On 06/18/2014 05:46 PM, Martin Kosek wrote:
On 06/11/2014 06:39 PM, Petr Viktorin wrote:
Patch 0578 does the conversion
Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
permissions needed for automatic enrollment (from
http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)
1) Inconsistent casing in permission names:
System: Add Hosts
System: Add krbPrincipalName to a host
System: Enroll a host
System: Manage Host SSH Public Keys
System: Manage host keytab
System: Modify Hosts
System: Remove Hosts
Fixed
2) This ACI does not look right, missing enrolledby:
+ 'System: Enroll a host': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'objectclass'},
When I fixed 2) via permission-mod, client enrollment with user with "Host
Administrators" privilege worked fine.
Added
3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
No such virtual command" error triggered by "cert-show" command.
Virtual operations seem to be quite a can of worms.
I've sent a separate reply for these.
We will need to add the permission "System: Read Virtual Operations" that Honza
is creating also to "Host Administrators" to fix that part.
4) I ran unit tests and few missing attributes:
- update hosts ACI should get "macaddress" attribute
Added
5) I hit one nasty issue when running the unit tests (when my master stopped
working as host account was deleted) - host_is_master function in baseldap no
longer works as we hid cn=masters from regular users:
def host_is_master(ldap, fqdn):
"""
Check to see if this host is a master.
Raises an exception if a master, otherwise returns nothing.
"""
master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn',
'etc'), api. env.basedn)
try:
ldap.get_entry(master_dn, ['objectclass'])
raise errors.ValidationError(name='hostname', error=_('An IPA master
host cannot be deleted or disabled'))
except errors.NotFound:
# Good, not a master
return
This means, that host-del on a master machine or service-del on master service
happily passes.
We need to make sure this functionality is still working after the permission
refactoring. Should we reconsider the cn=masters tree and allow authenticated
users see the list of IPA servers (without digging into any other detail like
services) then?
Nasty indeed, thanks for the catch!
Sent as patch 0590, since it's a different issue than converting the
host permissions.
--
PetrĀ³
From 3d64f29fd8151f9cc9f5475a59ee5350df4749fc Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 30 May 2014 18:35:31 +0200
Subject: [PATCH] Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
ACI.txt | 14 ++++++
install/share/delegation.ldif | 82 ------------------------------------
install/updates/40-delegation.update | 29 +------------
ipalib/plugins/host.py | 66 +++++++++++++++++++++++++++++
4 files changed, 81 insertions(+), 110 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index cd19fb90fdd0ac1947393aabfd667e46a6f015fc..72036f1612806478a1776b6e8660023d230b631b 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -38,10 +38,24 @@ dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";;)
dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add Hosts";allow (add) groupdn = "ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";;)
dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";;)
dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 2c712bfc174b3151a5bf69e37ebfe58f2fff96f4..94f2e804bdf1dce687c66a9c5e2ee5073b96ccac 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -167,40 +167,6 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
cn: Modify Group membership
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-# Host administration
-
-dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Add Hosts
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Remove Hosts
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Modify Hosts
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Manage Host SSH Public Keys
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-
# Hostgroup administration
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
@@ -387,17 +353,6 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
cn: Modify netgroup membership
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
-# Keytab access
-
-dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Manage host keytab
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
-
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
@@ -411,15 +366,6 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
# The permission and aci for this is in install/updates/dns.ldif
-dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Enroll a host
-member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
-
# Replica administration
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
@@ -474,16 +420,6 @@ dn: $SUFFIX
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
-# Host administration
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
-
# Hostgroup administration
dn: $SUFFIX
@@ -536,13 +472,6 @@ dn: $SUFFIX
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX";)(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX";)(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
-# Host keytab admin
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
-
# Service keytab admin
dn: $SUFFIX
@@ -550,17 +479,6 @@ dn: $SUFFIX
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
-# Add the ACI needed to do host enrollment. When this occurs we
-# set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join. enrolledBy is specifically
-# not listed here, it is set by the plugin but we don't want an
-# admin overriding it using --setattr or ldapmodify.
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
-
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.
dn: cn=virtual operations,cn=etc,$SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 889f3a1f637e77d59d635d9b256c005d21815257..fdbed5ba5416cc5ada449801e049e050540730a1 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -170,28 +170,9 @@ dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
default:cn: Password Policy Administrator
default:description: Password Policy Administrator
-# Allow an admin to enroll a host that has a one-time password.
-# When a host is created with a password no krbPrincipalName is set.
-# This will let it be added if the client ends up enrolling with
-# an administrator instead.
-dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Add krbPrincipalName to a host
-default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-default:member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)'
-
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
-# Don't allow admins to update enrolledBy
-dn: $SUFFIX
-replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)'
-
# The original DNS permissions lacked the tag.
dn: $SUFFIX
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -257,16 +238,7 @@ dn: $SUFFIX
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX";)(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
-dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Manage Host SSH Public Keys
-default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-
dn: $SUFFIX
-add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
-
# Don't allow the default 'manage group membership' to be able to manage the
# admins group
replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
@@ -283,6 +255,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
+
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 062db8fbb9ce3890cc522c9e14a62867cab892db..d3911036f592148100d5583ef14057862eeee099 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -290,6 +290,72 @@ class host(LDAPObject):
'memberof',
},
},
+ 'System: Add Hosts': {
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Add krbPrincipalName to a Host': {
+ # Allow an admin to enroll a host that has a one-time password.
+ # When a host is created with a password no krbPrincipalName is set.
+ # This will let it be added if the client ends up enrolling with
+ # an administrator instead.
+ 'ipapermright': {'write'},
+ 'ipapermtargetfilter': [
+ '(objectclass=ipahost)',
+ '(!(krbprincipalname=*))',
+ ],
+ 'ipapermdefaultattr': {'krbprincipalname'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Enroll a Host': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'objectclass', 'enrolledby'},
+ 'replaces': [
+ '(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Manage Host SSH Public Keys': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'ipasshpubkey'},
+ 'replaces': [
+ '(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Manage Host Keytab': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+ 'replaces': [
+ '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Modify Hosts': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'description', 'l', 'nshardwareplatform', 'nshostlocation',
+ 'nsosversion', 'macaddress',
+ },
+ 'replaces': [
+ '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Remove Hosts': {
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
}
label = _('Hosts')
--
1.9.0
From 919c1e66e12aba41cfcbe937dcdd98e7f4e09db9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 13:54:54 +0200
Subject: [PATCH] host permissions: Allow writing attributes needed for
automatic enrollment
- userclass
added to existing Modify hosts permission
- usercertificate, userpassword
added to a new permissions
https://fedorahosted.org/freeipa/ticket/4252
---
ACI.txt | 6 +++++-
ipalib/plugins/host.py | 14 +++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 72036f1612806478a1776b6e8660023d230b631b..1cdb297da048c9042aab5bca2c43bf6e0adf1cd5 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -48,8 +48,12 @@ dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Manage host certificates,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage host certificates";allow (write) groupdn = "ldap:///cn=System: Manage host certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Manage host enrollment password,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage host enrollment password";allow (write) groupdn = "ldap:///cn=System: Manage host enrollment password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";;)
dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index d3911036f592148100d5583ef14057862eeee099..031bbb36aa2713a311843b9ade84a0509bae346d 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -342,7 +342,7 @@ class host(LDAPObject):
'ipapermright': {'write'},
'ipapermdefaultattr': {
'description', 'l', 'nshardwareplatform', 'nshostlocation',
- 'nsosversion', 'macaddress',
+ 'nsosversion', 'macaddress', 'userclass',
},
'replaces': [
'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -356,6 +356,18 @@ class host(LDAPObject):
],
'default_privileges': {'Host Administrators'},
},
+ 'System: Manage host certificates': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'usercertificate'},
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Manage host enrollment password': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'userpassword'},
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
}
label = _('Hosts')
--
1.9.0
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
