On 11.6.2015 at 16:17, Martin Kosek wrote:
On 06/11/2015 03:55 PM, David Kupka wrote:
On 11.6.2015 at 14:12, thierry bordaz wrote:
On 06/10/2015 02:14 PM, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5057
Hello David,

The patch looks ok except that it removes a permission to update 'uid' on
an active user. This permission is required to delete (preserve) an
active user.

     -        # Active container
     -        #
     -        # Stage user administrators need write right on RDN when
     -        # the active user is deleted (preserved)
     -        'System: Write Active Users RDN by administrators': {
     -            'ipapermlocation': DN(baseuser.active_container_dn,
     api.env.basedn),
     -            'ipapermbindruletype': 'permission',
     -            'ipapermtarget': DN('uid=*',
     baseuser.active_container_dn, api.env.basedn),
     -            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
     -            'ipapermright': {'write'},
     -            'ipapermdefaultattr': {'uid'},
     -            'default_privileges': {'Stage User Administrators'},
     -        },
     -        #

I prepared a new patch (attached) with that permission, and it makes
'user-del --preserve' happy.
Now I think the name should rather be something like: 'System: Preserve
an active user (user-del --preserve)'

I also added back this comment in two permissions: 'Note: targetfilter is
the target parent container'.
This was to say that the targetfilter setting was intentional.
If you think it is not the right place, you may remove those comments.

Thanks
thierry


Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
A rebase is needed, but it is only due to the change in VERSION, and it is useless to do it
before the push as there are too many patches going to master right now.
Martin, are you (as the reporter) OK with the patch?


Not entirely. I still see a weird permission in stageuser.py:

         #
         # Active container
         #
         # Stage user administrators need write right on RDN when
         # the active user is deleted (preserved)
         'System: Write Active Users RDN by administrators': {
             'ipapermlocation': DN(baseuser.active_container_dn, 
api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
             'ipapermright': {'write'},
             'ipapermdefaultattr': {'uid'},
             'default_privileges': {'Stage User Administrators'},
         },

This was supposed to be "System: Modify User RDN". When the name is also
fixed, I am fine.

Updated patch attached.


--
David Kupka
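The mismatch Martin points out above (a permission renamed in stageuser.py while the corresponding line in ACI.txt still carries the old acl name) is the kind of drift a mechanical cross-check catches before a reviewer has to. The script below is an added example written for this thread, not FreeIPA's own ACI.txt generator or test: it parses 389-ds ACI strings in the dn:/aci: layout ACI.txt uses and compares them with a constructed subset of a managed_permissions dict (DN() objects replaced by plain strings, the bind-rule and privilege keys omitted). The two ACI lines embedded in it are copied from the patch in this thread; everything else is illustrative.

```python
"""Added example for this thread, not FreeIPA code: cross-check a plugin's
managed_permissions against the ACI strings recorded in ACI.txt."""
import json
import re
from collections import namedtuple

# Constructed subset of ipalib/plugins/stageuser.py's managed_permissions, with
# DN() objects replaced by plain strings and bind-rule/privilege keys left out.
BASEDN = "dc=ipa,dc=example"
ACTIVE_DN = "cn=users,cn=accounts," + BASEDN
DELETED_DN = "cn=deleted users,cn=accounts,cn=provisioning," + BASEDN

MANAGED_PERMISSIONS = {
    "System: Modify User RDN": {          # the name the patch introduces
        "ipapermlocation": ACTIVE_DN,
        "ipapermtarget": "uid=*," + ACTIVE_DN,
        "ipapermtargetfilter": {"(objectclass=posixaccount)"},
        "ipapermright": {"write"},
        "ipapermdefaultattr": {"uid"},
    },
    "System: Read Preserved Users": {
        "ipapermlocation": DELETED_DN,
        "ipapermtarget": "uid=*," + DELETED_DN,
        "ipapermtargetfilter": {"(objectclass=posixaccount)"},
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"*"},
    },
}

# Two dn:/aci: pairs copied from the ACI.txt hunk in this thread; the second
# still carries the pre-rename acl name.
ACI_TXT = """\
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
"""

Aci = namedtuple("Aci", "name dn target targetattr targetfilter rights")
_TARGETATTR = re.compile(r'\(targetattr = "([^"]*)"\)')
_TARGET = re.compile(r'\(target = "ldap:///([^"]*)"')   # does not match targetattr/targetfilter/target_to
_FILTER = re.compile(r'\(targetfilter = "([^"]*)"\)')
_ACL = re.compile(r'acl "permission:([^"]*)";allow \(([^)]*)\)')


def parse_aci_txt(text):
    """Parse 'dn:'/'aci:' line pairs into Aci records keyed by permission name."""
    acis, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("aci: "):
            aci = line[5:]
            acl = _ACL.search(aci)
            if acl is None:
                raise ValueError("not a permission ACI: " + aci)
            ta, tg, tf = _TARGETATTR.search(aci), _TARGET.search(aci), _FILTER.search(aci)
            acis[acl.group(1)] = Aci(
                name=acl.group(1),
                dn=dn,
                target=tg.group(1) if tg else None,
                # the directory server lowercases attribute names in ACI.txt;
                # compare case-insensitively against the plugin's CamelCase
                targetattr=frozenset(a.strip().lower() for a in ta.group(1).split("||")) if ta else frozenset(),
                targetfilter=tf.group(1) if tf else None,
                rights=frozenset(r.strip() for r in acl.group(2).split(",")),
            )
    return acis


def _fields_from_plugin(perm):
    """Reduce a managed_permissions entry to the fields an ACI line records."""
    filters = perm.get("ipapermtargetfilter", set())
    return (perm["ipapermlocation"], perm.get("ipapermtarget"),
            next(iter(filters)) if filters else None,
            frozenset(a.lower() for a in perm.get("ipapermdefaultattr", set())),
            frozenset(perm["ipapermright"]))


def _fields_from_aci(aci):
    return (aci.dn, aci.target, aci.targetfilter, aci.targetattr, aci.rights)


def check(managed, aci_text):
    """Report permissions missing from ACI.txt, stale ACIs, field mismatches and likely renames."""
    acis = parse_aci_txt(aci_text)
    defined, rendered = set(managed), set(acis)
    report = {"missing": sorted(defined - rendered), "stale": sorted(rendered - defined),
              "mismatched": {}, "renames": {}}
    for name in defined & rendered:
        want, have = _fields_from_plugin(managed[name]), _fields_from_aci(acis[name])
        if want != have:
            report["mismatched"][name] = {"plugin": want, "aci": have}
    # A stale ACI that equals a missing definition field for field is a rename
    # for which ACI.txt was not regenerated.
    for old in report["stale"]:
        for new in report["missing"]:
            if _fields_from_aci(acis[old]) == _fields_from_plugin(managed[new]):
                report["renames"][old] = new
    return report


if __name__ == "__main__":
    print(json.dumps(check(MANAGED_PERMISSIONS, ACI_TXT), indent=2, default=sorted))
```

Run against the two embedded lines it reports 'System: Modify User RDN' as missing, 'System: Write Active Users RDN by administrators' as stale, and pairs the two as a rename because location, target, filter, attributes and rights are identical; 'System: Read Preserved Users' matches its ACI field for field. The rename pairing is what makes the report actionable: a stale name with no field-for-field twin is a dropped permission, which is a different conversation.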
From d4d7ee1c2c2e6ca88afa676d338cca4d80b8b379 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbor...@redhat.com>
Date: Thu, 11 Jun 2015 13:18:27 +0200
Subject: [PATCH] Stage User: Fix permissions naming and split them where
 appropriate.

---
 ACI.txt                     | 26 +++++++-------
 VERSION                     |  4 +--
 ipalib/plugins/stageuser.py | 82 ++++++++++++++++++++++-----------------------
 3 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 60e9ebb10bc9b7266ff0d42a05d4d165d4ed2d55..08fc05ebc202a64b0e1584303c8dda5b5a1aa074 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -247,25 +247,27 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User kerberos principal key and password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users by administrators";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read/Write delete Users by administrators";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Read/Write delete Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset userPassord and kerberos keys of delete users by administrator";allow (read,search,write) groupdn = "ldap:///cn=System: Reset userPassord and kerberos keys of delete users by administrator,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Delete Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Delete Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
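Review bot: this ACI.txt hunk is out of step with the rename in ipalib/plugins/stageuser.py: the unchanged context line under dn: cn=users,cn=accounts still reads acl "permission:System: Write Active Users RDN by administrators" while the plugin hunk renames that permission to 'System: Modify User RDN', so the ACI.txt consistency check will fail until ACI.txt is regenerated from the plugin. Two smaller points in the same hunk: the cn=deleted users entries are now interleaved with the cn=staged users ones instead of grouped, which regeneration will also settle; and 'System: Read Stage User password' still grants compare/read/search on krbprincipalkey as well as userpassword, so the new name undersells what it exposes (the old name listed both).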
diff --git a/VERSION b/VERSION
index 897c34e72a88867812d5335bc1b1b00260ac5361..0ac49042dabee5f4f0bb7acea88e3b691877b664 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=130
-# Last change: pvoborni - disallow mod of topologysegment nodes
+IPA_API_VERSION_MINOR=131
+# dkupka: User life cycle permissions naming and split
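Review bot: the replacement comment drops the convention visible on the line it replaces: '# Last change: pvoborni - disallow mod of topologysegment nodes' becomes '# dkupka: User life cycle permissions naming and split'. Keep the '# Last change: <author> - <summary>' form, and credit the right author: the patch's From: is Thierry Bordaz. As David says above, this bump is also where the rebase conflict will be, so leave it until just before push.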
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index c8c92f41b62c4db9a5cf8c625ff6b0c35664ec5e..18e09e957158bd53bdb8d295a8bf91a823e16ca7 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -112,12 +112,11 @@ class stageuser(baseuser):
     object_name               = _('stage user')
     object_name_plural        = _('stage users')
     managed_permissions       = {
-          #
-          # Stage container
-          #
-          # Stage user provisioning and Stage user Administrators,
-          # allowed to create stage users
-        'System: Add Stage Users by Provisioning and Administrators': {
+        #
+        # Stage container
+        #
+        # Allowed to create stage user
+        'System: Add Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
@@ -126,33 +125,40 @@ class stageuser(baseuser):
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
         },
-          # Stage user administrators allowed to read kerberos/password
-          # when the user is activated (to copy them in the active entry)
-         'System: Read Stage User kerberos principal key and password': {
+        # Allow to read kerberos/password
+        'System: Read Stage User password': {
+           'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+           'ipapermbindruletype': 'permission',
+           'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+           'ipapermtargetfilter': {'(objectclass=*)'},
+           'ipapermright': {'read', 'search', 'compare'},
+           'ipapermdefaultattr': {
+               'userPassword', 'krbPrincipalKey',
+           },
+           'default_privileges': {'Stage User Administrators'},
+        },
+        # Allow to update stage user
+        'System: Modify Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=*)'},
-            'ipapermright': {'read', 'search', 'compare'},
-            'ipapermdefaultattr': {
-                'userPassword', 'krbPrincipalKey',
-            },
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allowed to delete stage users and
-        # to update them
-        'System: Delete modify Stage Users by administrators': {
+        # Allow to delete stage user
+        'System: Remove Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=*)'},
-            'ipapermright': {'delete','write'},
+            'ipapermright': {'delete'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allowed to read any attributes
-        # of stage users
-        'System: Read Stage Users by administrators': {
+        # Allow to read any attributes of stage users
+        'System: Read Stage Users': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
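Review bot: the new 'System: Read Stage User password' block is indented one column short (11 spaces from 'ipapermlocation' through 'default_privileges') while every other entry in the dict uses 12; align it. The rewrite also drops the only sentence that explained why an administrator needs read access to a stage user's krbPrincipalKey and userPassword ("when the user is activated (to copy them in the active entry)"); keep that rationale in the comment, and since the attribute list includes krbPrincipalKey consider a name that says so, as the old one did. Minor: the new comments 'Allow to read ...', 'Allow to update ...', 'Allow to delete ...' read better as 'Allows reading ...' or simply 'Read stage user credentials'.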
@@ -162,36 +168,30 @@ class stageuser(baseuser):
             'default_privileges': {'Stage User Administrators'},
         },
         #
-        # Delete container
+        # Preserve container
         #
-        # Stage user administrator allow to read all attributes (when delete
-        # an active user with preserve flag)
-        # We also need to reset some of the attributes syntax DN/credential
-        # so allowed write on all the attributes
-        'System: Read/Write delete Users by administrators': {
+        # Allow to read Preserved User
+        'System: Read Preserved Users': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
-            'ipapermright': {'read', 'search', 'compare', 'write'},
+            'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        #
-        # Stage user administrator allows to write the RDN
-        # when the delete user is undeleted
-        'System: Write Delete Users RDN by administrators': {
+        # Allow to update Preserved User
+        'System: Modify Preserved Users': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
             'ipapermright': {'write'},
-            'ipapermdefaultattr': {'uid'},
+            'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allows to reset kerberos/password
-        # when a deleted user is preserved
-        'System: Reset userPassord and kerberos keys of delete users by administrator': {
+        # Allow to reset Preserved User password
+        'System: Reset Preserved User password': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
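Review bot: naming within this container is inconsistent: 'System: Read Preserved Users' and 'System: Modify Preserved Users' are plural while 'System: Reset Preserved User password' and the stage-container names 'Add Stage User', 'Modify Stage User', 'Remove Stage User' are singular; pick one form (the existing pattern is singular for per-entry add/modify/remove and plural only for read, as in 'System: Read Stage Users'). The old 'Read/Write delete Users' comment also explained why write is granted on '*' rather than uid alone ("We also need to reset some of the attributes syntax DN/credential"); now that the uid-only RDN entry becomes 'Modify Preserved Users' with ipapermdefaultattr '*', absorbing the write half of the old permission, that reason should survive in the comment. With write on '*' there, the separate 'Reset Preserved User password' entry only matters for delegating the credential reset on its own to a different privilege, which is reasonable but worth stating in the commit message.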
@@ -207,7 +207,7 @@ class stageuser(baseuser):
         #
         # Stage user administrators need write right on RDN when
         # the active user is deleted (preserved)
-        'System: Write Active Users RDN by administrators': {
+        'System: Modify User RDN': {
             'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
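Review bot: the comment above 'System: Modify User RDN' still reads in the old "Stage user administrators need write right on RDN when the active user is deleted (preserved)" form while every other comment in this patch was rewritten to the 'Allow to ...' form; reword it the same way and name the operation, e.g. "Allow to write the RDN of an active user (needed by user-del --preserve)", since the new name no longer mentions preservation and a reader will otherwise wonder why a write-on-uid permission lives in the stage user plugin.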
@@ -219,10 +219,9 @@ class stageuser(baseuser):
         #
         # Cross containers autorization
         #
-        # Stage user administrators need a moddn right when preserving
-        # a delete user.
+        # Allow to move active user to preserve container (user-del --preserve)
         # Note: targetfilter is the target parent container
-        'System: Preserve an active user to a delete Users': {
+        'System: Preserve User': {
             'ipapermlocation': DN(api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
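Review bot: the comment says "move active user to preserve container" and the section header two hunks up was renamed to "Preserve container", but the code still reaches that container through baseuser.delete_container_dn (and the moddn targets below point at cn=deleted users). Either rename the attribute to match, or write "delete (preserve) container" once in the header comment so readers can map the user-facing term to the identifier; as it stands the same container has two names within one file.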
@@ -231,10 +230,9 @@ class stageuser(baseuser):
             'ipapermright': {'moddn'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrators need a moddn right when undelete
-        # a delete user.
+        # Allow to move preserved user to active container (user-undel)
         # Note: targetfilter is the target parent container
-        'System: Reactive delete users': {
+        'System: Undelete User': {
             'ipapermlocation': DN(api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
-- 
2.4.2

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
