diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-05-30 14:03:13 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-02 13:04:59 +0200 |
commit | 93ad23912e3bb73fc3e54d2b6734748a55fc933a (patch) | |
tree | 837d2dfa0865393a3835f18dcb37b7cad6d09f8c /ipalib/plugins/automember.py | |
parent | 63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (diff) | |
download | freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.gz freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.tar.xz freeipa-93ad23912e3bb73fc3e54d2b6734748a55fc933a.zip |
Add read permissions for automember tasks
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/automember.py')
-rw-r--r-- | ipalib/plugins/automember.py | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index 3166c6958..143c6a80c 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -131,6 +131,11 @@ register = Registry() INCLUDE_RE = 'automemberinclusiveregex' EXCLUDE_RE = 'automemberexclusiveregex' +REBUILD_TASK_CONTAINER = DN(('cn', 'automember rebuild membership'), + ('cn', 'tasks'), + ('cn', 'config')) + + regex_attrs = ( Str('automemberinclusiveregex*', cli_name='inclusive_regex', @@ -215,6 +220,16 @@ class automember(LDAPObject): 'default_privileges': {'Automember Readers', 'Automember Task Administrator'}, }, + 'System: Read Automember Tasks': { + 'non_object': True, + 'ipapermlocation': DN('cn=tasks', 'cn=config'), + 'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER), + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': {'*'}, + 'default_privileges': {'Automember Task Administrator'}, + }, } label = _('Auto Membership Rule') @@ -732,11 +747,7 @@ class automember_rebuild(Command): else: search_filter = '(%s=*)' % obj.primary_key.name - task_dn = DN( - ('cn', cn), - ('cn', 'automember rebuild membership'), - ('cn', 'tasks'), - ('cn', 'config')) + task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER) entry = ldap.make_entry( task_dn, |