Re: [Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
On 04/23/2014 02:48 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>> This adds managed read permissions to cn=etc. Since these permissions are not bound to objects, the first patch adds support for those. They're defined in the update plugin.
>> The second patch adds permissions for various subtrees/entries in cn=etc, according to the [discussion thread].
>> I wonder if we should limit the attributes in cn=replication; are all nsds5replica attrs needed?
> Nope, IIRC we use this object exclusively to set the next available replica id.
>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since cn=ad is not present by default.
> ok.

534 - ACK.

535:
System: Read IPA Masters - ACK
System: Read DNA Configuration - ACK
System: Read CA Renewal Information - ACK - I tested with getcert resubmit -i $ID_OF_AUDITCERT
System: Read CA Certificate - should be OK - currently we need just cn,objectclass,cACertificate, but we may allow others for future use
System: Read Replication Information - changes needed? - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot - I am thinking we may be fine with allowing just those. Simo, what's your take on this?
System: Read AD Domains - ACK

Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
> On 04/23/2014 02:48 PM, Simo Sorce wrote:
>> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>>> This adds managed read permissions to cn=etc. Since these permissions are not bound to objects, the first patch adds support for those. They're defined in the update plugin.
>>> The second patch adds permissions for various subtrees/entries in cn=etc, according to the [discussion thread].
>>> I wonder if we should limit the attributes in cn=replication; are all nsds5replica attrs needed?
>> Nope, IIRC we use this object exclusively to set the next available replica id.
>>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since cn=ad is not present by default.
>> ok.
>
> 534 - ACK.
>
> 535:
> System: Read IPA Masters - ACK
> System: Read DNA Configuration - ACK
> System: Read CA Renewal Information - ACK - I tested with getcert resubmit -i $ID_OF_AUDITCERT
> System: Read CA Certificate - should be OK - currently we need just cn,objectclass,cACertificate, but we may allow others for future use
> System: Read Replication Information - changes needed? - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot - I am thinking we may be fine with allowing just those. Simo, what's your take on this?

Should be fine, hopefully we will soon overhaul the replication stuff to expose the topology and all, so I am not overly concerned.

> System: Read AD Domains - ACK

Simo.
Re: [Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
On 04/24/2014 02:24 PM, Simo Sorce wrote:
> On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
>> On 04/23/2014 02:48 PM, Simo Sorce wrote:
>>> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>>>> This adds managed read permissions to cn=etc. Since these permissions are not bound to objects, the first patch adds support for those. They're defined in the update plugin.
>>>> The second patch adds permissions for various subtrees/entries in cn=etc, according to the [discussion thread].
>>>> I wonder if we should limit the attributes in cn=replication; are all nsds5replica attrs needed?
>>> Nope, IIRC we use this object exclusively to set the next available replica id.
>>>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since cn=ad is not present by default.
>>> ok.
>>
>> 534 - ACK.
>>
>> 535:
>> System: Read IPA Masters - ACK
>> System: Read DNA Configuration - ACK
>> System: Read CA Renewal Information - ACK - I tested with getcert resubmit -i $ID_OF_AUDITCERT
>> System: Read CA Certificate - should be OK - currently we need just cn,objectclass,cACertificate, but we may allow others for future use
>> System: Read Replication Information - changes needed? - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot - I am thinking we may be fine with allowing just those. Simo, what's your take on this?
>
> Should be fine, hopefully we will soon overhaul the replication stuff to expose the topology and all, so I am not overly concerned.
>
>> System: Read AD Domains - ACK
>
> Simo.

Ok, thanks. It is an ACK as the System: Read Replication Information was the only one I was concerned about.

Pushed to master: d893b77fb69ef2e0aedf823e7cd82ca86a2971af

Martin
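The least-privilege outcome the thread settles on (anonymous read only on cn=CAcert, authenticated-only reads elsewhere, and cn=replication limited to cn, objectclass, nsds5replicaid and nsds5replicaroot) can be checked mechanically before an update plugin ships. The following is an added example, not code from the patches or from FreeIPA: it renders the 389-ds ACI a read-permission template would yield and flags attribute overexposure. The suffix, the blacklist contents, the 'ipapermdefaultattr' key name and the AD Domains attribute set are assumptions.

```python
SUFFIX = "dc=example,dc=test"  # constructed suffix, not a real deployment
# Attributes an anonymous-bind ACI must never expose (assumed sample list).
ANONYMOUS_READ_BLACKLIST = {"userpassword", "krbprincipalkey", "krbmkey"}
# Bind rule type -> 389-ds bind rule; "permission" uses the permission's groupdn.
BIND_RULES = {"anonymous": 'userdn = "ldap:///anyone"', "all": 'userdn = "ldap:///all"'}

# Constructed templates mirroring the thread; 'ipapermdefaultattr' is an assumed key name.
TEMPLATES = {
    "System: Read CA Certificate": {
        "ipapermlocation": f"cn=CAcert,cn=ipa,cn=etc,{SUFFIX}",
        "ipapermbindruletype": "anonymous",
        "ipapermdefaultattr": {"cn", "objectclass", "cacertificate"},
    },
    "System: Read Replication Information": {
        "ipapermlocation": f"cn=replication,cn=etc,{SUFFIX}",
        "ipapermbindruletype": "all",
        "ipapermdefaultattr": {"cn", "objectclass", "nsds5replicaid", "nsds5replicaroot"},
    },
    "System: Read AD Domains": {
        "ipapermlocation": f"cn=etc,{SUFFIX}",      # cn=ad may not exist yet, so the
        "ipapermtarget": f"cn=ad,cn=etc,{SUFFIX}",  # ACI lives on cn=etc with a target
        "ipapermbindruletype": "all",
        "ipapermdefaultattr": {"cn", "objectclass"},  # assumed attribute set
    },
}

def render_aci(name, tpl):
    """Render the ACI string the template yields; it is stored on ipapermlocation."""
    attrs = " || ".join(sorted(tpl["ipapermdefaultattr"]))
    parts = [f'(targetattr = "{attrs}")']
    if "ipapermtarget" in tpl:
        parts.append(f'(target = "ldap:///{tpl["ipapermtarget"]}")')
    rule = BIND_RULES.get(tpl["ipapermbindruletype"],
                          f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{SUFFIX}"')
    parts.append(f'(version 3.0;acl "permission:{name}";allow (read, search, compare) {rule};)')
    return "".join(parts)

def find_overexposure(templates, justified):
    """Return findings: anonymous reads of blacklisted attrs, or attrs beyond 'justified'."""
    findings = []
    for name, tpl in templates.items():
        attrs = {a.lower() for a in tpl["ipapermdefaultattr"]}
        if tpl["ipapermbindruletype"] == "anonymous":
            for a in sorted(attrs & ANONYMOUS_READ_BLACKLIST):
                findings.append(f"{name}: anonymous read of blacklisted attribute {a}")
        extra = attrs - {a.lower() for a in justified.get(name, attrs)}
        if extra:
            findings.append(f"{name}: attributes beyond what is needed: {sorted(extra)}")
    return findings
```

Running find_overexposure over the templates with the four replication attributes as the justified set returns no findings; widening an anonymous template to a blacklisted attribute produces one.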
[Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
This adds managed read permissions to cn=etc. Since these permissions are not bound to objects, the first patch adds support for those. They're defined in the update plugin.
The second patch adds permissions for various subtrees/entries in cn=etc, according to the [discussion thread].
I wonder if we should limit the attributes in cn=replication; are all nsds5replica attrs needed?
For cn=ad,cn=etc I put the permission in cn=etc and used a target, since cn=ad is not present by default.

[discussion thread]: http://www.redhat.com/archives/freeipa-devel/2014-April/msg00250.html

-- 
Petr³

From ed223228c277028f62de6dd7c01e752a99cb6cb2 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 27 Mar 2014 15:36:54 +0100 Subject: [PATCH] Add support for non-plugin default permissions Add support for managed permissions that are not tied to an object class and thus can't be defined in an Object plugin. A dict is added to hold templates for the non-plugin permissions. --- ipaserver/install/plugins/update_managed_permissions.py | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 3bba1f06e75fc2a0e57bce682827992e31f27708..438767f1c5c81709d5bd6efc875264c269ce0a6c 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -34,6 +34,9 @@ }, } +For permissions not tied to an object plugin, a NONOBJECT_PERMISSIONS +dict of the same format is defined in this module. + The permission name must start with the System: prefix. The template dictionary can have the following keys:
@@ -41,8 +44,8 @@ - Directly used as attributes on the permission. - Replaced when upgrading an existing permission - If not specified, these default to the defaults of a permission of the -corresponding --type, or (if non_object is specified) to general permission -defaults. +corresponding --type, or, if non_object is specified, or if not on an +object, to general permission defaults . - ipapermlocation and ipapermtarget must be DNs - ipapermtargetfilter and objectclass must be iterables of strings * ipapermbindruletype @@ -77,6 +80,8 @@ register = Registry() +NONOBJECT_PERMISSIONS = {} + @register() class update_managed_permissions(PostUpdate): @@ -123,6 +128,11 @@ def execute(self, **options): template, anonymous_read_blacklist) +self.log.info('Updating non-object managed permissions') +for name, template in NONOBJECT_PERMISSIONS.iteritems(): +self.update_permission(ldap, None, unicode(name), template, + anonymous_read_blacklist) + return False, False, () def update_permission(self, ldap, obj, name, template, -- 1.9.0 From f40bcb3da0c07dc94627fbb66b135203785c00e2 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Wed, 26 Mar 2014 17:11:23 +0100 Subject: [PATCH] Add several managed read permissions under cn=etc This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 --- install/updates/40-delegation.update | 7 ++ .../install/plugins/update_managed_permissions.py | 79 +- 2 files changed, 84 insertions(+), 2 deletions(-) diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 69061ca3df0cde8f66816e2f2f09aa15405a369e..49bb76277c44c0c4cae27839a45c6b4fc7b4f386 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update 
@@ -422,3 +422,10 @@ dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX default:objectClass: top default:cn: Automember Readers default:description: Read Automember definitions + +dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: IPA Masters Readers +default:description: Read list of IPA masters diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 438767f1c5c81709d5bd6efc875264c269ce0a6c..bffd9bbf434e76c9c6d74d0167a718acc96a54b1 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -68,7 +68,7 @@ No other keys are allowed in the template -from ipalib import errors +from ipalib import api, errors from ipapython.dn import DN from ipalib.plugable import Registry from ipalib.plugins import aci @@
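Review bot: the rewritten docstring sentence in the @@ -41,8 +44,8 @@ hunk of the first patch is hard to parse ("or, if non_object is specified, or if not on an object, to general permission defaults .") and carries a stray space before the period; suggest "corresponding --type, or to general permission defaults if non_object is specified or the permission is not tied to an object."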
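Review bot: in the @@ -123,6 +128,11 @@ hunk of the first patch the new loop calls self.update_permission(ldap, None, unicode(name), template, anonymous_read_blacklist) with obj=None, but nothing in the visible diff shows update_permission handling a None object; every default derived from the object (the --type defaults the docstring mentions, and any location derived from a container) needs a None guard, and it would be safer to require ipapermlocation explicitly in NONOBJECT_PERMISSIONS templates since there is no object to derive it from. Iterating a plain dict also gives no stable order, so sorted(NONOBJECT_PERMISSIONS.iteritems()) would make the "Updating non-object managed permissions" log output reproducible across upgrades.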
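Review bot: the @@ -68,7 +68,7 @@ hunk of the second patch changes the import to "from ipalib import api, errors", but none of the hunks visible here use api (the remainder of the patch is truncated in this archive); confirm the new NONOBJECT_PERMISSIONS templates actually reference it so the import is not left unused.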
Re: [Freeipa-devel] [PATCHES] 0534-0535 Add several managed read permissions under cn=etc
On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
> This adds managed read permissions to cn=etc. Since these permissions are not bound to objects, the first patch adds support for those. They're defined in the update plugin.
> The second patch adds permissions for various subtrees/entries in cn=etc, according to the [discussion thread].
> I wonder if we should limit the attributes in cn=replication; are all nsds5replica attrs needed?

Nope, IIRC we use this object exclusively to set the next available replica id.

> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since cn=ad is not present by default.

ok.

Simo.