On 04/09/2014 03:26 PM, Martin Kosek wrote:
> On 04/09/2014 03:04 PM, Simo Sorce wrote:
>> On Wed, 2014-04-09 at 10:53 +0200, Martin Kosek wrote:
>>> On 04/08/2014 02:25 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> These add read permissions to read user groups and hostgroups.
>>>> For most attributes, anonymous read access is given.
>>>> For member, memberOf, memberUID, read access is given only to authenticated
>>>> users.
>>> Didn't we agree that we want to make hostgroups read by authenticated users
>>> only? Just like we did with netgroups. CCing Simo to confirm.
>>> Apologies, I misread the agreement.
>>> Besides the default bind type, the ACI looked ok.
>> I forgot if we decided anything about hostgroups, but they are not
>> necessary for an anonymous reader so we may as well not serve them in
>> that case.
>> Simo.
> In that case Petr please consider changing 511 to only allow authenticated
> users to read hostgroups.
> Thanks,
> Martin
Fixed patches attached.
--
Petr³
From 52b6bfd2b90ddab3354b9af798490ea96eb6bd5c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 26 Mar 2014 15:17:34 +0100
Subject: [PATCH] Add managed read permissions to group
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/group.py | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 318f0746a2f66f68db2b22e17b0d1689ad9ce3bc..644954d94a50e7a1222cc0cfc9b5de1eac47238a 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -137,6 +137,26 @@ class group(LDAPObject):
'sudorule'],
}
rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Groups': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'anonymous',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'gidnumber',
+ 'ipaexternalmember', 'ipauniqueid', 'mepmanagedby', 'o',
+ 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ },
+ 'System: Read Group Membership': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'member', 'memberof', 'memberuid',
+ },
+ },
+ }
label = _('User Groups')
label_singular = _('User Group')
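Review bot: 'ipaexternalmember' is placed in the anonymous-readable 'System: Read Groups' attribute set while 'member', 'memberof' and 'memberuid' are moved to the authenticated-only 'System: Read Group Membership'; if the point of the split is to keep group membership away from unauthenticated binds, external (trust) members still leak through the first permission. Either move 'ipaexternalmember' next to 'member' in the membership permission or state in the commit message why it is safe anonymously; 'mepmanagedby', which names the user behind a managed private group, deserves the same decision. Also worth documenting with the ticket: with 'memberuid' authenticated-only but 'gidnumber' still anonymous, an unauthenticated POSIX group lookup resolves the GID but sees an empty member list, which is a behaviour change for anonymous LDAP consumers.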
--
1.9.0
From 4f8d02fcd4403a4ca556ae46d115a02c2b9e79c7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 26 Mar 2014 16:21:26 +0100
Subject: [PATCH] Add managed read permission to hostgroup
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/hostgroup.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index a3dd3a4a9bad24fe966abc7294a3c8aebd6fadf7..9c125131d21793a5512a66118cee9d56b2ffc0b8 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -72,6 +72,25 @@ class hostgroup(LDAPObject):
'memberindirect': ['host', 'hostgroup'],
'memberofindirect': ['hostgroup', 'hbacrule', 'sudorule'],
}
+ managed_permissions = {
+ 'System: Read Hostgroups': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'ipauniqueid', 'o',
+ 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ },
+ 'System: Read Hostgroup Membership': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'member', 'memberof',
+ },
+ },
+ }
label = _('Host Groups')
label_singular = _('Host Group')
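Review bot: 'System: Read Hostgroups' and 'System: Read Hostgroup Membership' both carry 'ipapermbindruletype': 'all', so they grant exactly the same audience and could be one permission; if the split is kept deliberately (parity with the group plugin, or to allow tightening the membership part later) say so in the commit message rather than leaving the reader to guess. Both permissions also set 'replaces_global_anonymous_aci': True, so the net effect of this hunk is that hostgroup entries previously covered by the global anonymous read ACI stop being readable by unauthenticated binds after upgrade; that is the change Simo asked for, but it is not mentioned anywhere in the patch description and should be, together with a note for the release notes of ticket 3566.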
--
1.9.0
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel