Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-09 Thread Petr Viktorin

On 04/09/2014 04:02 PM, Martin Kosek wrote:
> On 04/09/2014 03:56 PM, Petr Viktorin wrote:
>> On 04/09/2014 10:31 AM, Martin Kosek wrote:
>>> On 04/08/2014 05:19 PM, Petr Viktorin wrote:
>>>> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>>>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>>>>> Hello,
>>>>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>>>>
>>>>>>>> Read access is given to all authenticated users.
>>>>>>>
>>>>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>>>>> patch for authenticated users. This is the tree that clients use to read
>>>>>>> sudo.
>>>>>>
>>>>>> This new version does that. It needs my patches 0508-0509 since the
>>>>>> ou=sudoers permission is not tied to a specific Object plugin.
>>>>>
>>>>> I would also allow 'ou', otherwise an authenticated user cannot read the
>>>>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>>>>
>>>> Right, I wonder how I missed that.
>>>>
>>>> New patch attached; it needs 0508-0509.2.
>>>
>>> Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
>>> attribute? It is part of sudoRole objectclass:
>>>
>>> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
>>>   SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
>>>  As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft
>>>  er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
>>>
>>> but we seem to not generate it in our compat plugin though. But as it is part
>>> of the objectclass, I would rather add it to avoid any mistakes.
>>>
>>> If you add it, it's an ACK from me.
>>>
>>> Martin
>>
>> Thanks for the catch. Added, along with description.
>
> Great! I did not spot the description myself.
>
> ACK.

Thanks, pushed to master: 7786ff694b098f44574f92b3bbf89db48438a20f

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-09 Thread Martin Kosek
On 04/09/2014 03:56 PM, Petr Viktorin wrote:
> On 04/09/2014 10:31 AM, Martin Kosek wrote:
>> On 04/08/2014 05:19 PM, Petr Viktorin wrote:
>>> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>>>> Hello,
>>>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>>>
>>>>>>> Read access is given to all authenticated users.
>>>>>>
>>>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>>>> patch for authenticated users. This is the tree that clients use to read
>>>>>> sudo.
>>>>>
>>>>> This new version does that. It needs my patches 0508-0509 since the
>>>>> ou=sudoers permission is not tied to a specific Object plugin.
>>>>>
>>>>
>>>> I would also allow 'ou', otherwise an authenticated user cannot read the
>>>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>>>
>>> Right, I wonder how I missed that.
>>>
>>> New patch attached; it needs 0508-0509.2.
>>>
>>
>> Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
>> attribute? It is part of sudoRole objectclass:
>>
>> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
>>   SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
>>  As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft
>>  er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
>>
>> but we seem to not generate it in our compat plugin though. But as it is part
>> of the objectclass, I would rather add it to avoid any mistakes.
>>
>> If you add it, it's an ACK from me.
>>
>> Martin
>>
> 
> Thanks for the catch. Added, along with description.
> 

Great! I did not spot the description myself.

ACK.

Martin



Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-09 Thread Petr Viktorin

On 04/09/2014 10:31 AM, Martin Kosek wrote:
> On 04/08/2014 05:19 PM, Petr Viktorin wrote:
>> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>>
>>>>>> Read access is given to all authenticated users.
>>>>>
>>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>>>
>>>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>>>> permission is not tied to a specific Object plugin.
>>>
>>> I would also allow 'ou', otherwise an authenticated user cannot read the
>>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
>>
>> Right, I wonder how I missed that.
>>
>> New patch attached; it needs 0508-0509.2.
>
> Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
> attribute? It is part of sudoRole objectclass:
>
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
>   SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
>  As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft
>  er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
>
> but we seem to not generate it in our compat plugin though. But as it is part
> of the objectclass, I would rather add it to avoid any mistakes.
>
> If you add it, it's an ACK from me.
>
> Martin

Thanks for the catch. Added, along with description.

--
Petr³
From 83827574ccd1855c8a965890be9ba0a6c58055f9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: [PATCH] Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py  | 13 +
 ipalib/plugins/sudocmdgroup.py | 12 
 ipalib/plugins/sudorule.py | 31 +++
 3 files changed, 56 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
 object_name = _('sudo command')
 object_name_plural = _('sudo commands')
 object_class = ['ipaobject', 'ipasudocmd']
+permission_filter_objectclasses = ['ipasudocmd']
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
 }
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
+managed_permissions = {
+'System: Read Sudo Commands': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'description', 'ipauniqueid', 'memberof', 'objectclass',
+'sudocmd',
+},
+},
+}
+
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
 
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
 object_name = _('sudo command group')
 object_name_plural = _('sudo command groups')
 object_class = ['ipaobject', 'ipasudocmdgrp']
+permission_filter_objectclasses = ['ipasudocmdgrp']
 default_attributes = [
 'cn', 'description', 'member',
 ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
 attribute_members = {
 'member': ['sudocmd'],
 }
+managed_permissions = {
+'System: Read Sudo Command Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
 
 label = _('Sudo Command Groups')
 label_singular = _('Sudo Command Group')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..16611aededfd63dac8652468cff473d9d1a07c0d 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
 object_name = _('sudo rule')
 object_name_plural = _('sudo rules')
 object_class = ['ipaassociation', 'ipasudorule']
+permission_filter_objectclasses = ['ipasudorule']
 default_attributes =

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-09 Thread Martin Kosek
On 04/08/2014 05:19 PM, Petr Viktorin wrote:
> On 04/08/2014 12:46 PM, Martin Kosek wrote:
>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>>
>>>>> Read access is given to all authenticated users.
>>>>
>>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>>> patch for authenticated users. This is the tree that clients use to read
>>>> sudo.
>>>
>>> This new version does that. It needs my patches 0508-0509 since the 
>>> ou=sudoers
>>> permission is not tied to a specific Object plugin.
>>>
>>
>> I would also allow 'ou', otherwise an authenticated user cannot read the
>> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.
> 
> Right, I wonder how I missed that.
> 
> New patch attached; it needs 0508-0509.2.
> 

Sorry for not spotting it earlier, but shouldn't we also add "sudoRunAs"
attribute? It is part of sudoRole objectclass:

objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
  SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
 As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft
 er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )

but we seem to not generate it in our compat plugin though. But as it is part
of the objectclass, I would rather add it to avoid any mistakes.

If you add it, it's an ACK from me.

Martin

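Martin's catch above (the sudoRunAs attribute hidden across an LDIF line fold, and 'ou' being needed before an authenticated user can read the container RDN) is the kind of omission a small checker finds mechanically. The following Python is an added example, not code from this thread or from FreeIPA: it unfolds the sudoRole schema line quoted above, extracts its MUST and MAY attributes, and diffs them against a read permission's attribute set. The set `DRAFT_SUDOERS_READ_ATTRS` is constructed for the example (the real ou=sudoers attribute list is in the part of the patch the archive cut off), and all function names are the example's own.

```python
import re

# The sudoRole objectclass definition quoted in the thread, re-folded the way
# LDIF folds long lines (RFC 2849: a continuation line begins with one space).
# The fold inside "sudoRunAs" is exactly what makes that attribute easy to miss
# when the schema is read by eye.
SUDOROLE_SCHEMA_LDIF = (
    "objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'\n"
    "  SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun\n"
    " As $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAft\n"
    " er $ sudoOrder $ description ) X-ORIGIN 'SUDO' )\n"
)

# Constructed stand-in for the attribute list of the ou=sudoers read permission
# before review; the real list is in the part of the patch the archive cut off.
DRAFT_SUDOERS_READ_ATTRS = {
    'cn', 'objectclass', 'sudouser', 'sudohost', 'sudocommand', 'sudorunasuser',
    'sudorunasgroup', 'sudooption', 'sudonotbefore', 'sudonotafter', 'sudoorder',
}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their record line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _attr_list(spec, keyword):
    """Attribute names after MUST/MAY: either '( a $ b )' or one bare name."""
    m = re.search(r'\b%s\s+(\(([^)]*)\)|\S+)' % keyword, spec)
    if not m:
        return set()
    body = m.group(2) if m.group(2) is not None else m.group(1)
    # LDAP attribute names are case-insensitive, so compare them lower-cased.
    return {a.strip().lower() for a in body.split('$') if a.strip()}


def parse_objectclass(ldif_text):
    """Parse one folded 'objectClasses:' LDIF line into name, MUST and MAY sets."""
    line = unfold_ldif(ldif_text)[0]
    _, _, spec = line.partition(':')
    name = re.search(r"NAME\s+'([^']+)'", spec).group(1)
    return {'name': name,
            'must': _attr_list(spec, 'MUST'),
            'may': _attr_list(spec, 'MAY')}


def check_read_permission(objectclass, permission_attrs, container_rdn_attrs=()):
    """Compare a read permission's attribute list against the objectclass.

    'missing': attributes the schema allows (plus objectclass and the RDN
    attribute(s) of the container entry, the 'ou' point from the thread) that
    the permission does not grant, so clients cannot read them.
    'unknown': attributes the permission grants that the schema does not
    define, usually a typo or a line copied from another object type.
    """
    granted = {a.lower() for a in permission_attrs}
    expected = objectclass['must'] | objectclass['may'] | {'objectclass'}
    expected |= {a.lower() for a in container_rdn_attrs}
    return {'missing': sorted(expected - granted),
            'unknown': sorted(granted - expected)}


if __name__ == '__main__':
    oc = parse_objectclass(SUDOROLE_SCHEMA_LDIF)
    report = check_read_permission(oc, DRAFT_SUDOERS_READ_ATTRS,
                                   container_rdn_attrs={'ou'})
    print('%s: missing %s, unknown %s'
          % (oc['name'], report['missing'], report['unknown']))
```

Run against the constructed draft, the report lists exactly the three attributes the review asked for: 'description', 'ou' and 'sudorunas'. The same check works for any objectclass definition pasted from `ldapsearch -b cn=schema`, which makes it a cheap pre-review step for every new managed read permission.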


Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Petr Viktorin

On 04/08/2014 12:46 PM, Martin Kosek wrote:
> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>>
>>>> Read access is given to all authenticated users.
>>>
>>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>>> patch for authenticated users. This is the tree that clients use to read sudo.
>>
>> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
>> permission is not tied to a specific Object plugin.
>
> I would also allow 'ou', otherwise an authenticated user cannot read the
> ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.

Right, I wonder how I missed that.

New patch attached; it needs 0508-0509.2.

--
Petr³

From 6c426c9a66a755dddf387e2396abbeaead3d3eb1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Mon, 7 Apr 2014 14:56:34 +0200
Subject: [PATCH] Add managed read permissions to Sudo objects and ou=sudoers

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py  | 13 +
 ipalib/plugins/sudocmdgroup.py | 12 
 ipalib/plugins/sudorule.py | 31 +++
 3 files changed, 56 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
 object_name = _('sudo command')
 object_name_plural = _('sudo commands')
 object_class = ['ipaobject', 'ipasudocmd']
+permission_filter_objectclasses = ['ipasudocmd']
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
 }
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
+managed_permissions = {
+'System: Read Sudo Commands': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'description', 'ipauniqueid', 'memberof', 'objectclass',
+'sudocmd',
+},
+},
+}
+
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
 
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
 object_name = _('sudo command group')
 object_name_plural = _('sudo command groups')
 object_class = ['ipaobject', 'ipasudocmdgrp']
+permission_filter_objectclasses = ['ipasudocmdgrp']
 default_attributes = [
 'cn', 'description', 'member',
 ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
 attribute_members = {
 'member': ['sudocmd'],
 }
+managed_permissions = {
+'System: Read Sudo Command Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
 
 label = _('Sudo Command Groups')
 label_singular = _('Sudo Command Group')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..88fd86e31b95bb49b69a5a3dfdb7bf153784fbfc 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
 object_name = _('sudo rule')
 object_name_plural = _('sudo rules')
 object_class = ['ipaassociation', 'ipasudorule']
+permission_filter_objectclasses = ['ipasudorule']
 default_attributes = [
 'cn', 'ipaenabledflag', 'externaluser',
 'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,36 @@ class sudorule(LDAPObject):
 'ipasudorunas': ['user', 'group'],
 'ipasudorunasgroup': ['group'],
 }
+managed_permissions = {
+'System: Read Sudo Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cmdcategory', 'cn', 'description', 'externalhost',
+'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+   

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Martin Kosek
On 04/08/2014 11:03 AM, Petr Viktorin wrote:
> On 04/07/2014 01:30 PM, Martin Kosek wrote:
>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds read permissions to read Sudo commands, command groups, rules.
>>>
>>> Read access is given to all authenticated users.
>>
>> Looks good. What about "ou=sudoers"? I think we should also allow it in this
>> patch for authenticated users. This is the tree that clients use to read 
>> sudo.
> 
> This new version does that. It needs my patches 0508-0509 since the ou=sudoers
> permission is not tied to a specific Object plugin.
> 

I would also allow 'ou', otherwise an authenticated user cannot read the
ou=sudoers RDN. I will comment on NONOBJECT_PERMISSIONS in the other thread.

Martin



Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-08 Thread Petr Viktorin

On 04/07/2014 01:30 PM, Martin Kosek wrote:
> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>> Hello,
>> This adds read permissions to read Sudo commands, command groups, rules.
>>
>> Read access is given to all authenticated users.
>
> Looks good. What about "ou=sudoers"? I think we should also allow it in this
> patch for authenticated users. This is the tree that clients use to read sudo.

This new version does that. It needs my patches 0508-0509 since the
ou=sudoers permission is not tied to a specific Object plugin.


--
Petr³
From 11f8d647cc3976dc2d30908482c0dd7720cce270 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Mon, 7 Apr 2014 14:56:34 +0200
Subject: [PATCH] Add managed read permissions to Sudo objects and ou=sudoers

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py  | 13 +
 ipalib/plugins/sudocmdgroup.py | 12 
 ipalib/plugins/sudorule.py | 18 ++
 .../install/plugins/update_managed_permissions.py  | 17 +++--
 4 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
 object_name = _('sudo command')
 object_name_plural = _('sudo commands')
 object_class = ['ipaobject', 'ipasudocmd']
+permission_filter_objectclasses = ['ipasudocmd']
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
 }
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
+managed_permissions = {
+'System: Read Sudo Commands': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'description', 'ipauniqueid', 'memberof', 'objectclass',
+'sudocmd',
+},
+},
+}
+
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
 
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
 object_name = _('sudo command group')
 object_name_plural = _('sudo command groups')
 object_class = ['ipaobject', 'ipasudocmdgrp']
+permission_filter_objectclasses = ['ipasudocmdgrp']
 default_attributes = [
 'cn', 'description', 'member',
 ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
 attribute_members = {
 'member': ['sudocmd'],
 }
+managed_permissions = {
+'System: Read Sudo Command Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
 
 label = _('Sudo Command Groups')
 label_singular = _('Sudo Command Group')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..3f2c4063ce385d15f0551f663cba227a1269c62e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
 object_name = _('sudo rule')
 object_name_plural = _('sudo rules')
 object_class = ['ipaassociation', 'ipasudorule']
+permission_filter_objectclasses = ['ipasudorule']
 default_attributes = [
 'cn', 'ipaenabledflag', 'externaluser',
 'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,23 @@ class sudorule(LDAPObject):
 'ipasudorunas': ['user', 'group'],
 'ipasudorunasgroup': ['group'],
 }
+managed_permissions = {
+'System: Read Sudo Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cmdcategory', 'cn', 'description', 'externalhost',
+'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+'ipasudorunasextuser', 'ipasudorunasgroup',
+'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+'ipauniqueid', 'memberall

Re: [Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote:
> Hello,
> This adds read permissions to read Sudo commands, command groups, rules.
> 
> Read access is given to all authenticated users.

Looks good. What about "ou=sudoers"? I think we should also allow it in this
patch for authenticated users. This is the tree that clients use to read sudo.

Martin



[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects

2014-04-03 Thread Petr Viktorin

Hello,
This adds read permissions to read Sudo commands, command groups, rules.

Read access is given to all authenticated users.


--
Petr³
From bb9ff134db5427621b13f94e062ed24f725bc280 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: [PATCH] Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/sudocmd.py  | 13 +
 ipalib/plugins/sudocmdgroup.py | 12 
 ipalib/plugins/sudorule.py | 18 ++
 3 files changed, 43 insertions(+)

diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
 object_name = _('sudo command')
 object_name_plural = _('sudo commands')
 object_class = ['ipaobject', 'ipasudocmd']
+permission_filter_objectclasses = ['ipasudocmd']
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'sudocmd', 'description',
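Review bot: `permission_filter_objectclasses = ['ipasudocmd']` deliberately lists only the specific objectclass and leaves out the generic 'ipaobject' from `object_class` two lines above; a one-line comment saying the filter is meant to stay narrower than `object_class` would stop a later edit from "completing" it to match. The same applies to the sudocmdgroup and sudorule hunks below, which make the same choice with 'ipasudocmdgrp' and 'ipasudorule'.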
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
 }
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
+managed_permissions = {
+'System: Read Sudo Commands': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'description', 'ipauniqueid', 'memberof', 'objectclass',
+'sudocmd',
+},
+},
+}
+
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
 
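Review bot: with `'replaces_global_anonymous_aci': True` and `'ipapermbindruletype': 'all'` this hunk takes sudo command entries out of the global anonymous read ACI and re-grants them to authenticated binds only; the commit message says just "Add managed read permissions" and should state that anonymous read of these entries stops, so that anything still fetching sudo data over an anonymous bind is known to break once the permission is applied.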
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
 object_name = _('sudo command group')
 object_name_plural = _('sudo command groups')
 object_class = ['ipaobject', 'ipasudocmdgrp']
+permission_filter_objectclasses = ['ipasudocmdgrp']
 default_attributes = [
 'cn', 'description', 'member',
 ]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
 attribute_members = {
 'member': ['sudocmd'],
 }
+managed_permissions = {
+'System: Read Sudo Command Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
 
 label = _('Sudo Command Groups')
 label_singular = _('Sudo Command Group')
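Review bot: 'businesscategory', 'o', 'ou', 'owner' and 'seealso' in `ipapermdefaultattr` do not appear in the plugin's `default_attributes` (`'cn', 'description', 'member'`) a few lines above; if they are there because the group objectclass allows them, a comment saying so would help, otherwise the list reads as copied from another group permission, and each extra attribute widens what every authenticated user can read for no stated reason.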
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..3f2c4063ce385d15f0551f663cba227a1269c62e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
 object_name = _('sudo rule')
 object_name_plural = _('sudo rules')
 object_class = ['ipaassociation', 'ipasudorule']
+permission_filter_objectclasses = ['ipasudorule']
 default_attributes = [
 'cn', 'ipaenabledflag', 'externaluser',
 'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,23 @@ class sudorule(LDAPObject):
 'ipasudorunas': ['user', 'group'],
 'ipasudorunasgroup': ['group'],
 }
+managed_permissions = {
+'System: Read Sudo Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cmdcategory', 'cn', 'description', 'externalhost',
+'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+'ipasudorunasextuser', 'ipasudorunasgroup',
+'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+'sudoorder', 'usercategory', 'objectclass',
+},
+},
+}
 
 label = _('Sudo Rules')
 label_singular = _('Sudo Rule')
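Review bot: the `ipapermdefaultattr` list is alphabetical except for 'objectclass', which trails after 'usercategory'; keep it sorted so the list can be diffed entry by entry against the ipasudorule schema when checking for omissions, which is how the missing sudoRunAs and description attributes were spotted elsewhere in this thread.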
-- 
1.9.0

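As an added illustration of what the `managed_permissions` dictionaries in the patch above amount to (example code, not FreeIPA's own permission updater): the 'System: Read Sudo Commands' definition is copied from the patch and rendered into the 389-ds ACI shape it corresponds to, with the bind rule that `'ipapermbindruletype': 'all'` selects (`userdn = "ldap:///all"`, any authenticated bind) next to the one `'anonymous'` would select. The ACI text, the `bind_rule` mapping for the 'permission' type and the suffix `dc=example,dc=test` are this example's approximations; the `audit` helper lists definitions that replace the global anonymous ACI without narrowing access to authenticated users, which is the narrowing the cover letter describes.

```python
# Managed permission definition copied from the patch in this thread
# ('System: Read Sudo Commands' in ipalib/plugins/sudocmd.py), together with
# that plugin's permission_filter_objectclasses value.
SUDOCMD_READ = {
    'replaces_global_anonymous_aci': True,
    'ipapermbindruletype': 'all',
    'ipapermright': {'read', 'search', 'compare'},
    'ipapermdefaultattr': {
        'description', 'ipauniqueid', 'memberof', 'objectclass', 'sudocmd',
    },
}
SUDOCMD_FILTER_OBJECTCLASSES = ['ipasudocmd']


def bind_rule(bindruletype, name, suffix):
    """Bind rule for each ipapermbindruletype, in 389-ds ACI syntax (approximation).

    'all' is any authenticated bind; 'anonymous' is everybody, unauthenticated
    binds included; 'permission' is members of the permission's own group entry.
    """
    if bindruletype == 'all':
        return 'userdn = "ldap:///all"'
    if bindruletype == 'anonymous':
        return 'userdn = "ldap:///anyone"'
    if bindruletype == 'permission':
        return 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (name, suffix)
    raise ValueError('unknown ipapermbindruletype: %r' % (bindruletype,))


def render_aci(name, definition, filter_objectclasses, suffix='dc=example,dc=test'):
    """Render a managed permission as the ACI it amounts to (example approximation)."""
    targetattr = ' || '.join(sorted(definition['ipapermdefaultattr']))
    rights = ','.join(sorted(definition['ipapermright']))
    ocs = ['(objectclass=%s)' % oc for oc in filter_objectclasses]
    targetfilter = ocs[0] if len(ocs) == 1 else '(&%s)' % ''.join(ocs)
    return (
        '(targetattr = "%s")(targetfilter = "%s")'
        '(version 3.0;acl "permission:%s";allow (%s) %s;)'
        % (targetattr, targetfilter, name, rights,
           bind_rule(definition['ipapermbindruletype'], name, suffix))
    )


def readers(definition):
    """Who the permission lets read: 'anonymous', 'authenticated' or 'members'."""
    return {'anonymous': 'anonymous',
            'all': 'authenticated',
            'permission': 'members'}[definition['ipapermbindruletype']]


def audit(permissions):
    """Names of definitions that replace the global anonymous ACI yet still bind
    as 'anonymous', i.e. where no narrowing to authenticated users takes place."""
    return sorted(name for name, d in permissions.items()
                  if d.get('replaces_global_anonymous_aci')
                  and d['ipapermbindruletype'] == 'anonymous')


if __name__ == '__main__':
    name = 'System: Read Sudo Commands'
    print(readers(SUDOCMD_READ))
    print(render_aci(name, SUDOCMD_READ, SUDOCMD_FILTER_OBJECTCLASSES))
    # Same definition with the bind rule type the patch is moving away from.
    anon = dict(SUDOCMD_READ, ipapermbindruletype='anonymous')
    print(render_aci(name, anon, SUDOCMD_FILTER_OBJECTCLASSES))
    print(audit({name: SUDOCMD_READ, name + ' (anonymous)': anon}))
```

The two rendered ACIs differ in a single token, `ldap:///all` versus `ldap:///anyone`, which is the whole difference between "every authenticated user" and "anyone who can open a connection"; keeping that token visible next to the Python definition is the easiest way to review a batch of managed permissions for accidental anonymous grants.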