From bfb3e4699643308e4787fd52067b38f1cb278f47 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 3 Dec 2010 13:57:19 -0500
Subject: Remove accessTime from HBAC. ticket 545
---
 ipalib/plugins/hbac.py | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)
(limited to 'ipalib')
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 117b07535..8e3e44e43 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -21,16 +21,12 @@ Host-based access control
 Control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can
-access a service, or group of services, on a target host. You can also
-control the times that the rule is active.
+access a service, or group of services, on a target host.
 You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future.
-The access time(s) of a host are cumulative and are not guaranteed to be
-applied in the order displayed.
-
 Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
 The available services and groups of services are controlled by the
@@ -46,13 +42,6 @@ EXAMPLES:
 Display the properties of a named HBAC rule:
 ipa hbac-show test1
- Specify that the rule "test1" be active every day between 0800 and 1400:
- ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
-
- Specify that the rule "test1" be active once, from 10:32 until 10:33 on
- December 16, 2010:
- ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
-
 Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine:
 ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd
@@ -75,6 +64,22 @@ EXAMPLES:
 ipa hbac-del allow_server
 """
+
+# AccessTime support is being removed for now.
+#
+# You can also control the times that the rule is active.
+#
+# The access time(s) of a host are cumulative and are not guaranteed to be
+# applied in the order displayed.
+#
+# Specify that the rule "test1" be active every day between 0800 and 1400:
+# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
+#
+# Specify that the rule "test1" be active once, from 10:32 until 10:33 on
+# December 16, 2010:
+# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
+
+
 from ipalib import api, errors
 from ipalib import AccessTime, Password, Str, StrEnum
 from ipalib.plugins.baseldap import *
@@ -102,7 +107,7 @@ class hbac(LDAPObject):
 object_class = ['ipaassociation', 'ipahbacrule']
 default_attributes = [
 'cn', 'accessruletype', 'ipaenabledflag',
- 'accesstime', 'description', 'usercategory', 'hostcategory',
+ 'description', 'usercategory', 'hostcategory',
 'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
 'memberhostgroup',
@@ -155,10 +160,10 @@ class hbac(LDAPObject):
 doc=_('Service category the rule applies to'),
 values=(u'all', ),
 ),
- AccessTime('accesstime?',
- cli_name='time',
- label=_('Access time'),
- ),
+# AccessTime('accesstime?',
+# cli_name='time',
+# label=_('Access time'),
+# ),
 Str('description?',
 cli_name='desc',
 label=_('Description'),
@@ -346,7 +351,7 @@ class hbac_add_accesstime(LDAPQuery):
 )
 )
-api.register(hbac_add_accesstime)
+#api.register(hbac_add_accesstime)
 class hbac_remove_accesstime(LDAPQuery):
@@ -386,7 +391,7 @@ class hbac_remove_accesstime(LDAPQuery):
 )
 )
-api.register(hbac_remove_accesstime)
+#api.register(hbac_remove_accesstime)
 class hbac_add_user(LDAPAddMember):
-- cgit
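Review bot: Dropping `'accesstime'` from `default_attributes` in `class hbac` means a rule that already has accessTime values stored in the directory no longer shows them by default, and with `hbac_remove_accesstime` unregistered further down the plugin offers no command to clear them. Whether the enforcing side still evaluates a stored accessTime is not visible in this patch, so an administrator could read a rule as unrestricted while a time window is still attached to it. The commit should say what happens to existing values, for example with a comment next to the list such as `# 'accesstime' intentionally not listed; existing values are <ignored|still enforced>, see ticket 545`. The `default_attributes` list continues outside the hunk.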
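Review bot: The `AccessTime('accesstime?', ...)` parameter in `takes_params` is switched off by commenting it out at column 0, and the last two hunks do the same with `#api.register(hbac_add_accesstime)` and `#api.register(hbac_remove_accesstime)`, which leaves both command classes defined but unreachable. Commented-out code carries no reason and no condition for re-enabling it at the place a maintainer will read it. Either delete the parameter and the two classes (history keeps them) or put a one-line reason beside each, such as `# accessTime disabled for now, see ticket 545; re-register once time rules are supported again`. The `takes_params` tuple and both classes start outside these hunks.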