path: root/ipalib/plugins/aci.py
Commit message | Author | Age | Files | Lines
* Fix the change_password permissions and the DNS access controls. | Rob Crittenden | 2010-12-17 | 1 | -1/+2
  The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin.
  ticket 628
* Add group to group delegation plugin. | Rob Crittenden | 2010-12-13 | 1 | -7/+41
  This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B.
  ticket 532
* Add plugin for manage self-service ACIs | Rob Crittenden | 2010-12-08 | 1 | -14/+23
  This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin.
  ticket 531
* Add more information and examples on targets. | Rob Crittenden | 2010-12-06 | 1 | -6/+33
  ticket 310
* Re-implement access control using an updated model. | Rob Crittenden | 2010-12-01 | 1 | -36/+143
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes).
  A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci.
  ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately).
  This makes the aci plugin internal only.
  ticket 445
* Output ACI's broken out into attributes rather than a single text field | Rob Crittenden | 2010-11-04 | 1 | -73/+77
  Also add validation to the List parameter type.
  ticket 357
* Update command documentation based on feedback from docs team. | Rob Crittenden | 2010-08-27 | 1 | -14/+40
  ticket #158
* Add support for ldap:///self bind rules | Rob Crittenden | 2010-08-19 | 1 | -11/+37
  This is added mainly so the self service rules can be updated without resorting to ldapmodify.
  ticket 80
* Fix aci_mod command. It should handle more complex operations now. | Rob Crittenden | 2010-06-24 | 1 | -12/+64
  The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI.
  I also switched the ACI tests to be declarative and added a lot more cases around the modify operation.
* Remove left-over debugging statement | Rob Crittenden | 2010-05-14 | 1 | -2/+0
* localize doc strings | John Dennis | 2010-03-08 | 1 | -1/+1
  A number of doc strings were not localized, wrap them in _(). Some messages were not localized, wrap them in _().
  Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison.
  Also clean up imports of _(). The import should come from ipalib or ipalib.text, not ugettext from request.
* Translatable Param.label, Param.doc | Jason Gerard DeRose | 2010-02-24 | 1 | -11/+20
* Add Object.label class attribute, enable in webUI | Jason Gerard DeRose | 2010-02-12 | 1 | -0/+3
* Convert to using new result output handling | Rob Crittenden | 2009-12-14 | 1 | -27/+83
  This also inserts the dn into the response when adding a record. We need this in the ACI plugin when adding a taskgroup.
* Use correct attribute for hosts. | Rob Crittenden | 2009-11-25 | 1 | -1/+1
* Fix aci plugin, enhance aci parsing capabilities, add user group support | Rob Crittenden | 2009-09-28 | 1 | -19/+117
  - The aci plugin didn't quite work with the new ldap2 backend.
  - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped).
  - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea.
  - Improve error messages in the aci library
  - Add a bit of documentation to the aci plugin
* Remove outstanding 2's from plugins. | Pavel Zuna | 2009-07-02 | 1 | -6/+6
* Rename *-create/*-delete commands to *-add/*-del respectively. | Pavel Zuna | 2009-07-02 | 1 | -7/+7
* Rename plugins2 to plugins. | Pavel Zuna | 2009-07-02 | 1 | -14/+14
* Rename plugins2 files (remove '2' suffix). | Pavel Zuna | 2009-07-02 | 1 | -0/+386
* Delete plugins using old LDAP backend. | Pavel Zuna | 2009-07-02 | 1 | -462/+0
* Add a reason to the NotFound exception so we can provide more robust errors | Rob Crittenden | 2009-05-13 | 1 | -5/+5
* trivial update to standardize terms in docstring | David O'Brien | 2009-04-28 | 1 | -1/+1
* Rename errors2.py to errors.py. Modify all affected files. | Pavel Zuna | 2009-04-23 | 1 | -14/+14
* Implement a few new targets for ACIs | Rob Crittenden | 2009-03-25 | 1 | -8/+32
  Also switch to the StrEnum parameter type for some options so we let the framework do the enforcement.
* Update the ACI class to be more robust and the beginnings of an ACI plugin | Rob Crittenden | 2009-03-18 | 1 | -0/+438
  The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.