authorPetr Vobornik <pvoborni@redhat.com>2014-12-01 10:15:21 +0100
committerJan Cholasta <jcholast@redhat.com>2014-12-03 11:34:10 +0000
commit026c9eca0920e92e56148b808c851e9bde00ece8 (patch)
tree9df18f9c70ce619c73dac66574bf710e2cda488a /ipalib/plugins
parent08f8acd88c1858000f5a15c3838e1bfd78551c55 (diff)
add --hosts and --hostgroup options to allow/retrieve keytab methods
`--hosts` and `--hostgroup` options added to: * service-allow-create-keytab * service-allow-retrieve-keytab * service-disallow-create-keytab * service-disallow-retrieve-keytab * host-allow-create-keytab * host-allow-retrieve-keytab * host-disallow-create-keytab * host-disallow-retrieve-keytab in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page https://fedorahosted.org/freeipa/ticket/4777 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/host.py28
-rw-r--r--ipalib/plugins/service.py28
2 files changed, 44 insertions, 12 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index c4d4bdf64..39a7d3c25 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -211,12 +211,24 @@ host_output_params = (
Str('ipaallowedtoperform_read_keys_group',
label=_('Groups allowed to retrieve keytab'),
),
+ Str('ipaallowedtoperform_read_keys_host',
+ label=_('Hosts allowed to retrieve keytab'),
+ ),
+ Str('ipaallowedtoperform_read_keys_hostgroup',
+ label=_('Host Groups allowed to retrieve keytab'),
+ ),
Str('ipaallowedtoperform_write_keys_user',
label=_('Users allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_group',
label=_('Groups allowed to create keytab'),
),
+ Str('ipaallowedtoperform_write_keys_host',
+ label=_('Hosts allowed to create keytab'),
+ ),
+ Str('ipaallowedtoperform_write_keys_hostgroup',
+ label=_('Host Groups allowed to create keytab'),
+ ),
Str('ipaallowedtoperform_read_keys',
label=_('Failed allowed to retrieve keytab'),
),
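Review bot: The four new `Str` entries only make sense together with the `'host'` and `'hostgroup'` additions to `attribute_members` in the next hunk, and nothing in the tuple records that coupling. Each name is the attribute plus a member-type suffix, so a member type added on one side without the other would presumably leave that column unlabelled in the command output, which is what an administrator reads to see who can obtain this host's keys. A comment above the keytab entries would help, for example `# one Str per member type listed under ipaallowedtoperform_* in host.attribute_members`. The same applies to `output_params` in service.py. The tuple starts and ends outside the hunk.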
@@ -284,8 +296,8 @@ class host(LDAPObject):
'managing': ['host'],
'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule',
'sudorule'],
- 'ipaallowedtoperform_read_keys': ['user', 'group'],
- 'ipaallowedtoperform_write_keys': ['user', 'group'],
+ 'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+ 'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
}
bindable = True
relationships = {
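Review bot: Adding `'hostgroup'` to `ipaallowedtoperform_read_keys` and `ipaallowedtoperform_write_keys` makes key access follow group membership, and the mapping carries no comment saying so. Whoever can change the membership of a granted host group thereby decides which machines can retrieve or create this host's keytab, so those membership changes deserve the same review and audit as the grant itself. I would add a comment above the two entries, e.g. `# a hostgroup grant covers every current and future member of that group`, and repeat it at the identical change to `service.attribute_members` in service.py. The dict and the class body continue outside the hunk.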
@@ -1201,7 +1213,8 @@ class host_remove_managedby(LDAPRemoveMember):
@register()
class host_allow_retrieve_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to retrieve a keytab of this host.')
+ __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+ ' of this host.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPAddMember.has_output_params + host_output_params
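Review bot: The new `__doc__` for `host_allow_retrieve_keytab` splits its string so that the continuation literal starts with a space (`' of this host.'`), while the other three host commands in this commit end the first literal with the space instead. The same odd split appears in `service_allow_retrieve_keytab` in service.py. A leading-space continuation is easy to lose in a later edit, which would run the words together in the help text, so I would break it like its siblings: `__doc__ = _('Allow users, groups, hosts or host groups to retrieve a '` followed by `'keytab of this host.')`. The class body continues outside the hunk.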
@@ -1219,7 +1232,8 @@ class host_allow_retrieve_keytab(LDAPAddMember):
@register()
class host_disallow_retrieve_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to retrieve a keytab of this host.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+ 'keytab of this host.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPRemoveMember.has_output_params + host_output_params
@@ -1236,7 +1250,8 @@ class host_disallow_retrieve_keytab(LDAPRemoveMember):
@register()
class host_allow_create_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to create a keytab of this host.')
+ __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+ 'of this host.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPAddMember.has_output_params + host_output_params
@@ -1254,7 +1269,8 @@ class host_allow_create_keytab(LDAPAddMember):
@register()
class host_disallow_create_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to create a keytab of this host.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+ 'keytab of this host.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPRemoveMember.has_output_params + host_output_params
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 2f7035444..b37dc7b4b 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -137,12 +137,24 @@ output_params = (
Str('ipaallowedtoperform_read_keys_group',
label=_('Groups allowed to retrieve keytab'),
),
+ Str('ipaallowedtoperform_read_keys_host',
+ label=_('Hosts allowed to retrieve keytab'),
+ ),
+ Str('ipaallowedtoperform_read_keys_hostgroup',
+ label=_('Host Groups allowed to retrieve keytab'),
+ ),
Str('ipaallowedtoperform_write_keys_user',
label=_('Users allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_group',
label=_('Groups allowed to create keytab'),
),
+ Str('ipaallowedtoperform_write_keys_host',
+ label=_('Hosts allowed to create keytab'),
+ ),
+ Str('ipaallowedtoperform_write_keys_hostgroup',
+ label=_('Host Groups allowed to create keytab'),
+ ),
Str('ipaallowedtoperform_read_keys',
label=_('Failed allowed to retrieve keytab'),
),
@@ -350,8 +362,8 @@ class service(LDAPObject):
attribute_members = {
'managedby': ['host'],
'memberof': ['role'],
- 'ipaallowedtoperform_read_keys': ['user', 'group'],
- 'ipaallowedtoperform_write_keys': ['user', 'group'],
+ 'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+ 'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
}
bindable = True
relationships = {
@@ -711,7 +723,8 @@ class service_remove_host(LDAPRemoveMember):
@register()
class service_allow_retrieve_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to retrieve a keytab of this service.')
+ __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+ ' of this service.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPAddMember.has_output_params + output_params
@@ -729,7 +742,8 @@ class service_allow_retrieve_keytab(LDAPAddMember):
@register()
class service_disallow_retrieve_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to retrieve a keytab of this service.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+ 'keytab of this service.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPRemoveMember.has_output_params + output_params
@@ -746,7 +760,8 @@ class service_disallow_retrieve_keytab(LDAPRemoveMember):
@register()
class service_allow_create_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to create a keytab of this service.')
+ __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+ 'of this service.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPAddMember.has_output_params + output_params
@@ -764,7 +779,8 @@ class service_allow_create_keytab(LDAPAddMember):
@register()
class service_disallow_create_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to create a keytab of this service.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+ 'keytab of this service.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPRemoveMember.has_output_params + output_params