Add support for managed permissions

This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>

1 files changed, 2 insertions, 0 deletions

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 757c18565..b4fb3402d 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -353,6 +353,8 @@ class Param(ReadOnly):
               can be unspecified (unchanged) but cannot be deleted.
             * optional_create: do not require the parameter for crud.Create
               based commands
+            * allow_mod_for_managed_permission: permission-mod allows changing
+              the parameter for managed permissions
       - hint: this attribute is currently not used
       - alwaysask: when enabled, CLI asks for parameter value even when the
         parameter is not `required`