On 07/04/2014 10:00 AM, Petr Spacek wrote:
> On 4.7.2014 09:34, Martin Kosek wrote:
>> The permission is required for DNS Administrators as realm domains
>> object is updated when a master zone is added.
>>
>> https://fedorahosted.org/freeipa/ticket/4423
> 
> I can't resist ;-)
> 
> NACK: Build failed.
> 
> --- existing ACI.txt
> +++ new result
> @@ -154,6 +154,8 @@
>  aci: (targetattr = "krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter =
> "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group
> Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group
> Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife ||
> krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration ||
> krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength ||
> objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl
> "permission:System: Read Group Password Policy";allow (compare,read,search)
> groupdn = "ldap:///cn=System: Read Group Password
> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> +dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
> +aci: (targetattr = "associateddomain")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: 
> Modify
> Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm
> Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>  dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
>  aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter =
> "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read
> Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
>  dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
> 
> Managed permission ACI validation failed.
> Re-check permission changes and run `makeaci`.
> ACI.txt validation failed

Oh, well - here is an updated patch.

Martin
From 93ac182eeadd4b933f85d44bc2a75855aeb0e8de Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 4 Jul 2014 09:32:08 +0200
Subject: [PATCH] Add Modify Realm Domains permission

The permission is required for DNS Administrators, as the realm domains
object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423
---
 ACI.txt                        | 2 ++
 ipalib/plugins/realmdomains.py | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 8e73c5c8541154e73c201994de828aa43c3777b1..bc82d644e6a3ca2fd24437b4b1bfa4534e955de5 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -154,6 +154,8 @@ dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=exa
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 08d3a6a7857766e1c1d6fc4225b5d3a605c9f869..c53340591bd0f0f02fcc9db3142b74197aff551b 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -79,6 +79,14 @@ class realmdomains(LDAPObject):
                 'objectclass', 'cn', 'associateddomain',
             },
         },
+        'System: Modify Realm Domains': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'associatedDomain',
+            },
+            'default_privileges': {'DNS Administrators'},
+        },
     }
 
     label = _('Realm Domains')
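Review bot: The new 'System: Modify Realm Domains' entry carries no comment explaining why 'DNS Administrators' receive write access to associatedDomain, so the next person auditing default privileges has to dig up the ticket to see that it exists only because a master zone add updates the realm domains object. I would add above the entry: `# DNS Administrators need this because adding a master DNS zone updates the realm domains object (ticket 4423).` Note that the grant is broader than that code path: with a write right and no further restriction visible in the hunk, members of the privilege can presumably also edit associatedDomain directly through realmdomains-mod, which is worth stating in the comment so the scope is a deliberate choice rather than an accident. The managed_permissions dict and the realmdomains class both begin outside this hunk.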
-- 
1.9.3
