author | Rob Crittenden <rcritten@redhat.com> | 2010-12-03 13:57:19 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-12-06 11:42:13 -0500 |
commit | bfb3e4699643308e4787fd52067b38f1cb278f47 (patch) | |
tree | 8750383dc1cc389bda1ed6305a1a495c424eb1e5 /ipalib/plugins/hbac.py | |
parent | 19049d1a64d55921980103cbb3ce36d40fc9ffff (diff) | |
Remove accessTime from HBAC.
ticket 545
Diffstat (limited to 'ipalib/plugins/hbac.py')
-rw-r--r-- | ipalib/plugins/hbac.py | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py index 117b0753..8e3e44e4 100644 --- a/ipalib/plugins/hbac.py +++ b/ipalib/plugins/hbac.py @@ -21,16 +21,12 @@ Host-based access control Control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can -access a service, or group of services, on a target host. You can also -control the times that the rule is active. +access a service, or group of services, on a target host. You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future. -The access time(s) of a host are cumulative and are not guaranteed to be -applied in the order displayed. - Target hosts and source hosts in HBAC rules must be hosts managed by IPA. The available services and groups of services are controlled by the @@ -46,13 +42,6 @@ EXAMPLES: Display the properties of a named HBAC rule: ipa hbac-show test1 - Specify that the rule "test1" be active every day between 0800 and 1400: - ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1 - - Specify that the rule "test1" be active once, from 10:32 until 10:33 on - December 16, 2010: - ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1 - Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine: ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd 
@@ -75,6 +64,22 @@ EXAMPLES: ipa hbac-del allow_server """ + +# AccessTime support is being removed for now. +# +# You can also control the times that the rule is active. +# +# The access time(s) of a host are cumulative and are not guaranteed to be +# applied in the order displayed. +# +# Specify that the rule "test1" be active every day between 0800 and 1400: +# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1 +# +# Specify that the rule "test1" be active once, from 10:32 until 10:33 on +# December 16, 2010: +# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1 + + from ipalib import api, errors from ipalib import AccessTime, Password, Str, StrEnum from ipalib.plugins.baseldap import * @@ -102,7 +107,7 @@ class hbac(LDAPObject): object_class = ['ipaassociation', 'ipahbacrule'] default_attributes = [ 'cn', 'accessruletype', 'ipaenabledflag', - 'accesstime', 'description', 'usercategory', 'hostcategory', + 'description', 'usercategory', 'hostcategory', 'sourcehostcategory', 'servicecategory', 'ipaenabledflag', 'memberuser', 'sourcehost', 'memberhost', 'memberservice', 'memberhostgroup', @@ -155,10 +160,10 @@ class hbac(LDAPObject): doc=_('Service category the rule applies to'), values=(u'all', ), ), - AccessTime('accesstime?', - cli_name='time', - label=_('Access time'), - ), +# AccessTime('accesstime?', +# cli_name='time', +# label=_('Access time'), +# ), Str('description?', cli_name='desc', label=_('Description'), @@ -346,7 +351,7 @@ class hbac_add_accesstime(LDAPQuery): ) ) -api.register(hbac_add_accesstime) +#api.register(hbac_add_accesstime) class hbac_remove_accesstime(LDAPQuery): @@ -386,7 +391,7 @@ class hbac_remove_accesstime(LDAPQuery): ) ) -api.register(hbac_remove_accesstime) +#api.register(hbac_remove_accesstime) class hbac_add_user(LDAPAddMember): |
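Review bot: Dropping `'accesstime'` from `default_attributes` in the `hbac` object means rules that already carry an accessTime value in the directory no longer show it in default output, and with `hbac_remove_accesstime` unregistered later in this patch there is no command left to clear it. Nothing in the visible hunks migrates or reports such entries, so a rule created as time-limited could be evaluated differently from what the tool displays, depending on whether the enforcing client still honours the attribute (not visible here). I would add an upgrade step, or at least a documented check, that lists rules still holding `accesstime`, and state the behaviour in the comment block, e.g. `# Existing accessTime values are left in LDAP but are no longer shown or editable.` Separately, `'ipaenabledflag'` appears twice in this list in the context lines and one copy can be dropped. The class body starts and ends outside the hunk.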
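Review bot: The `AccessTime('accesstime?', ...)` parameter in `takes_params` is disabled by commenting it out at column 0 inside an indented tuple, and the last two hunks do the same with `#api.register(hbac_add_accesstime)` and `#api.register(hbac_remove_accesstime)`. That leaves both command classes defined but unreachable, and the `AccessTime` name in `from ipalib import AccessTime, Password, Str, StrEnum` is kept only for code that can no longer be invoked, as far as these hunks show. Deleting the parameter, the two classes and the import together, and keeping one short comment such as `# accessTime support removed (ticket 545); see git history to restore.`, would tell a later reader that time-based restriction is not an available control rather than a temporarily broken one. The `takes_params` tuple starts and ends outside the hunk.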