authorEndi S. Dewata <edewata@redhat.com>2015-08-11 08:19:59 +0200
committerJan Cholasta <jcholast@redhat.com>2015-08-17 08:10:59 +0200
commitf2117475b8a49b37845529089ea2d5b48f27bfda (patch)
treee5cc121c3cd7988492bd35057a5bec9c992a7e0e
parentef8f431c93b5587247eeb7de9e74d15e5fc6f616 (diff)
Added CLI param and ACL for vault service operations.
The CLIs to manage vault owners and members have been modified to accept services with a new parameter. A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--API.txt12
-rw-r--r--VERSION4
-rw-r--r--install/share/vault.update1
-rw-r--r--ipalib/plugins/vault.py177
4 files changed, 94 insertions, 100 deletions
diff --git a/API.txt b/API.txt
index 2e19d6b2f..71df3a565 100644
--- a/API.txt
+++ b/API.txt
@@ -5434,13 +5434,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_add_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5449,13 +5450,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5547,13 +5549,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5562,13 +5565,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
diff --git a/VERSION b/VERSION
index ca43f3e0c..69351a8fa 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 61a8940b5..14421b518 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
default: objectClass: ipaVaultContainer
default: cn: vaults
default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
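Review bot: The new service ACI on the added line grants `add` on any entry whose RDN matches `cn=<principal>` under `cn=services,cn=vaults,cn=kra,$SUFFIX`, but unlike the vault ACIs on the following lines it carries no `targetfilter`, so the object class of the entry a service may create there is not constrained by the ACI itself (the pre-existing user ACI above it has the same shape). Whether the plugin's add path enforces `ipaVaultContainer` before the entry reaches the directory is not visible in this hunk; if it does not, consider scoping the grant with `(targetfilter="(objectClass=ipaVaultContainer)")` in front of the `target` clause so that the self-service right covers only container entries. The bind-DN macro also pins the realm to `$REALM`, which is worth stating in a comment next to the ACI so a future multi-realm change does not silently widen it.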
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index f6d81b750..01c609633 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -44,7 +44,7 @@ from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
- pkey_to_value
+ LDAPModMember, pkey_to_value
from ipalib.request import context
from ipalib.plugins.user import split_principal
from ipalib import _, ngettext
@@ -93,122 +93,91 @@ The secret can only be retrieved using the private key.
""") + _("""
EXAMPLES:
""") + _("""
- List private vaults:
+ List vaults:
ipa vault-find
+ [--user <user>|--service <service>|--shared]
""") + _("""
- List service vaults:
- ipa vault-find --service <service name>
-""") + _("""
- List shared vaults:
- ipa vault-find --shared
-""") + _("""
- List user vaults:
- ipa vault-find --user <username>
-""") + _("""
- Add a private vault:
+ Add a standard vault:
ipa vault-add <name>
-""") + _("""
- Add a service vault:
- ipa vault-add <name> --service <service name>
-""") + _("""
- Add a shared vault:
- ipa vault-add <name> --shared
-""") + _("""
- Add a user vault:
- ipa vault-add <name> --user <username>
+ [--user <user>|--service <service>|--shared]
""") + _("""
Add a symmetric vault:
- ipa vault-add <name> --type symmetric --password-file password.txt
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type symmetric --password-file password.txt
""") + _("""
Add an asymmetric vault:
- ipa vault-add <name> --type asymmetric --public-key-file public.pem
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type asymmetric --public-key-file public.pem
""") + _("""
- Show a private vault:
+ Show a vault:
ipa vault-show <name>
+ [--user <user>|--service <service>|--shared]
""") + _("""
- Show a service vault:
- ipa vault-show <name> --service <service name>
+ Modify a vault:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --desc <description>
""") + _("""
- Show a shared vault:
- ipa vault-show <name> --shared
-""") + _("""
- Show a user vault:
- ipa vault-show <name> --user <username>
-""") + _("""
- Modify a private vault:
- ipa vault-mod <name> --desc <description>
-""") + _("""
- Modify a service vault:
- ipa vault-mod <name> --service <service name> --desc <description>
-""") + _("""
- Modify a shared vault:
- ipa vault-mod <name> --shared --desc <description>
-""") + _("""
- Modify a user vault:
- ipa vault-mod <name> --user <username> --desc <description>
-""") + _("""
- Delete a private vault:
+ Delete a vault:
ipa vault-del <name>
-""") + _("""
- Delete a service vault:
- ipa vault-del <name> --service <service name>
-""") + _("""
- Delete a shared vault:
- ipa vault-del <name> --shared
-""") + _("""
- Delete a user vault:
- ipa vault-del <name> --user <username>
+ [--user <user>|--service <service>|--shared]
""") + _("""
Display vault configuration:
ipa vaultconfig-show
""") + _("""
- Archive data into private vault:
- ipa vault-archive <name> --in <input file>
-""") + _("""
- Archive data into service vault:
- ipa vault-archive <name> --service <service name> --in <input file>
-""") + _("""
- Archive data into shared vault:
- ipa vault-archive <name> --shared --in <input file>
-""") + _("""
- Archive data into user vault:
- ipa vault-archive <name> --user <username> --in <input file>
+ Archive data into standard vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
""") + _("""
Archive data into symmetric vault:
- ipa vault-archive <name> --in <input file>
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+ --password-file password.txt
""") + _("""
Archive data into asymmetric vault:
- ipa vault-archive <name> --in <input file>
-""") + _("""
- Retrieve data from private vault:
- ipa vault-retrieve <name> --out <output file>
-""") + _("""
- Retrieve data from service vault:
- ipa vault-retrieve <name> --service <service name> --out <output file>
-""") + _("""
- Retrieve data from shared vault:
- ipa vault-retrieve <name> --shared --out <output file>
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
""") + _("""
- Retrieve data from user vault:
- ipa vault-retrieve <name> --user <username> --out <output file>
+ Retrieve data from standard vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
""") + _("""
Retrieve data from symmetric vault:
- ipa vault-retrieve <name> --out data.bin
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+ --password-file password.txt
""") + _("""
Retrieve data from asymmetric vault:
- ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file> --private-key-file private.pem
""") + _("""
- Add a vault owner:
- ipa vault-add-owner <name> --users <usernames>
+ Add vault owners:
+ ipa vault-add-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Delete a vault owner:
- ipa vault-remove-owner <name> --users <usernames>
+ Delete vault owners:
+ ipa vault-remove-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Add a vault member:
- ipa vault-add-member <name> --users <usernames>
+ Add vault members:
+ ipa vault-add-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Delete a vault member:
- ipa vault-remove-member <name> --users <usernames>
+ Delete vault members:
+ ipa vault-remove-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""")
@@ -285,8 +254,8 @@ class vault(LDAPObject):
'ipavaulttype',
]
attribute_members = {
- 'owner': ['user', 'group'],
- 'member': ['user', 'group'],
+ 'owner': ['user', 'group', 'service'],
+ 'member': ['user', 'group', 'service'],
}
label = _('Vaults')
@@ -340,6 +309,11 @@ class vault(LDAPObject):
label=_('Owner groups'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str(
+ 'owner_service?',
+ label=_('Owner services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **options):
@@ -1432,8 +1406,23 @@ class vault_retrieve_internal(PKQuery):
return response
+class VaultModMember(LDAPModMember):
+ def get_options(self):
+ for param in super(VaultModMember, self).get_options():
+ if param.name == 'service' and param not in vault_options:
+ param = param.clone_rename('services')
+ yield param
+
+ def get_member_dns(self, **options):
+ if 'services' in options:
+ options['service'] = options.pop('services')
+ else:
+ options.pop('service', None)
+ return super(VaultModMember, self).get_member_dns(**options)
+
+
@register()
-class vault_add_owner(LDAPAddMember):
+class vault_add_owner(VaultModMember, LDAPAddMember):
__doc__ = _('Add owners to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options
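Review bot: `VaultModMember` has no docstring, and the reason for the rename in `get_options` is only recoverable by cross-referencing `attribute_members` (now including `service`) with the `Str('service?')` vault selector in `vault_options`, so a reader will not know which `service` is which. I would add a class docstring such as `"""Rename the auto-generated ``service`` member option to ``services`` so it does not collide with the vault selector ``service?`` from vault_options, and map it back before member DNs are resolved."""`. The `else` branch in `get_member_dns` deserves an inline comment, e.g. `# 'service' here is the vault selector, not a member; drop it before DN lookup`, since popping it looks like data loss otherwise. The `param not in vault_options` test presumably relies on Param equality semantics defined in the base class; if that equality is by value rather than identity, a note saying so would help, as the same check is what keeps the selector from being renamed. The mixin is applied identically in the `vault_remove_owner`, `vault_add_member` and `vault_remove_member` hunks below, which need no separate comment.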
@@ -1457,7 +1446,7 @@ class vault_add_owner(LDAPAddMember):
@register()
-class vault_remove_owner(LDAPRemoveMember):
+class vault_remove_owner(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove owners from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options
@@ -1481,14 +1470,14 @@ class vault_remove_owner(LDAPRemoveMember):
@register()
-class vault_add_member(LDAPAddMember):
+class vault_add_member(VaultModMember, LDAPAddMember):
__doc__ = _('Add members to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options
@register()
-class vault_remove_member(LDAPRemoveMember):
+class vault_remove_member(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove members from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options