Add read permissions for automember tasks

Permission to read all tasks is given to high-level admins. Managed permission for automember tasks is given to automember task admins. "targetattr=*" is used because tasks are extensibleObject with attributes that aren't in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Petr Viktorin <pviktori@redhat.com> 2014-05-30 14:03:13 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-06-02 13:04:59 +0200
commit: 93ad23912e3bb73fc3e54d2b6734748a55fc933a (patch)
tree: 837d2dfa0865393a3835f18dcb37b7cad6d09f8c /ipalib/plugins/automember.py
parent: 63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (diff)
download: freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.gz
freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.xz
freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.zip
1 files changed, 16 insertions, 5 deletions
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index 3166c6958..143c6a80c 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@@ -131,6 +131,11 @@ register = Registry()
 INCLUDE_RE = 'automemberinclusiveregex'
 EXCLUDE_RE = 'automemberexclusiveregex'
 
+REBUILD_TASK_CONTAINER = DN(('cn', 'automember rebuild membership'),
+                            ('cn', 'tasks'),
+                            ('cn', 'config'))
+
+
 regex_attrs = (
     Str('automemberinclusiveregex*',
         cli_name='inclusive_regex',
@@ -215,6 +220,16 @@ class automember(LDAPObject):
             'default_privileges': {'Automember Readers',
                                    'Automember Task Administrator'},
         },
+        'System: Read Automember Tasks': {
+            'non_object': True,
+            'ipapermlocation': DN('cn=tasks', 'cn=config'),
+            'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'Automember Task Administrator'},
+        },
     }
 
     label = _('Auto Membership Rule')
@@ -732,11 +747,7 @@ class automember_rebuild(Command):
         else:
             search_filter = '(%s=*)' % obj.primary_key.name
 
-        task_dn = DN(
-            ('cn', cn),
-            ('cn', 'automember rebuild membership'),
-            ('cn', 'tasks'),
-            ('cn', 'config'))
+        task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER)
 
         entry = ldap.make_entry(
             task_dn,
author	Petr Viktorin <pviktori@redhat.com>	2014-05-30 14:03:13 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2014-06-02 13:04:59 +0200
commit	93ad23912e3bb73fc3e54d2b6734748a55fc933a (patch)
tree	837d2dfa0865393a3835f18dcb37b7cad6d09f8c /ipalib/plugins/automember.py
parent	63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (diff)
download	freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.gz freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.xz freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.zip