Make 'permission' the default bind type for managed permissions

This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous'). Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any priviliges. Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Petr Viktorin <pviktori@redhat.com> 2014-06-09 17:59:53 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-06-11 13:21:29 +0200
commit: 2f3cdba54620989afba0ce1b423cddb56b841ab3 (patch)
tree: 9a2375c4dbdb117f39bc3f6f0a86130b20f190d4
parent: 6acaf73b0c6f7301d5a5d4292a4f9926cc370867 (diff)
download: freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.tar.gz
freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.tar.xz
freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.zip
9 files changed, 1 insertions, 23 deletions
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index ddcd5210c..0f4739316 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -199,7 +199,6 @@ class automember(LDAPObject):
             'ipapermlocation': DN(container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=automemberdefinition)'},
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'automemberscope', 'automemberfilter',
@@ -211,7 +210,6 @@ class automember(LDAPObject):
         },
         'System: Read Automember Rules': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'cn', 'objectclass', 'automembertargetgroup', 'description',
@@ -225,7 +223,6 @@ class automember(LDAPObject):
             'ipapermlocation': DN('cn=tasks', 'cn=config'),
             'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Automember Task Administrator'},
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index 8ddc3b08e..fad03beab 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -90,7 +90,6 @@ class krbtpolicy(baseldap.LDAPObject):
             'replaces_global_anonymous_aci': True,
             'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
             'ipapermlocation': DN(container_dn, api.env.basedn),
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krbdefaultencsalttypes', 'krbmaxrenewableage',
@@ -106,7 +105,6 @@ class krbtpolicy(baseldap.LDAPObject):
             'replaces_global_anonymous_aci': True,
             'ipapermlocation': DN(api.env.container_user, api.env.basedn),
             'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krbmaxrenewableage', 'krbmaxticketlife',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 814bf191b..bd225b92a 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -185,7 +185,6 @@ class permission(baseldap.LDAPObject):
     managed_permissions = {
         'System: Read Permissions': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'ipapermissiontype',
@@ -202,7 +201,6 @@ class permission(baseldap.LDAPObject):
             'non_object': True,
             'ipapermlocation': api.env.basedn,
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'aci'},
             'default_privileges': {'RBAC Readers'},
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index b65af28c2..c0ab96646 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -67,7 +67,6 @@ class privilege(LDAPObject):
     managed_permissions = {
         'System: Read Privileges': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index ee7f388ba..a0850ccf4 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -87,7 +87,6 @@ class cosentry(LDAPObject):
     managed_permissions = {
         'System: Read Group Password Policy costemplate': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'cn', 'cospriority', 'krbpwdpolicyreference', 'objectclass',
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index 66a77227d..c881b5b8b 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -85,7 +85,6 @@ class role(LDAPObject):
     managed_permissions = {
         'System: Read Roles': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 98353c029..b6893310d 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -150,7 +150,6 @@ class sudorule(LDAPObject):
             },
         },
         'System: Add Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'add'},
             'replaces': [
                 '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -158,7 +157,6 @@ class sudorule(LDAPObject):
             'default_privileges': {'Sudo Administrator'},
         },
         'System: Delete Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -166,7 +164,6 @@ class sudorule(LDAPObject):
             'default_privileges': {'Sudo Administrator'},
         },
         'System: Modify Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'description', 'ipaenabledflag', 'usercategory',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 73203405e..a1b0643a3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -310,7 +310,6 @@ class user(LDAPObject):
         },
         'System: Read User Kerberos Login Attributes': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krblastsuccessfulauth', 'krblastfailedauth',
@@ -334,13 +333,11 @@ class user(LDAPObject):
             'non_object': True,
             'ipapermlocation': UPG_DEFINITION_DN,
             'ipapermtarget': UPG_DEFINITION_DN,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'User Administrators'},
         },
         'System: Add Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'add'},
             'replaces': [
                 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -349,7 +346,6 @@ class user(LDAPObject):
         },
         'System: Add User to default group': {
             'non_object': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermlocation': DN(api.env.container_group, api.env.basedn),
             'ipapermtarget': DN('cn=ipausers', api.env.container_group,
@@ -361,7 +357,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Change User password': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermtargetfilter': [
                 '(objectclass=posixaccount)',
@@ -383,7 +378,6 @@ class user(LDAPObject):
             },
         },
         'System: Manage User SSH Public Keys': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {'ipasshpubkey'},
             'replaces': [
@@ -392,7 +386,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Modify Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'businesscategory', 'carlicense', 'cn', 'description',
@@ -413,7 +406,6 @@ class user(LDAPObject):
             },
         },
         'System: Remove Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -421,7 +413,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Unlock User': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 417e4d9fc..7b1405a19 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -533,7 +533,7 @@ class update_managed_permissions(PostUpdate):
             entry['ipapermtarget'] = ipapermtarget
 
         # Attributes from template
-        bindruletype = template.pop('ipapermbindruletype')
+        bindruletype = template.pop('ipapermbindruletype', 'permission')
         if is_new:
             entry.single_value['ipapermbindruletype'] = bindruletype
author	Petr Viktorin <pviktori@redhat.com>	2014-06-09 17:59:53 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2014-06-11 13:21:29 +0200
commit	2f3cdba54620989afba0ce1b423cddb56b841ab3 (patch)
tree	9a2375c4dbdb117f39bc3f6f0a86130b20f190d4
parent	6acaf73b0c6f7301d5a5d4292a4f9926cc370867 (diff)
download	freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.tar.gz freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.tar.xz freeipa-2f3cdba54620989afba0ce1b423cddb56b841ab3.zip