authorTomas Babej <tbabej@redhat.com>2014-05-14 13:09:28 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-25 20:14:49 +0200
commit9304b649a32c57e80f53913d7fbdee92fd76a251 (patch)
tree7d87ea988f69bd644d7dd839ea7087f74e3dde32 /ipalib
parenta228d7a3cb32b14ff24b47adb14d896d317f6312 (diff)
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and the corresponding hooks in the sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/sudorule.py54
1 files changed, 50 insertions, 4 deletions
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a304373b3..935ffded7 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -132,7 +132,7 @@ class sudorule(LDAPObject):
'memberallowcmd', 'memberdenycmd', 'ipasudoopt',
'ipasudorunas', 'ipasudorunasgroup',
'ipasudorunasusercategory', 'ipasudorunasgroupcategory',
- 'sudoorder', 'hostmask',
+ 'sudoorder', 'hostmask', 'ipasudorunasextusergroup',
]
uuid_attribute = 'ipauniqueid'
rdn_attribute = 'ipauniqueid'
@@ -153,7 +153,8 @@ class sudorule(LDAPObject):
'cmdcategory', 'cn', 'description', 'externalhost',
'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
- 'ipasudorunasextuser', 'ipasudorunasgroup',
+ 'ipasudorunasextuser', 'ipasudorunasextusergroup',
+ 'ipasudorunasgroup',
'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
@@ -193,6 +194,7 @@ class sudorule(LDAPObject):
'description', 'ipaenabledflag', 'usercategory',
'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
'ipasudorunasgroupcategory', 'externaluser',
+ 'ipasudorunasextusergroup',
'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
'memberallowcmd', 'memberuser', 'memberhost', 'externalhost',
'sudonotafter', 'hostmask', 'sudoorder', 'sudonotbefore',
@@ -318,6 +320,12 @@ class sudorule(LDAPObject):
label=_('RunAs External User'),
doc=_('External User the commands can run as (sudorule-find only)'),
),
+ Str('ipasudorunasextusergroup?',
+ cli_name='runasexternalusergroup',
+ label=_('External Groups of RunAs Users'),
+ doc=_('External Groups of users that the command can run as'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
Str('ipasudorunasextgroup?', validate_runasextgroup,
cli_name='runasexternalgroup',
label=_('RunAs External Group'),
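Review bot: The doc string of the new `ipasudorunasextusergroup` parameter does not tell the operator how the value gets there, unlike its sibling `ipasudorunasextuser`, whose doc ends in "(sudorule-find only)". With `no_create`, `no_update` and `no_search` all set, the new attribute appears to be output-only, populated through sudorule-add-runasuser `--groups` rather than through any option, so the doc should say that: `doc=_('External Groups of users that the command can run as (set via sudorule-add-runasuser)')`. Note also that the sibling external-group attribute on the next lines carries `validate_runasextgroup` while this one carries no validator; if values reach it only through the membership callback that may be intentional, but it is worth confirming the callback applies equivalent validation. The enclosing `takes_params` tuple and the `sudorule` class both extend beyond this hunk.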
@@ -731,7 +739,26 @@ class sudorule_add_runasuser(LDAPAddMember):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
- return add_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options)
+
+ # Since external_post_callback returns the total number of completed
+ # entries yet (that is, any external users it added plus the value of
+ # passed variable 'completed', we need to pass 0 as completed,
+ # so that the entries added by the framework are not counted twice
+ # (once in each call of add_external_post_callback)
+
+ (completed_ex_users, dn) = add_external_post_callback(
+ 'ipasudorunas', 'user',
+ 'ipasudorunasextuser',
+ ldap, 0, failed, dn, entry_attrs,
+ keys, options)
+
+ (completed_ex_groups, dn) = add_external_post_callback(
+ 'ipasudorunas', 'group',
+ 'ipasudorunasextusergroup',
+ ldap, 0, failed, dn, entry_attrs,
+ keys, options)
+
+ return (completed + completed_ex_users + completed_ex_groups, dn)
@register()
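Review bot: Any `--groups` value that the framework fails to resolve as an IPA group is handed to `add_external_post_callback` and, as far as this hunk shows, stored verbatim in `ipasudorunasextusergroup` with no validation in the new code; since sudo resolves that attribute against host-local groups, a typo in a group name would silently become a runAs grant for whatever local group happens to match, rather than an error. I cannot see `add_external_post_callback` from here, so if it already validates external names this is only a documentation point; otherwise consider filtering the `group` failures through the same rules `validate_runasextgroup` applies to `ipasudorunasextgroup` before the second call. Separately, the explanatory comment has an unclosed parenthesis and a stray "yet"; a tighter version is `# add_external_post_callback returns completed + the number of external entries it added, so pass 0 to avoid counting the framework's own additions twice`. The `sudorule_add_runasuser` class header is above this hunk.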
@@ -744,7 +771,26 @@ class sudorule_remove_runasuser(LDAPRemoveMember):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
- return remove_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options)
+
+ # Since external_post_callback returns the total number of completed
+ # entries yet (that is, any external users it added plus the value of
+ # passed variable 'completed', we need to pass 0 as completed,
+ # so that the entries added by the framework are not counted twice
+ # (once in each call of remove_external_post_callback)
+
+ (completed_ex_users, dn) = remove_external_post_callback(
+ 'ipasudorunas', 'user',
+ 'ipasudorunasextuser',
+ ldap, 0, failed, dn, entry_attrs,
+ keys, options)
+
+ (completed_ex_groups, dn) = remove_external_post_callback(
+ 'ipasudorunas', 'group',
+ 'ipasudorunasextusergroup',
+ ldap, 0, failed, dn, entry_attrs,
+ keys, options)
+
+ return (completed + completed_ex_users + completed_ex_groups, dn)
@register()
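Review bot: The comment block in this hunk was copied from the add path and still says "any external users it added", which is wrong for `remove_external_post_callback`; it should read `# remove_external_post_callback returns completed + the number of external entries it removed, so pass 0 to avoid counting the framework's own removals twice`. This post_callback is otherwise line-for-line identical to the add-side one apart from the helper it calls, so a small module-private helper taking the callback as an argument, e.g. `_runas_external_post_callback(callback, ldap, completed, failed, dn, entry_attrs, keys, options)`, would keep the two counting paths from drifting apart. The `sudorule_remove_runasuser` class header is above this hunk.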