This adds managed read permissions to cn=etc. Since these permissions
are not bound to objects, the first patch adds support for such
non-object permissions; they are defined in the update plugin.
The second patch adds permissions for various subtrees/entries in
cn=etc, according to the [discussion thread].
I wonder if we should limit the attributes in cn=replication; are all
nsds5replica attrs needed?
For cn=ad,cn=etc I put the permission in cn=etc and used a target, since
cn=ad is not present by default.
[discussion thread]:
http://www.redhat.com/archives/freeipa-devel/2014-April/msg00250.html
--
Petr³
From ed223228c277028f62de6dd7c01e752a99cb6cb2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Thu, 27 Mar 2014 15:36:54 +0100
Subject: [PATCH] Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.
A dict is added to hold templates for the non-plugin permissions.
---
ipaserver/install/plugins/update_managed_permissions.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 3bba1f06e75fc2a0e57bce682827992e31f27708..438767f1c5c81709d5bd6efc875264c269ce0a6c 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -34,6 +34,9 @@
},
}
+For permissions not tied to an object plugin, a NONOBJECT_PERMISSIONS
+dict of the same format is defined in this module.
+
The permission name must start with the "System:" prefix.
The template dictionary can have the following keys:
@@ -41,8 +44,8 @@
- Directly used as attributes on the permission.
- Replaced when upgrading an existing permission
- If not specified, these default to the defaults of a permission of the
- corresponding --type, or (if non_object is specified) to general permission
- defaults.
+ corresponding --type, or, if non_object is specified, or if not on an
+ object, to general permission defaults .
- ipapermlocation and ipapermtarget must be DNs
- ipapermtargetfilter and objectclass must be iterables of strings
* ipapermbindruletype
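Review bot: The reworded sentence on the two added lines reads awkwardly ("or, if non_object is specified, or if not on an object") and ends with a stray space before the period. Suggested wording for those two lines: `corresponding --type, or to general permission defaults if non_object is` / `specified or the permission is not tied to an object.` The docstring continues outside the hunk.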
@@ -77,6 +80,8 @@
register = Registry()
+NONOBJECT_PERMISSIONS = {}
+
@register()
class update_managed_permissions(PostUpdate):
@@ -123,6 +128,11 @@ def execute(self, **options):
template,
anonymous_read_blacklist)
+ self.log.info('Updating non-object managed permissions')
+ for name, template in NONOBJECT_PERMISSIONS.iteritems():
+ self.update_permission(ldap, None, unicode(name), template,
+ anonymous_read_blacklist)
+
return False, False, ()
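Review bot: The added loop iterates `NONOBJECT_PERMISSIONS.iteritems()` directly, so the order in which non-object permissions are created or upgraded depends on dict hashing and varies between runs, which makes upgrade logs and failure reproduction harder to compare. Iterating `sorted(NONOBJECT_PERMISSIONS.iteritems())` would make the update order deterministic at no cost. The call passes `None` as `obj`; from this hunk it is not visible that `update_permission` handles a missing object when computing `--type` defaults, so that path is worth confirming (its definition starts on the last context line and continues outside the hunk). The body of `execute` also begins outside the hunk.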
def update_permission(self, ldap, obj, name, template,
--
1.9.0
From f40bcb3da0c07dc94627fbb66b135203785c00e2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
install/updates/40-delegation.update | 7 ++
.../install/plugins/update_managed_permissions.py | 79 +++++++++++++++++++++-
2 files changed, 84 insertions(+), 2 deletions(-)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 69061ca3df0cde8f66816e2f2f09aa15405a369e..49bb76277c44c0c4cae27839a45c6b4fc7b4f386 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -422,3 +422,10 @@ dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:cn: Automember Readers
default:description: Read Automember definitions
+
+dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: IPA Masters Readers
+default:description: Read list of IPA masters
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 438767f1c5c81709d5bd6efc875264c269ce0a6c..bffd9bbf434e76c9c6d74d0167a718acc96a54b1 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -68,7 +68,7 @@
No other keys are allowed in the template
"""
-from ipalib import errors
+from ipalib import api, errors
from ipapython.dn import DN
from ipalib.plugable import Registry
from ipalib.plugins import aci
@@ -80,7 +80,82 @@
register = Registry()
-NONOBJECT_PERMISSIONS = {}
+NONOBJECT_PERMISSIONS = {
+ 'System: Read IPA Masters': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'ipaconfigstring',
+ },
+ 'default_privileges': {'IPA Masters Readers'},
+ },
+ 'System: Read DNA Configuration': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=dnasharedconfig)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'dnaHostname', 'dnaPortNum',
+ 'dnaSecurePortNum', 'dnaRemoteBindMethod', 'dnaRemoteConnProtocol',
+ 'dnaRemainingValues',
+ },
+ },
+ 'System: Read CA Renewal Information': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=pkiuser)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'usercertificate',
+ },
+ },
+ 'System: Read CA Certificate': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=pkica)'},
+ 'ipapermbindruletype': 'anonymous',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'cacertificate', 'certificaterevocationlist',
+ 'authorityrevocationlist', 'crosscertificatepair',
+ },
+ },
+ 'System: Read Replication Information': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nsds5replica)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'nsds5replicaroot', 'nsds5replicaid',
+ 'nsds5replicacleanruv', 'nsds5replicaabortcleanruv',
+ 'nsds5replicatype', 'nsds5replicabinddn', 'nsstate',
+ 'nsds5replicaname', 'nsds5flags', 'nsds5task',
+ 'nsds5replicareferral', 'nsds5replicaautoreferral',
+ 'nsds5replicapurgedelay', 'nsds5replicatombstonepurgeinterval',
+ 'nsds5replicachangecount', 'nsds5replicalegacyconsumer',
+ 'nsds5replicaprotocoltimeout', 'nsds5replicabackoffmin',
+ 'nsds5replicabackoffmax',
+ },
+ },
+ 'System: Read AD Domains': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=etc', api.env.basedn),
+ 'ipapermtarget': DN('cn=ad,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=ipantdomainattrs)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'ipantsecurityidentifier', 'ipantflatname',
+ 'ipantdomainguid', 'ipantfallbackprimarygroup',
+ },
+ },
+}
@register()
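Review bot: The 'System: Read Replication Information' template grants every authenticated user read access to `nsds5replicabinddn` and to the task-style attributes `nsds5replicacleanruv`, `nsds5replicaabortcleanruv` and `nsds5task`; the cover letter already questions whether all nsds5replica attributes are needed, and a narrower default set limited to the attributes clients actually consult would reduce what an authenticated-but-unprivileged account learns about the replication topology and its bind identities. Separately, the DNA template lists attributes in mixed case (`dnaHostname`, `dnaPortNum`, ...) while every other template uses lowercase; LDAP treats the names case-insensitively, but if `update_permission` compares attribute sets as plain strings the mismatch could cause spurious upgrades, so normalizing to lowercase keeps the templates consistent. The `DN(..., api.env.basedn)` values are computed at import time, which presumably relies on `api` being bootstrapped before this plugin module is imported — worth confirming, since a missing `basedn` would fail at import rather than in `execute`. The 'System: Read AD Domains' entry deliberately anchors `ipapermlocation` at cn=etc with a cn=ad target because cn=ad is absent by default; a one-line comment above that template stating this, e.g. `# cn=ad is not present by default, so anchor at cn=etc and target the subtree`, would save the next maintainer from "fixing" it.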
--
1.9.0