On 05/29/2014 10:03 AM, Martin Kosek wrote:
On 05/28/2014 03:40 PM, Petr Viktorin wrote:
Hello,
Some of IPA plugins assume that everyone has access to everything. Here are
some fixes for that.
Patch 0560 adds a new permission for the UPG Definition, which is required to
add users correctly.
558:
Crash is now removed, though I am thinking that the output may be confusing for
users as there is no output:
# ipa krbtpolicy-show
# echo $?
0
I need to use --all to see anything:
# ipa krbtpolicy-show --all
dn: cn=MKOSEK-FEDORA20.TEST,cn=kerberos,dc=mkosek-fedora20,dc=test
cn: MKOSEK-FEDORA20.TEST
objectclass: krbrealmcontainer, top, krbticketpolicyaux
Would it make sense to raise ACIError if user cannot any Kerberos policy
attributes?
Hm, actually there's a bigger problem -- if the user policy is not
readable, the command will actually lie.
I think we'll need to check attributelevelrights here to see if the
attributes are really unset or just unreadable. And I'll go through all
the other commands more carefully, to see if distinction between not
readable and not existing makes significant difference.
I withdraw the patch for now.
559: ACK
560: ACK
561:
functionally works fine, tested with migrate-ds. When looking at the code,
would it make sense to replace this section:
+disable_attr = '(objectclass=disable)'
+org_filter = upg_entries[0].single_value['originfilter']
+return not re.search(r'%s' % disable_attr, org_filter)
with
+origin_filter = upg_entries[0].single_value['originfilter']
+return '(objectclass=disable)' not in origin_filter
I am not sure why RE is used in this case at all.
Good point, thanks. Update attached.
--
PetrĀ³
From 6de342ee9e00d4cfb5a4b62ddb3de7896bd337a6 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 27 May 2014 16:41:43 +0200
Subject: [PATCH] aci plugin: Fix internal error when ACIs are not readable
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/aci.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 4821089f164106f195e9c59d5c9a379d8ffadf27..158909837040a4f43c50bf0e36ae62f2c61041e6 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -546,7 +546,7 @@ def execute(self, aciname, **kw):
raise errors.DuplicateEntry()
newaci_str = unicode(newaci)
-entry['aci'].append(newaci_str)
+entry.setdefault('aci', []).append(newaci_str)
if not kw.get('test', False):
ldap.update_entry(entry)
--
1.9.0
From c328cc4e4230b389c698e67a258d302361ca97f7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 28 May 2014 12:42:02 +0200
Subject: [PATCH] Add managed read permission for the UPG Definition
Since user_add checks the UPG definition to see if UPG is enabled,
user admins need read access to add users correctly.
All attributes are allowed since UPG Definition is an extensibleObject;
the needed attributes are not in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/user.py | 17 +
1 file changed, 17 insertions(+)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 604502ee77bc7d10a951335b423526949154392b..27ad36b7fdbee5b2c0dba10f1c381233e8059150 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -111,6 +111,12 @@
),
)
+UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
+ ('cn', 'Definitions'),
+ ('cn', 'Managed Entries'),
+ ('cn', 'etc'),
+ api.env.basedn)
+
# characters to be used for generating random user passwords
user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
@@ -319,6 +325,17 @@ class user(LDAPObject):
'memberof',
},
},
+'System: Read UPG Definition': {
+# Required for adding users
+'replaces_global_anonymous_aci': True,
+'non_object': True,
+'ipapermlocation': UPG_DEFINITION_DN,
+'ipapermtarget': UPG_DEFINITION_DN,
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {'*'},
+'default_privileges': {'User Administrators'},
+},
}
label = _('Users')
--
1.9.0
From b853299f3d03dc6397f5ea18ab63c8f39354d9c9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 27 May 2014 17:07:13 +0200
Subject: [PATCH] ldap2.has_upg: Raise an error if the UPG definition is not
found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that