authorRob Crittenden <rcritten@redhat.com>2010-05-14 09:37:54 -0400
committerRob Crittenden <rcritten@redhat.com>2010-05-17 13:47:37 -0400
commit58fed697684931e66ed054d0d5899301fd47b04d (patch)
tree6c56d25c839977d2dd8aa754f17bfe63d23a0c80 /ipalib/plugins/hbac.py
parent194399373795cf297ffae48588598d9585ae0ad4 (diff)
Add groups of services to HBAC
Replace serviceName with memberService so that individual services or groups of services can be assigned to an HBAC rule. 588574
Diffstat (limited to 'ipalib/plugins/hbac.py')
-rw-r--r--ipalib/plugins/hbac.py65
1 files changed, 56 insertions, 9 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 7a76f72c..1438ea95 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -34,16 +34,18 @@ class hbac(LDAPObject):
object_name_plural = 'HBAC rules'
object_class = ['ipaassociation', 'ipahbacrule']
default_attributes = [
- 'cn', 'accessruletype', 'ipaenabledflag', 'servicename',
+ 'cn', 'accessruletype', 'ipaenabledflag',
'accesstime', 'description', 'usercategory', 'hostcategory',
- 'sourcehostcategory', 'ipaenabledflag',
-
+ 'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
+ 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
+ 'memberhostgroup',
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
'memberuser': ['user', 'group'],
'memberhost': ['host', 'hostgroup'],
'sourcehost': ['host', 'hostgroup'],
+ 'memberservice': ['hbacsvc', 'hbacsvcgroup'],
}
label = _('HBAC')
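Review bot: The rebuilt `default_attributes` list keeps `'ipaenabledflag'` twice — it is already on the line above (`'cn', 'accessruletype', 'ipaenabledflag',`) and the added line repeats it — and adds `'memberhostgroup'`, which has no counterpart in `attribute_members`, where host groups are already reached through `'memberhost': ['host', 'hostgroup']`. Unless `memberhostgroup` is a real attribute of the `ipahbacrule` object class (not visible here), it is a stray entry that will be requested on every search and never filled. I would change the added lines to `'sourcehostcategory', 'servicecategory',` and `'memberuser', 'sourcehost', 'memberhost', 'memberservice',` and drop the `'memberhostgroup',` line. The `hbac` class itself begins before this hunk.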
@@ -60,12 +62,7 @@ class hbac(LDAPObject):
label=_('Rule type'),
values=(u'allow', u'deny'),
),
- Str('servicename?',
- cli_name='service',
- label=_('Service name'),
- doc=_('Name of service the rule applies to (e.g. ssh)'),
- ),
- # FIXME: {user,host,sourcehost}categories should expand in the future
+ # FIXME: {user,host,sourcehost,service}categories should expand in the future
StrEnum('usercategory?',
cli_name='usercat',
label=_('User category'),
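Review bot: Dropping the `servicename` parameter leaves existing rules that were created with `--service` untouched in LDAP but invisible to this plugin: nothing in the commit migrates a stored `serviceName` value into a `memberService` reference, so those rules' service scoping is no longer shown and, if the enforcement side now consults only `memberService`, is presumably no longer applied. A one-off update step (or at least a note in the commit message that such rules must be re-created) is needed, because an `allow` rule that silently widens from one service to every service is the security-relevant failure mode here. The enclosing `hbac` class and its parameter tuple start before this hunk.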
@@ -84,6 +81,12 @@ class hbac(LDAPObject):
doc=_('Source host category the rule applies to'),
values=(u'all', ),
),
+ StrEnum('servicecategory?',
+ cli_name='servicecat',
+ label=_('Service category'),
+ doc=_('Service category the rule applies to'),
+ values=(u'all', ),
+ ),
AccessTime('accesstime?',
cli_name='time',
label=_('Access time'),
@@ -96,6 +99,30 @@ class hbac(LDAPObject):
label=_('Enabled'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str('memberuser_user?',
+ label=_('Users'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_host?',
+ label=_('Hosts'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_hostgroup?',
+ label=_('Host Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('sourcehost_host?',
+ label=_('Source hosts'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberservice_service?',
+ label=_('Services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberservice_servicegroup?',
+ label=_('Service Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **kwargs):
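Review bot: The two new output-only parameters for services are named `memberservice_service` and `memberservice_servicegroup`, but `attribute_members` registers the member types as `'hbacsvc'` and `'hbacsvcgroup'`; every other entry in this hunk follows `<attribute>_<member type>` (`memberhost_hostgroup` for `'hostgroup'`), so if the base class derives these output keys from `attribute_members`, the two service fields will never be populated and a rule's service scope will be missing from `show`/`find` output. They should presumably be `Str('memberservice_hbacsvc?', ...)` and `Str('memberservice_hbacsvcgroup?', ...)`. The same table also lists `'group'` under `memberuser` and `'hostgroup'` under `sourcehost`, yet no `memberuser_group` or `sourcehost_hostgroup` output field is added, so user-group and source-host-group scoping stays invisible to an administrator reviewing a rule. The parameter tuple closes at the `)` in this hunk; the class itself begins earlier.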
@@ -351,3 +378,23 @@ class hbac_remove_sourcehost(LDAPRemoveMember):
member_count_out = ('%i object removed.', '%i objects removed.')
api.register(hbac_remove_sourcehost)
+
+
+class hbac_add_service(LDAPAddMember):
+ """
+ Add services affected by HBAC rule.
+ """
+ member_attributes = ['memberservice']
+ member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(hbac_add_service)
+
+
+class hbac_remove_service(LDAPRemoveMember):
+ """
+ Remove source hosts and hostgroups affected by HBAC rule.
+ """
+ member_attributes = ['memberservice']
+ member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(hbac_remove_service)
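Review bot: The docstring of `hbac_remove_service` is copied from the sourcehost command and describes the wrong operation (`Remove source hosts and hostgroups affected by HBAC rule.`); it should read `Remove services and service groups affected by HBAC rule.`, and the add command's docstring could likewise mention groups: `Add services and service groups affected by HBAC rule.`. Beyond wording, neither command looks at the rule's `servicecategory`: a rule whose `servicecategory` is `all` can still acquire `memberservice` entries, leaving it to the enforcement side to decide which wins. A `pre_callback` in `hbac_add_service` that reads the rule and rejects the add when the category is `all` would keep the two mutually exclusive, assuming the user/host member commands earlier in the file (not visible here) do the same.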