Re: [Freeipa-devel] [PATCH] 355 Added vault access control.

2015-01-26 Thread Endi Sukma Dewata

On 11/4/2014 12:28 AM, Endi Sukma Dewata wrote:

On 10/28/2014 5:35 PM, Endi Sukma Dewata wrote:

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.


New patch attached to fix the ticket URL. It depends on #353-3.


New patch attached for some cleanups.


Rebased on top of #353-5 to include access control tests.

--
Endi S. Dewata
From b4591d364a9e38de66536de596347dd08301173e Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt   | 134 +++--
 VERSION   |   4 +-
 install/share/60basev3.ldif   |   4 +-
 install/updates/40-vault.update   |   7 +
 ipalib/plugins/vault.py   | 238 +-
 ipatests/test_xmlrpc/test_vault_plugin.py |  17 +++
 6 files changed, 389 insertions(+), 15 deletions(-)

diff --git a/API.txt b/API.txt
index 
559f4b97fad334f037cb61bbb787f7dfcbd6e23c..f6fd2686a49dfabc053a772818904ca6c14f3b53
 100644
--- a/API.txt
+++ b/API.txt
@@ -4518,12 +4518,13 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
pattern='^[a-zA-Z0-9_.-/]+$', required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
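Review bot: the `parent` option's `pattern='^[a-zA-Z0-9_.-/]+$'` has `.-/` inside the character class, which the regex engine reads as a range from `.` to `/`, not as a literal hyphen, so a hyphen is not accepted at all; the `cn` pattern `'^[a-zA-Z0-9_.-]+$'` a few lines above does allow hyphens in vault names, so a parent path that passes through a hyphenated container will be rejected by `vault_add`. Put the hyphen last, `'^[a-zA-Z0-9_./-]+$'`. The class also admits `..` segments and empty segments produced by `//`; the hunk does not show how the path is mapped to a container DN, so the plugin's path handling should be checked to reject or normalise those before the DN is built.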
@@ -4533,13 +4534,40 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
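Review bot: `vault_add_member` and `vault_add_owner` take the parent path as a bare `Str('parent?', cli_name='parent')` with no `pattern`, whereas `vault_add` in the previous hunk validates its `parent` against `'^[a-zA-Z0-9_.-/]+$'`; a path string that `vault_add` would refuse can therefore be handed to the membership commands. Define the parent parameter once and reference it from every vault command so the validation cannot drift between them. Both commands also accept `group*`; adding a group as owner extends owner rights to every current and future member of that group, and the command documentation should say so.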

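The owner/member model described in the patch summary above, as an added example in Python that is not part of this thread and not FreeIPA's vault plugin code: owners manage a vault, members use it, archive and retrieve are gated in plugin code before the KRA is contacted, and a user may create their own private container. The attribute names `owner` and `member`, the `users/<uid>` container layout, the operation names, the sample DNs and the rule that an owner may also archive and retrieve are all assumptions made for this example, not details taken from the patch.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The patch summary splits vault operations in two: managing vaults and
# containers is covered by LDAP ACIs, while archive and retrieve only touch
# the KRA, so the plugin has to gate those itself.  Names are this example's.
MANAGE_OPS = frozenset({"mod", "del", "add_owner", "remove_owner",
                        "add_member", "remove_member"})
USE_OPS = frozenset({"archive", "retrieve"})
USER_BASE = "cn=users,dc=example,dc=test"       # constructed sample directory
GROUP_BASE = "cn=groups,dc=example,dc=test"

@dataclass(frozen=True)
class Principal:
    uid: str
    groups: FrozenSet[str] = frozenset()        # group DNs, already expanded

    @property
    def dn(self) -> str:
        return "uid=%s,%s" % (self.uid, USER_BASE)

@dataclass(frozen=True)
class VaultEntry:
    """A vault or a vault container; both carry owners, only a vault has
    members.  Attribute names and the path layout are assumptions."""
    path: str                                   # e.g. 'users/alice/ssh'
    owner: FrozenSet[str] = frozenset()         # user or group DNs
    member: FrozenSet[str] = frozenset()        # user or group DNs

def listed(p: Principal, dns: FrozenSet[str]) -> bool:
    """True if the principal's own DN or one of its group DNs is in dns."""
    return p.dn in dns or not p.groups.isdisjoint(dns)

def check_vault_access(p: Principal, v: VaultEntry, op: str,
                       owners_may_use: bool = True) -> bool:
    """Owners manage, members use.  The summary does not say whether an
    owner may also archive/retrieve; owners_may_use is this example's
    assumption and can be switched off."""
    if op in MANAGE_OPS:
        return listed(p, v.owner)
    if op in USE_OPS:
        return listed(p, v.member) or (owners_may_use and listed(p, v.owner))
    raise ValueError("unknown vault operation: %r" % op)

def private_container_path(uid: str) -> str:
    return "users/" + uid                       # per-user container (assumed)

def may_create_container(p: Principal, path: str,
                         containers: Dict[str, VaultEntry]) -> bool:
    """A user may create their own private container; any other container
    requires owning its parent container."""
    if path == private_container_path(p.uid):
        return True
    parent = containers.get(path.rsplit("/", 1)[0] if "/" in path else "")
    return parent is not None and listed(p, parent.owner)

class VaultService:
    """Plugin-side gate for the KRA-only operations: the KRA stand-in is
    called only after the check passes, so a denied caller never reaches it."""

    def __init__(self) -> None:
        self.kra_calls: List[Tuple[str, str]] = []   # (op, vault path)

    def _gated(self, op: str, p: Principal, v: VaultEntry) -> bool:
        if not check_vault_access(p, v, op):
            raise PermissionError("%s may not %s %s" % (p.uid, op, v.path))
        self.kra_calls.append((op, v.path))     # the real KRA request goes here
        return True

    def archive(self, p: Principal, v: VaultEntry, data: bytes) -> bool:
        return self._gated("archive", p, v)

    def retrieve(self, p: Principal, v: VaultEntry) -> bool:
        return self._gated("retrieve", p, v)

# Constructed sample data: alice owns her vault, the devops group may use it.
DEVOPS = "cn=devops,%s" % GROUP_BASE
ALICE, BOB, CAROL = Principal("alice"), Principal("bob", frozenset({DEVOPS})), Principal("carol")
SSH_VAULT = VaultEntry("users/alice/ssh", owner=frozenset({ALICE.dn}),
                       member=frozenset({DEVOPS}))
CONTAINERS = {"users/alice": VaultEntry("users/alice", owner=frozenset({ALICE.dn}))}

def demo() -> List[Tuple[str, str]]:
    """Put the three callers through the gate; return what reached the KRA."""
    svc = VaultService()
    svc.archive(ALICE, SSH_VAULT, b"constructed secret")
    svc.retrieve(BOB, SSH_VAULT)
    try:
        svc.retrieve(CAROL, SSH_VAULT)          # carol is neither owner nor member
    except PermissionError:
        pass
    return svc.kra_calls
```

`demo()` returns the two requests that reached the KRA stand-in; carol's attempt is refused before any KRA call is made, which is the property the summary's sentence about enforcing access control in the plugins is about. To model an ACI set in which owners do not also get use rights, pass `owners_may_use=False` to `check_vault_access`.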
Re: [Freeipa-devel] [PATCH] 355 Added vault access control.

2014-11-03 Thread Endi Sukma Dewata

On 10/28/2014 5:35 PM, Endi Sukma Dewata wrote:

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.


New patch attached to fix the ticket URL. It depends on #353-3.


New patch attached for some cleanups.

--
Endi S. Dewata
From a9714d34d180ce26c3d484fe313c991fa101ccfb Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt | 134 +++---
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 177 +++-
 5 files changed, 310 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
b73da0af55a3c514de73ae4e1b2a4d13c01c903d..ee33af74eb2870fcdf1ab7e6781797b348243a8f
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,12 +4476,13 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
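Review bot: `parent` is `required=False` and the hunk does not show where a vault lands when it is omitted; the commit message distinguishes a user's private container from other containers, and which of the new ACIs govern the entry depends on that default, so the command's doc string should state it. The same option also carries no `pattern` while the neighbouring `cn` is constrained by `'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$'`; since a parent path is a sequence of container names, each segment should be held to the same character set.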
@@ -4491,13 +4492,40 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,11,3
+args: 1,12,3
 arg: 
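Review bot: `vault_add_owner` reports results through `Output('completed', type 'int', None)` and `Output('failed', type 'dict', None)` rather than by raising, so a call that grants owner rights to some of the listed users or groups and fails for others still returns normally; any script that relies on the new owner set being complete must inspect `failed`, and the access-control tests should cover a partially failed `vault_add_owner` (one valid and one nonexistent user, for example) to pin down that the valid owner is still added. The `vault_archive` entry after the new commands is cut off in this copy at `arg:`, so the option behind the `args: 1,12,3` change is not reviewable here.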

Re: [Freeipa-devel] [PATCH] 355 Added vault access control.

2014-10-28 Thread Endi Sukma Dewata

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.


New patch attached to fix the ticket URL. It depends on #353-3.

--
Endi S. Dewata
From 6f464581e4e30e6105522ff25047764ec97e5a53 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt | 134 +--
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 233 +++-
 5 files changed, 366 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
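Review bot: the `cn` pattern `'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$'` allows a `$` only as the final character and nowhere else; nothing in the patch description calls for a `$` suffix on vault names, so unless one is intended, drop it and use the same character set in every position. The pattern also admits at most 1 + 252 + 1 = 254 characters while `maxlength=255` allows one more, so the two limits disagree by one; pick one bound and derive the other from it.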
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
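Review bot: `parent?` is declared as `Str('parent?', cli_name='parent')` in `vault_add_member` and `vault_add_owner` but as `Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False)` in `vault_add` in the previous hunk; these are the same option written two ways, and `vault_archive` (cut off here after `args: 1,11,3`) grows an option as well. Declare the parent parameter once at module level and reference it from every vault command so that any validation added later (a `pattern`, a length bound) applies uniformly.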

[Freeipa-devel] [PATCH] 355 Added vault access control.

2014-10-22 Thread Endi Sukma Dewata

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.

--
Endi S. Dewata
From ccbfa01f40e2ac4c978e5ef0f1fbe167f96793a2 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect the KRA. The LDAP schema
has been updated as well.

Ticket #3872
---
 API.txt | 134 +--
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 233 +++-
 5 files changed, 366 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
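Review bot: `parent` has no `pattern` while the `cn` argument beside it is constrained by `'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$'`; a parent path is a sequence of container names, so without a pattern on `parent` a caller can name a path that could never have been created through `vault_add`, and whatever the plugin does with that string when building the container DN is exercised with input the rest of the command refuses. Apply the same per-segment character set to `parent`, and add a test with a rejected character in a path segment.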
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option:
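Review bot: `vault_add_owner` accepts `group*` with exactly the signature of `vault_add_member`, and since owners manage the owner list, naming a group as owner delegates that management to every present and future member of the group; say so in the command's doc string. Also add a test in which a principal that is only a `member` of the vault calls `vault_add_owner` and is refused, since that is the boundary between the use and manage rights the commit message describes. The `vault_archive` entry is cut off in this copy after `option:`, so the option behind the `args: 1,10,3` to `1,11,3` change cannot be checked here.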