On 9.9.2015 18:39, Petr Vobornik wrote:
On 09/09/2015 10:52 AM, Jan Cholasta wrote:
On 8.9.2015 23:06, Petr Vobornik wrote:
On 09/03/2015 03:18 PM, Jan Cholasta wrote:
On 2.9.2015 07:26, Endi Sukma Dewata wrote:
On 9/1/2015 10:22 AM, Simo Sorce wrote:
On Tue, 2015-09-01 at 17:15 +0200, Petr Vobornik wrote:
On 09/01/2015 04:39 PM, Jan Cholasta wrote:
On 1.9.2015 16:26, Jan Cholasta wrote:
On 26.8.2015 13:22, Petr Vobornik wrote:
On 08/25/2015 08:04 PM, Petr Vobornik wrote:
adds commands:
* vaultcontainer-show [--service <service>|--user <user> ]
* vaultcontainer-add-owner
       [--service <service>|--user <user> ]
       [--users <users>]  [--groups <groups>] [--services
<services>]
* vaultcontainer-remove-owner
       [--service <service>|--user <user> ]
       [--users <users>]  [--groups <groups>] [--services
<services>]

https://fedorahosted.org/freeipa/ticket/5250

Use cases:
1. When user/service is deleted, associated vault container
looses
owner. There was no API command to set the owner.
2. Change owner of container by admin to manage access.

Show command was added to show current owners.

Find command was not added, should it be?



There is also a design for vault container ownership handling
created by
Endi - it's for future Vault 2.0.

http://www.freeipa.org/page/V4/Password_Vault_2.0#Adding_container_owner






This patch has a different API than the proposed - different
way of
specifying the container. The design page uses path e.g.
/users/foobar.
This patch uses the same way as vaults e.g. --user=foobar. This
means
that the implementation in this patch cannot manage ownership of
parent
vault containers e.g. cn=users,cn=vaults,cn=kra,$SUFFIX.

Do we want to go with this approach in 4.2?

Attaching also new path which removes setting of owner which
doesn't
exist so that integrity is OK and that it is consistent with
removing of
user.

Updated patch attached - output fix.

We had a long discussion about this with Petr and we think the
best
approach is as follows:

    * Add new "Vault administrators" privilege. Vault
administrators will
have unrestricted access to vaults and vault containers, including
the
power to add/remove owners of vaults and vault containers.

    * Remove the ability of vault owners to add/remove other vault
owners. If vault owner needs to be changed, vault administrator
has to
do it. Note that vault owners will still have the ability to
add/remove
vault members.

    * When adding new vault container, set owner to the current
user. If
vault container owner needs to be changed, vault administrator has
to do
it.

    * Allow adding vaults and vault containers only if the
owner is
set
to the current user.

    * Introduce commands to modify vault container owner and to
delete
vault container, so the administrator has a choice between
assigning
ownership or deleting an unowned container.

Also:

    * Control access to vault data using an ipaProtectedOperation
ACI.
Users which have read access to "ipaProtectedOperation;accessKRA"
on a
vault can retrieve data from the vault and users which have write
access
to "ipaProtectedOperation;accessKRA" on a vault can archive data in
the
vault.

Honza


+1

CCing Simo and Endi to check the proposal.

And Scott (related to #5216, #5215)

Sounds reasonable to me.
I can see that allowing owners to hand over vaults w/o admin
intervention may have some appeal in some use cases, but I also
see it
can bring downsides with it, so all in all I think I agree with the
above points.

Simo.


Not a total objection, but if many people in unrelated groups are
using
vaults, and they are sharing the vaults only with members of each
group,
having to ask a Vault Administrator for each ownership change sounds a
bit cumbersome. Since the Vault Adminstrator will have access to all
vaults in all groups, only a small number of people can be trusted to
hold that role. If there are many ownership changes the Vault
Administrator will have to handle all those requests, and the vault
users may have to wait until the change is completed.

If owners are allowed to add others as owners, the vaults will be
pretty
much maintenance free to the admin.

Owners can still manage members, which is IMO good enough for sharing a
vault with other users.


Regardless, please update the wiki page to describe the new behavior
when it's implemented:
http://www.freeipa.org/page/V4/Password_Vault_1.1

Sure.

I have updated and rebased Petr's patch 916.

Patch 488 obsoletes Petr's patch 918.

Patch for vault data access control is not included, because I was not
able to make GER work correctly with "ipaProtectedOperation;accessKRA".


I found 1 major issue(#3), one easy fix(#2), optional(#1) and a question
(#4).

1. `ipa vaultcontainer-del` doesn't show user/service name. IMHO not a
blocker.

[pvoborni@vm-063 ~]$ ipa vaultcontainer-del --user=fbar
--------------------------
Deleted vault container ""
--------------------------

Fixed.



2. Invalid description of vaultcontainer-show
   "Display information about a vault."

Fixed


3. Something which needs to be fixed:

Setting password for first vault without a vault container fails(here
run as vault admin but the same issue is present when it's run as the
user).

[pvoborni@vm-063 ~]$ ipa vault-add f1 --user=fbar
New password:
Verify password:
ipa: ERROR: Invalid credentials
[pvoborni@vm-063 ~]$ ipa vault-find --user=fbar
---------------
1 vault matched
---------------
Vault name: f1
Type: symmetric
Vault user: fbar
----------------------------
Number of entries returned 1
----------------------------

Works for me. Are you testing on master or ipa-4-2?

I might have not copied a required file during the testing. It works for
me now as well.



Second works:

[pvoborni@vm-063 ~]$ ipa vault-add f2 --user=fbar
New password:
Verify password:
** Passwords do not match! **
New password:
Verify password:
----------------
Added vault "f2"
----------------
Vault name: f2
Type: symmetric
Salt: w4tnrjW/Ra2jGS8lI6Frfg==
Owner users: va
Vault user: fbar



[pvoborni@vm-063 ~]$ ipa vault-find --user=fbar
----------------
2 vaults matched
----------------
Vault name: f1
Type: symmetric
Vault user: fbar

Vault name: f2
Type: symmetric
Vault user: fbar
----------------------------
Number of entries returned 2
----------------------------


4. Q: Should vault container owner delete all its vault?

I don't know, should it? IMO it shouldn't, at least not by default.


As fbar when there is a vault without fbar as owner

[root@vm-063 pvoborni]# ipa vaultcontainer-del
ipa: ERROR: Not allowed on non-leaf entry

when fbar is added as owner to all vaults

[root@vm-063 pvoborni]# ipa vaultcontainer-del
--------------------------
Deleted vault container ""
--------------------------
[root@vm-063 pvoborni]# ipa vault-add f1
New password:
Verify password:
ipa: ERROR: Invalid credentials
[root@vm-063 pvoborni]# ipa vault-del f1
------------------
Deleted vault "f1"
------------------
[root@vm-063 pvoborni]# ipa vault-add f1
New password:
Verify password:
----------------
Added vault "f1"
----------------
Vault name: f1
Type: symmetric
Salt: bkHxRIipkaeX+H/fOnZdBw==
Owner users: fbar
Vault user: fbar






Updated and rebased patches attached.

Added new patch 491 to support KRA updates.

--
Jan Cholasta
From c893f44d2e4ecc9faf3f1be6dcd15e47757ba26e Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Tue, 25 Aug 2015 19:56:00 +0200
Subject: [PATCH 1/5] vault: add vault container commands

adds commands:
* vaultcontainer-show [--service <service>|--user <user>|--shared ]
* vaultcontainer-del [--service <service>|--user <user>|--shared ]
* vaultcontainer-add-owner
     [--service <service>|--user <user>|--shared ]
     [--users <users>]  [--groups <groups>] [--services <services>]
* vaultcontainer-remove-owner
     [--service <service>|--user <user>|--shared ]
     [--users <users>]  [--groups <groups>] [--services <services>]

https://fedorahosted.org/freeipa/ticket/5250
---
 API.txt                 |  53 +++++++++++
 VERSION                 |   4 +-
 ipalib/plugins/vault.py | 241 +++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 275 insertions(+), 23 deletions(-)

diff --git a/API.txt b/API.txt
index a4c947a..cf54461 100644
--- a/API.txt
+++ b/API.txt
@@ -5667,6 +5667,59 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
+command: vaultcontainer_add_owner
+args: 0,10,3
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+command: vaultcontainer_del
+args: 0,5,3
+option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Str('service?')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'dict'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: ListOfPrimaryKeys('value', None, None)
+command: vaultcontainer_remove_owner
+args: 0,10,3
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+command: vaultcontainer_show
+args: 0,8,3
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Str('service?')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
 capability: messages 2.52
 capability: optional_uid_params 2.54
 capability: permissions2 2.69
diff --git a/VERSION b/VERSION
index 0a2de6e..a14b89f 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=155
-# Last change: ftweedal - remove certprofile 'rename' option
+IPA_API_VERSION_MINOR=156
+# Last change: pvoborni - add vault container commands
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index a933198..8db1f40 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -258,6 +258,226 @@ vault_options = (
 )
 
 
+class VaultModMember(LDAPModMember):
+    def get_options(self):
+        for param in super(VaultModMember, self).get_options():
+            if param.name == 'service' and param not in vault_options:
+                param = param.clone_rename('services')
+            yield param
+
+    def get_member_dns(self, **options):
+        if 'services' in options:
+            options['service'] = options.pop('services')
+        else:
+            options.pop('service', None)
+        return super(VaultModMember, self).get_member_dns(**options)
+
+    def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
+        for fail in failed.itervalues():
+            fail['services'] = fail.pop('service', [])
+        self.obj.get_container_attribute(entry_attrs, options)
+        return completed, dn
+
+
+@register()
+class vaultcontainer(LDAPObject):
+    __doc__ = _("""
+    Vault Container object.
+    """)
+
+    container_dn = api.env.container_vault
+
+    object_name = _('vaultcontainer')
+    object_name_plural = _('vaultcontainers')
+    object_class = ['ipaVaultContainer']
+
+    attribute_members = {
+        'owner': ['user', 'group', 'service'],
+    }
+
+    label = _('Vault Containers')
+    label_singular = _('Vault Container')
+
+    takes_params = (
+        Str(
+            'owner_user?',
+            label=_('Owner users'),
+        ),
+        Str(
+            'owner_group?',
+            label=_('Owner groups'),
+        ),
+        Str(
+            'owner_service?',
+            label=_('Owner services'),
+        ),
+        Str(
+            'owner?',
+            label=_('Failed owners'),
+        ),
+        Str(
+            'service?',
+            label=_('Vault service'),
+            flags={'virtual_attribute'},
+        ),
+        Flag(
+            'shared?',
+            label=_('Shared vault'),
+            flags={'virtual_attribute'},
+        ),
+        Str(
+            'username?',
+            label=_('Vault user'),
+            flags={'virtual_attribute'},
+        ),
+    )
+
+    def get_dn(self, *keys, **options):
+        """
+        Generates vault DN from parameters.
+        """
+        service = options.get('service')
+        shared = options.get('shared')
+        user = options.get('username')
+
+        count = (bool(service) + bool(shared) + bool(user))
+        if count > 1:
+            raise errors.MutuallyExclusiveError(
+                reason=_('Service, shared and user options ' +
+                         'cannot be specified simultaneously'))
+
+        parent_dn = super(vaultcontainer, self).get_dn(*keys, **options)
+
+        if not count:
+            principal = getattr(context, 'principal')
+
+            if principal.startswith('host/'):
+                raise errors.NotImplementedError(
+                    reason=_('Host is not supported'))
+
+            (name, realm) = split_principal(principal)
+            if '/' in name:
+                service = name
+            else:
+                user = name
+
+        if service:
+            dn = DN(('cn', service), ('cn', 'services'), parent_dn)
+        elif shared:
+            dn = DN(('cn', 'shared'), parent_dn)
+        elif user:
+            dn = DN(('cn', user), ('cn', 'users'), parent_dn)
+        else:
+            raise RuntimeError
+
+        return dn
+
+    def get_container_attribute(self, entry, options):
+        if options.get('raw', False):
+            return
+        container_dn = DN(self.container_dn, self.api.env.basedn)
+        if entry.dn.endswith(DN(('cn', 'services'), container_dn)):
+            entry['service'] = entry.dn[0]['cn']
+        elif entry.dn.endswith(DN(('cn', 'shared'), container_dn)):
+            entry['shared'] = True
+        elif entry.dn.endswith(DN(('cn', 'users'), container_dn)):
+            entry['username'] = entry.dn[0]['cn']
+
+
+@register()
+class vaultcontainer_show(LDAPRetrieve):
+    __doc__ = _('Display information about a vault container.')
+
+    takes_options = LDAPRetrieve.takes_options + vault_options
+
+    has_output_params = LDAPRetrieve.has_output_params
+
+    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+        assert isinstance(dn, DN)
+
+        if not self.api.Command.kra_is_enabled()['result']:
+            raise errors.InvocationError(
+                format=_('KRA service is not enabled'))
+
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        self.obj.get_container_attribute(entry_attrs, options)
+        return dn
+
+
+@register()
+class vaultcontainer_del(LDAPDelete):
+    __doc__ = _('Delete a vault container.')
+
+    takes_options = LDAPDelete.takes_options + vault_options
+
+    msg_summary = _('Deleted vault container')
+
+    def pre_callback(self, ldap, dn, *keys, **options):
+        assert isinstance(dn, DN)
+
+        if not self.api.Command.kra_is_enabled()['result']:
+            raise errors.InvocationError(
+                format=_('KRA service is not enabled'))
+
+        return dn
+
+    def execute(self, *keys, **options):
+        keys = keys + (u'',)
+        return super(vaultcontainer_del, self).execute(*keys, **options)
+
+
+@register()
+class vaultcontainer_add_owner(VaultModMember, LDAPAddMember):
+    __doc__ = _('Add owners to a vault container.')
+
+    takes_options = LDAPAddMember.takes_options + vault_options
+
+    member_attributes = ['owner']
+    member_param_label = _('owner %s')
+    member_count_out = ('%i owner added.', '%i owners added.')
+
+    has_output = (
+        output.Entry('result'),
+        output.Output(
+            'failed',
+            type=dict,
+            doc=_('Owners that could not be added'),
+        ),
+        output.Output(
+            'completed',
+            type=int,
+            doc=_('Number of owners added'),
+        ),
+    )
+
+
+@register()
+class vaultcontainer_remove_owner(VaultModMember, LDAPRemoveMember):
+    __doc__ = _('Remove owners from a vault container.')
+
+    takes_options = LDAPRemoveMember.takes_options + vault_options
+
+    member_attributes = ['owner']
+    member_param_label = _('owner %s')
+    member_count_out = ('%i owner removed.', '%i owners removed.')
+
+    has_output = (
+        output.Entry('result'),
+        output.Output(
+            'failed',
+            type=dict,
+            doc=_('Owners that could not be removed'),
+        ),
+        output.Output(
+            'completed',
+            type=int,
+            doc=_('Number of owners removed'),
+        ),
+    )
+
+
 @register()
 class vault(LDAPObject):
     __doc__ = _("""
@@ -1730,27 +1950,6 @@ class vault_retrieve_internal(PKQuery):
         return response
 
 
-class VaultModMember(LDAPModMember):
-    def get_options(self):
-        for param in super(VaultModMember, self).get_options():
-            if param.name == 'service' and param not in vault_options:
-                param = param.clone_rename('services')
-            yield param
-
-    def get_member_dns(self, **options):
-        if 'services' in options:
-            options['service'] = options.pop('services')
-        else:
-            options.pop('service', None)
-        return super(VaultModMember, self).get_member_dns(**options)
-
-    def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
-        for fail in failed.itervalues():
-            fail['services'] = fail.pop('service', [])
-        self.obj.get_container_attribute(entry_attrs, options)
-        return completed, dn
-
-
 @register()
 class vault_add_owner(VaultModMember, LDAPAddMember):
     __doc__ = _('Add owners to a vault.')
-- 
2.4.3

From 53a1b78be129e71404bcf45c358be0c1bd55b424 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 3 Sep 2015 08:46:59 +0200
Subject: [PATCH 2/5] vault: set owner to current user on container creation

This reverts commit 419754b1c11139435ae5b5082a51026da0d5e730.

https://fedorahosted.org/freeipa/ticket/5250
---
 ipalib/plugins/vault.py | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 8db1f40..c80e65d 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -980,27 +980,8 @@ class vault_add_internal(LDAPCreate):
 
         parent_dn = DN(*dn[1:])
 
-        container_dn = DN(self.api.Object.vault.container_dn,
-                          self.api.env.basedn)
-
-        services_dn = DN(('cn', 'services'), container_dn)
-        users_dn = DN(('cn', 'users'), container_dn)
-
-        if dn.endswith(services_dn):
-            # service container should be owned by the service
-            service = parent_dn[0]['cn']
-            parent_owner_dn = self.api.Object.service.get_dn(service)
-
-        elif dn.endswith(users_dn):
-            # user container should be owned by the user
-            user = parent_dn[0]['cn']
-            parent_owner_dn = self.api.Object.user.get_dn(user)
-
-        else:
-            parent_owner_dn = owner_dn
-
         try:
-            self.obj.create_container(parent_dn, parent_owner_dn)
+            self.obj.create_container(parent_dn, owner_dn)
         except errors.DuplicateEntry as e:
             pass
 
-- 
2.4.3

From ad07fc4643e1e6ce6ea955eae95bb5c6c0640abe Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 3 Sep 2015 09:02:41 +0200
Subject: [PATCH 3/5] vault: update access control

Do not allow vault and container owners to manage owners. Allow adding vaults
and containers only if owner is set to the current user.

https://fedorahosted.org/freeipa/ticket/5250
---
 install/share/vault.update | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/install/share/vault.update b/install/share/vault.update
index 14421b5..4f00238 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -7,14 +7,20 @@ dn: cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
 default: objectClass: ipaVaultContainer
 default: cn: vaults
-default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
-default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
 
 dn: cn=services,cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
-- 
2.4.3

From e93b55cfc9d75c9ecb7331416609430e6e2ae942 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 3 Sep 2015 09:32:11 +0200
Subject: [PATCH 4/5] vault: add permissions and administrator privilege

https://fedorahosted.org/freeipa/ticket/5250
---
 ACI.txt                              | 22 ++++++++
 install/updates/40-delegation.update |  8 +++
 ipalib/plugins/vault.py              | 98 ++++++++++++++++++++++++++++++++++++
 3 files changed, 128 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 9909927..40fa822 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -338,6 +338,28 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Add Vaults";allow (add) groupdn = "ldap:///cn=System: Add Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Delete Vaults";allow (delete) groupdn = "ldap:///cn=System: Delete Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "member")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Membership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipavaultpublickey || ipavaultsalt || ipavaulttype || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Modify Vaults";allow (write) groupdn = "ldap:///cn=System: Modify Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipavaultpublickey || ipavaultsalt || ipavaulttype || member || memberhost || memberuser || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Read Vaults";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Add Vault Containers";allow (add) groupdn = "ldap:///cn=System: Add Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Delete Vault Containers";allow (delete) groupdn = "ldap:///cn=System: Delete Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Manage Vault Container Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Container Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Modify Vault Containers";allow (write) groupdn = "ldap:///cn=System: Modify Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example";)(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Read Vault Containers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Add CA Certificate For Renewal";allow (add) groupdn = "ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 8d4f629..08906a6 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -260,3 +260,11 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: CA Administrator
 default:description: CA Administrator
+
+# Vault Administrators
+dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Vault Administrators
+default:description: Vault Administrators
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index c80e65d..5f4a8b2 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -290,6 +290,7 @@ class vaultcontainer(LDAPObject):
     object_name = _('vaultcontainer')
     object_name_plural = _('vaultcontainers')
     object_class = ['ipaVaultContainer']
+    permission_filter_objectclasses = ['ipaVaultContainer']
 
     attribute_members = {
         'owner': ['user', 'group', 'service'],
@@ -298,6 +299,48 @@ class vaultcontainer(LDAPObject):
     label = _('Vault Containers')
     label_singular = _('Vault Container')
 
+    managed_permissions = {
+        'System: Read Vault Containers': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'description', 'owner',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Add Vault Containers': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'add'},
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Delete Vault Containers': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'delete'},
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Modify Vault Containers': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'description',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Manage Vault Container Ownership': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'owner',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+    }
+
     takes_params = (
         Str(
             'owner_user?',
@@ -490,6 +533,7 @@ class vault(LDAPObject):
     object_name_plural = _('vaults')
 
     object_class = ['ipaVault']
+    permission_filter_objectclasses = ['ipaVault']
     default_attributes = [
         'cn',
         'description',
@@ -512,6 +556,60 @@ class vault(LDAPObject):
     label = _('Vaults')
     label_singular = _('Vault')
 
+    managed_permissions = {
+        'System: Read Vaults': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'description', 'ipavaulttype',
+                'ipavaultsalt', 'ipavaultpublickey', 'owner', 'member',
+                'memberuser', 'memberhost',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Add Vaults': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'add'},
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Delete Vaults': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'delete'},
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Modify Vaults': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'description', 'ipavaulttype',
+                'ipavaultsalt', 'ipavaultpublickey',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Manage Vault Ownership': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'owner',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+        'System: Manage Vault Membership': {
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'member',
+            },
+            'default_privileges': {'Vault Administrators'},
+        },
+    }
+
     takes_params = (
         Str(
             'cn',
-- 
2.4.3

From 7080c2c8592a35b6a636cf537c541877b48c346c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 14 Sep 2015 07:56:44 +0200
Subject: [PATCH 5/5] install: support KRA update

https://fedorahosted.org/freeipa/ticket/5250
---
 freeipa.spec.in                  |  1 -
 install/share/Makefile.am        |  2 +-
 install/share/vault.ldif         | 29 +++++++++++++++++++++++++++++
 install/share/vault.update       | 38 --------------------------------------
 install/updates/40-vault.update  | 23 +++++++++++++++++++++++
 install/updates/Makefile.am      |  1 +
 ipaplatform/base/paths.py        |  1 -
 ipaserver/install/krainstance.py |  7 ++++++-
 8 files changed, 60 insertions(+), 42 deletions(-)
 create mode 100644 install/share/vault.ldif
 delete mode 100644 install/share/vault.update
 create mode 100644 install/updates/40-vault.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1722962..64e8155 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -760,7 +760,6 @@ fi
 %{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
-%{_usr}/share/ipa/*.update
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 80e959a..d68c40e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -83,7 +83,7 @@ app_DATA =				\
 	copy-schema-to-ca.py		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
-	vault.update			\
+	vault.ldif			\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
diff --git a/install/share/vault.ldif b/install/share/vault.ldif
new file mode 100644
index 0000000..06dd83c
--- /dev/null
+++ b/install/share/vault.ldif
@@ -0,0 +1,29 @@
+dn: cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: vaults
+
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: services
+
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: shared
+
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: users
diff --git a/install/share/vault.update b/install/share/vault.update
deleted file mode 100644
index 4f00238..0000000
--- a/install/share/vault.update
+++ /dev/null
@@ -1,38 +0,0 @@
-dn: cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: kra
-
-dn: cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: vaults
-default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
-
-dn: cn=services,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: services
-
-dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: shared
-
-dn: cn=users,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: users
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
new file mode 100644
index 0000000..3daea5b
--- /dev/null
+++ b/install/updates/40-vault.update
@@ -0,0 +1,23 @@
+dn: cn=vaults,cn=kra,$SUFFIX
+remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 2693e4f..eddf4d8 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,6 +34,7 @@ app_DATA =				\
 	40-automember.update		\
 	40-certprofile.update		\
 	40-otp.update			\
+	40-vault.update			\
 	41-caacl.update			\
 	45-roles.update			\
 	50-7_bit_check.update	        \
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ff75e0d..3930c93 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -251,7 +251,6 @@ class BasePathNamespace(object):
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
     UPDATES_DIR = "/usr/share/ipa/updates/"
-    VAULT_UPDATE = "/usr/share/ipa/vault.update"
     PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 958fe6f..48268b0 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -124,6 +124,7 @@ class KRAInstance(DogtagInstance):
         self.step("configure HTTP to proxy connections",
                   self.http_proxy)
         self.step("add vault container", self.__add_vault_container)
+        self.step("apply LDAP updates", self.__apply_updates)
 
         self.start_creation(runtime=126)
 
@@ -313,13 +314,17 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
 
     def __add_vault_container(self):
+        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
+        self.ldap_disconnect()
+
+    def __apply_updates(self):
         sub_dict = {
             'SUFFIX': self.suffix,
         }
 
         ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
                                    sub_dict=sub_dict)
-        ld.update([paths.VAULT_UPDATE])
+        ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
 
     @staticmethod
     def update_cert_config(nickname, cert, dogtag_constants=None):
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to