member': ['sudocmd'],
     }
+    managed_permissions = {
+        'System: Read Sudo Command Groups': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipauniqueid',
+                'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+        },
+    }
 
     label = _('Sudo Command Groups')
     label_singular = _('Sudo Command Group')
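Review bot: The readable attribute set in this permission adds 'businesscategory', 'o', 'ou', 'owner' and 'seealso', which go beyond the attributes the plugin itself handles (`default_attributes` is only 'cn', 'description', 'member'); these are presumably the optional groupOfNames attributes, but nothing in the hunk says so, and someone auditing what authenticated users may read has to guess. A one-line comment on the `ipapermdefaultattr` set, e.g. `# covers the optional groupOfNames attributes, not only what the plugin exposes`, would state the scope explicitly. The enclosing class continues outside the hunk.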
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..88fd86e31b95bb49b69a5a3dfdb7bf153784fbfc 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
     object_name = _('sudo rule')
     object_name_plural = _('sudo rules')
     object_class = ['ipaassociation', 'ipasudorule']
+    permission_filter_objectclasses = ['ipasudorule']
     default_attributes = [
         'cn', 'ipaenabledflag', 'externaluser',
         'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,36 @@ class sudorule(LDAPObject):
         'ipasudorunas': ['user', 'group'],
         'ipasudorunasgroup': ['group'],
     }
+    managed_permissions = {
+        'System: Read Sudo Rules': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cmdcategory', 'cn', 'description', 'externalhost',
+                'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+                'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+                'ipasudorunasextuser', 'ipasudorunasgroup',
+                'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+                'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+                'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+                'sudoorder', 'usercategory', 'objectclass',
+            },
+        },
+        'System: Read Sudoers compat tree': {
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('ou=sudoers', api.env.basedn),
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'ou',
+                'sudouser', 'sudohost', 'sudocommand', 'sudooption',
+                'sudorunasuser', 'sudorunasgroup',
+                'sudonotbefore', 'sudonotafter', 'sudoorder',
+            },
+        }
+    }
 
     label = _('Sudo Rules')
     label_singular = _('Sudo Rule')
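Review bot: The 'System: Read Sudoers compat tree' entry closes with a bare `}` where the sibling 'System: Read Sudo Rules' entry above it uses `},`; write `},` so the next permission added to this dict does not have to touch this line, matching sudocmd.py and sudocmdgroup.py. Unlike the two object permissions in this series, this entry does not set `replaces_global_anonymous_aci`, so whether anonymous binds keep reading ou=sudoers through the global anonymous ACI is left unstated; a comment such as `# NOTE(review): anonymous read of the compat tree is presumably still granted by the global ACI — confirm` would record the intent for whoever later tightens anonymous access. The `non_object` and `ipapermlocation` keys depend on the 0508-0509.2 patches named in the thread, so this hunk presumably does not apply on its own. The enclosing class continues outside the hunk.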
-- 
1.9.0
