Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Petr Viktorin

On 06/18/2014 02:23 PM, Martin Kosek wrote:

On 06/18/2014 02:20 PM, Petr Viktorin wrote:

On 06/18/2014 02:05 PM, Martin Kosek wrote:

[...]

583.2: OK

584.2:

1) Typo in description:
Convewrt the existing default permissions.


Thanks for the catch, I'll fix it before pushing.



2) What would you like to do with per-zone permissions?

# ipa dnszone-add-permission example.com
--
Added system permission "Manage DNS zone example.com."
--
Manage DNS zone example.com.

# ipa permission-show 'Manage DNS zone example.com.'
Permission name: Manage DNS zone example.com.
Granted to Privilege: test2
Indirect Member of roles: test2

Should the command be converted to add V2 permissions? We would have to also
deal with conversion from old DNS zone permissions to permissionsv2 though.

3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
entries in a zone" permissions to managed? It would make their maintenance and
updates much easier, we would also get rid of more updates in update files.

The only problem I see is how to define 'userattr =
"parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
rough at the moment.


I'd like to leave these two cases until after the "regular" default permissions
are done.
The regular permissions must be converted now because when you "touch" them
with 4.0 permission-mod, they get converted to V2 and the updater will no
longer count them as old default permissions. So we need to convert all of them
right now. The SYSTEM ones can't be modified so they could theoretically wait
till 4.1+.
There'll be a few more SYSTEM permissions to convert like 'Modify DNA Range'.


Ok, not a blocker.


I opened [#4384] for 1).


For the second case, yes, adding more bind rule types will need some work (and
a new permission flag). I'd like to combine that work with the
selfservice/delegation, which also need special bind rules.


Ok, please make sure that we have the ideas and missing TODOs reflected in 
tickets.


I'm tracking 3) as part of [#4346] now. These show up in a simple grep 
or ldapsearch.



Given these arrangements, ACK to the patch set as is (with the typo fix).

Martin



Thanks, pushed to master: 700ac6c11627137db758ad376c44745db579dc84



[#4384] https://fedorahosted.org/freeipa/ticket/4384
[#4346] https://fedorahosted.org/freeipa/ticket/4346

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
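
The per-zone bind rule quoted in this message, userattr = "parent[0,1].managedby#GROUPDN", is what lets the group named in a zone's managedBy attribute act on both the zone entry and the records directly beneath it. What follows is an added example, not FreeIPA or 389-ds code: it models the rule's semantics (the bind DN must be a member of a group listed in the managedby attribute of the target entry, parent[0], or of the target's parent, parent[1]) over a constructed in-memory directory fragment. The suffix, DNs, group name and zone names are assumptions made up for illustration.

```python
"""Evaluate a 389-ds style ``userattr = "parent[0,1].managedby#GROUPDN"``
bind rule against an in-memory directory fragment.

Added example, not FreeIPA or 389-ds code.  The suffix, DNs, group and
zone layout below are constructed for illustration only.
"""
import re

SUFFIX = "dc=example,dc=com"
ZONE_ADMINS = "cn=zoneadmins,cn=groups,cn=accounts," + SUFFIX
ALICE = "uid=alice,cn=users,cn=accounts," + SUFFIX
BOB = "uid=bob,cn=users,cn=accounts," + SUFFIX
ZONE = "idnsname=example.com.,cn=dns," + SUFFIX
RECORD = "idnsname=www," + ZONE
OTHER_ZONE = "idnsname=other.test.,cn=dns," + SUFFIX

# Constructed DIT: a zone carrying managedBy, one record beneath it, a
# second zone without managedBy, and the group the first zone delegates to.
DIT = {
    ZONE_ADMINS: {"objectclass": ["groupofnames"], "member": [ALICE]},
    ZONE: {"objectclass": ["idnszone"], "managedby": [ZONE_ADMINS]},
    RECORD: {"objectclass": ["idnsrecord"], "arecord": ["192.0.2.10"]},
    OTHER_ZONE: {"objectclass": ["idnszone"]},
}

RULE = 'parent[0,1].managedby#GROUPDN'
_USERATTR_RE = re.compile(r"^parent\[([\d,]+)\]\.(\w+)#GROUPDN$", re.IGNORECASE)


def parse_userattr(rule):
    """'parent[0,1].managedby#GROUPDN' -> ([0, 1], 'managedby')."""
    m = _USERATTR_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported userattr rule: %r" % (rule,))
    levels = [int(x) for x in m.group(1).split(",")]
    return levels, m.group(2).lower()


def parent_dn(dn, level):
    """Drop `level` leading RDNs; None when the DN has no such ancestor."""
    rdns = dn.split(",")  # the constructed DNs contain no escaped commas
    if level >= len(rdns):
        return None
    return ",".join(rdns[level:])


def lookup(dit, dn):
    """Case-insensitive DN match, as the directory server would do it."""
    dn = dn.lower()
    for key, entry in dit.items():
        if key.lower() == dn:
            return entry
    return None


def is_member(dit, group_dn, bind_dn):
    """Direct membership only; nested groups are out of scope here."""
    group = lookup(dit, group_dn)
    if group is None:
        return False
    return bind_dn.lower() in (m.lower() for m in group.get("member", []))


def userattr_allows(dit, rule, target_dn, bind_dn):
    """True when bind_dn belongs to a group named in `attr` of the target
    entry (parent[0]) or of an ancestor at one of the listed levels."""
    levels, attr = parse_userattr(rule)
    for level in levels:
        ancestor = parent_dn(target_dn, level)
        entry = lookup(dit, ancestor) if ancestor else None
        if entry is None:
            continue
        if any(is_member(dit, g, bind_dn) for g in entry.get(attr, [])):
            return True
    return False


if __name__ == "__main__":
    for who, target in [(ALICE, ZONE), (ALICE, RECORD),
                        (BOB, RECORD), (ALICE, OTHER_ZONE)]:
        print("%-10s %-28s %s" % (who.split(",")[0], target.split(",")[0],
                                  userattr_allows(DIT, RULE, target, who)))
```

Alice is allowed on the zone through parent[0] and on the record through parent[1]; Bob is refused because he is not in the group, and Alice is refused on the second zone because it carries no managedby value at all. Because only levels 0 and 1 are listed, an entry nested two levels below the zone would not inherit the delegation, which is why this kind of rule does not fit the plain group-based bind rule that managed permissions currently generate.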



Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/18/2014 02:20 PM, Petr Viktorin wrote:
> On 06/18/2014 02:05 PM, Martin Kosek wrote:
>> On 06/16/2014 05:43 PM, Petr Viktorin wrote:
>>> On 06/13/2014 05:25 PM, Petr Viktorin wrote:

 With the first patch, old SYSTEM permissions can be replaced. The "Read
 DNS Entries" did not have an associated ACI, but was rather rolled into
 a single ACI with the managedBy rule used for per-zone access.
 (and before that it was part of a deny rule.)
 We can't remove this permission in an update file, because we need to
 check that it is indeed an old SYSTEM perm and not a new one with the
 same name.


 The second patch converts DNS permissions to managed.

 The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
 not exist in all installations.

 I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
 when I've thought more about relationships between plugins, packages,
 install options, and the updater.
>>>
>>> Testing more, I found a benign bug: the updater complained if the cn=dns
>>> container was missing. Fixed here.
>>>
>>> Also, the update_dns_permissions plugin is now obsolete, the third patch
>>> removes it.
>>>
>>
>> 583.2: OK
>>
>> 584.2:
>>
>> 1) Typo in description:
>> Convewrt the existing default permissions.
> 
> Thanks for the catch, I'll fix it before pushing.
> 
>>
>> 2) What would you like to do with per-zone permissions?
>>
>> # ipa dnszone-add-permission example.com
>> --
>> Added system permission "Manage DNS zone example.com."
>> --
>>Manage DNS zone example.com.
>>
>> # ipa permission-show 'Manage DNS zone example.com.'
>>Permission name: Manage DNS zone example.com.
>>Granted to Privilege: test2
>>Indirect Member of roles: test2
>>
>> Should the command be converted to add V2 permissions? We would have to also
>> deal with conversion from old DNS zone permissions to permissionsv2 though.
>>
>> 3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
>> entries in a zone" permissions to managed? It would make their maintenance 
>> and
>> updates much easier, we would also get rid of more updates in update files.
>>
>> The only problem I see is how to define 'userattr =
>> "parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
>> rough at the moment.
> 
> I'd like to leave these two cases until after the "regular" default 
> permissions
> are done.
> The regular permissions must be converted now because when you "touch" them
> with 4.0 permission-mod, they get converted to V2 and the updater will no
> longer count them as old default permissions. So we need to convert all of 
> them
> right now. The SYSTEM ones can't be modified so they could theoretically wait
> till 4.1+.
> There'll be a few more SYSTEM permissions to convert like 'Modify DNA Range'.

Ok, not a blocker.

> For the second case, yes, adding more bind rule types will need some work (and
> a new permission flag). I'd like to combine that work with the
> selfservice/delegation, which also need special bind rules.

Ok, please make sure that we have the ideas and missing TODOs reflected in 
tickets.

Given these arrangements, ACK to the patch set as is (with the typo fix).

Martin



Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Petr Viktorin

On 06/18/2014 02:05 PM, Martin Kosek wrote:

On 06/16/2014 05:43 PM, Petr Viktorin wrote:

On 06/13/2014 05:25 PM, Petr Viktorin wrote:


With the first patch, old SYSTEM permissions can be replaced. The "Read
DNS Entries" did not have an associated ACI, but was rather rolled into
a single ACI with the managedBy rule used for per-zone access.
(and before that it was part of a deny rule.)
We can't remove this permission in an update file, because we need to
check that it is indeed an old SYSTEM perm and not a new one with the
same name.


The second patch converts DNS permissions to managed.

The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
not exist in all installations.

I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
when I've thought more about relationships between plugins, packages,
install options, and the updater.


Testing more, I found a benign bug: the updater complained if the cn=dns
container was missing. Fixed here.

Also, the update_dns_permissions plugin is now obsolete, the third patch
removes it.



583.2: OK

584.2:

1) Typo in description:
Convewrt the existing default permissions.


Thanks for the catch, I'll fix it before pushing.



2) What would you like to do with per-zone permissions?

# ipa dnszone-add-permission example.com
--
Added system permission "Manage DNS zone example.com."
--
   Manage DNS zone example.com.

# ipa permission-show 'Manage DNS zone example.com.'
   Permission name: Manage DNS zone example.com.
   Granted to Privilege: test2
   Indirect Member of roles: test2

Should the command be converted to add V2 permissions? We would have to also
deal with conversion from old DNS zone permissions to permissionsv2 though.

3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
entries in a zone" permissions to managed? It would make their maintenance and
updates much easier, we would also get rid of more updates in update files.

The only problem I see is how to define 'userattr =
"parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
rough at the moment.


I'd like to leave these two cases until after the "regular" default 
permissions are done.
The regular permissions must be converted now because when you "touch" 
them with 4.0 permission-mod, they get converted to V2 and the updater 
will no longer count them as old default permissions. So we need to 
convert all of them right now. The SYSTEM ones can't be modified so they 
could theoretically wait till 4.1+.
There'll be a few more SYSTEM permissions to convert like 'Modify DNA 
Range'.


For the second case, yes, adding more bind rule types will need some 
work (and a new permission flag). I'd like to combine that work with the 
selfservice/delegation, which also need special bind rules.




Otherwise the changes worked fine, thanks!

Martin




--
Petr³



Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/16/2014 05:43 PM, Petr Viktorin wrote:
> On 06/13/2014 05:25 PM, Petr Viktorin wrote:
>>
>> With the first patch, old SYSTEM permissions can be replaced. The "Read
>> DNS Entries" did not have an associated ACI, but was rather rolled into
>> a single ACI with the managedBy rule used for per-zone access.
>> (and before that it was part of a deny rule.)
>> We can't remove this permission in an update file, because we need to
>> check that it is indeed an old SYSTEM perm and not a new one with the
>> same name.
>>
>>
>> The second patch converts DNS permissions to managed.
>>
>> The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
>> not exist in all installations.
>>
>> I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
>> when I've thought more about relationships between plugins, packages,
>> install options, and the updater.
> 
> Testing more, I found a benign bug: the updater complained if the cn=dns
> container was missing. Fixed here.
> 
> Also, the update_dns_permissions plugin is now obsolete, the third patch
> removes it.
> 

583.2: OK

584.2:

1) Typo in description:
Convewrt the existing default permissions.

2) What would you like to do with per-zone permissions?

# ipa dnszone-add-permission example.com
--
Added system permission "Manage DNS zone example.com."
--
  Manage DNS zone example.com.

# ipa permission-show 'Manage DNS zone example.com.'
  Permission name: Manage DNS zone example.com.
  Granted to Privilege: test2
  Indirect Member of roles: test2

Should the command be converted to add V2 permissions? We would have to also
deal with conversion from old DNS zone permissions to permissionsv2 though.

3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
entries in a zone" permissions to managed? It would make their maintenance and
updates much easier, we would also get rid of more updates in update files.

The only problem I see is how to define 'userattr =
"parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
rough at the moment.

Otherwise the changes worked fine, thanks!

Martin



Re: [Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

2014-06-16 Thread Petr Viktorin

On 06/13/2014 05:25 PM, Petr Viktorin wrote:


With the first patch, old SYSTEM permissions can be replaced. The "Read
DNS Entries" did not have an associated ACI, but was rather rolled into
a single ACI with the managedBy rule used for per-zone access.
(and before that it was part of a deny rule.)
We can't remove this permission in an update file, because we need to
check that it is indeed an old SYSTEM perm and not a new one with the
same name.


The second patch converts DNS permissions to managed.

The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
not exist in all installations.

I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
when I've thought more about relationships between plugins, packages,
install options, and the updater.


Testing more, I found a benign bug: the updater complained if the cn=dns 
container was missing. Fixed here.


Also, the update_dns_permissions plugin is now obsolete, the third 
patch removes it.



--
Petr³
From 2d213434a065c18943b8b33e921bb5b9995a581d Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 13 Jun 2014 15:58:24 +0200
Subject: [PATCH] managed permission updater: Add mechanism to replace SYSTEM
 permissions

The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py  | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 7b1405a1974826fd90acd0d5082f51d8b25034cd..2ca054d50d11eec9527e0ef1e5d53d2f8e479ed0 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -67,6 +67,8 @@
 * replaces
   - A list of ACIs corresponding to legacy default permissions replaced
 by this permission.
+* replaces_system
+  - A list of names of old SYSTEM permissions this replaces.
 * fixup_function
   - A callable that may modify the template in-place before it is applied.
   - Called with the permission name, template dict, and keyword arguments:
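Review bot: the new `replaces_system` entry in the template documentation does not say what happens when a permission of that name exists but is not an old SYSTEM one, which is the case the commit message singles out ("we do not want to replace V2 permissions with the same name"). Suggest a second bullet next to `+  - A list of names of old SYSTEM permissions this replaces.`, e.g. `- Only removed when the existing entry's ipapermissiontype is exactly SYSTEM; a V2 permission of the same name is left in place.`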
@@ -410,6 +412,21 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
 self.log.info("Removing legacy permission '%s'", legacy_name)
 self.api.Command[permission_del](unicode(legacy_name))
 
+for name in template.get('replaces_system', ()):
+name = unicode(name)
+try:
+entry = ldap.get_entry(permission_plugin.get_dn(name),
+   ['ipapermissiontype'])
+except errors.NotFound:
+self.log.info("Legacy permission '%s' not found", name)
+else:
+flags = entry.get('ipapermissiontype', [])
+if list(flags) == ['SYSTEM']:
+self.log.info("Removing legacy permission '%s'", name)
+self.api.Command[permission_del](name, force=True)
+else:
+self.log.info("Ignoring V2 permission '%s'", name)
+
 def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
 """Compute included and excluded attributes for a new permission
 
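Review bot: `+for name in template.get('replaces_system', ()):` followed by `+name = unicode(name)` rebinds the `name` parameter of `update_permission(self, ldap, obj, name, template, anonymous_read_aci)`, so any code after this loop that still refers to `name` sees the last legacy name instead of the managed permission being updated; the preceding `replaces` loop uses `legacy_name` for exactly this purpose (`self.log.info("Removing legacy permission '%s'", legacy_name)`), so use `legacy_name` here as well. Also, `+if list(flags) == ['SYSTEM']:` sends every entry whose ipapermissiontype is not exactly `['SYSTEM']` (not only V2 ones) into the `"Ignoring V2 permission '%s'"` branch; either test `'V2' in flags` explicitly, or reword that log message so it does not claim the entry is V2.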
@@ -497,6 +514,7 @@ def update_entry(self, obj, entry, template,
 
 template = dict(template)
 template.pop('replaces', None)
+template.pop('replaces_system', None)
 
 fixup_function = template.pop('fixup_function', None)
 if fixup_function:
-- 
1.9.0

From 2878c7dbebc2352b91fc091aae3c4010c5243fb4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Mon, 9 Jun 2014 15:06:35 +0200
Subject: [PATCH] Convert DNS default permissions to managed

Convewrt the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt  |  12 +
 install/share/dns.ldif   |  59 
 install/updates/40-delegation.update |   6 +--
 install/updates/40-dns.update|  28 +-
 ipalib/plugins/dns.py| 101 +++
 5 files changed, 118 insertions(+), 88 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2ceaacc077467b6ef54e09d0aa7d3d5695c8fd40..6b75e79c3d771d33558750958f61ada82fd1e5eb 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -10,6 +10,18 @@ dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=exampl
 aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell ||