I've noticed tests failing because the admin has no access to automember tasks.

This is because automember task admins lack read access to the task entries under cn=tasks,cn=config, and when the code cannot find a task entry it assumes the task has already completed (a missing entry and a finished task are indistinguishable to the caller).


This adds the read permission both to the admins group, and to those with the 'Automember Task Administrator' privilege.

--
Petr³
From bc42d99567d5e4690fe41ef0068b5d957b410639 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 30 May 2014 14:03:13 +0200
Subject: [PATCH] Add read permissions for automember tasks

Permission to read all tasks is given to high-level admins (the admins group).
A managed permission for automember tasks is given to automember task admins.
`targetattr="*"` is used because task entries are extensibleObject and carry
attributes that aren't in the schema.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update |  3 +++
 ipalib/plugins/automember.py  | 21 ++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 34cba4cc82454bed3ff7bd523a0356d7dfdd42b7..6af800111f30d26d37ceb0849f8730a3e15dad0b 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -47,6 +47,9 @@ dn: $SUFFIX
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
 
+dn: cn=tasks,cn=config
+add:aci:'(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
+
 # Removal of obsolete ACIs
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
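Review bot: The new ACI on `cn=tasks,cn=config` grants cn=admins read, search and compare with `targetattr="*"` on every entry in the tasks subtree, whereas the managed permission added in automember.py is narrowed to the automember rebuild container; the commit message says the wider grant is deliberate, but it also exposes the parameters and logs of any other task type stored there (export/import or fixup tasks, if present) to the admins group. If only automember tasks need to be readable for this fix, a target clause `(target="ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")` keeps both grants consistent and a later permission can widen it when needed. Either way, the reason for the wildcard attribute list lives only in the commit message; a comment above the ACI in the update file, `# targetattr="*": task entries are extensibleObject with attributes not in the schema`, would keep the rationale next to the rule.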
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index 3166c69589c398392d912743824b28540f6e321b..143c6a80c4544ba19652db91e24a5be97d7c8714 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -131,6 +131,11 @@
 INCLUDE_RE = 'automemberinclusiveregex'
 EXCLUDE_RE = 'automemberexclusiveregex'
 
+REBUILD_TASK_CONTAINER = DN(('cn', 'automember rebuild membership'),
+                            ('cn', 'tasks'),
+                            ('cn', 'config'))
+
+
 regex_attrs = (
     Str('automemberinclusiveregex*',
         cli_name='inclusive_regex',
@@ -215,6 +220,16 @@ class automember(LDAPObject):
             'default_privileges': {'Automember Readers',
                                    'Automember Task Administrator'},
         },
+        'System: Read Automember Tasks': {
+            'non_object': True,
+            'ipapermlocation': DN('cn=tasks', 'cn=config'),
+            'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'Automember Task Administrator'},
+        },
     }
 
     label = _('Auto Membership Rule')
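Review bot: `'replaces_global_anonymous_aci': True` on the new 'System: Read Automember Tasks' permission looks out of place: the global anonymous read ACI is attached to the suffix, while this permission's `ipapermlocation` is `cn=tasks,cn=config`, which that ACI never covered, so there is nothing here for it to replace. If the managed-permission updater uses this flag to preserve prior access by switching the bind rule on upgraded servers (I cannot see the updater from here), the flag could grant anonymous read of automember task entries instead of the intended `'ipapermbindruletype': 'permission'`. Dropping that line and keeping the 'permission' bind type matches the stated intent of limiting reads to the 'Automember Task Administrator' privilege. The `automember` class and its `managed_permissions` dict start outside the hunk.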
@@ -732,11 +747,7 @@ def execute(self, *keys, **options):
         else:
             search_filter = '(%s=*)' % obj.primary_key.name
 
-        task_dn = DN(
-            ('cn', cn),
-            ('cn', 'automember rebuild membership'),
-            ('cn', 'tasks'),
-            ('cn', 'config'))
+        task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER)
 
         entry = ldap.make_entry(
             task_dn,
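Review bot: The polling logic this `task_dn` feeds — which, per the cover letter, treats a task entry it cannot find as already finished — is left unchanged by this commit and sits outside the hunk, so the fail-open behaviour remains: a caller without read access to the task container, or a task entry that disappears before it is observed, is still reported as complete. The read grants added elsewhere in the patch remove the symptom for admins and automember task administrators but not the underlying assumption. Consider having that loop distinguish "entry not found" from a terminal task status (raise a clear error or surface an explicit "status unavailable" result), and marking the assumption where the task is looked up with `# NOTE: NotFound means the entry is unreadable or gone, not necessarily that the task completed`. `execute` starts and ends outside the hunk.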
-- 
1.9.0
