| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.
The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.
Ticket #1249
|
|
|
|
|
|
|
| |
Since the broken-out components are just part of the aci just copy right
access rights for aci.
ticket 943
|
|
|
|
|
|
|
| |
There is a rather large API.txt change but it is only due to changes
in the doc string in parameters.
ticket 729
|
|
|
|
| |
Needed for xgettext/pygettext processing.
|
|
|
|
| |
ticket 996
|
|
|
|
|
|
|
|
| |
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns types
in permissions class.
https://fedorahosted.org/freeipa/ticket/646
|
|
|
|
|
|
|
|
|
| |
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.
ticket 853
|
|
|
|
|
|
|
| |
This also drops description from permissions since it seems redundant and
fixes up the help text a little.
ticket 792
|
|
|
|
|
|
|
|
| |
Lookup based on --filter wasn't implemented at all. It did't show until
now, because of bug sitting on top of it which was resulting in internal
error. This patch fixes the bug and adds the filtering functionality.
https://fedorahosted.org/freeipa/ticket/818
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes nonfunctional rename operation in permission
plugin. Also makes sure, that no change is made to the underlying
ACI in pre_callback() when the target permission already exists.
Several tests for the rename operation have been created to ensure
that the it won't break again unnoticed.
https://fedorahosted.org/freeipa/ticket/814
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.
This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.
Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.
Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.
This change requires an IPA server reinstall since the default ACI
set has been changed.
https://fedorahosted.org/freeipa/ticket/764
|
|
|
|
|
|
|
| |
So far the only flag to enforce asking in interactive mode was the
alwaysask attribute, which is not sufficient any more. This patch adds
the ability to control for which actions the atrribute shall be asked
for.
|
|
|
|
|
|
|
| |
Either one of type, filter, subtree, targetgroup, attrs or memberof is
required.
https://fedorahosted.org/freeipa/ticket/819
|
|
|
|
|
|
| |
Also make i18n_messages and json_metadata NO_CLI.
ticket 821
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
|
|
|
|
|
|
|
| |
We create the aci with the --test flag to test its validity but it doesn't
do the same level of tests that actually adding an aci to LDAP does. Catch
any syntax errors that get thrown and clean up as best we can.
ticket 621
|
|
|
|
|
|
|
|
|
|
| |
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
|
|
|
|
|
|
|
|
|
| |
permissions are a real group pointed to by an aci, managed by the same
plugin. Any given update can update one or both or neither. Do a better
job at determining what it is that needs to be updated and handle the
case where only the ACI is updated so that EmptyModList is not thrown.
ticket 603
|
|
|
|
|
|
|
|
|
| |
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.
Right now only ACIs in the basedn can be managed with this plugin.
ticket 531
|
|
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|