From e3c225317be2e4849f0f5f8b35f9872d28379330 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 3 Jul 2015 10:05:40 -0400
Subject: caacl: fix incorrect construction of HbacRequest for hosts
The _acl_make_request function is using the 'host/' prefix itself instead of the hostname after it. Use split_any_principal to do the splitting correctly, also taking realm into account.
Reviewed-By: David Kupka
---
 ipalib/plugins/caacl.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'ipalib/plugins')
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 6bf39d233..247d6df14 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -55,13 +55,15 @@ register = Registry()
 def _acl_make_request(principal_type, principal, ca_ref, profile_id):
 """Construct HBAC request for the given principal, CA and profile"""
+ service, name, realm = split_any_principal(principal)
+
 req = pyhbac.HbacRequest()
 req.targethost.name = ca_ref
 req.service.name = profile_id
 if principal_type == 'user':
 req.user.name = principal
 elif principal_type == 'host':
- req.user.name = principal[:5] # strip 'host/'
+ req.user.name = name
 elif principal_type == 'service':
 req.user.name = normalize_principal(principal)
 groups = []
@@ -70,8 +72,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id):
 groups = user_obj.get('memberof_group', [])
 groups += user_obj.get('memberofindirect_group', [])
 elif principal_type == 'host':
- service, hostname, realm = split_any_principal(principal)
- host_obj = api.Command.host_show(hostname)['result']
+ host_obj = api.Command.host_show(name)['result']
 groups = host_obj.get('memberof_hostgroup', [])
 groups += host_obj.get('memberofindirect_hostgroup', [])
 req.user.groups = sorted(set(groups))
-- cgit
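Review bot: The added `service, name, realm = split_any_principal(principal)` keeps only `name`; `service` and `realm` are never read in either hunk, so nothing visible here confirms that a principal handled as `'host'` actually carries the `host` service component or belongs to the local realm. If the helper does not enforce that itself (its body is not in this diff), the host branch should check it before `req.user.name = name`, for example `if service != 'host': raise ValueError('not a host principal')` or the project's own error type. The call also now runs for user and service principals, which ignore its result, so any parse error it raises reaches those paths as well. A one-line comment stating that this is intended would help the next reader.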
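Review bot: Nothing rejects a `principal_type` other than the three handled values: the name chain in the first hunk and the group chain here both fall through, and `req.user.groups = sorted(set(groups))` then completes a request with no user name and an empty group list. Since this request is presumably what the CA ACL decision is evaluated against, the builder should fail closed rather than return a partly filled request. Adding `else: raise ValueError('unknown principal_type: %r' % principal_type)` to the first chain would do that; it belongs there rather than on the group chain, which has no branch for `'service'`. The group chain's opening `if` lies outside this hunk.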