authorPetr Viktorin <pviktori@redhat.com>2014-06-13 15:58:24 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-18 14:45:50 +0200
commit16ee6847e493df0d28b6c1baa9a48ea29752bef5 (patch)
tree1533edbc1fbd1b3cbb4e86611f16eff1f98e05eb /ipaserver/install/plugins
parent637ef11109600d87bfb783eadd4b6401fa58d468 (diff)
managed permission updater: Add mechanism to replace SYSTEM permissions
The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission. Add a mechanism for the updater to replace old SYSTEM permissions. This cannot be done in an update file because we do not want to replace V2 permissions with the same name. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 7b1405a19..2ca054d50 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -67,6 +67,8 @@ The template dictionary can have the following keys:
* replaces
- A list of ACIs corresponding to legacy default permissions replaced
by this permission.
+* replaces_system
+ - A list of names of old SYSTEM permissions this replaces.
* fixup_function
- A callable that may modify the template in-place before it is applied.
- Called with the permission name, template dict, and keyword arguments:
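Review bot: The new `replaces_system` entry in the template documentation does not say what happens when a permission of that name exists but is not a plain SYSTEM permission, which is the whole reason this cannot live in an update file according to the commit message. Since the updater code in this commit only deletes entries whose ipapermissiontype is exactly `['SYSTEM']` and otherwise logs and skips, I would state that here: `- A list of names of old SYSTEM permissions this replaces. An existing permission of the same name is only removed if its type is exactly SYSTEM; V2 permissions are left untouched.` This module docstring continues outside the hunk.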
@@ -410,6 +412,21 @@ class update_managed_permissions(PostUpdate):
self.log.info("Removing legacy permission '%s'", legacy_name)
self.api.Command[permission_del](unicode(legacy_name))
+ for name in template.get('replaces_system', ()):
+ name = unicode(name)
+ try:
+ entry = ldap.get_entry(permission_plugin.get_dn(name),
+ ['ipapermissiontype'])
+ except errors.NotFound:
+ self.log.info("Legacy permission '%s' not found", name)
+ else:
+ flags = entry.get('ipapermissiontype', [])
+ if list(flags) == ['SYSTEM']:
+ self.log.info("Removing legacy permission '%s'", name)
+ self.api.Command[permission_del](name, force=True)
+ else:
+ self.log.info("Ignoring V2 permission '%s'", name)
+
def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
"""Compute included and excluded attributes for a new permission
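Review bot: The `permission_del(name, force=True)` call carries no comment explaining why `force` is needed or why it is safe here, and a later maintainer could easily relax the `list(flags) == ['SYSTEM']` guard without realising that `force` then starts deleting permissions that carry an ACI. I would add above the call: `# permission_del refuses SYSTEM permissions without force; force is safe only because the exact-match check above guarantees this entry has no ACI and no V2 flag.` The exact-match comparison also depends on the stored value being literally `SYSTEM`; if the attribute can come back in a different case from LDAP, the entry would be silently "ignored" as V2, so that assumption is worth confirming in the comment. As a point of style, rebinding the loop variable in `name = unicode(name)` reads awkwardly; `for raw_name in template.get('replaces_system', ()): name = unicode(raw_name)` keeps the two values distinct. The enclosing method starts outside the hunk.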
@@ -497,6 +514,7 @@ class update_managed_permissions(PostUpdate):
template = dict(template)
template.pop('replaces', None)
+ template.pop('replaces_system', None)
fixup_function = template.pop('fixup_function', None)
if fixup_function: