-rw-r--r-- | install/share/60basev2.ldif | 2 | ||||
-rw-r--r-- | install/share/delegation.ldif | 49 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 30 | ||||
-rw-r--r-- | tests/test_xmlrpc/objectclasses.py | 1 |
4 files changed, 80 insertions, 2 deletions
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b02..f5f7a6563 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index e154f6b00..18d045d8d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
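Review bot: The new `ipaPermissionType` definition declares `SUBSTR caseIgnoreMatch`, which is an equality rule, not a substring rule; the neighbouring `hostCategory` and `serviceCategory` lines in this same hunk use `SUBSTR caseIgnoreSubstringsMatch`, and that is the rule intended here. Whether 389-ds rejects the mismatch or silently tolerates it I cannot confirm from the diff, but substring filters on the attribute would not behave as written. Suggested line: `attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )`. The attribute is multi-valued, which fits "flags", but a `# ` comment above it naming the one flag value defined so far (`SYSTEM`) would spare the next schema editor a grep through delegation.ldif.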
@@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Change a user password
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add user to default group
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+objectClass: ipapermission
 cn: Unlock user accounts
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
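Review bot: In the `Unlock user accounts` hunk the added `objectClass: ipapermission` sits next to that entry's existing `objectclass: top` / `objectclass: groupofnames`, so the entry now mixes two spellings of the attribute name. LDIF attribute names are case-insensitive, so this is harmless to the directory, but every other entry touched here uses `objectClass:`; either follow the entry's own casing, `objectclass: ipapermission`, or normalise its two existing lines to `objectClass:` in the same pass so the file reads uniformly.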
@@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Group membership
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroup membership
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Role membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify privilege membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroup membership
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage host keytab
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage service keytab
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Enroll a host
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 # Entitlement management
@@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: addentitlements
 description: Add Entitlements
 member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Retrieve Certificates from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
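Review bot: The three Replication Agreements entries are the only ones tagged `ipapermissiontype: SYSTEM`, and nothing in delegation.ldif says what the tag means or why these three qualify. A comment above the first of them, e.g. `# SYSTEM permissions are owned by IPA itself; permission-mod and permission-del refuse to change or remove them`, would tell whoever adds the next installer-managed permission whether to tag it. Whether other installer-created permissions the framework itself depends on (the host-enrollment and keytab entries earlier in this file, for instance) should carry the same tag is a design question this hunk leaves open; a sentence in the commit message either way would help. The value is written in upper case here, and the plugin-side guard compares Python strings rather than using the directory's case-insensitive matching, so keep this exact spelling if the tag is ever added elsewhere.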
@@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificates from a different host
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Get Certificates status from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Revoke Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Certificate Remove Hold
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
+from ipalib import errors
 ACI_PREFIX=u"permission"
+output_params = (
+    Str('ipapermissiontype',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
     """
     Permission object.
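Review bot: `output_params` is introduced with no note on why `ipapermissiontype` is exposed as an output-only `Str` instead of a settable parameter; nothing in this diff adds it to the object's input parameters, so a reader of the plugin will not find where the value comes from. A comment above the tuple would close that gap, e.g. `# ipapermissiontype is read-only through the API: the installer sets it (delegation.ldif) to flag SYSTEM permissions and the commands below only display it.` The module-level name is generic; `permission_output_params` would read better if the module ever grows a second such tuple, but that is cosmetic. The delegation.ldif hunks sharing this line only add the objectclass and need nothing.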
@@ -83,9 +90,9 @@ class permission(LDAPObject):
     container_dn = api.env.container_permission
     object_name = 'permission'
     object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissiontype',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type', 'filter', 'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
         ),
     )
+    # Don't allow SYSTEM permissions to be modified or removed
+    def check_system(self, ldap, dn, *keys):
+        try:
+            (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+        except errors.NotFound:
+            self.handle_not_found(*keys)
+        if 'ipapermissiontype' in entry_attrs:
+            if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+                return False
+        return True
+
 api.register(permission)
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
     msg_summary = _('Deleted permission "%(value)s"')
     def pre_callback(self, ldap, dn, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be removed')
         # remove permission even when the underlying ACI is missing
         try:
             self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
     """
     msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
         # check if permission is in LDAP
         try:
             (dn, attrs) = ldap.get_entry(
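Review bot: `check_system` tests `'SYSTEM' in entry_attrs['ipapermissiontype']` case-sensitively, while the schema added in this same commit gives the attribute `EQUALITY caseIgnoreMatch`, so an entry holding `ipapermissiontype: system` is SYSTEM to the directory but sails past this guard; `return not any(v.upper() == u'SYSTEM' for v in entry_attrs.get('ipapermissiontype', []))` closes that gap and replaces the nested ifs. The `except errors.NotFound` branch relies on `self.handle_not_found(*keys)` raising — presumably it does, but if it ever returns, `entry_attrs` is unbound on the next line, so an explicit `raise` (or `return True`) after the call would make the assumption local to this method. The guard only stops SYSTEM entries from being changed through these two commands: nothing in `permission_mod` (nor, as far as this diff shows, `permission_add`) prevents `--setattr ipapermissiontype=SYSTEM` on an ordinary permission, assuming the generic setattr path accepts attributes the objectclass allows, and anyone with direct LDAP write access bypasses the check entirely — if the flag is meant to be immutable, an ACI denying write to `ipapermissiontype` is the real fence. Raising `errors.ACIError` here also reads to the caller as a rights problem rather than "this entry is protected"; a validation-style error would describe it better, though that is a naming choice.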
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
     msg_summary = ngettext(
         '%(count)d permission matched', '%(count)d permissions matched'
     )
+    has_output_params = LDAPSearch.has_output_params + output_params
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
     """
     Display information about a permission.
     """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         try:
             aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py
index 20b008c5c..0d03b47e3 100644
--- a/tests/test_xmlrpc/objectclasses.py
+++ b/tests/test_xmlrpc/objectclasses.py
@@ -68,6 +68,7 @@ role = [
 permission = [
     u'groupofnames',
+    u'ipapermission',
     u'top'
 ]
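Review bot: The only test change in this commit is the objectclass list in objectclasses.py (the diffstat shows no other test file), so nothing exercises the new refusal paths and a regression that lets `permission-mod` or `permission-del` touch a SYSTEM permission would go unnoticed. A test that runs `permission_del` and `permission_mod` against one of the `Replication Agreements` permissions and expects the `errors.ACIError` their `pre_callback` now raises, plus a `permission_show` asserting `ipapermissiontype` comes back as `SYSTEM`, would pin the behaviour. The `has_output_params` additions for `permission_find` and `permission_show` on this line are straightforward and need no further comment.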