author | Petr Viktorin <pviktori@redhat.com> | 2014-05-30 14:03:13 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-02 13:04:59 +0200 |
commit | 93ad23912e3bb73fc3e54d2b6734748a55fc933a (patch) | |
tree | 837d2dfa0865393a3835f18dcb37b7cad6d09f8c | |
parent | 63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (diff) | |
Add read permissions for automember tasks
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | install/updates/20-aci.update | 3 | ||||
-rw-r--r-- | ipalib/plugins/automember.py | 21 |
2 files changed, 19 insertions, 5 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 34cba4cc8..6af800111 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -47,6 +47,9 @@ add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLi
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+dn: cn=tasks,cn=config
+add:aci:'(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
 # Removal of obsolete ACIs
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index 3166c6958..143c6a80c 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -131,6 +131,11 @@ register = Registry()
 INCLUDE_RE = 'automemberinclusiveregex'
 EXCLUDE_RE = 'automemberexclusiveregex'
+REBUILD_TASK_CONTAINER = DN(('cn', 'automember rebuild membership'), ('cn', 'tasks'), ('cn', 'config'))
+
+
 regex_attrs = (
 Str('automemberinclusiveregex*',
 cli_name='inclusive_regex',
@@ -215,6 +220,16 @@ class automember(LDAPObject):
 'default_privileges': {'Automember Readers',
 'Automember Task Administrator'},
 },
+ 'System: Read Automember Tasks': {
+ 'non_object': True,
+ 'ipapermlocation': DN('cn=tasks', 'cn=config'),
+ 'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'Automember Task Administrator'},
+ },
 }
 label = _('Auto Membership Rule')
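Review bot: The new `add:aci` line under `dn: cn=tasks,cn=config` carries no comment explaining why `targetattr="*"` is used, so the rationale exists only in the commit message while the neighbouring entries in this file are annotated (`# Read-only`, `# Replaced by ...`). Suggest a comment line directly before the new `dn:` line: `# Task entries are extensibleObject with attributes outside the schema, so targetattr="*" is required`. Because the ACI is anchored at cn=tasks,cn=config with no targetfilter, it presumably grants the admins group read, search and compare on every task subtree, not only automember tasks; the commit message says this is intended, so the comment should state it as well, e.g. `# Admins can read all tasks (not only automember) under cn=tasks`.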
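Review bot: `'ipapermdefaultattr': {'*'}` in the new `'System: Read Automember Tasks'` entry is undocumented, so a reader of automember.py cannot tell why this permission uses a wildcard attribute set where the other entries in the same dict list explicit attributes. Suggest a comment above that key: `# rebuild task entries are extensibleObject; their attributes are not in the schema, so '*' is needed`. It also looks like `'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER)` is what confines the wildcard to entries under the rebuild container rather than to all of `ipapermlocation` (cn=tasks,cn=config); if that is the intent, a one-line comment on the `ipapermtarget` line saying so would make the scoping explicit. The enclosing `class automember` and the permission dict begin outside the hunk.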
@@ -732,11 +747,7 @@ class automember_rebuild(Command):
 else:
 search_filter = '(%s=*)' % obj.primary_key.name
- task_dn = DN(
- ('cn', cn),
- ('cn', 'automember rebuild membership'),
- ('cn', 'tasks'),
- ('cn', 'config'))
+ task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER)
 entry = ldap.make_entry(
 task_dn, |