author | Thierry Bordaz <tbordaz@redhat.com> | 2015-05-08 10:41:44 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2015-05-18 09:37:21 +0200 |
commit | 51937cc571ec8ea5e782b8dcd45f0ec5fe0f310b (patch) | |
tree | 814d8c84a4e54d817164208858425c3db42f15a0 /ipalib/plugins/stageuser.py | |
parent | c9e1ad0dbc28c6c5b0e7381144a969f6b77d504d (diff) | |
User life cycle: Stage user Administrators permission/priviledge
Creation of stage user administrator
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipalib/plugins/stageuser.py')
-rw-r--r-- | ipalib/plugins/stageuser.py | 123 |
1 files changed, 122 insertions, 1 deletions
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index 01166af30..c4d9bb687 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -111,7 +111,128 @@ class stageuser(baseuser):
 label_singular = _('Stage User')
 object_name = _('stage user')
 object_name_plural = _('stage users')
- managed_permissions = {}
+ managed_permissions = {
+ #
+ # Stage container
+ #
+ # Stage user administrators allowed to read kerberos/password
+ # when the user is activated (to copy them in the active entry)
+ 'System: Read Stage User kerberos principal key and password': {
+ 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=*)'},
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'userPassword', 'krbPrincipalKey',
+ },
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ # Stage user administrator allowed to create/delete stage users and
+ # to update them
+ 'System: Add delete modify Stage Users by administrators': {
+ 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=*)'},
+ 'ipapermright': {'add','delete','write'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ # Stage user administrator allowed to read any attributes
+ # of stage users
+ 'System: Read Stage Users by administrators': {
+ 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=*)'},
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ #
+ # Delete container
+ #
+ # Stage user administrator allow to read all attributes (when delete
+ # an active user with preserve flag)
+ # We also need to reset some of the attributes syntax DN/credential
+ # so allowed write on all the attributes
+ 'System: Read/Write delete Users by administrators': {
+ 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
+ 'ipapermright': {'read', 'search', 'compare', 'write'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ #
+ # Stage user administrator allows to write the RDN
+ # when the delete user is undeleted
+ 'System: Write Delete Users RDN by administrators': {
+ 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'uid'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ # Stage user administrator allows to reset kerberos/password
+ # when a deleted user is preserved
+ 'System: Reset userPassord and kerberos keys of delete users by administrator': {
+ 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
+ 'ipapermright': {'read', 'search', 'write'},
+ 'ipapermdefaultattr': {
+ 'userPassword', 'krbPrincipalKey','krbPasswordExpiration','krbLastPwdChange'
+ },
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ #
+ # Active container
+ #
+ # Stage user administrators need write right on RDN when
+ # the active user is deleted (preserved)
+ 'System: Write Active Users RDN by administrators': {
+ 'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'uid'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ #
+ # Cross containers autorization
+ #
+ # Stage user administrators need a moddn right when preserving
+ # a delete user.
+ # Note: targetfilter is the target parent container
+ 'System: Preserve an active user to a delete Users': {
+ 'ipapermlocation': DN(api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
+ 'ipapermtargetto': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nsContainer)'},
+ 'ipapermright': {'moddn'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ # Stage user administrators need a moddn right when undelete
+ # a delete user.
+ # Note: targetfilter is the target parent container
+ 'System: Reactive delete users': {
+ 'ipapermlocation': DN(api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetto': DN(baseuser.active_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nsContainer)'},
+ 'ipapermright': {'moddn'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ }
 
 @register()
 class stageuser_add(baseuser_add):
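Review bot: The permission 'System: Reset userPassord and kerberos keys of delete users by administrator' grants `read` and `search` on `userPassword` and `krbPrincipalKey` of preserved users, although its own comment only says the administrator needs to reset them; if a reset is all that is required, `'ipapermright': {'write'}` would stop Stage User Administrators from reading preserved users' password hashes and long-term Kerberos keys, and otherwise the comment should say why read access is needed. The same permission name carries a typo (`userPassord`); managed permission names are presumably persisted as LDAP entries, so renaming it after release would need a migration and it is cheaper to fix now. The stage-container add/write permission combines `(objectclass=*)` with `'*'` attributes while the delete and active containers filter on `(objectclass=posixaccount)`, so any entry type can be created under the stage container; if that is intended, a one-line comment such as `# objectclass=* on purpose: stage entries need not be posixAccount yet` would make it clear. The `managed_permissions` assignment belongs to `class stageuser`, whose header lies outside the hunk.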