authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerMartin Kosek <mkosek@redhat.com>2014-04-11 10:17:41 +0200
commita185d45d87539559876f7b0b4f75b904339a5b90 (patch)
tree79fa64aca6cefceab54e137d74bb48a5d74157bd /ipalib/plugins/privilege.py
parent50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff)
Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions. Also add permission to read ACIs. This is required for legacy permissions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipalib/plugins/privilege.py')
-rw-r--r--ipalib/plugins/privilege.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 678eb2416..b65af28c2 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -54,6 +54,7 @@ class privilege(LDAPObject):
object_name = _('privilege')
object_name_plural = _('privileges')
object_class = ['nestedgroup', 'groupofnames']
+ permission_filter_objectclasses = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof']
attribute_members = {
'member': ['role'],
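Review bot: `permission_filter_objectclasses = ['groupofnames']` selects on a generic group class rather than anything specific to privileges, so the filter by itself would also match any other entry that carries `groupofnames`. Whether the managed permission ends up confined to privilege entries presumably depends on the subtree the permission is targeted at, which this hunk does not show. A one-line comment would record that assumption, e.g. `# generic filter; the permission target is expected to be limited to the privilege container`. The body of `class privilege` starts and ends outside the hunk.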
@@ -63,6 +64,18 @@ class privilege(LDAPObject):
'member': ['permission'],
}
rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Privileges': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'member', 'memberof',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
label = _('Privileges')
label_singular = _('Privilege')
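Review bot: The `ipapermdefaultattr` set in 'System: Read Privileges' carries no comment explaining its contents, and it includes `member` and `memberof`, which per `attribute_members` expose which roles hold a privilege and, apparently, which permissions it groups. With `'ipapermbindruletype': 'permission'` and `'default_privileges': {'RBAC Readers'}` that data is readable only through the named privilege, and `'replaces_global_anonymous_aci': True` suggests a broader anonymous read rule is being retired, so clients that relied on it would lose read access after upgrade. I would state this above the dict, e.g. `# Read access is limited to 'RBAC Readers'; replaces the global anonymous read ACI`, and add a short note on why `businesscategory`, `o`, `ou`, `owner` and `seealso` are listed although they are not in `default_attributes`. The class body continues outside the hunk.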