path: root/ipalib/plugins/permission.py
Commit message | Author | Date | Files | Lines (-/+)
* Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy | Rob Crittenden | 2010-12-17 | 1 | -0/+1
We keep LDAP attributes lower-case elsewhere in the API, so we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general, and we have decided separately to not clear out enrolledBy when a host is unenrolled, so dropping it is the obvious thing to do. ticket 597
* Catch ACI errors better when adding a permission. | Rob Crittenden | 2010-12-17 | 1 | -3/+17
We create the aci with the --test flag to test its validity but it doesn't do the same level of tests that actually adding an aci to LDAP does. Catch any syntax errors that get thrown and clean up as best we can. ticket 621
* Fix the change_password permissions and the DNS access controls. | Rob Crittenden | 2010-12-17 | 1 | -1/+1
The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628
* Better handle permission object updates versus aci object updates. | Rob Crittenden | 2010-12-13 | 1 | -7/+10
Permissions are a real group pointed to by an aci, managed by the same plugin. Any given update can update one or both or neither. Do a better job at determining what it is that needs to be updated and handle the case where only the ACI is updated so that EmptyModList is not thrown. ticket 603
* Add plugin to manage self-service ACIs | Rob Crittenden | 2010-12-08 | 1 | -1/+2
This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. ticket 531
* Re-implement access control using an updated model. | Rob Crittenden | 2010-12-01 | 1 | -0/+363
The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
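The model this commit describes (a permission is a group plus an ACI, the two linked by the permission name appearing as the acl name, with group membership stored in the reverse direction behind the scenes) and the two rules from the 2010-12-17 commit further up (attribute names in ACIs are lower-case, and no two ACIs may point at one permission) are illustrated by the following added example. It is not code from FreeIPA or from ipalib/plugins/permission.py. The DN layout (cn=pbac, cn=accounts), the "permission:" prefix on the acl name, the Pbac class and the sample ACIs are all assumptions constructed for illustration, and the ACI grammar recognised here is a simplified subset of what 389-DS accepts (one targetattr list, one acl name, one "allow (...) groupdn" bind rule, optional target).

```python
import re

# Added illustration of the permission/privilege/role model; not FreeIPA's own code.
# DN layout and the "permission:" acl-name prefix are assumptions for this example.
BASE = "dc=example,dc=com"
PERMISSION_PREFIX = "permission:"


def perm_dn(name):
    return "cn=%s,cn=permissions,cn=pbac,%s" % (name, BASE)


def priv_dn(name):
    return "cn=%s,cn=privileges,cn=pbac,%s" % (name, BASE)


def role_dn(name):
    return "cn=%s,cn=roles,cn=accounts,%s" % (name, BASE)


def user_dn(uid):
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, BASE)


# Simplified 389-DS ACI grammar: optional target, one targetattr list, one acl name,
# one "allow (...) groupdn" clause.  Real ACIs allow more clause orders and bind rules.
ACI_RE = re.compile(
    r'(?:\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\))?'
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*groupdn\s*=\s*"ldap:///(?P<groupdn>[^"]*)";\s*\)'
)


def parse_aci(aci):
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    return {
        "target": m.group("target"),
        "attrs": [a.strip() for a in m.group("attrs").split("||")],
        "name": m.group("name"),
        "rights": [r.strip() for r in m.group("rights").split(",")],
        "groupdn": m.group("groupdn"),
    }


def check_permission_acis(acis):
    """Rules from the log above: lower-case attribute names, exactly one ACI per
    permission, and the ACI granting to the permission's own group."""
    problems, seen = [], set()
    for aci in acis:
        p = parse_aci(aci)
        for attr in p["attrs"]:
            if attr != attr.lower():
                problems.append("%s: attribute %r is not lower-case" % (p["name"], attr))
        if not p["name"].startswith(PERMISSION_PREFIX):
            continue
        perm = p["name"][len(PERMISSION_PREFIX):]
        if perm in seen:
            problems.append("%s: a second ACI points at permission %r" % (p["name"], perm))
        seen.add(perm)
        if p["groupdn"] != perm_dn(perm):
            problems.append("%s: groupdn %r is not the permission's group" % (p["name"], p["groupdn"]))
    return problems


class Pbac:
    """In-memory stand-in for the LDAP 'member' attribute on permission, privilege and role groups."""

    def __init__(self):
        self.member = {}

    def _add(self, group, entry):
        self.member.setdefault(group, set()).add(entry)

    # API direction: permissions go into privileges, privileges into roles, users into roles.
    # Behind the scenes the 'member' value lands on the more granular group
    # (permission -> privilege -> role -> user): the reverse membership the commit mentions.
    def add_permission_to_privilege(self, permission, privilege):
        self._add(permission, privilege)

    def add_privilege_to_role(self, privilege, role):
        self._add(privilege, role)

    def add_user_to_role(self, user, role):
        self._add(role, user)

    def transitive_members(self, group):
        seen, stack = set(), [group]
        while stack:
            for m in self.member.get(stack.pop(), ()):
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen

    def effective_acis(self, user, acis):
        """Names of the ACIs whose groupdn the user is a (nested) member of."""
        return {p["name"] for p in map(parse_aci, acis)
                if user in self.transitive_members(p["groupdn"])}


# Constructed sample ACIs (not taken from any FreeIPA release).
GOOD_ACI = ('(targetattr = "krbprincipalkey || krblastpwdchange")'
            '(version 3.0;acl "permission:manage_host_keytab";allow (write) '
            'groupdn = "ldap:///%s";)' % perm_dn("manage_host_keytab"))
CAMEL_ACI = ('(target = "ldap:///uid=*,cn=users,cn=accounts,%s")(targetattr = "userPassword")'
             '(version 3.0;acl "permission:change_password";allow (write) '
             'groupdn = "ldap:///%s";)' % (BASE, perm_dn("change_password")))
DUP_ACI = ('(targetattr = "enrolledby")(version 3.0;acl "permission:manage_host_keytab";'
           'allow (write) groupdn = "ldap:///%s";)' % perm_dn("manage_host_keytab"))


def demo():
    pbac = Pbac()
    pbac.add_permission_to_privilege(perm_dn("manage_host_keytab"), priv_dn("host_enrollment"))
    pbac.add_privilege_to_role(priv_dn("host_enrollment"), role_dn("host_administrators"))
    pbac.add_user_to_role(user_dn("hostadmin"), role_dn("host_administrators"))
    problems = check_permission_acis([GOOD_ACI, CAMEL_ACI, DUP_ACI])
    granted = pbac.effective_acis(user_dn("hostadmin"), [GOOD_ACI, CAMEL_ACI])
    return problems, granted


if __name__ == "__main__":
    found, acls = demo()
    print("\n".join(found))
    print(sorted(acls))
```

Running the block reports the camel-case userPassword attribute and the second ACI on manage_host_keytab as problems, and shows that hostadmin reaches the manage_host_keytab ACI only through the role, privilege and permission groups, never by being a direct member of the permission.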