Hello,
This allows adding default permissions to privileges.
The privileges need to be created before the managed permission updater
runs (e.g. via the file-based updater).
My updated patch 0513 will use this.
--
PetrĀ³
From 2cea76be8acaddf9fa7af6c5212dc2b1d0c6d100 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 10 Apr 2014 12:24:41 +0200
Subject: [PATCH] Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipaserver/install/plugins/update_managed_permissions.py | 11 +++
1 file changed, 11 insertions(+)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index d938eecf175867f3a6a61a68d5f384bf9e79c055..efd87d0d197e463dc07efc8ae7fb9a88c87642a6 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -51,6 +51,9 @@
* ipapermdefaultattr
- Used as attribute of the permission.
- When upgrading, only new values are added; all old values are kept.
+* default_privileges
+ - Names of privileges to add the permission to
+ - Only applied on newly created permissions
* replaces_global_anonymous_aci
- If true, any attributes specified (denied) in the legacy global anonymous
read ACI will be added to excluded_attributes of the new permission.
@@ -200,6 +203,14 @@ def update_entry(self, obj, entry, template,
entry['ipapermright'] = list(template.pop('ipapermright'))
+default_privileges = template.pop('default_privileges', None)
+if is_new and default_privileges:
+entry['member'] = list(
+DN(('cn', privilege_name),
+ self.api.env.container_privilege,
+ self.api.env.basedn)
+for privilege_name in default_privileges)
+
# Add to the set of default attributes
attributes = set(template.pop('ipapermdefaultattr', ()))
attributes.update(entry.get('ipapermdefaultattr', ()))
--
1.9.0
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel