Re: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too
This seems to make sense. Can you provide some context before I ACK?

On 12/02/2010 09:21 AM, Jakub Hrozek wrote:
> https://fedorahosted.org/freeipa/ticket/555

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too
On 12/02/2010 03:33 PM, Adam Young wrote:
> This seems to make sense. Can you provide some context before I ACK?

We're discussing it with Rob in the ticket, too: https://fedorahosted.org/freeipa/ticket/555
Re: [Freeipa-devel] [PATCH] Multicolumn enrollment dialog
On 12/01/2010 08:56 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> https://fedorahosted.org/reviewboard/r/112/
>
> The enrollment dialog has been modified to use scrollable tables that support multiple columns to display the search results and selected entries. The columns are specified by calling create_adder_column() on the association facet. By default the tables will use only one column, which is to display the primary keys.
>
> The following enrollment dialogs have been modified to use multiple columns:
> - Group's member_user
> - Service's managedby_host
> - HBAC Service Group's member_hbacsvc
> - SUDO Command Group's member_sudocmd
>
> The ipa_association_table_widget's add() and remove() have been moved into ipa_association_facet so they can be customized by the facet's subclass.
>
> The ipa_table's add_row() has been renamed to add_record().
>
> Some old code has been removed from ipa_facet_create_action_panel(). The code was used to generate association links from a single facet. It's no longer needed because now each association has its own facet.
>
> The test data has been updated.
>
> The IPA.nested_tabs() has been fixed to return the entity itself if IPA.tab_set is not defined. This is needed to pass the unit test.

Looks good. Some nits.

Move the width: 200px into the style sheet. We should have a CSS class that is used for all of the checkbox columns.

Why is create_adder_column on the association facet and not on the adder object? Shouldn't it be adder.add_column?

Remove the parentheses in these and just use the plural:

    var header_message = that.other_entity + '(s) enrolled in ' + that.entity_name + ' ' + that.pkey;

That string actually needs to come from the association definition. I realize that these are autogenerated, but the generic word "enrolled" doesn't work for the majority of the associations. For instance, user should say: "groups containing user kfrog". You can use the plural name of the object out of the metadata for the other entity: IPA.metadata[entity].object_name_plural.
Re: [Freeipa-devel] [PATCH] 622 fix passwd output
On 11/30/2010 09:13 PM, Rob Crittenden wrote:
> A couple of Password attributes had no label so prompting looked bad.
>
> When printing exceptions we need to convert the label and error to unicode so translations work.
>
> Use standard output routines instead of output_for_cli() in passwd plugin.
>
> ticket 352
>
> rob

Ack
[Freeipa-devel] [PATCH] 625 Provide attrs for ACI UI
Provide available attributes for all objects for use in creating permissions (ACIs). This is provided in the meta data call. Also tell whether an object is bindable (has password or kerberos key) for use in the future selfservice plugin. rob From 7ccf39c8797b74853d279f1c6698b33d06a1e319 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 2 Dec 2010 11:05:54 -0500 Subject: [PATCH] Provide list of available attributes for use in ACI UI. Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446 --- install/share/bootstrap-template.ldif |1 - ipalib/plugins/baseldap.py| 23 ++- ipalib/plugins/host.py|1 + ipalib/plugins/internal.py|2 +- ipalib/plugins/service.py |1 + ipalib/plugins/user.py|1 + 6 files changed, 26 insertions(+), 3 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..4f10f07 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -218,7 +218,6 @@ ipaUserObjectClasses: inetuser ipaUserObjectClasses: posixaccount ipaUserObjectClasses: krbprincipalaux ipaUserObjectClasses: krbticketpolicyaux -ipaUserObjectClasses: radiusprofile ipaUserObjectClasses: ipaobject ipaDefaultEmailDomain: $DOMAIN ipaMigrationEnabled: FALSE diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3894e18..7d382f9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -197,6 +197,8 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdnattr = None +# Can bind as this entry (has userPassword or krbPrincipalKey) +bindable = False container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') 
@@ -293,14 +295,33 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', +'takes_params', 'rdn_attribute', 'bindable', ) + def __json__(self): +ldap = self.backend json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) if self.primary_key: json_dict['primary_key'] = self.primary_key.name +objectclasses = self.object_class +if self.object_class_config: +config = ldap.get_ipa_config()[1] +objectclasses = config.get( +self.object_class_config, objectclasses +) +# Get list of available attributes for this object for use +# in the ACI UI. +attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +attrlist = [] +# Go through the MUST first +for (oid, attr) in attrs[0].iteritems(): +attrlist.append(attr.names[0]) +# And now the MAY +for (oid, attr) in attrs[1].iteritems(): +attrlist.append(attr.names[0]) +json_dict['aciattrs'] = attrlist json_dict['methods'] = [m for m in self.methods] return json_dict diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index a9589c6..437b7d5 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -165,6 +165,7 @@ class host(LDAPObject): 'memberof': ['hostgroup', 'netgroup', 'role'], 'managedby': ['host'], } +bindable = True label = _('Hosts') diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index 708d829..ddef160 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -56,7 +56,7 @@ class json_metadata(Command): ((objname, json_serialize(self.api.Object[objname])), ) ) ) -retval= dict([(metadata,meta), (messages,dict())]) +retval= dict([(metadata,meta)]) else: meta=dict( diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index fbb1ff2..1e55599 100644 --- a/ipalib/plugins/service.py 
+++ b/ipalib/plugins/service.py @@ -237,6 +237,7 @@ class service(LDAPObject): attribute_members = { 'managedby': ['host'], } +bindable = True label = _('Services') diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 1bbb9b1..07b8e82 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -73,6 +73,7 @@ class user(LDAPObject): 'memberof': ['group', 'netgroup', 'role'], } rdnattr = 'uid' +bindable = True label = _('Users') -- 1.7.2.1 ___
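Review bot: the bootstrap-template.ldif hunk drops `ipaUserObjectClasses: radiusprofile`, but the commit message only covers the attribute list and the bindable flag; say why it goes (or split it into its own patch), since every new user created from this template stops getting that objectclass and the new __json__() code looks up whatever classes ipaUserObjectClasses lists in the schema.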
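Review bot: in the __json__() hunk, `ldap = self.backend` is used for get_ipa_config() while attribute_types() is reached through `self.api.Backend.ldap2.schema`; pick one handle. The two loops append `attr.names[0]` for MUST and then for MAY without checking for repeats, so an attribute that is MUST in one listed objectclass and MAY in another, or that appears in two of the classes, lands in aciattrs twice; collect into a set (or skip names already seen) before assigning `json_dict['aciattrs']`. Since this list feeds the attribute chooser for permissions, also decide whether the credential attributes the bindable comment names (userPassword, krbPrincipalKey) should be offered for write permissions without a warning.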
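Review bot: the internal.py hunk removes `(messages, dict())` from retval in the single-object branch, so a client that asks json_metadata for one object and reads `messages` now finds no such key while the other branch (not in this hunk) is unchanged; either keep an empty `messages` for compatibility or call out the response-shape change in the commit message.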
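Review bot: `bindable = True` is set by hand in the host, service and user hunks; because object_class already ships in json_friendly_attributes, the flag could be derived from whether the resolved schema for those classes allows userPassword or krbPrincipalKey (the definition given in the baseldap.py comment), so a future object that can bind does not silently default to False.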
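The attribute list that the __json__() change above builds from an object's objectclasses is the part that matters for an ACI editor: it decides which attributes an administrator can be granted read or write on, and it is also where the "bindable" idea (an entry that may carry userPassword or krbPrincipalKey) comes from. What follows is an added example, not FreeIPA code and not part of Rob's patch. It resolves MUST and then MAY attributes across a set of objectclasses and their SUP chains with a self-contained RFC 4512 objectclass parser, so it runs without a directory server. The SCHEMA dictionary is constructed for the example (person and posixAccount follow RFC 4519 and RFC 2307; the two example* classes are made-up stand-ins for IPA's krbprincipalaux and ipaobject), USER_OBJECTCLASSES stands in for the ipaUserObjectClasses config value the hunk reads, and deriving bindable from the schema instead of a per-plugin flag goes beyond what the patch does.

```python
import re

# Constructed schema for this example. person/posixAccount follow RFC 4519/RFC 2307;
# the two example* classes are made up (stand-ins for krbprincipalaux and ipaobject).
SCHEMA = {
    "top": "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "person": "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL "
              "MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "posixAccount": "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY "
                    "DESC 'Abstraction of an account with POSIX attributes' "
                    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
                    "MAY ( userPassword $ loginShell $ gecos $ description ) )",
    "exampleAuthAux": "( 1.3.6.1.4.1.99999.1 NAME 'exampleAuthAux' SUP top AUXILIARY "
                      "MAY ( krbPrincipalName $ krbPrincipalKey ) )",
    "exampleObject": "( 1.3.6.1.4.1.99999.2 NAME 'exampleObject' SUP top AUXILIARY "
                     "MAY ( ipaUniqueID $ memberOf ) )",
}

# Stand-in for the ipaUserObjectClasses value the patch reads from the IPA config entry.
USER_OBJECTCLASSES = ["top", "person", "posixAccount", "exampleAuthAux", "exampleObject"]

# Attributes that hold credentials; an entry whose classes permit one of them can bind.
CREDENTIAL_ATTRS = ("userpassword", "krbprincipalkey")

_DESC = re.compile(r"DESC\s+'[^']*'")
_SUP = re.compile(r"\bSUP\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")
_ATTRS = re.compile(r"\b(MUST|MAY)\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")


def _names(group, single):
    """Expand a '( a $ b )' group or a bare name into a list of names."""
    if group:
        return [n.strip() for n in group.split("$") if n.strip()]
    return [single]


def parse_objectclass(definition):
    """Return (sup, must, may) name lists from an RFC 4512 objectclass description."""
    definition = _DESC.sub("", definition)  # a DESC string could itself contain MUST/MAY
    sup = []
    m = _SUP.search(definition)
    if m:
        sup = _names(m.group(1), m.group(2))
    must, may = [], []
    for keyword, group, single in _ATTRS.findall(definition):
        (must if keyword == "MUST" else may).extend(_names(group, single))
    return sup, must, may


def _add_unique(target, names):
    """Append names not already present; LDAP attribute names are case-insensitive."""
    have = {n.lower() for n in target}
    for n in names:
        if n.lower() not in have:
            target.append(n)
            have.add(n.lower())


def resolve_attributes(schema, objectclasses):
    """Walk the classes and their SUP chains; return (must, may), ordered and de-duplicated."""
    by_name = {k.lower(): v for k, v in schema.items()}
    must, may, seen, todo = [], [], set(), list(objectclasses)
    while todo:
        name = todo.pop(0)
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        if name.lower() not in by_name:
            raise KeyError("objectclass %r not in schema" % name)
        sup, oc_must, oc_may = parse_objectclass(by_name[name.lower()])
        _add_unique(must, oc_must)
        _add_unique(may, oc_may)
        todo.extend(sup)  # superior classes contribute their attributes too
    return must, may


def aci_attributes(schema, objectclasses):
    """MUST first, then MAY; an attribute that is MUST for one class and MAY for another is listed once."""
    must, may = resolve_attributes(schema, objectclasses)
    result = list(must)
    _add_unique(result, may)
    return result


def credential_attributes(schema, objectclasses):
    """The subset of aci_attributes() that carries credentials; an ACI editor should at least flag these."""
    return [a for a in aci_attributes(schema, objectclasses) if a.lower() in CREDENTIAL_ATTRS]


def is_bindable(schema, objectclasses):
    """The page's 'bindable' notion, derived from the schema instead of a hard-coded per-plugin flag."""
    return bool(credential_attributes(schema, objectclasses))


if __name__ == "__main__":
    for attr in aci_attributes(SCHEMA, USER_OBJECTCLASSES):
        print(attr)
    print("credentials:", credential_attributes(SCHEMA, USER_OBJECTCLASSES))
    print("bindable:", is_bindable(SCHEMA, USER_OBJECTCLASSES))
```

The de-duplication and the credential_attributes() split are the two things an ACI editor wants that simply appending attr.names[0] from the MUST dictionary and then the MAY dictionary does not give it; with the constructed schema, userPassword would otherwise appear once for person and once for posixAccount.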
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
David O'Brien wrote: Rob Crittenden wrote: I added some more documentation and examples to the aci plugin on targets. ticket 310 rob NACK Running behind with reviews, sorry. Just a few minor fixes: s/targetted/targeted/ s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group. (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?) I couldn't grok 100% the subtree target description. s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of: For consistency's sake, s/lets/allows/ etc. Also see below: allows members of the addusers taskgroup lets members of the editors... group? lets members of the admin group You might need to review the examples a bit. cheers Updated patch. rob From 973c42462f1e1d7b453c513c9ea74d878b5acf1c Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 2 Dec 2010 11:05:54 -0500 Subject: [PATCH] Provide list of available attributes for use in ACI UI. Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446 --- install/share/bootstrap-template.ldif |1 - ipalib/plugins/baseldap.py| 23 ++- ipalib/plugins/host.py|1 + ipalib/plugins/internal.py|2 +- ipalib/plugins/service.py |1 + ipalib/plugins/user.py|1 + 6 files changed, 26 insertions(+), 3 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..4f10f07 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -218,7 +218,6 @@ ipaUserObjectClasses: inetuser ipaUserObjectClasses: posixaccount ipaUserObjectClasses: krbprincipalaux ipaUserObjectClasses: krbticketpolicyaux -ipaUserObjectClasses: radiusprofile ipaUserObjectClasses: ipaobject ipaDefaultEmailDomain: $DOMAIN ipaMigrationEnabled: FALSE diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3894e18..7d382f9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -197,6 +197,8 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdnattr = None +# Can bind as this entry (has userPassword or krbPrincipalKey) +bindable = False container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') @@ -293,14 +295,33 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', +'takes_params', 'rdn_attribute', 'bindable', ) + def __json__(self): +ldap = self.backend json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) if self.primary_key: json_dict['primary_key'] = self.primary_key.name +objectclasses = self.object_class +if self.object_class_config: +config = ldap.get_ipa_config()[1] +objectclasses = config.get( +self.object_class_config, objectclasses +) +# Get list of available attributes for this object for use +# in the ACI UI. +attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +attrlist = [] +# Go through the MUST first +for (oid, attr) in attrs[0].iteritems(): +attrlist.append(attr.names[0]) +# And now the MAY +for (oid, attr) in attrs[1].iteritems(): +attrlist.append(attr.names[0]) +json_dict['aciattrs'] = attrlist json_dict['methods'] = [m for m in self.methods] return json_dict 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index a9589c6..437b7d5 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -165,6 +165,7 @@ class host(LDAPObject): 'memberof': ['hostgroup', 'netgroup', 'role'], 'managedby': ['host'], } +bindable = True label = _('Hosts') diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index 708d829..ddef160 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -56,7 +56,7 @@ class json_metadata(Command): ((objname, json_serialize(self.api.Object[objname])), ) ) ) -retval= dict([(metadata,meta), (messages,dict())]) +retval=
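Review bot: this attachment is the 625 patch again ("Provide list of available attributes for use in ACI UI", ticket 446), not the aci target documentation update for ticket 310 that the subject line and the reply describe; the follow-up further down the thread resends the right one.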
[Freeipa-devel] [PATCH] admiyo-0108-remove-task-and-role-groups
These will be replaced with the new ACI entities shortly. But they have to be removed, as they break the webUI as is. From cd40488cbb4bee3a06c9adc3a9d35ce3fa1aca08 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 2 Dec 2010 11:39:33 -0500 Subject: [PATCH] remove task and role groups since these entites are no longer exposed in the Meta data, including them in the code causes breakage at initialization --- install/static/serverconfig.js | 51 install/static/webui.js|2 - 2 files changed, 0 insertions(+), 53 deletions(-) diff --git a/install/static/serverconfig.js b/install/static/serverconfig.js index e793af34aa3fdf5435a55c7b2a547bd12f2c1b18..eef51ac35bd1b38773fee0be1c025dbfd8f71ca7 100644 --- a/install/static/serverconfig.js +++ b/install/static/serverconfig.js 
@@ -43,61 +43,10 @@ ipa_entity_set_details_definition('aci', [ -/* Taskgroup*/ -ipa_entity_set_search_definition('taskgroup', [ -['cn', 'Role-group name', null], -['description', 'Description', null] -]); -ipa_entity_set_add_definition('taskgroup', [ -'dialog-add-taskgroup', 'Add New Taskgroup', [ -['cn', 'Name', null], -['description', 'Description', null], -] -]); -ipa_entity_set_details_definition('taskgroup', [ -ipa_stanza({name:'ipaserver', label:'Taskgroup Details'}). -input({name:'cn', label:'Name'}). -input({name:'description', label:'Description'}) -]); - -ipa_entity_set_association_definition('taskgroup', { -}); - -ipa_entity_set_association_definition('rolegroup', { -'rolegroup': { } -}); - - - - -/* Rolegroup*/ - -ipa_entity_set_search_definition('rolegroup', [ -['cn', 'Role-group name', null], -['description', 'Description', null] -]); - -ipa_entity_set_add_definition('rolegroup', [ -'dialog-add-rolegroup', 'Add New Rolegroup', [ -['cn', 'Name', null], -['description', 'Description', null], -] -]); - -ipa_entity_set_details_definition('rolegroup', [ -ipa_stanza({name:'ipaserver', label:'Rolegroup Details'}). -input({name:'cn', label:'Name'}). -input({name:'description', label:'Description'}) -]); - -ipa_entity_set_association_definition('rolegroup', { -'taskgroup': { associator: 'serial' } -}); - /* Configuration */ ipa_entity_set_details_definition('config',[ diff --git a/install/static/webui.js b/install/static/webui.js index dd90b0e20812034a7522ebf17573f9cfd773b2a9..93ad899e8a2e47bd301e8344b02d72ba104aacd9 100644 --- a/install/static/webui.js +++ b/install/static/webui.js 
@@ -47,8 +47,6 @@ var admin_tab_set = [ {name:'krbtpolicy', setup:ipa_details_only_setup} ]}, {name:'ipaserver', children: [ -{name:'taskgroup', setup: ipa_entity_setup}, -{name:'rolegroup', label:'Rolegroups', setup: ipa_entity_setup}, {name:'config', setup: ipa_details_only_setup} ]} ]; -- 1.7.2.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
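Review bot: the serverconfig.js hunk removes the taskgroup and rolegroup definitions, but the commit message says these entities are gone from the metadata, so any remaining reference (association definitions elsewhere under install/static, the test data in install/static/test/data/ipa_init.json) will fail at initialization in exactly the same way; grep for 'taskgroup' and 'rolegroup' and drop those in this patch too.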
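Review bot: the webui.js hunk leaves the 'ipaserver' tab set with only 'config'; since the message says the ACI entities will replace these shortly, reference the ticket or patch that adds them so the removal and the replacement can be reviewed together.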
Re: [Freeipa-devel] [PATCH] admiyo-0108-remove-task-and-role-groups
On 12/2/2010 10:41 AM, Adam Young wrote:
> These will be replaced with the new ACI entities shortly. But they have to be removed, as they break the webUI as is.

ACK and pushed to master.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] Certificate management with self-signed CA
On 12/02/2010 12:02 AM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> The certificate_status_widget has been modified to check for the environment variable ra_plugin to determine the CA used by the IPA server. If a self-signed CA is used, some operations will not be available (e.g. checking certificate status, revoking/restoring a certificate), so the corresponding interface will be hidden. Other operations such as creating a new certificate and viewing a certificate are still available.

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] Multicolumn enrollment dialog
On 12/02/2010 10:19 AM, Adam Young wrote:
> On 12/01/2010 08:56 PM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> Please review the attached patch. Thanks!
>>
>> https://fedorahosted.org/reviewboard/r/112/
>>
>> The enrollment dialog has been modified to use scrollable tables that support multiple columns to display the search results and selected entries. The columns are specified by calling create_adder_column() on the association facet. By default the tables will use only one column, which is to display the primary keys.
>>
>> The following enrollment dialogs have been modified to use multiple columns:
>> - Group's member_user
>> - Service's managedby_host
>> - HBAC Service Group's member_hbacsvc
>> - SUDO Command Group's member_sudocmd
>>
>> The ipa_association_table_widget's add() and remove() have been moved into ipa_association_facet so they can be customized by the facet's subclass.
>>
>> The ipa_table's add_row() has been renamed to add_record().
>>
>> Some old code has been removed from ipa_facet_create_action_panel(). The code was used to generate association links from a single facet. It's no longer needed because now each association has its own facet.
>>
>> The test data has been updated.
>>
>> The IPA.nested_tabs() has been fixed to return the entity itself if IPA.tab_set is not defined. This is needed to pass the unit test.
>
> Looks good. Some nits.
>
> Move the width: 200px into the style sheet. We should have a CSS class that is used for all of the checkbox columns.
>
> Why is create_adder_column on the association facet and not on the adder object? Shouldn't it be adder.add_column?
>
> Remove the parentheses in these and just use the plural:
>
>     var header_message = that.other_entity + '(s) enrolled in ' + that.entity_name + ' ' + that.pkey;
>
> That string actually needs to come from the association definition. I realize that these are autogenerated, but the generic word "enrolled" doesn't work for the majority of the associations. For instance, user should say: "groups containing user kfrog". You can use the plural name of the object out of the metadata for the other entity: IPA.metadata[entity].object_name_plural.

ACK. Pushed to master
[Freeipa-devel] [PATCH] admiyo-0106-associate-search
Had this one ready for review, but Endi's recent association changes meant I had to rebase it. Hence the -2. patch version From 14a5910c6ef56a212fbac3a8c76467e17d9b7719 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 2 Dec 2010 12:35:37 -0500 Subject: [PATCH] associate search automatically perfomr the no-args search for enrollment-adder pages --- install/static/associate.js |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index a6edf748f7dc9b54292f7b8b469ce624e0ad5f8e..04fc3759870fa3f1161255d09884664d4cfe7f7f 100644 --- a/install/static/associate.js +++ b/install/static/associate.js @@ -159,10 +159,15 @@ function ipa_association_adder_dialog(spec) { } that.adder_dialog_init(); +execute_search(''); + }; that.search = function() { +execute_search(that.get_filter()); +} +function execute_search(filter){ function on_success(data, text_status, xhr) { var results = data.result; that.clear_available_values(); @@ -173,7 +178,6 @@ function ipa_association_adder_dialog(spec) { } } -var filter = that.get_filter(); ipa_cmd('find', [filter], {'all': true}, on_success, null, that.other_entity); }; -- 1.7.2.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
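Review bot: execute_search('') in adder_dialog_init fires the other entity's find command with an empty filter and `'all': true` every time an enrollment dialog opens; on a directory with many users or hosts that returns and renders everything and can run into the server's search size limit, so consider passing a size limit or asking only for the columns the dialog displays instead of 'all'. Also `that.search = function() { ... }` lost its trailing semicolon before `function execute_search(filter)`.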
Re: [Freeipa-devel] [PATCH] admiyo-0106-associate-search
On 12/2/2010 11:37 AM, Adam Young wrote:
> Had this one ready for review, but Endi's recent association changes meant I had to rebase it. Hence the -2 patch version.

ACK and pushed to master.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
Rob Crittenden wrote: David O'Brien wrote: Rob Crittenden wrote: I added some more documentation and examples to the aci plugin on targets. ticket 310 rob NACK Running behind with reviews, sorry. Just a few minor fixes: s/targetted/targeted/ s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group. (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?) I couldn't grok 100% the subtree target description. s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of: For consistency's sake, s/lets/allows/ etc. Also see below: allows members of the addusers taskgroup lets members of the editors... group? lets members of the admin group You might need to review the examples a bit. cheers Updated patch. rob Ok, the right updated patch this time. rob From 0e32a5c12c79384d5f22c69474f45112ae2c6def Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 2 Dec 2010 13:25:00 -0500 Subject: [PATCH] Add more information and examples on targets. ticket 310 --- ipalib/plugins/aci.py | 39 +-- 1 files changed, 33 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index c0f47e3..acb6121 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py 
@@ -47,11 +47,23 @@ An ACI consists of three parts: 3. bind rules The target is a set of rules that define which LDAP objects are being -targetted. This can include a list of attributes, an area of that LDAP +targeted. This can include a list of attributes, an area of that LDAP tree or an LDAP filter. -The permissions define what the ACI is allowed to do, they are one or more -of: +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant add permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the the ACI is allowed to do, and are one or +more of: 1. write - write one or more attributes 2. read - read one or more attributes 3. add - add a new entry to the tree 
@@ -71,18 +83,33 @@ http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.htm EXAMPLES: +NOTE: ACIs are now added via the permision plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). + Add an ACI so that the group secretaries can update the address on any user: + ipa group-add --desc=Office secretaries secretaries ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write Secretaries write addresses Show the new ACI: ipa aci-show Secretaries write addresses - Add an ACI that allows members of the addusers taskgroup to add new users: - ipa aci-add --type=user --taskgroup=addusers --permissions=add Add new users + Add an ACI that allows members of the addusers permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add Add new users - Add an ACI that lets members of the edotors manage members of the admins group: + Add an ACI that allows members of the editors manage members of the admins group: ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors Editors manage admins + Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter=(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com) Edit the address of those who work for the boss + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --desc=Add Orange Entries add_orange + + The show 
command shows the raw 389-ds ACI. IMPORTANT: When modifying the target attributes of an existing ACI
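Review bot: in the first hunk, "what the the ACI is allowed to do" doubles "the". The new targets list should also make clear that memberof narrows the target entries (entries that are members of the named group), while --group in the examples names who is granted the right; as written, "memberof: members of a group" reads like a bind rule, and confusing the two is the easy way to write an ACI that grants far more than intended.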
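Review bot: in the EXAMPLES hunk, "permision" should be "permission", and "allows members of the editors manage" and "allows members of the admin group manage" are each missing "to". The NOTE says ACIs are now added via the permission plugin, yet every example but the last still uses aci-add; and the addusers example combines `--permission=addusers` (the permission entry) with `--permissions=add` (the rights), two options that differ by one letter, so spell out that distinction next to it.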
Re: [Freeipa-devel] [PATCH] UI for host managedby
On 12/01/2010 09:39 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please review the attached patch. Thanks!
>
> A custom facet has been added to manage the host's managedby attribute. The facet defines the add and remove methods, the columns for the association table and enrollment dialog, and the link for the primary key column.

ACK and pushed to master
Re: [Freeipa-devel] [PATCH] 618 handle membership better
On Tue, 23 Nov 2010 15:14:27 -0500 Rob Crittenden rcrit...@redhat.com wrote:
> Use better description for group names in help and always prompt for members
>
> When running foo-[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled, which was rather confusing.
>
> This will work via a shell if you want to echo too:
>
> $ echo | ipa group-add-member g1
>
> This returns 0 members because nothing is read for users or group members.
>
> $ echo -e "g1\nadmin\n" | ipa group-add-member
>
> This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first.
>
> ticket 415
>
> rob

ACK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 018 Normalize and convert default params, too
Jakub Hrozek wrote:
> On 12/02/2010 03:33 PM, Adam Young wrote:
>> This seems to make sense. Can you provide some context before I ACK?
>
> We're discussing it with Rob in the ticket, too: https://fedorahosted.org/freeipa/ticket/555

It works for me, ack and pushed to master

rob
Re: [Freeipa-devel] [PATCH] Some fixes in HBAC module
Jan Zelený wrote:
> I'm posting two patches fixing some issues with the HBAC plugin:
>
> https://fedorahosted.org/freeipa/ticket/487
> https://fedorahosted.org/freeipa/ticket/494
> https://fedorahosted.org/freeipa/ticket/495

Ack patch 0007, pushed to master.

rob
Re: [Freeipa-devel] [PATCH] 618 handle membership better
Simo Sorce wrote:
> On Tue, 23 Nov 2010 15:14:27 -0500 Rob Crittenden rcrit...@redhat.com wrote:
>> Use better description for group names in help and always prompt for members
>>
>> When running foo-[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled, which was rather confusing.
>>
>> This will work via a shell if you want to echo too:
>>
>> $ echo | ipa group-add-member g1
>>
>> This returns 0 members because nothing is read for users or group members.
>>
>> $ echo -e "g1\nadmin\n" | ipa group-add-member
>>
>> This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first.
>>
>> ticket 415
>>
>> rob
>
> ACK.
>
> Simo.

Rebased and pushed to master

rob
Re: [Freeipa-devel] [PATCH] 621 drop install/tools/README
Jakub Hrozek wrote:
> On Tue, Nov 30, 2010 at 02:02:00PM -0500, Rob Crittenden wrote:
>> The README in install/tools is really for v1 and contains almost nothing useful for v2 so I'm proposing to drop it altogether.
>>
>> I'm also adding a link to the QuickStart guide on the trac wiki. The guide itself needs a lot of work but it's a start.
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 622 fix passwd output
Jakub Hrozek wrote:
> On 11/30/2010 09:13 PM, Rob Crittenden wrote:
>> A couple of Password attributes had no label so prompting looked bad.
>>
>> When printing exceptions we need to convert the label and error to unicode so translations work.
>>
>> Use standard output routines instead of output_for_cli() in passwd plugin.
>>
>> ticket 352
>>
>> rob
>
> Ack

pushed to master
Re: [Freeipa-devel] [PATCH] Do not create reverse zone by default
On Mon, 15 Nov 2010 12:53:22 +0100 Jakub Hrozek jhro...@redhat.com wrote:
> Prompt for creation of reverse zone, with the default for unattended installations being False.
>
> https://fedorahosted.org/freeipa/ticket/418

ACK and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] admiyo-0110-tooltips
On 12/2/2010 3:43 PM, Adam Young wrote:

ACK and pushed to master.

--
Endi S. Dewata
[Freeipa-devel] [PATCH] Fixed association links
Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/113/ The create_association_facets() has been modified such that it does not generate duplicate links. This is done by assigning the proper labels and hiding non-assignable associations. Each association will get a label based on the attribute used: - memberof: entity name Membership - member.*: Member entity name - managedby: Managed by entity name - enrolledby: Enrolled by entity name The following associations will be hidden: - memberindirect The internal.py was modified to return localized labels. The test data has been updated. -- Endi S. Dewata From 2b0332826343a0b90777c7ea49ea2d3a40e2e8e3 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Thu, 2 Dec 2010 17:16:34 -0600 Subject: [PATCH] Fixed association links The create_association_facets() has been modified such that it does not generate duplicate links. This is done by assigning the proper labels and hiding non-assignable associations. Each association will get a label based on the attribute used: - memberof: entity name Membership - member.*: Member entity name - managedby: Managed by entity name - enrolledby: Enrolled by entity name The following associations will be hidden: - memberindirect The internal.py was modified to return localized labels. The test data has been updated. --- install/static/entity.js | 26 ++ install/static/group.js|2 +- install/static/hbacsvcgroup.js |2 +- install/static/host.js |2 +- install/static/service.js |2 +- install/static/sudocmdgroup.js |2 +- install/static/test/data/ipa_init.json |6 ++ ipalib/plugins/internal.py |5 + 8 files changed, 38 insertions(+), 9 deletions(-) diff --git a/install/static/entity.js b/install/static/entity.js index 6e2b501b0989b4549123888bef0fcc69a7b23b0d..0c7c849d1aa99f263367f0d66dd043e93c399fe7 100644 --- a/install/static/entity.js +++ b/install/static/entity.js 
@@ -151,9 +151,7 @@ function ipa_entity(spec) { return config; }; -that.create_association_facet = function(other_entity, attribute_member) { - -var label = IPA.metadata[other_entity].label; +that.create_association_facet = function(attribute_member, other_entity, label) { if (!attribute_member) { attribute_member = ipa_get_member_attribute( @@ -173,12 +171,32 @@ function ipa_entity(spec) { var attribute_members = IPA.metadata[that.name].attribute_members; for (var attribute_member in attribute_members) { + +// skip memberindirect +if (attribute_member === 'memberindirect') continue; + var other_entities = attribute_members[attribute_member]; for (var j = 0; j other_entities.length; j++) { var other_entity = other_entities[j]; +var other_entity_name = IPA.metadata[other_entity].label; -var facet = that.create_association_facet(other_entity, attribute_member); +var label = other_entity_name; + +if (attribute_member.match(/^memberof$/)) { +label = other_entity_name+' '+IPA.messages.association.memberof; + +} else if (attribute_member.match(/^member/)) { +label = IPA.messages.association.member+' '+other_entity_name; + +} else if (attribute_member.match(/^managedby$/)) { +label = IPA.messages.association.managedby+' '+other_entity_name; + +} else if (attribute_member.match(/^enrolledby$/)) { +label = IPA.messages.association.enrolledby+' '+other_entity_name; +} + +var facet = that.create_association_facet(attribute_member, other_entity, label); if (that.get_facet(facet.name)) continue; that.add_facet(facet); } diff --git a/install/static/group.js b/install/static/group.js index bcac40982d1bddaec55bdb46173df0b65e2bfb68..afc4ca271b20f0cb1f6911f1391150e00c699894 100644 --- a/install/static/group.js +++ b/install/static/group.js @@ -64,7 +64,7 @@ function ipa_group() { facet = ipa_group_member_user_facet({ 'name': 'member_user', -'label': 'Users', +'label': IPA.messages.association.member+' '+IPA.metadata['user'].label, 'other_entity': 'user' }); that.add_facet(facet); 
diff --git a/install/static/hbacsvcgroup.js b/install/static/hbacsvcgroup.js index 9cc1cdea4fba86c36ab99fbcf2f96ceda50b99b1..2aab5d0e247aef8ee90e3a05aedc3aa73eae9c43 100755 --- a/install/static/hbacsvcgroup.js +++ b/install/static/hbacsvcgroup.js @@ -55,7 +55,7 @@ function ipa_hbacsvcgroup() { facet = ipa_hbacsvcgroup_member_hbacsvc_facet({ 'name': 'member_hbacsvc', -
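Review bot: the first entity.js hunk (@@ -151) changes create_association_facet's signature from (other_entity, attribute_member) to (attribute_member, other_entity, label), swapping the order of two string parameters; any caller outside this file that still passes (other_entity, attribute_member) will silently get the two swapped and look up the wrong IPA.metadata entry instead of failing loudly. Worth grepping the other entity files for callers and stating the new order in the commit message, or taking a single spec object the way the facet constructors in group.js already do ({'name': ..., 'label': ..., 'other_entity': ...}).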
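Review bot: the label chain in the second entity.js hunk (@@ -173) dereferences IPA.messages.association.memberof / member / managedby / enrolledby with no guard, so a metadata payload without an association block (test data or a server whose internal.py predates this patch) throws a TypeError inside create_association_facets and aborts facet creation for the whole entity rather than falling back to the plain entity label. Consider `var msgs = IPA.messages.association || {};` and using other_entity_name when a key is missing. Also, an attribute_member that matches none of the four patterns keeps `label = other_entity_name`, which is exactly the ambiguous link the patch sets out to remove; an explicit default such as attribute_member + ' ' + other_entity_name would keep such a facet distinguishable.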
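Review bot: the group.js hunk rebuilds the member label by hand (`IPA.messages.association.member+' '+IPA.metadata['user'].label`), duplicating the rule that create_association_facets now encodes, and the diffstat shows the same one-line change in hbacsvcgroup.js, host.js, service.js and sudocmdgroup.js. A small helper on ipa_entity, say that.association_label(attribute_member, other_entity), used by both the generic loop and the hand-written facets would keep the two from drifting apart when a message string changes.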
[Freeipa-devel] [PATCH] Fixed buttons in enrollment dialog
Hi,

Please review the attached patch. Thanks!

The Find, Add, and Remove buttons in the enrollment dialog have been replaced with ipa_buttons.

-- 
Endi S. Dewata

From d70d1e1293d851ca738235b14ce9922361aa0f35 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Thu, 2 Dec 2010 20:46:25 -0600
Subject: [PATCH] Fixed buttons in enrollment dialog

The Find, Add, and Remove buttons in the enrollment dialog have been replaced with ipa_buttons.
---
install/static/widget.js | 48 +
1 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/install/static/widget.js b/install/static/widget.js
index f7b857f6bb92f8dbcadf73c2bba3710b06825564..429773ef0f9624bddefcabc919cbae98183cd15c 100755
--- a/install/static/widget.js
+++ b/install/static/widget.js
@@ -964,12 +964,14 @@ function ipa_adder_dialog(spec) { var search_panel = $('div/').appendTo(that.container); -that.filter_field = $('input/', { -type: 'text' +$('input/', { +type: 'text', +name: 'filter' }).appendTo(search_panel); -that.find_button = $('input/', { +$('input/', { type: 'button', +name: 'find', value: 'Find' }).appendTo(search_panel); @@ -1007,14 +1009,16 @@ function ipa_adder_dialog(spec) { }).appendTo(results_panel); var p = $('p/').appendTo(buttons_panel); -that.remove_button = $('input /', { +$('input /', { type: 'button', +name: 'remove', value: '' }).appendTo(p); p = $('p/').appendTo(buttons_panel); -that.add_button = $('input /', { +$('input /', { type: 'button', +name: 'add', value: '' }).appendTo(p); 
@@ -1036,19 +1040,37 @@ function ipa_adder_dialog(spec) { var selected_panel = $('div[name=selected]', that.container); that.selected_table.setup(selected_panel); -that.add_button.click(function(){ -var rows = that.available_table.remove_selected_rows(); -that.selected_table.add_rows(rows); +that.filter_field = $('input[name=filter]', that.container); + +var button = $('input[name=find]', that.container); +that.find_button = ipa_button({ +'label': button.val(), +'icon': 'ui-icon-search', +'click': function() { that.search(); } }); +button.replaceWith(that.find_button); -that.remove_button.click(function(){ -var rows = that.selected_table.remove_selected_rows(); -that.available_table.add_rows(rows); +button = $('input[name=remove]', that.container); +that.remove_button = ipa_button({ +'label': button.val(), +'icon': 'ui-icon-trash', +'click': function() { +var rows = that.selected_table.remove_selected_rows(); +that.available_table.add_rows(rows); +} }); +button.replaceWith(that.remove_button); -that.find_button.click(function(){ -that.search(); +button = $('input[name=add]', that.container); +that.add_button = ipa_button({ +'label': button.val(), +'icon': 'ui-icon-plus', +'click': function() { +var rows = that.available_table.remove_selected_rows(); +that.selected_table.add_rows(rows); +} }); +button.replaceWith(that.add_button); }; that.open = function(container) { -- 1.6.6.1
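Review bot: in the first widget.js hunk (@@ -964) the filter field and find button are no longer stored as that.filter_field / that.find_button when they are created; they are only looked up by name later in setup(), so between create() and setup() both properties are undefined. If that.search() reads that.filter_field, any search() call (or unit test) that runs before setup() now fails where it used to work. Either keep the assignments in create() and only swap the element for an ipa_button in setup(), or state the ordering requirement in a comment.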
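Review bot: in the second widget.js hunk (@@ -1007) the remove and add inputs keep `value: ''`, so the `'label': button.val()` in setup() gives the resulting ipa_buttons an empty label and they become icon-only; a screen reader, or a theme without the jQuery UI icon sprite, is left with two unlabeled buttons. Pass an explicit label (or at least a title) rather than reading it back from an empty value attribute.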
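Review bot: the third widget.js hunk (@@ -1036) gives the button that moves rows from the selected table back to the available table the 'ui-icon-trash' icon; that action undoes a selection rather than deleting anything, and a trash icon invites the user to expect the entry itself to be removed. An arrow icon would match a dialog that shuttles rows between two tables. The three find/remove/add blocks are also identical apart from name, icon and handler; a small local helper taking (name, icon, click) and doing the lookup plus replaceWith would halve the hunk and keep that logic in one place.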
Re: [Freeipa-devel] [PATCH] Fixed buttons in enrollment dialog
On 12/02/2010 09:50 PM, Endi Sukma Dewata wrote:
> Hi,
> Please review the attached patch. Thanks!
> The Find, Add, and Remove buttons in the enrollment dialog have been replaced with ipa_buttons.

You should be filtering out Host- Enrolled by Users as well. This is a single entity field, and it is automatically filled out when the user enrolls the host in IPA. That will fix https://fedorahosted.org/freeipa/ticket/377

Don't forget to update test/data/ipa_init.json with the new messages.

Rest of it looks good.