authorPetr Viktorin <pviktori@redhat.com>2014-06-04 17:39:10 +0200
committerMartin Kosek <mkosek@redhat.com>2014-06-24 13:53:41 +0200
commit439dd7fa74de9acd920ca060788190e71eeadf2b (patch)
treee805daee5f4defc431f1880615952c7d1e28c252 /ipalib/plugins/service.py
parentf8dc51860c4ec006e25314d934e530cdcdfa4dda (diff)
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/service.py')
-rw-r--r--ipalib/plugins/service.py30
1 files changed, 30 insertions, 0 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 0572a0ae2..8d6a14711 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -330,6 +330,36 @@ class service(LDAPObject):
'krbobjectreferences',
},
},
+ 'System: Add Services': {
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Manage Service Keytab': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+ 'replaces': [
+ '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Modify Services': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'usercertificate'},
+ 'replaces': [
+ '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Remove Services': {
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
}
label = _('Services')
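Review bot: None of the four new entries states a target or location, while every legacy ACI listed under `replaces` was scoped to `krbprincipalname=*,cn=services,cn=accounts,$SUFFIX`, so the effective scope comes from defaults that are not visible in this hunk. That matters most for `System: Manage Service Keytab`, which grants write on `krbprincipalkey` and `krblastpwdchange`: whoever can write a principal's key material can assume that service's identity, so the generated ACI should be confirmed to cover no more entries than the one it replaces. The legacy name in that entry's `replaces` string is `Manage service keytab` (lower case) while the new key is title case; if the upgrade step matches legacy ACIs by their text, which this page does not show, a mismatch would leave the old ACI in place next to the new permission. A comment above the block would record this, for example `# 'replaces' holds the legacy ACI text as shipped (note the original casing); keep it unchanged`. The enclosing dict starts above the hunk, so its other entries could not be compared.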