On 04/09/2014 10:31 AM, Martin Kosek wrote:
On 04/08/2014 05:19 PM, Petr Viktorin wrote:
On 04/08/2014 12:46 PM, Martin Kosek wrote:
On 04/08/2014 11:03 AM, Petr Viktorin wrote:
On 04/07/2014 01:30 PM, Martin Kosek wrote:
On 04/03/2014 12:09 PM, Petr Viktorin wrote:
Hello,
This adds read permissions to read Sudo commands, command groups, rules.

Read access is given to all authenticated users.

Looks good. What about "ou=sudoers"? I think we should also allow it in this
patch for authenticated users. This is the tree that clients use to read sudo.

This new version does that. It needs my patches 0508-0509 since the ou=sudoers
permission is not tied to a specific Object plugin.


I would also allow 'ou', otherwise an authenticated user cannot read the
ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.

Right, I wonder how I missed that.

New patch attached; it needs 0508-0509.2.


Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
attribute? It is part of sudoRole objectclass:

objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
   SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
   sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
   sudoOrder $ description ) X-ORIGIN 'SUDO' )

but we seem to not generate it in our compat plugin though. But as it is part
of the objectclass, I would rather add it to avoid any mistakes.

If you add it, it's an ACK from me.

Martin


Thanks for the catch. Added, along with description.

--
Petr³
From 83827574ccd1855c8a965890be9ba0a6c58055f9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: [PATCH] Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py      | 13 +++++++++++++
 ipalib/plugins/sudocmdgroup.py | 12 ++++++++++++
 ipalib/plugins/sudorule.py     | 31 +++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
     object_name = _('sudo command')
     object_name_plural = _('sudo commands')
     object_class = ['ipaobject', 'ipasudocmd']
+    permission_filter_objectclasses = ['ipasudocmd']
     # object_class_config = 'ipahostobjectclasses'
     search_attributes = [
         'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
     }
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
+    managed_permissions = {
+        'System: Read Sudo Commands': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'description', 'ipauniqueid', 'memberof', 'objectclass',
+                'sudocmd',
+            },
+        },
+    }
+
     label = _('Sudo Commands')
     label_singular = _('Sudo Command')
 
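Review bot: The new permission binds with `'ipapermbindruletype': 'all'` and sets `'replaces_global_anonymous_aci': True`, so once the global anonymous ACI it replaces is removed, unauthenticated reads of ipasudocmd entries presumably stop working, and neither the hunk nor the commit message records that this narrowing to authenticated users is intended (the thread says it is). I would add a comment above `managed_permissions`: `# Read access for any authenticated bind; anonymous reads relied on the global ACI this replaces.` The same note applies to the `managed_permissions` added in sudocmdgroup.py and sudorule.py. The sudocmd class starts outside the hunk.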
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
     object_name = _('sudo command group')
     object_name_plural = _('sudo command groups')
     object_class = ['ipaobject', 'ipasudocmdgrp']
+    permission_filter_objectclasses = ['ipasudocmdgrp']
     default_attributes = [
         'cn', 'description', 'member',
     ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
     attribute_members = {
         'member': ['sudocmd'],
     }
+    managed_permissions = {
+        'System: Read Sudo Command Groups': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipauniqueid',
+                'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+        },
+    }
 
     label = _('Sudo Command Groups')
     label_singular = _('Sudo Command Group')
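Review bot: `ipapermdefaultattr` makes `businesscategory`, `o`, `ou`, `owner` and `seealso` readable by every authenticated user, yet none of them appear in the plugin's `default_attributes` (`cn`, `description`, `member` in the previous hunk), so a reader cannot tell whether they are deliberately exposed or copied from another group plugin. If they are included to mirror what the entry's objectclasses allow (presumably the groupofnames-style attributes), a comment such as `# Whole attribute set the objectclasses allow, not only what this plugin manages` would keep a later audit of what authenticated users can read from treating them as accidental. The sudocmdgroup class starts outside the hunk.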
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..16611aededfd63dac8652468cff473d9d1a07c0d 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
     object_name = _('sudo rule')
     object_name_plural = _('sudo rules')
     object_class = ['ipaassociation', 'ipasudorule']
+    permission_filter_objectclasses = ['ipasudorule']
     default_attributes = [
         'cn', 'ipaenabledflag', 'externaluser',
         'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,36 @@ class sudorule(LDAPObject):
         'ipasudorunas': ['user', 'group'],
         'ipasudorunasgroup': ['group'],
     }
+    managed_permissions = {
+        'System: Read Sudo Rules': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cmdcategory', 'cn', 'description', 'externalhost',
+                'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+                'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+                'ipasudorunasextuser', 'ipasudorunasgroup',
+                'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+                'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+                'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+                'sudoorder', 'usercategory', 'objectclass',
+            },
+        },
+        'System: Read Sudoers compat tree': {
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('ou=sudoers', api.env.basedn),
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'ou',
+                'sudouser', 'sudohost', 'sudocommand', 'sudorunas',
+                'sudorunasuser', 'sudorunasgroup', 'sudooption',
+                'sudonotbefore', 'sudonotafter', 'sudoorder', 'description',
+            },
+        }
+    }
 
     label = _('Sudo Rules')
     label_singular = _('Sudo Rule')
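Review bot: The second permission's `'ipapermtarget': DN('ou=sudoers', api.env.basedn)` names the container entry itself, and whether the generated ACI also reaches the sudoRole entries below it depends on how the permission plugin translates `ipapermtarget`, which is not visible here; since the purpose is to let clients read those child entries, a comment such as `# Must cover ou=sudoers and every compat sudoRole entry beneath it` would stop a later tightening from silently breaking sudo clients. Both `api.env.basedn` references are evaluated at import time, so they rely on the environment being finalized before the plugin module loads, as other plugins presumably already do. Two style nits: the last inner dict ends with `}` where sudocmd.py and sudocmdgroup.py use a trailing `},`, and `'objectclass'` sits after `'usercategory'` while the rest of the set is alphabetical. The sudorule class starts outside the hunk.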
-- 
1.9.0
