diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2011-09-13 11:49:27 +0300 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-09-13 13:15:29 +0200 |
| commit | e77bc923c6f7839a38e2af43efd87b92a669c86e (patch) | |
| tree | 94a5d69942992787faf4695618dd61a505adb447 /ipalib | |
| parent | 17777c1a455bdae7c7b84cdbbd9b68cfe9a67b10 (diff) | |
| download | freeipa-e77bc923c6f7839a38e2af43efd87b92a669c86e.tar.gz freeipa-e77bc923c6f7839a38e2af43efd87b92a669c86e.tar.xz freeipa-e77bc923c6f7839a38e2af43efd87b92a669c86e.zip | |
When external host is specified in HBAC rule, allow its use in simulation
https://fedorahosted.org/freeipa/ticket/1763
When external host is specified in HBAC rule, it needs to be added to
the set of source hosts this rule applies to. Add (list of external hosts)
explicitly when converting FreeIPA rules to PyHBAC objects.
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/hbactest.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 5fce2e5fb..43151e340 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -131,7 +131,8 @@ def convert_to_ipa_rule(rule): ipa_rule = pyhbac.HbacRule(rule['cn'][0]) ipa_rule.enabled = rule['ipaenabledflag'][0] # Following code attempts to process rule systematically - structure = (('user', 'memberuser', 'user', 'group', ipa_rule.users), + structure = \ + (('user', 'memberuser', 'user', 'group', ipa_rule.users), ('host', 'memberhost', 'host', 'hostgroup', ipa_rule.targethosts), ('sourcehost', 'sourcehost', 'host', 'hostgroup', ipa_rule.srchosts), ('service', 'memberservice', 'hbacsvc', 'hbacsvcgroup', ipa_rule.services), @@ -151,6 +152,8 @@ def convert_to_ipa_rule(rule): attr_name = '%s_%s' % (element[1], element[3]) if attr_name in rule: element[4].groups = rule[attr_name] + if 'externalhost' in rule: + ipa_rule.srchosts.names.extend(rule['externalhost']) return ipa_rule |