On 04/09/2014 05:17 PM, Martin Kosek wrote:
On 04/09/2014 04:54 PM, Petr Viktorin wrote:
The meta-permissions.


Read access is given to all authenticated users. Reading membership info (i.e.
privileges) is split into a separate permission.

Another permission is added that allows read access to all ACIs.
If we don't want to open that up for everyone, I could limit this to only ACIs
containing "permission:". (Since old-style permissions store their information
in ACIs, their ACIs need to be readable.)

If I read the notes from our DevConf discussion correctly, there are some

1) We decided to not do special membership permission for
permission/privilege/role permissions.

2) We decided to give read access to permissions, privileges and roles only to
members of a certain privilege. Is there any reason to not do that? IMO, regular
users do not need to be able to read the permission/privilege/role
configuration of a FreeIPA installation to use it for IdM.


Updated. I plan to add all the RBAC-related read permissions to a single privilege, "RBAC Readers". Or do we want more granularity by default?

Requires my patch 0514.

From 74d14e0d2e3e22fe05d93fac467b7061e8dfac12 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to permission

Also add permission to read ACIs. This is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
 install/updates/40-delegation.update |  9 +++++++++
 ipalib/plugins/permission.py         | 27 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 3fabdf9c7319b261aa3e0bb20d42a80b807df1ec..e90819a5117afae5f65a24cb7b099f7e160dfa17 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -392,3 +392,12 @@ dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
 dn: cn=config
 add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
+# Read privileges
+dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: RBAC Readers
+default:description: Read roles, privileges, permissions and ACIs
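Review bot: the description "Read roles, privileges, permissions and ACIs" promises more than this patch delivers: only 'System: Read Permissions' and 'System: Read ACIs' are attached to RBAC Readers here, and nothing in the hunk grants read access to roles or privileges. Either the follow-up patches that add those read permissions should reference this privilege (then say so in the commit message), or the description should be narrowed until they land. Also, the new entry carries no `member` attribute, so nobody holds this privilege until an admin adds a user or group; combined with the `replaces_global_anonymous_aci` flags in the permission plugin hunk that means a fresh install has no reader of permissions except admins, which is worth spelling out.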
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f8428108398537fa09848c21f99ad8a0e33756..5a22acdb64b8024584a1f5db3e8bdafc1076f5aa 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
     # For use the complete object_class list, including 'top', so
     # the updater doesn't try to delete 'top' every time.
     object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+    permission_filter_objectclasses = ['ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
         'memberindirect', 'ipapermissiontype', 'objectclass',
         'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
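Review bot: `permission_filter_objectclasses = ['ipapermission']` intentionally omits 'ipapermissionv2' from the `object_class` list two lines above, so the filter also matches legacy (pre-v2) permission entries. Add a one-line comment saying this is deliberate, and that those legacy entries are the reason 'System: Read ACIs' exists, so the next reader does not "fix" it to the full list and silently hide old-style permissions from the managed read permission.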
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
         'memberindirect': ['role'],
     rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Permissions': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipapermissiontype',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'ipapermdefaultattr', 'ipapermincludedattr',
+                'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+                'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+                'member', 'memberof',
+            },
+            'default_privileges': {'RBAC Readers'},
+        },
+        'System: Read ACIs': {
+            # Readable ACIs are needed for reading legacy permissions.
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'aci'},
+            'default_privileges': {'RBAC Readers'},
+        },
+    }
     label = _('Permissions')
     label_singular = _('Permission')
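Review bot: 'System: Read ACIs' sets `'ipapermlocation': api.env.basedn` and `'ipapermdefaultattr': {'aci'}` with no target filter, so members of RBAC Readers can read every aci attribute under the suffix, not only the "permission:" ACIs that back legacy permissions. The cover mail raises exactly this choice (limiting to ACIs containing "permission:"); whichever scope is intended, the comment `# Readable ACIs are needed for reading legacy permissions.` should state it so the wide scope reads as a decision rather than an omission. Two smaller points on the same hunk: both entries set `'replaces_global_anonymous_aci': True`, which means the global anonymous read ACI no longer covers permission entries or the aci attribute once the update runs, and the commit message only mentions the ACI half of that; and 'System: Read Permissions' lists 'member' and 'memberof' in `ipapermdefaultattr`, which matches point 1 of the discussion (no separate membership permission) but contradicts the earlier "split into a separate permission" sentence quoted above, so a note in the commit message would keep the record straight.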

Freeipa-devel mailing list