author | Petr Viktorin <pviktori@redhat.com> | 2014-03-26 17:11:23 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-11 10:17:41 +0200 |
commit | a185d45d87539559876f7b0b4f75b904339a5b90 (patch) | |
tree | 79fa64aca6cefceab54e137d74bb48a5d74157bd /ipalib/plugins/permission.py | |
parent | 50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff) | |
Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f842810..5a22acdb6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
 # For use the complete object_class list, including 'top', so # the updater doesn't try to delete 'top' every time.
 object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+ permission_filter_objectclasses = ['ipapermission']
 default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
 'memberindirect': ['role'], }
 rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Permissions': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'ipapermissiontype',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'ipapermdefaultattr', 'ipapermincludedattr',
+ 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+ 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+ 'member', 'memberof',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ 'System: Read ACIs': {
+ # Readable ACIs are needed for reading legacy permissions.
+ 'non_object': True,
+ 'ipapermlocation': api.env.basedn,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'aci'},
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
 label = _('Permissions')
 label_singular = _('Permission') |
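Review bot: The 'System: Read ACIs' entry grants read/search/compare on the `aci` attribute with `'ipapermlocation': api.env.basedn`, `'non_object': True` and no `ipapermtargetfilter`, so — unless the managed-permission machinery adds an implicit filter for non_object permissions, which nothing in the hunk shows — every ACI under the suffix becomes readable to holders of 'RBAC Readers', not only the ACIs backing legacy permissions. The one-line comment does not say that this suffix-wide scope is deliberate; I would extend it to `# Legacy permissions are plain ACIs that can sit on any entry under the suffix, so this permission deliberately spans the whole basedn with no target filter; it exposes the complete access-control policy to 'RBAC Readers'.` Note also that `api.env.basedn` is evaluated in the class body at import time, so the plugin presumably relies on api.env being finalized before permission.py is imported — worth a short comment if that ordering is a real constraint. Both hunks sit inside the `class permission(baseldap.LDAPObject)` body, whose start and end lie outside the hunks.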