diff options
Diffstat (limited to 'ipalib/plugins/service.py')
-rw-r--r-- | ipalib/plugins/service.py | 134 |
1 files changed, 129 insertions, 5 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 55f412625..2f7035444 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -86,7 +86,10 @@ EXAMPLES: Request a certificate for an IPA service: ipa cert-request --principal=HTTP/web.example.com example.csr - +""") + _(""" + Allow user to create a keytab: + ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1 +""") + _(""" Generate and retrieve a keytab for an IPA service: ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab @@ -127,7 +130,25 @@ output_params = ( ), Str('revocation_reason?', label=_('Revocation reason'), - ) + ), + Str('ipaallowedtoperform_read_keys_user', + label=_('Users allowed to retrieve keytab'), + ), + Str('ipaallowedtoperform_read_keys_group', + label=_('Groups allowed to retrieve keytab'), + ), + Str('ipaallowedtoperform_write_keys_user', + label=_('Users allowed to create keytab'), + ), + Str('ipaallowedtoperform_write_keys_group', + label=_('Groups allowed to create keytab'), + ), + Str('ipaallowedtoperform_read_keys', + label=_('Failed allowed to retrieve keytab'), + ), + Str('ipaallowedtoperform_write_keys', + label=_('Failed allowed to create keytab'), + ), ) ticket_flags_params = ( @@ -290,6 +311,23 @@ def set_kerberos_attrs(entry_attrs, options): if name in options or all_opt: entry_attrs[name] = bool(ticket_flags & value) +def rename_ipaallowedtoperform_from_ldap(entry_attrs, options): + if options.get('raw', False): + return + + for subtype in ('read_keys', 'write_keys'): + name = 'ipaallowedtoperform;%s' % subtype + if name in entry_attrs: + new_name = 'ipaallowedtoperform_%s' % subtype + entry_attrs[new_name] = entry_attrs.pop(name) + +def rename_ipaallowedtoperform_to_ldap(entry_attrs): + for subtype in ('read_keys', 'write_keys'): + name = 'ipaallowedtoperform_%s' % subtype + if name in entry_attrs: + new_name = 'ipaallowedtoperform;%s' % subtype + entry_attrs[new_name] = entry_attrs.pop(name) + @register() class service(LDAPObject): """ @@ -302,19 +340,24 @@ class service(LDAPObject): 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser' ] - possible_objectclasses = ['ipakrbprincipal'] + possible_objectclasses = ['ipakrbprincipal', 'ipaallowedoperations'] permission_filter_objectclasses = ['ipaservice'] - search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] + search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata', + 'ipaallowedtoperform'] default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', - 'ipakrbauthzdata', 'memberof'] + 'ipakrbauthzdata', 'memberof', 'ipaallowedtoperform'] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], 'memberof': ['role'], + 'ipaallowedtoperform_read_keys': ['user', 'group'], + 'ipaallowedtoperform_write_keys': ['user', 'group'], } bindable = True relationships = { 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), + 'ipaallowedtoperform_read_keys': ('Allow to retrieve keytab by', 'retrieve_keytab_by_', 'not_retrieve_keytab_by_'), + 'ipaallowedtoperform_write_keys': ('Allow to create keytab by', 'write_keytab_by_', 'not_write_keytab_by'), } password_attributes = [('krbprincipalkey', 'has_keytab')] managed_permissions = { @@ -346,6 +389,14 @@ class service(LDAPObject): ], 'default_privileges': {'Service Administrators', 'Host Administrators'}, }, + 'System: Manage Service Keytab Permissions': { + 'ipapermright': {'read', 'search', 'compare', 'write'}, + 'ipapermdefaultattr': { + 'ipaallowedtoperform;write_keys', + 'ipaallowedtoperform;read_keys', 'objectclass' + }, + 'default_privileges': {'Service Administrators', 'Host Administrators'}, + }, 'System: Modify Services': { 'ipapermright': {'write'}, 'ipapermdefaultattr': {'usercertificate'}, @@ -469,6 +520,7 @@ class service_add(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): set_kerberos_attrs(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) return dn @@ -561,6 +613,7 @@ class service_mod(LDAPUpdate): assert isinstance(dn, DN) set_certificate_attrs(entry_attrs) set_kerberos_attrs(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) return dn @@ -598,6 +651,7 @@ class service_find(LDAPSearch): self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs) set_certificate_attrs(entry_attrs) set_kerberos_attrs(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) return truncated @@ -620,6 +674,7 @@ class service_show(LDAPRetrieve): set_certificate_attrs(entry_attrs) set_kerberos_attrs(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) return dn @@ -654,6 +709,75 @@ class service_remove_host(LDAPRemoveMember): has_output_params = LDAPRemoveMember.has_output_params + output_params +@register() +class service_allow_retrieve_keytab(LDAPAddMember): + __doc__ = _('Allow users or groups to retrieve a keytab of this service.') + member_attributes = ['ipaallowedtoperform_read_keys'] + has_output_params = LDAPAddMember.has_output_params + output_params + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + rename_ipaallowedtoperform_to_ldap(found) + rename_ipaallowedtoperform_to_ldap(not_found) + add_missing_object_class(ldap, u'ipaallowedoperations', dn) + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(failed, options) + return (completed, dn) + + +@register() +class service_disallow_retrieve_keytab(LDAPRemoveMember): + __doc__ = _('Disallow users or groups to retrieve a keytab of this service.') + member_attributes = ['ipaallowedtoperform_read_keys'] + has_output_params = LDAPRemoveMember.has_output_params + output_params + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + rename_ipaallowedtoperform_to_ldap(found) + rename_ipaallowedtoperform_to_ldap(not_found) + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(failed, options) + return (completed, dn) + + +@register() +class service_allow_create_keytab(LDAPAddMember): + __doc__ = _('Allow users or groups to create a keytab of this service.') + member_attributes = ['ipaallowedtoperform_write_keys'] + has_output_params = LDAPAddMember.has_output_params + output_params + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + rename_ipaallowedtoperform_to_ldap(found) + rename_ipaallowedtoperform_to_ldap(not_found) + add_missing_object_class(ldap, u'ipaallowedoperations', dn) + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(failed, options) + return (completed, dn) + + +@register() +class service_disallow_create_keytab(LDAPRemoveMember): + __doc__ = _('Disallow users or groups to create a keytab of this service.') + member_attributes = ['ipaallowedtoperform_write_keys'] + has_output_params = LDAPRemoveMember.has_output_params + output_params + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + rename_ipaallowedtoperform_to_ldap(found) + rename_ipaallowedtoperform_to_ldap(not_found) + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + rename_ipaallowedtoperform_from_ldap(entry_attrs, options) + rename_ipaallowedtoperform_from_ldap(failed, options) + return (completed, dn) + @register() class service_disable(LDAPQuery): |