-rw-r--r--ipalib/plugins/hbac.py43
-rw-r--r--tests/test_xmlrpc/test_hbac_plugin.py49
2 files changed, 47 insertions, 45 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 117b0753..8e3e44e4 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -21,16 +21,12 @@ Host-based access control
Control who can access what services on what hosts and from where. You
can use HBAC to control which users or groups on a source host can
-access a service, or group of services, on a target host. You can also
-control the times that the rule is active.
+access a service, or group of services, on a target host.
You can also specify a category of users, target hosts, and source
hosts. This is currently limited to "all", but might be expanded in the
future.
-The access time(s) of a host are cumulative and are not guaranteed to be
-applied in the order displayed.
-
Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
The available services and groups of services are controlled by the
@@ -46,13 +42,6 @@ EXAMPLES:
Display the properties of a named HBAC rule:
ipa hbac-show test1
- Specify that the rule "test1" be active every day between 0800 and 1400:
- ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
-
- Specify that the rule "test1" be active once, from 10:32 until 10:33 on
- December 16, 2010:
- ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
-
Create a rule for a specific service. This lets the user john access
the sshd service on any machine from any machine:
ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd
@@ -75,6 +64,22 @@ EXAMPLES:
ipa hbac-del allow_server
"""
+
+# AccessTime support is being removed for now.
+#
+# You can also control the times that the rule is active.
+#
+# The access time(s) of a host are cumulative and are not guaranteed to be
+# applied in the order displayed.
+#
+# Specify that the rule "test1" be active every day between 0800 and 1400:
+# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
+#
+# Specify that the rule "test1" be active once, from 10:32 until 10:33 on
+# December 16, 2010:
+# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
+
+
from ipalib import api, errors
from ipalib import AccessTime, Password, Str, StrEnum
from ipalib.plugins.baseldap import *
@@ -102,7 +107,7 @@ class hbac(LDAPObject):
object_class = ['ipaassociation', 'ipahbacrule']
default_attributes = [
'cn', 'accessruletype', 'ipaenabledflag',
- 'accesstime', 'description', 'usercategory', 'hostcategory',
+ 'description', 'usercategory', 'hostcategory',
'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
'memberuser', 'sourcehost', 'memberhost', 'memberservice',
'memberhostgroup',
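Review bot: Rules that already carry an `accesstime` value in LDAP are not handled by this change. Dropping the attribute from `default_attributes` here presumably stops `hbac-show` from returning it by default, and the later hunks that comment out the `AccessTime` parameter and both `api.register(...)` calls take away the commands for setting or clearing it. An administrator could then read a time-restricted rule as unconditional while the restriction is still stored on the entry; whether clients keep evaluating it is not visible from this diff. I would either keep `'accesstime',` in the list until existing values are cleaned up, or add an upgrade step that reports or strips them. Separately, `'ipaenabledflag'` appears twice in this list (context lines), and the class body continues outside the hunk.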
@@ -155,10 +160,10 @@ class hbac(LDAPObject):
doc=_('Service category the rule applies to'),
values=(u'all', ),
),
- AccessTime('accesstime?',
- cli_name='time',
- label=_('Access time'),
- ),
+# AccessTime('accesstime?',
+# cli_name='time',
+# label=_('Access time'),
+# ),
Str('description?',
cli_name='desc',
label=_('Description'),
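Review bot: The `AccessTime('accesstime?', ...)` parameter is commented out in place rather than removed, and the `#` lines sit at column 0 inside an indented parameter tuple. The same pattern recurs in the two `#api.register(...)` hunks, which leave `hbac_add_accesstime` and `hbac_remove_accesstime` defined but unregistered, and in the test file, where two tests become comment blocks. Code disabled this way goes stale silently, and the test run no longer shows that coverage was dropped. I would delete the lines and rely on version control, or keep a single marker such as `# accesstime parameter disabled, see the AccessTime note at the top of this module`; for the tests, a skip would keep them visible in reports. The parameter tuple and the affected classes start and end outside these hunks.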
@@ -346,7 +351,7 @@ class hbac_add_accesstime(LDAPQuery):
)
)
-api.register(hbac_add_accesstime)
+#api.register(hbac_add_accesstime)
class hbac_remove_accesstime(LDAPQuery):
@@ -386,7 +391,7 @@ class hbac_remove_accesstime(LDAPQuery):
)
)
-api.register(hbac_remove_accesstime)
+#api.register(hbac_remove_accesstime)
class hbac_add_user(LDAPAddMember):
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index 3c1cfaed..51591ea8 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -55,13 +55,11 @@ class test_hbac(XMLRPC_test):
ret = self.failsafe_add(api.Object.hbac,
self.rule_name,
accessruletype=self.rule_type,
- accesstime=self.rule_time,
description=self.rule_desc,
)
entry = ret['result']
assert_attr_equal(entry, 'cn', self.rule_name)
assert_attr_equal(entry, 'accessruletype', self.rule_type)
- assert_attr_equal(entry, 'accesstime', self.rule_time)
assert_attr_equal(entry, 'ipaenabledflag', 'TRUE')
assert_attr_equal(entry, 'description', self.rule_desc)
@@ -85,7 +83,6 @@ class test_hbac(XMLRPC_test):
entry = api.Command['hbac_show'](self.rule_name)['result']
assert_attr_equal(entry, 'cn', self.rule_name)
assert_attr_equal(entry, 'accessruletype', self.rule_type)
- assert_attr_equal(entry, 'accesstime', self.rule_time)
assert_attr_equal(entry, 'ipaenabledflag', 'TRUE')
assert_attr_equal(entry, 'description', self.rule_desc)
@@ -99,30 +96,30 @@ class test_hbac(XMLRPC_test):
entry = ret['result']
assert_attr_equal(entry, 'description', self.rule_desc_mod)
- def test_4_hbac_add_accesstime(self):
- """
- Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
- """
- return
- ret = api.Command['hbac_add_accesstime'](
- self.rule_name, accesstime=self.rule_time2
- )
- entry = ret['result']
- assert_attr_equal(entry, 'accesstime', self.rule_time);
- assert_attr_equal(entry, 'accesstime', self.rule_time2);
+# def test_4_hbac_add_accesstime(self):
+# """
+# Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
+# """
+# return
+# ret = api.Command['hbac_add_accesstime'](
+# self.rule_name, accesstime=self.rule_time2
+# )
+# entry = ret['result']
+# assert_attr_equal(entry, 'accesstime', self.rule_time);
+# assert_attr_equal(entry, 'accesstime', self.rule_time2);
- def test_5_hbac_add_accesstime(self):
- """
- Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
- """
- try:
- api.Command['hbac_add_accesstime'](
- self.rule_name, accesstime=self.rule_time_fail
- )
- except errors.ValidationError:
- pass
- else:
- assert False
+# def test_5_hbac_add_accesstime(self):
+# """
+# Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
+# """
+# try:
+# api.Command['hbac_add_accesstime'](
+# self.rule_name, accesstime=self.rule_time_fail
+# )
+# except errors.ValidationError:
+# pass
+# else:
+# assert False
def test_6_hbac_find(self):
"""