summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--install/share/60basev2.ldif2
-rw-r--r--install/share/delegation.ldif49
-rw-r--r--ipalib/plugins/permission.py30
-rw-r--r--tests/test_xmlrpc/objectclasses.py1
4 files changed, 80 insertions, 2 deletions
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b02..f5f7a6563 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index e154f6b00..18d045d8d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Change a user password
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add user to default group
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectclass: top
objectclass: groupofnames
+objectClass: ipapermission
cn: Unlock user accounts
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Group membership
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Hostgroup membership
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Role membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify privilege membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify netgroup membership
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Manage host keytab
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Enroll a host
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Add Replication Agreements
+ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Modify Replication Agreements
+ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Remove Replication Agreements
+ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
# Entitlement management
@@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: addentitlements
description: Add Entitlements
member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Retrieve Certificates from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Request Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Request Certificates from a different host
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Get Certificates status from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Revoke Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: ipapermission
cn: Certificate Remove Hold
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
+from ipalib import errors
ACI_PREFIX=u"permission"
+output_params = (
+ Str('ipapermissiontype',
+ label=_('Permission Type'),
+ ),
+)
+
class permission(LDAPObject):
"""
Permission object.
@@ -83,9 +90,9 @@ class permission(LDAPObject):
container_dn = api.env.container_permission
object_name = 'permission'
object_name_plural = 'permissions'
- object_class = ['groupofnames']
+ object_class = ['groupofnames', 'ipapermission']
default_attributes = ['cn', 'member', 'memberof',
- 'memberindirect',
+ 'memberindirect', 'ipapermissiontype',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
'filter', 'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
),
)
+ # Don't allow SYSTEM permissions to be modified or removed
+ def check_system(self, ldap, dn, *keys):
+ try:
+ (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+ except errors.NotFound:
+ self.handle_not_found(*keys)
+ if 'ipapermissiontype' in entry_attrs:
+ if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+ return False
+ return True
+
api.register(permission)
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
msg_summary = _('Deleted permission "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be removed')
# remove permission even when the underlying ACI is missing
try:
self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
"""
msg_summary = _('Modified permission "%(value)s"')
+ has_output_params = LDAPUpdate.has_output_params + output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
# check if permission is in LDAP
try:
(dn, attrs) = ldap.get_entry(
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
msg_summary = ngettext(
'%(count)d permission matched', '%(count)d permissions matched'
)
+ has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
"""
Display information about a permission.
"""
+ has_output_params = LDAPRetrieve.has_output_params + output_params
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try:
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py
index 20b008c5c..0d03b47e3 100644
--- a/tests/test_xmlrpc/objectclasses.py
+++ b/tests/test_xmlrpc/objectclasses.py
@@ -68,6 +68,7 @@ role = [
permission = [
u'groupofnames',
+ u'ipapermission',
u'top'
]