The meta-permissions.

Read access is given to all authenticated users. Reading membership info (i.e. privileges) is split into a separate permission.

Another permission is added that allows read access to all ACIs.
If we don't want to open that up for everyone, I could limit this to only ACIs containing "permission:". (Since old-style permissions store their information in ACIs, their ACIs need to be readable.)

--
Petr³
From cf65d4206ed2a7447dd4e1947b973d77f58ea3d3 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to permission

Also add permission to read ACIs. This is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/permission.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f8428108398537fa09848c21f99ad8a0e33756..947cc1d47735ee512c7c86352fffe109060de732 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
     # For use the complete object_class list, including 'top', so
     # the updater doesn't try to delete 'top' every time.
     object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+    permission_filter_objectclasses = ['ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
         'memberindirect', 'ipapermissiontype', 'objectclass',
         'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,37 @@ class permission(baseldap.LDAPObject):
         'memberindirect': ['role'],
     }
     rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Permissions': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipapermissiontype',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'ipapermdefaultattr', 'ipapermincludedattr',
+                'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+                'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+            },
+        },
+        'System: Read Permission Membership': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'member', 'memberof',
+            },
+        },
+        'System: Read All ACIs': {
+            # Readable ACIs are needed for reading legacy permissions.
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'aci'},
+        },
+    }
 
     label = _('Permissions')
     label_singular = _('Permission')
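Review bot: `'System: Read All ACIs'` (lines with `'non_object': True` through `'ipapermdefaultattr': {'aci'}`) grants every bound identity (`'ipapermbindruletype': 'all'`) read/search/compare on the `aci` attribute across the whole suffix (`'ipapermlocation': api.env.basedn`), which discloses the directory's complete access-control policy — which bind rules may write which attributes where — and not only the legacy permission ACIs the inline comment gives as the motivation. That is useful reconnaissance for any low-privileged account, and the comment should state the trade-off rather than only the need, e.g. `# NOTE: this exposes every ACI under the suffix to all authenticated users, not just legacy "permission:" ACIs; an ACI targetfilter selects entries, not attribute values, so narrowing to "permission:" ACIs presumably cannot be expressed here — confirm.` Since `'replaces_global_anonymous_aci': True` is set, this presumably narrows the previous anonymous exposure to authenticated users, which is worth recording in the commit message as the security effect of the change. The enclosing class `permission` starts and ends outside the hunk.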
-- 
1.9.0
