author | Fraser Tweedale <ftweedal@redhat.com> | 2015-07-03 10:05:40 -0400 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-08 17:13:25 +0200 |
commit | e3c225317be2e4849f0f5f8b35f9872d28379330 (patch) | |
tree | b666726dae9dbfe2302c92d598d18c0b2cfd614e | |
parent | f13cce2d9c7d0b31b366fd7b5af518fbccb10ee8 (diff) | |
caacl: fix incorrect construction of HbacRequest for hosts
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it. Use split_any_principal to do the
splitting correctly, also taking realm into account.
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | ipalib/plugins/caacl.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 6bf39d233..247d6df14 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -55,13 +55,15 @@ register = Registry()
 def _acl_make_request(principal_type, principal, ca_ref, profile_id):
 """Construct HBAC request for the given principal, CA and profile"""
+ service, name, realm = split_any_principal(principal)
+
 req = pyhbac.HbacRequest()
 req.targethost.name = ca_ref
 req.service.name = profile_id
 if principal_type == 'user':
 req.user.name = principal
 elif principal_type == 'host':
- req.user.name = principal[:5] # strip 'host/'
+ req.user.name = name
 elif principal_type == 'service':
 req.user.name = normalize_principal(principal)
 groups = []
@@ -70,8 +72,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id):
 groups = user_obj.get('memberof_group', [])
 groups += user_obj.get('memberofindirect_group', [])
 elif principal_type == 'host':
- service, hostname, realm = split_any_principal(principal)
- host_obj = api.Command.host_show(hostname)['result']
+ host_obj = api.Command.host_show(name)['result']
 groups = host_obj.get('memberof_hostgroup', [])
 groups += host_obj.get('memberofindirect_hostgroup', [])
 req.user.groups = sorted(set(groups)) |
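Review bot: The `service` and `realm` values unpacked from `split_any_principal(principal)` at the top of `_acl_make_request` are never checked, so the `'host'` branch trusts `principal_type` alone and would, as far as these lines show, evaluate any `<service>/<hostname>` principal as that host. Because this request feeds a CA ACL decision, the branch should reject a mismatch explicitly, for example `if service != 'host':` followed by the module's usual validation error, or the docstring should state that callers guarantee the pairing. The `'user'` branch still assigns the unsplit `principal`, so a realm-qualified user name, if callers can pass one, would be matched against rules as the full string; whether `name` is appropriate there depends on how the helper treats user principals, which is not visible here. The second hunk's `host_show(name)` relies on the same top-of-function split, and the rest of the function lies outside both hunks.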