authorPetr Viktorin <pviktori@redhat.com>2014-06-10 12:31:29 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-11 13:21:30 +0200
commitb6258d08d6c5605b32151654c6259f7c77f1a32b (patch)
tree7498bba33fa7f720e86ceec7203333da88a27719 /ipalib/plugins
parent2f3cdba54620989afba0ce1b423cddb56b841ab3 (diff)
Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: member, memberuser, memberhost. Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/group.py2
-rw-r--r--ipalib/plugins/hbacrule.py2
-rw-r--r--ipalib/plugins/hbacsvcgroup.py1
-rw-r--r--ipalib/plugins/hostgroup.py2
-rw-r--r--ipalib/plugins/netgroup.py3
-rw-r--r--ipalib/plugins/permission.py2
-rw-r--r--ipalib/plugins/privilege.py3
-rw-r--r--ipalib/plugins/role.py3
-rw-r--r--ipalib/plugins/selinuxusermap.py2
-rw-r--r--ipalib/plugins/sudocmdgroup.py1
-rw-r--r--ipalib/plugins/sudorule.py2
11 files changed, 14 insertions, 9 deletions
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 0de577dd0..581ee70b6 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -157,7 +157,7 @@ class group(LDAPObject):
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
- 'member', 'memberof', 'memberuid',
+ 'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
},
},
}
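Review bot: The added `'memberuser', 'memberhost'` entries in group's `ipapermdefaultattr` carry no in-file explanation of why attributes a group entry does not itself hold are granted, and the same applies to the hostgroup.py, netgroup.py, permission.py, privilege.py, role.py, hbacsvcgroup.py and sudocmdgroup.py hunks. A later maintainer reading only this set is likely to treat one of them as a stray and drop it, which per the commit message silently breaks memberofindirect processing for everyone bound under this `'all'` bind rule, with no error to point at the ACI. Suggest a comment on the line before each set: `# member, memberuser and memberhost must be granted together (memberofindirect)`. The enclosing dict literal begins outside the hunk, so the comment could equally sit at its top.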
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index b9b5cc87f..22844345b 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -144,7 +144,7 @@ class hbacrule(LDAPObject):
'externalhost', 'hostcategory', 'ipaenabledflag',
'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
'servicecategory', 'sourcehost', 'sourcehostcategory',
- 'usercategory', 'objectclass',
+ 'usercategory', 'objectclass', 'member',
},
},
}
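Review bot: `'member'` is tacked onto the end of the set after `'objectclass'` instead of being placed in the alphabetical order the rest of the set follows, which makes duplicates and omissions harder to spot on later edits; selinuxusermap.py and sudorule.py do the same with `'member'`, and the hbacsvcgroup.py, sudocmdgroup.py, privilege.py and role.py hunks append `'memberuser', 'memberhost'` after `'seealso'`. For this hunk the ordered form would be `'ipauniqueid', 'member', 'memberhost', 'memberservice', 'memberuser',` with the trailing line left as `'usercategory', 'objectclass',`. The class body continues outside the hunk.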
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 9884f2658..d0f25932e 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -70,6 +70,7 @@ class hbacsvcgroup(LDAPObject):
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'ipauniqueid',
'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'memberuser', 'memberhost',
},
},
}
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 6420fb3ad..711ed8972 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -91,7 +91,7 @@ class hostgroup(LDAPObject):
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
- 'member', 'memberof',
+ 'member', 'memberof', 'memberuser', 'memberhost',
},
},
}
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 50f139990..8603f4cea 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -123,7 +123,8 @@ class netgroup(LDAPObject):
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
- 'externalhost', 'member', 'memberof', 'memberuser'
+ 'externalhost', 'member', 'memberof', 'memberuser',
+ 'memberhost',
},
},
}
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index bd225b92a..3c2127fcc 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -192,7 +192,7 @@ class permission(baseldap.LDAPObject):
'ipapermdefaultattr', 'ipapermincludedattr',
'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
- 'member', 'memberof',
+ 'member', 'memberof', 'memberuser', 'memberhost',
},
'default_privileges': {'RBAC Readers'},
},
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index c0ab96646..cff6fe197 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -70,7 +70,8 @@ class privilege(LDAPObject):
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'member', 'memberof',
- 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+ 'memberhost',
},
'default_privileges': {'RBAC Readers'},
},
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index c881b5b8b..cd56f7f47 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -88,7 +88,8 @@ class role(LDAPObject):
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'member', 'memberof',
- 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
+ 'memberhost',
},
'default_privileges': {'RBAC Readers'},
},
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 7efabaaa6..d84503996 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -160,7 +160,7 @@ class selinuxusermap(LDAPObject):
'accesstime', 'cn', 'description', 'hostcategory',
'ipaenabledflag', 'ipaselinuxuser', 'ipauniqueid',
'memberhost', 'memberuser', 'seealso', 'usercategory',
- 'objectclass',
+ 'objectclass', 'member',
},
},
}
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 44883f430..adde3abdb 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -75,6 +75,7 @@ class sudocmdgroup(LDAPObject):
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'ipauniqueid',
'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'memberuser', 'memberhost',
},
},
}
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index b6893310d..9c2e7c51e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -133,7 +133,7 @@ class sudorule(LDAPObject):
'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
- 'sudoorder', 'usercategory', 'objectclass',
+ 'sudoorder', 'usercategory', 'objectclass', 'member',
},
},
'System: Read Sudoers compat tree': {