Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-09 Thread Martin Kosek
On 04/07/2014 01:34 PM, Petr Viktorin wrote:
> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>
>>> Read access is given to all authenticated users.
>>
>> So far looked OK in my tests. What about the ACIs like the following one?
>>
>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>> (read,search,compare) userdn != "ldap:///all";;)
>>
>> Do we want to remove them together with this patch to have the change grouped
>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>> once? (together with the master read ACI)
>>
>> Martin
>
> I want to remove them after removing the global read ACI, so that in the mean
> time we're not allowing more access than we should.

Ok, makes sense. I tested the patch again and it worked fine (after I removed
the deny rule).

ACK.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-09 Thread Petr Viktorin

On 04/09/2014 10:59 AM, Martin Kosek wrote:
> On 04/07/2014 01:34 PM, Petr Viktorin wrote:
>> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>>
>>>> Read access is given to all authenticated users.
>>>
>>> So far looked OK in my tests. What about the ACIs like the following one?
>>>
>>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>>> (read,search,compare) userdn != "ldap:///all";;)
>>>
>>> Do we want to remove them together with this patch to have the change grouped
>>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>>> once? (together with the master read ACI)
>>>
>>> Martin
>>
>> I want to remove them after removing the global read ACI, so that in the mean
>> time we're not allowing more access than we should.
>
> Ok, makes sense. I tested the patch again and it worked fine (after I removed
> the deny rule).
>
> ACK.
>
> Martin



Thanks, pushed to master: 39327dbb75e92e4184bdda2dbd802cf349866861

--
Petr³



Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Martin Kosek
On 04/03/2014 12:09 PM, Petr Viktorin wrote:
> Hello,
> This adds read permissions to read HBAC rules, services, and service groups.
>
> Read access is given to all authenticated users.

So far looked OK in my tests. What about the ACIs like the following one?

(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
(read,search,compare) userdn != "ldap:///all";;)

Do we want to remove them together with this patch to have the change grouped
together with allow ACIs or do you plan to remove all similar deny ACIs at
once? (together with the master read ACI)

Martin



Re: [Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-07 Thread Petr Viktorin

On 04/07/2014 01:28 PM, Martin Kosek wrote:
> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>> Hello,
>> This adds read permissions to read HBAC rules, services, and service groups.
>>
>> Read access is given to all authenticated users.
>
> So far looked OK in my tests. What about the ACIs like the following one?
>
> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
> (read,search,compare) userdn != "ldap:///all";;)
>
> Do we want to remove them together with this patch to have the change grouped
> together with allow ACIs or do you plan to remove all similar deny ACIs at
> once? (together with the master read ACI)
>
> Martin

I want to remove them after removing the global read ACI, so that in the
mean time we're not allowing more access than we should.


--
Petr³
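The removal ordering Petr argues for in this exchange, as an added example that is not part of the thread, of FreeIPA, or of 389 Directory Server: a simplified model of ACI evaluation (a matching deny wins, otherwise an allow is required; `ldap:///anyone` matches every bind, `ldap:///all` only authenticated ones) with constructed stand-ins for the global anonymous read ACI, the deny ACI Martin quotes, and the new "System: Read HBAC Rules" permission. The user DN is a constructed value.

```python
# Added example, not FreeIPA or 389-DS code: a deliberately simplified model of
# ACI evaluation (any matching deny wins, otherwise an allow is needed) covering
# only the bind rules the thread relies on; targets and attribute lists are omitted.
from dataclasses import dataclass

ANONYMOUS = None  # an unauthenticated bind has no bind DN


@dataclass(frozen=True)
class Aci:
    name: str
    effect: str        # "allow" or "deny"
    rights: frozenset  # subset of {"read", "search", "compare"}
    bind_rule: str     # "anyone", "all" or "not_all"

    def matches_bind(self, bind_dn):
        if self.bind_rule == "anyone":   # userdn = "ldap:///anyone": every bind
            return True
        if self.bind_rule == "all":      # userdn = "ldap:///all": authenticated only
            return bind_dn is not ANONYMOUS
        if self.bind_rule == "not_all":  # userdn != "ldap:///all": anonymous only
            return bind_dn is ANONYMOUS
        raise ValueError(self.bind_rule)


def access_granted(acis, bind_dn, right):
    """Deny ACIs take precedence; with no deny, at least one allow must match."""
    matching = [a for a in acis if right in a.rights and a.matches_bind(bind_dn)]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)


RSC = frozenset({"read", "search", "compare"})
# Constructed stand-ins for the three ACIs discussed in the thread.
GLOBAL_ANON_READ = Aci("global anonymous read", "allow", RSC, "anyone")
DENY_ANON_HBAC = Aci("No anonymous access to hbac", "deny", RSC, "not_all")
READ_HBAC_RULES = Aci("System: Read HBAC Rules", "allow", RSC, "all")
USER_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"  # constructed


def remove_deny_first():
    """Deny dropped while the global ACI still exists: anonymous can read HBAC."""
    return access_granted([GLOBAL_ANON_READ, READ_HBAC_RULES], ANONYMOUS, "read")


def remove_global_first():
    """Petr's order: global ACI goes first; the deny still blocks anonymous binds."""
    return access_granted([DENY_ANON_HBAC, READ_HBAC_RULES], ANONYMOUS, "read")
```

With the current ACIs (global allow plus the deny) anonymous binds are already refused and authenticated users already get read, so the patch changes nothing for either until the global ACI is dropped, which is why the deny must outlive it.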



[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

2014-04-03 Thread Petr Viktorin

Hello,
This adds read permissions to read HBAC rules, services, and service groups.

Read access is given to all authenticated users.

--
Petr³
From e0aa9e6e22ecdb42c0f3b21d42d66e5b5945d80d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 15:33:49 +0100
Subject: [PATCH] Add managed read permissions to HBAC objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/hbacrule.py | 15 +++
 ipalib/plugins/hbacsvc.py  | 11 +++
 ipalib/plugins/hbacsvcgroup.py | 12 
 3 files changed, 38 insertions(+)

diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 99758b25a287488f42f95c84b5e4b8658399fdd6..52abb408b04f882b5b202468ad3d9976ebba2f95 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -115,6 +115,7 @@ class hbacrule(LDAPObject):
 object_name = _('HBAC rule')
 object_name_plural = _('HBAC rules')
 object_class = ['ipaassociation', 'ipahbacrule']
+permission_filter_objectclasses = ['ipahbacrule']
 default_attributes = [
 'cn', 'ipaenabledflag',
 'description', 'usercategory', 'hostcategory',
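Review bot: `permission_filter_objectclasses = ['ipahbacrule']` names only the more specific of the two classes in `object_class = ['ipaassociation', 'ipahbacrule']` just above it, so the generated permission will not match entries that carry `ipaassociation` alone; that is the right scoping, but a short comment stating that the omission is intentional would keep a later cleanup from "aligning" the filter with `object_class` and widening the target.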
@@ -130,6 +131,20 @@ class hbacrule(LDAPObject):
 'sourcehost': ['host', 'hostgroup'],
 'memberservice': ['hbacsvc', 'hbacsvcgroup'],
 }
+managed_permissions = {
+'System: Read HBAC Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'accessruletype', 'accesstime', 'cn', 'description',
+'externalhost', 'hostcategory', 'ipaenabledflag',
+'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
+'servicecategory', 'sourcehost', 'sourcehostcategory',
+'usercategory', 'objectclass',
+},
+},
+}
 
 label = _('HBAC Rules')
 label_singular = _('HBAC Rule')
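Review bot: the commit message (only "Part of the work for: ticket 3566") should record the ordering agreed in this thread: the existing deny ACI "No anonymous access to hbac" is intentionally left in place until the global read ACI is removed, because `'replaces_global_anonymous_aci': True` together with `'ipapermbindruletype': 'all'` otherwise reads as if this permission alone now decides who can read HBAC rules. It is also worth one sentence noting that `'ipapermright': {'read', 'search', 'compare'}` is exactly the rights set the deny ACI covers, so authenticated users gain precisely what anonymous binds are refused.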
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
index 6c6bc94fe15a8e7af2c5ef87376bfbf3cc6438ff..58861fcfa77c5b220b4fb62e7af0039fe855d94e 100644
--- a/ipalib/plugins/hbacsvc.py
+++ b/ipalib/plugins/hbacsvc.py
@@ -57,11 +57,22 @@ class hbacsvc(LDAPObject):
 object_name = _('HBAC service')
 object_name_plural = _('HBAC services')
 object_class = [ 'ipaobject', 'ipahbacservice' ]
+permission_filter_objectclasses = ['ipahbacservice']
 default_attributes = ['cn', 'description', 'memberof']
 uuid_attribute = 'ipauniqueid'
 attribute_members = {
 'memberof': ['hbacsvcgroup'],
 }
+managed_permissions = {
+'System: Read HBAC Services': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'description', 'ipauniqueid', 'memberof', 'objectclass',
+},
+},
+}
 
 label = _('HBAC Services')
 label_singular = _('HBAC Service')
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 5fc0635c409eaa4be7a07dc95ec4b87b34928476..5e3ef5b7037e9a41d32cf62629c0dc87b31c8e17 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -52,11 +52,23 @@ class hbacsvcgroup(LDAPObject):
 object_name = _('HBAC service group')
 object_name_plural = _('HBAC service groups')
 object_class = ['ipaobject', 'ipahbacservicegroup']
+permission_filter_objectclasses = ['ipahbacservicegroup']
 default_attributes = [ 'cn', 'description', 'member' ]
 uuid_attribute = 'ipauniqueid'
 attribute_members = {
 'member': ['hbacsvc'],
 }
+managed_permissions = {
+'System: Read HBAC Service Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
 
 label = _('HBAC Service Groups')
 label_singular = _('HBAC Service Group')
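Review bot: `ipapermdefaultattr` here exposes `businesscategory`, `o`, `ou`, `owner` and `seealso`, none of which appear in `default_attributes = [ 'cn', 'description', 'member' ]` or anywhere else this plugin handles, whereas the hbacsvc permission in the previous hunk stays limited to the attributes the plugin uses plus `ipauniqueid` and `objectclass`. If these extra attributes are included only because the objectclass permits them, please either trim the set to `cn`, `description`, `ipauniqueid`, `member`, `objectclass`, or say in the commit message why a read permission granted to every authenticated user should cover them.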
-- 
1.9.0
