Re: [Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation
On 04.08.2016 15:09, Martin Basti wrote:
> On 29.07.2016 06:21, Fraser Tweedale wrote:
>> On Thu, Jul 28, 2016 at 09:56:30AM +0200, Martin Babinsky wrote:
>>> On 07/28/2016 03:31 AM, Fraser Tweedale wrote:
>>>> The attached patch fixes a kerberos.Principal-related regression.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>> Hi Fraser,
>>>
>>> The ticket you linked in the commit message points to a closed milestone.
>>> You have to open a new ticket which needs to be triaged. Sorry, those are
>>> the processes.
>>>
>> Filed ticket: https://fedorahosted.org/freeipa/ticket/6146
>>
>> Updated patch attached (rebase and update commit message only).
>>
>> Thanks,
>> Fraser
>
> ACK, works for me

Pushed to master: 9dac0a13f101277948b4ce73b21b1d7ec75848b6

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation
On Thu, Jul 28, 2016 at 09:56:30AM +0200, Martin Babinsky wrote:
> On 07/28/2016 03:31 AM, Fraser Tweedale wrote:
> > The attached patch fixes a kerberos.Principal-related regression.
> >
> > Thanks,
> > Fraser
> >
> Hi Fraser,
>
> The ticket you linked in the commit message points to a closed milestone.
> You have to open a new ticket which needs to be triaged. Sorry, those are
> the processes.
>

Filed ticket: https://fedorahosted.org/freeipa/ticket/6146

Updated patch attached (rebase and update commit message only).

Thanks,
Fraser

From ef74c727e31a08af679eeeca027dd6a6bf526f0e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 28 Jul 2016 10:55:45 +1000
Subject: [PATCH] caacl: fix regression in rule instantiation

The Principal refactor causes service collections ('memberservice_service' attribute) to return Principal objects where previously it returned strings, but the HBAC machinery used for CA ACL enforcement only handles strings. Update the code to stringify service Principal objects when adding them to HBAC rules.

Fixes: https://fedorahosted.org/freeipa/ticket/6146

--- ipaserver/plugins/caacl.py | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a..a7817c4cf64f070c74557f52e9f26c9013a4963c 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py 
@@ -132,16 +132,21 @@ def _acl_make_rule(principal_type, obj): rule.services.names = obj.get(attr, []) # add principals and principal's groups -m = {'user': 'group', 'host': 'hostgroup', 'service': None} category_attr = '{}category'.format(principal_type) if category_attr in obj and obj[category_attr][0].lower() == 'all': rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} else: -principal_attr = 'member{}_{}'.format(principal_type, principal_type) -rule.users.names = obj.get(principal_attr, []) -if m[principal_type] is not None: -group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) -rule.users.groups = obj.get(group_attr, []) +if principal_type == 'user': +rule.users.names = obj.get('memberuser_user', []) +rule.users.groups = obj.get('memberuser_group', []) +elif principal_type == 'host': +rule.users.names = obj.get('memberhost_host', []) +rule.users.groups = obj.get('memberhost_hostgroup', []) +elif principal_type == 'service': +rule.users.names = [ +unicode(principal) +for principal in obj.get('memberservice_service', []) +] return rule -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
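Review bot: The new if/elif chain on principal_type in _acl_make_rule has no final else, so any value other than 'user', 'host' or 'service' now returns a rule whose rule.users.names is never assigned, where the removed code failed loudly with a KeyError at m[principal_type]. Since this rule feeds CA ACL enforcement, a silent fall-through is the wrong failure mode; consider closing the chain with an else that raises, for example `else: raise ValueError('unknown principal type: {}'.format(principal_type))`.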
Re: [Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation
On 07/28/2016 03:31 AM, Fraser Tweedale wrote:
> The attached patch fixes a kerberos.Principal-related regression.
>
> Thanks,
> Fraser

Hi Fraser,

The ticket you linked in the commit message points to a closed milestone.
You have to open a new ticket which needs to be triaged. Sorry, those are
the processes.

--
Martin^3 Babinsky
[Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation
The attached patch fixes a kerberos.Principal-related regression.

Thanks,
Fraser

From c3d4bee34f4a1aa6afafee07851e8b5557860331 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 28 Jul 2016 10:55:45 +1000
Subject: [PATCH] caacl: fix regression in rule instantiation

The Principal refactor causes service collections ('memberservice_service' attribute) to return Principal objects where previously it returned strings, but the HBAC machinery used for CA ACL enforcement only handles strings. Update the code to stringify service Principal objects when adding them to HBAC rules.

Part of: https://fedorahosted.org/freeipa/ticket/3864

--- ipaserver/plugins/caacl.py | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a..a7817c4cf64f070c74557f52e9f26c9013a4963c 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py 
@@ -132,16 +132,21 @@ def _acl_make_rule(principal_type, obj): rule.services.names = obj.get(attr, []) # add principals and principal's groups -m = {'user': 'group', 'host': 'hostgroup', 'service': None} category_attr = '{}category'.format(principal_type) if category_attr in obj and obj[category_attr][0].lower() == 'all': rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} else: -principal_attr = 'member{}_{}'.format(principal_type, principal_type) -rule.users.names = obj.get(principal_attr, []) -if m[principal_type] is not None: -group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) -rule.users.groups = obj.get(group_attr, []) +if principal_type == 'user': +rule.users.names = obj.get('memberuser_user', []) +rule.users.groups = obj.get('memberuser_group', []) +elif principal_type == 'host': +rule.users.names = obj.get('memberhost_host', []) +rule.users.groups = obj.get('memberhost_hostgroup', []) +elif principal_type == 'service': +rule.users.names = [ +unicode(principal) +for principal in obj.get('memberservice_service', []) +] return rule -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
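Review bot: The 'service' branch calls unicode(principal), which is a builtin only on Python 2; nothing in this hunk shows caacl.py aliasing unicode for Python 3, so unless the module already does that, six.text_type(principal) would be the safer spelling. The diffstat lists only caacl.py, so a regression test that builds a rule from an object whose 'memberservice_service' holds Principal objects would also be worth adding, to keep the Principal-versus-string mismatch described in the commit message from recurring.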