From 44cced658bde224957a605bfa083821d8fbf94c0 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz
Date: Thu, 11 Jun 2015 13:18:27 +0200
Subject: Stage User: Fix permissions naming and split them where apropriate.
Reviewed-By: David Kupka
Reviewed-By: Martin Kosek
---
 ACI.txt | 26 +++++++-------
 VERSION | 4 +--
 ipalib/plugins/stageuser.py | 82 ++++++++++++++++++++++-----------------------
 3 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 60e9ebb10..08fc05ebc 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -247,25 +247,27 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User kerberos principal key and password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users by administrators";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read/Write delete Users by administrators";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Read/Write delete Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset userPassord and kerberos keys of delete users by administrator";allow (read,search,write) groupdn = "ldap:///cn=System: Reset userPassord and kerberos keys of delete users by administrator,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Delete Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Delete Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
diff --git a/VERSION b/VERSION
index a5f40747a..741d50f2d 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=131
-# Last change: pvoborni - toposegment direction restrictions
+IPA_API_VERSION_MINOR=132
+# Last change: dkupka: User life cycle permissions naming and split
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index c8c92f41b..18e09e957 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -112,12 +112,11 @@ class stageuser(baseuser):
 object_name = _('stage user')
 object_name_plural = _('stage users')
 managed_permissions = {
- #
- # Stage container
- #
- # Stage user provisioning and Stage user Administrators,
- # allowed to create stage users
- 'System: Add Stage Users by Provisioning and Administrators': {
+ #
+ # Stage container
+ #
+ # Allowed to create stage user
+ 'System: Add Stage User': {
 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
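Review bot: The rename of `'System: Write Active Users RDN by administrators'` to `'System: Modify User RDN'` made in hunk `@@ -207,7 +207,7 @@` of ipalib/plugins/stageuser.py has no counterpart in this ACI.txt hunk: the `aci:` line under `dn: cn=users,cn=accounts,dc=ipa,dc=example` still carries the old name as unchanged context, while every other renamed permission gets a `-`/`+` pair here. If ACI.txt is the checked-in dump of the managed permissions, as the paired edits suggest, the two will disagree after this commit and any consistency check between them would fail on that entry; the line should become `aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify User RDN";allow (write) groupdn = "ldap:///cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=ipa,dc=example";)`, placed where the new name sorts. Separately, nothing in the patch retires the old permission names on a directory that already has them; if stage-user permissions were ever provisioned under the old names, the old ACIs would persist next to the new ones, which is worth confirming against the managed-permission updater.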
@@ -126,33 +125,40 @@ class stageuser(baseuser):
 'ipapermdefaultattr': {'*'},
 'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
 },
- # Stage user administrators allowed to read kerberos/password
- # when the user is activated (to copy them in the active entry)
- 'System: Read Stage User kerberos principal key and password': {
+ # Allow to read kerberos/password
+ 'System: Read Stage User password': {
+ 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=*)'},
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'userPassword', 'krbPrincipalKey',
+ },
+ 'default_privileges': {'Stage User Administrators'},
+ },
+ # Allow to update stage user
+ 'System: Modify Stage User': {
 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=*)'},
- 'ipapermright': {'read', 'search', 'compare'},
- 'ipapermdefaultattr': {
- 'userPassword', 'krbPrincipalKey',
- },
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'*'},
 'default_privileges': {'Stage User Administrators'},
 },
- # Stage user administrator allowed to delete stage users and
- # to update them
- 'System: Delete modify Stage Users by administrators': {
+ # Allow to delete stage user
+ 'System: Remove Stage User': {
 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=*)'},
- 'ipapermright': {'delete','write'},
+ 'ipapermright': {'delete'},
 'ipapermdefaultattr': {'*'},
 'default_privileges': {'Stage User Administrators'},
 },
- # Stage user administrator allowed to read any attributes
- # of stage users
- 'System: Read Stage Users by administrators': {
+ # Allow to read any attributes of stage users
+ 'System: Read Stage Users': {
 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
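Review bot: The new one-line comments in this hunk drop the justification for the grants they describe, which matters most for `'System: Read Stage User password'`: `# Allow to read kerberos/password` no longer says why Stage User Administrators need read access to `userPassword` and `krbPrincipalKey`, whereas the removed comment tied it to copying the credentials into the active entry on activation. The same happens in hunk `@@ -162,36 +168,30 @@`, where `# Allow to update Preserved User` replaces the explanation that write on all attributes, not just the `uid` RDN, is needed to reset DN-syntax and credential attributes. Suggested wording here: `# Allow to read kerberos/password (needed on activation, to copy the credentials into the active entry)`, and for the preserved container: `# Allow to update Preserved User; write on '*' is needed because undelete resets DN-syntax and credential attributes, not only the uid RDN`. Keeping the reason next to a wildcard or credential-attribute grant makes later maintainers less likely to widen or narrow it blindly. The `managed_permissions` dict continues on both sides of this hunk.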
@@ -162,36 +168,30 @@ class stageuser(baseuser):
 'default_privileges': {'Stage User Administrators'},
 },
 #
- # Delete container
+ # Preserve container
 #
- # Stage user administrator allow to read all attributes (when delete
- # an active user with preserve flag)
- # We also need to reset some of the attributes syntax DN/credential
- # so allowed write on all the attributes
- 'System: Read/Write delete Users by administrators': {
+ # Allow to read Preserved User
+ 'System: Read Preserved Users': {
 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
- 'ipapermright': {'read', 'search', 'compare', 'write'},
+ 'ipapermright': {'read', 'search', 'compare'},
 'ipapermdefaultattr': {'*'},
 'default_privileges': {'Stage User Administrators'},
 },
- #
- # Stage user administrator allows to write the RDN
- # when the delete user is undeleted
- 'System: Write Delete Users RDN by administrators': {
+ # Allow to update Preserved User
+ 'System: Modify Preserved Users': {
 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
 'ipapermright': {'write'},
- 'ipapermdefaultattr': {'uid'},
+ 'ipapermdefaultattr': {'*'},
 'default_privileges': {'Stage User Administrators'},
 },
- # Stage user administrator allows to reset kerberos/password
- # when a deleted user is preserved
- 'System: Reset userPassord and kerberos keys of delete users by administrator': {
+ # Allow to reset Preserved User password
+ 'System: Reset Preserved User password': {
 'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
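Review bot: The new names in this hunk are inconsistent in number with the stage-container names introduced in hunk `@@ -126,33 +125,40 @@`: `'System: Modify Preserved Users'` is plural while `'System: Modify Stage User'` is singular, and this hunk itself uses the singular in `'System: Reset Preserved User password'`. Since the commit exists to fix permission naming and the names are also baked into ACI.txt and, presumably, into any deployed directory, settling on one form now is cheaper than renaming again later; `'System: Modify Preserved User'` would parallel `'System: Modify Stage User'`, with the matching ACI.txt line changed alongside. The `managed_permissions` dict continues on both sides of this hunk.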
@@ -207,7 +207,7 @@ class stageuser(baseuser):
 #
 # Stage user administrators need write right on RDN when
 # the active user is deleted (preserved)
- 'System: Write Active Users RDN by administrators': {
+ 'System: Modify User RDN': {
 'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
@@ -219,10 +219,9 @@ class stageuser(baseuser):
 #
 # Cross containers autorization
 #
- # Stage user administrators need a moddn right when preserving
- # a delete user.
+ # Allow to move active user to preserve container (user-del --preserve)
 # Note: targetfilter is the target parent container
- 'System: Preserve an active user to a delete Users': {
+ 'System: Preserve User': {
 'ipapermlocation': DN(api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
@@ -231,10 +230,9 @@ class stageuser(baseuser):
 'ipapermright': {'moddn'},
 'default_privileges': {'Stage User Administrators'},
 },
- # Stage user administrators need a moddn right when undelete
- # a delete user.
+ # Allow to move preserved user to active container (user-undel)
 # Note: targetfilter is the target parent container
- 'System: Reactive delete users': {
+ 'System: Undelete User': {
 'ipapermlocation': DN(api.env.basedn),
 'ipapermbindruletype': 'permission',
 'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
-- cgit