diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-01-31 11:01:56 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-31 13:17:38 -0500 |
commit | bf4f77d98590c049842715f51968d1e7e2ac9516 (patch) | |
tree | 347fce66dfb33b4f8ded67c0df711afcca013a41 /ipalib | |
parent | c281e786c805f400ca23d4412e29d396632d5441 (diff) | |
download | freeipa-bf4f77d98590c049842715f51968d1e7e2ac9516.tar.gz freeipa-bf4f77d98590c049842715f51968d1e7e2ac9516.tar.xz freeipa-bf4f77d98590c049842715f51968d1e7e2ac9516.zip |
Rename permissions and privileges to be more readable.
This also drops description from permissions since it seems redundant and
fixes up the help text a little.
ticket 792
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 36 |
1 files changed, 16 insertions, 20 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c76ec5a9..b11efdab0 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -33,9 +33,8 @@ A permission may not be members of other permissions. A permission is made up of a number of different parts: 1. The name of the permission. -2. The description of the permission. -3. The target of the permission. -4. The permissions granted by the permission. +2. The target of the permission. +3. The permissions granted by the permission. The permissions define what operations are allowed and are one or more of: 1. write - write one or more attributes @@ -44,24 +43,29 @@ The permissions define what operations are allowed and are one or more of: 4. delete - delete an existing entry 5. all - all permissions are granted +Read permission is granted for most attributes by default so the read +permission is not expected to be used very often. + Note the distinction between attributes and entries. The permissions are independent, so being able to add a user does not mean that the user will be editabe. There are a number of allowed targets: 1. type: a type of object (user, group, etc). -2. memberof: a memberof a group or hostgroup +2. memberof: a member of a group or hostgroup 3. filter: an LDAP filter -4. subtree: an LDAP filter specifying part of the LDAP DIT -5. targetgroup +4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a + super-set of the type option. +5. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership) EXAMPLES: Add a permission that grants the creation of users: - ipa permission-add --desc="Add a User" --type=user --permissions=add adduser + ipa permission-add --type=user --permissions=add "Add Users" Add a permission that grants the ability to manage group membership: - ipa permission-add --desc='Manage group members' --attrs=member --permissions=write --type=group manage_group_members + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" """ import copy @@ -80,7 +84,7 @@ class permission(LDAPObject): object_name = 'permission' object_name_plural = 'permissions' object_class = ['groupofnames'] - default_attributes = ['cn', 'description', 'member', 'memberof', + default_attributes = ['cn', 'member', 'memberof', 'memberindirect', ] aci_attributes = ['group', 'permissions', 'attrs', 'type', @@ -88,7 +92,6 @@ class permission(LDAPObject): ] attribute_members = { 'member': ['privilege'], -# 'memberindirect': ['user', 'group', 'role'], } rdnattr='cn' @@ -101,11 +104,6 @@ class permission(LDAPObject): primary_key=True, normalizer=lambda value: value.lower(), ), - Str('description', - cli_name='desc', - label=_('Description'), - doc=_('Permission description'), - ), List('permissions', cli_name='permissions', label=_('Permissions'), @@ -165,7 +163,6 @@ class permission_add(LDAPCreate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # Test the ACI before going any further opts = copy.copy(options) - del opts['description'] opts['test'] = True opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX @@ -177,7 +174,7 @@ class permission_add(LDAPCreate): # Clear the aci attributes out of the permission entry for o in options: try: - if o not in ['description', 'objectclass']: + if o not in ['objectclass']: del entry_attrs[o] except: pass @@ -186,7 +183,6 @@ class permission_add(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): # Now actually add the aci. opts = copy.copy(options) - del opts['description'] opts['test'] = False opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX @@ -263,7 +259,7 @@ class permission_mod(LDAPUpdate): pass # permission may be renamed, continue opts = copy.copy(options) - for o in ['all', 'raw', 'rights', 'description', 'rename']: + for o in ['all', 'raw', 'rights', 'rename']: if o in opts: del opts[o] setattr(context, 'aciupdate', False) @@ -389,7 +385,7 @@ class permission_show(LDAPRetrieve): if attr in aci: entry_attrs[attr] = aci[attr] except errors.NotFound: - self.debug('ACI not found for %s' % entry_attrs['description'][0]) + self.debug('ACI not found for %s' % entry_attrs['cn'][0]) return dn api.register(permission_show) |