Add managed read permissions to RBAC objects

Add default read permissions to roles, privileges and permissions. Also add permission to read ACIs. This is required for legacy permissions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
author: Petr Viktorin <pviktori@redhat.com> 2014-03-26 17:11:23 +0100
committer: Martin Kosek <mkosek@redhat.com> 2014-04-11 10:17:41 +0200
commit: a185d45d87539559876f7b0b4f75b904339a5b90 (patch)
tree: 79fa64aca6cefceab54e137d74bb48a5d74157bd /ipalib/plugins/permission.py
parent: 50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff)
download: freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.gz
freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.xz
freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f842810..5a22acdb6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
     # For use the complete object_class list, including 'top', so
     # the updater doesn't try to delete 'top' every time.
     object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+    permission_filter_objectclasses = ['ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
         'memberindirect', 'ipapermissiontype', 'objectclass',
         'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
         'memberindirect': ['role'],
     }
     rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Permissions': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipapermissiontype',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'ipapermdefaultattr', 'ipapermincludedattr',
+                'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+                'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+                'member', 'memberof',
+            },
+            'default_privileges': {'RBAC Readers'},
+        },
+        'System: Read ACIs': {
+            # Readable ACIs are needed for reading legacy permissions.
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'aci'},
+            'default_privileges': {'RBAC Readers'},
+        },
+    }
 
     label = _('Permissions')
     label_singular = _('Permission')
author	Petr Viktorin <pviktori@redhat.com>	2014-03-26 17:11:23 +0100
committer	Martin Kosek <mkosek@redhat.com>	2014-04-11 10:17:41 +0200
commit	a185d45d87539559876f7b0b4f75b904339a5b90 (patch)
tree	79fa64aca6cefceab54e137d74bb48a5d74157bd /ipalib/plugins/permission.py
parent	50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff)
download	freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.gz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.xz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.zip