The CLIs to manage vault owners and members have been modified to accept services with a new parameter. Due to name conflict, the existing 'service' parameter has been renamed to 'servicename'.
A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 -- Endi S. Dewata
From 9259bb2da81d323a15398c678bfc58e32434364a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <edew...@redhat.com> Date: Thu, 30 Jul 2015 23:20:34 +0200 Subject: [PATCH] Added CLI param and ACL for vault service operations. The CLIs to manage vault owners and members have been modified to accept services with a new parameter. Due to name conflict, the existing 'service' parameter has been renamed to 'servicename'. A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 --- API.txt | 40 ++++++++++++++++++--------------- VERSION | 4 ++-- install/share/vault.update | 1 + ipalib/plugins/vault.py | 56 ++++++++++++++++++++++++++++++++++------------ 4 files changed, 67 insertions(+), 34 deletions(-) diff --git a/API.txt b/API.txt index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..0e1525da26b3b0f850f338b7bf2a83b043c9d399 100644 --- a/API.txt +++ b/API.txt @@ -5407,7 +5407,7 @@ option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') @@ -5425,7 +5425,7 @@ option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5433,13 +5433,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: PrimaryKey('value', None, None) command: vault_add_member -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5448,13 +5449,14 @@ output: Output('completed', <type 'int'>, None) output: Output('failed', <type 'dict'>, None) output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_add_owner -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5471,7 +5473,7 @@ option: Str('in?') option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5484,7 +5486,7 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('nonce') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') @@ -5497,7 +5499,7 @@ command: vault_del args: 1,5,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5514,7 +5516,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) @@ -5537,7 +5539,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') @@ -5546,13 +5548,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: PrimaryKey('value', None, None) command: vault_remove_member -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5561,13 +5564,14 @@ output: Output('completed', <type 'int'>, None) output: Output('failed', <type 'dict'>, None) output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_remove_owner -args: 1,9,3 +args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('group*', alwaysask=True, cli_name='groups', csv=True) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('service*', alwaysask=True, cli_name='services', csv=True) +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('user*', alwaysask=True, cli_name='users', csv=True) option: Str('username?', cli_name='user') @@ -5585,7 +5589,7 @@ option: Str('password_file?', cli_name='password_file') option: Bytes('private_key?', cli_name='private_key') option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') @@ -5597,7 +5601,7 @@ args: 1,7,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') @@ -5612,7 +5616,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) -option: Str('service?') +option: Str('servicename?', cli_name='service') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 2b78af50bf1e811cbcd04f6c69b8d506c98fdedb..ada3a9b9ead98ef9610cff09cb2f57504c6353ea 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=147 -# Last change: mbasti - Consolidate DNS RR in API and schema +IPA_API_VERSION_MINOR=148 +# Last change: edewata - Added CLI param and ACL for vault service operations diff --git a/install/share/vault.update b/install/share/vault.update index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644 --- a/install/share/vault.update +++ b/install/share/vault.update @@ -8,6 +8,7 @@ default: objectClass: top default: objectClass: ipaVaultContainer default: cn: vaults default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 81197f9328c7ed890fa336f464bfcda475ac6189..9e54acac1ce3d7a8247f82511a955dc763a9513d 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -198,16 +198,20 @@ EXAMPLES: ipa vault-retrieve <name> --out data.bin --private-key-file private.pem """) + _(""" Add a vault owner: - ipa vault-add-owner <name> --users <usernames> + ipa vault-add-owner <name> [--users <usernames>] \ + [--groups <goupnames>] [--services <service names>] """) + _(""" Delete a vault owner: - ipa vault-remove-owner <name> --users <usernames> + ipa vault-remove-owner <name> [--users <usernames>] \ + [--groups <goupnames>] [--services <service names>] """) + _(""" Add a vault member: - ipa vault-add-member <name> --users <usernames> + ipa vault-add-member <name> [--users <usernames>] \ + [--groups <goupnames>] [--services <service names>] """) + _(""" Delete a vault member: - ipa vault-remove-member <name> --users <usernames> + ipa vault-remove-member <name> [--users <usernames>] \ + [--groups <goupnames>] [--services <service names>] """) register = Registry() @@ -215,7 +219,8 @@ register = Registry() vault_options = ( Str( - 'service?', + 'servicename?', + cli_name='service', doc=_('Service name of the service vault'), ), Flag( @@ -257,8 +262,8 @@ class vault(LDAPObject): 'ipavaulttype', ] attribute_members = { - 'owner': ['user', 'group'], - 'member': ['user', 'group'], + 'owner': ['user', 'group', 'service'], + 'member': ['user', 'group', 'service'], } label = _('Vaults') @@ -312,6 +317,11 @@ class vault(LDAPObject): label=_('Owner groups'), flags=['no_create', 'no_update', 'no_search'], ), + Str( + 'owner_service?', + label=_('Owner services'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -319,7 +329,7 @@ class vault(LDAPObject): Generates vault DN from parameters. """ - service = options.get('service') + service = options.get('servicename') shared = options.get('shared') user = options.get('username') @@ -662,6 +672,29 @@ class vault_add_internal(LDAPCreate): raise errors.InvocationError( format=_('KRA service is not enabled')) + parent_dn = DN(*dn[1:]) + + container_dn = DN(self.api.Object.vault.container_dn, + self.api.env.basedn) + + services_dn = DN(('cn', 'services'), container_dn) + users_dn = DN(('cn', 'users'), container_dn) + + if dn.endswith(services_dn): + # service container should be owned by the service + service = parent_dn[0]['cn'] + parent_owner_dn = self.api.Object.service.get_dn(service) + + elif dn.endswith(users_dn): + # user container should be owned by the user + user = parent_dn[0]['cn'] + parent_owner_dn = self.api.Object.user.get_dn(user) + + try: + self.obj.create_container(parent_dn, parent_owner_dn) + except errors.DuplicateEntry, e: + pass + principal = getattr(context, 'principal') (name, realm) = split_principal(principal) if '/' in name: @@ -669,12 +702,7 @@ class vault_add_internal(LDAPCreate): else: owner_dn = self.api.Object.user.get_dn(name) - try: - parent_dn = DN(*dn[1:]) - self.obj.create_container(parent_dn, owner_dn) - except errors.DuplicateEntry, e: - pass - + # vault should be owned by the creator entry_attrs['owner'] = owner_dn return dn -- 2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code