path: root/ipalib/plugins/aci.py
Commit message | Author | Age | Files | Lines
* Fix typos | Yuri Chornoivan | 2011-09-07 | 1 | -2/+2
  Fix "The the" and "classses" in FreeIPA code and messages. https://fedorahosted.org/freeipa/ticket/1480
* Typos in freeIPA messages and man page | Yuri Chornoivan | 2011-05-10 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/1128
* Changed dns permission types | Jan Zeleny | 2011-02-14 | 1 | -2/+2
  Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646
* Fix changing membergroup in a delegation. | Rob Crittenden | 2011-02-01 | 1 | -7/+18
  This is mostly due to inconsistent option name usage but also due to the aci plugin not always treating memberof as a special kind of filter. ticket 869
* Fixed permission lookup | Jan Zeleny | 2011-01-31 | 1 | -1/+10
  Lookup based on --filter wasn't implemented at all. It didn't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality. https://fedorahosted.org/freeipa/ticket/818
* ACI plugin supports prefixes | Martin Kosek | 2011-01-26 | 1 | -20/+75
  When more than one plugin produces ACIs, they share common namespace of ACI name. This may lead to name collisions between the ACIs from different plugins. This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allows plugins to use their own prefixes (i.e. namespaces) which is then used when a name of the ACI is generated. Permission, Delegation and Selfservice plugins have been updated to use their own prefixes thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs have been updated to follow this new policy. Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique. This change requires an IPA server reinstall since the default ACI set has been changed. https://fedorahosted.org/freeipa/ticket/764
* Rename INTERNAL to NO_CLI for commands we hide from the cli. | Rob Crittenden | 2011-01-21 | 1 | -7/+7
  Also make i18n_messages and json_metadata NO_CLI. ticket 821
* Add some basic filter validation to permissions and disallow empty filters | Rob Crittenden | 2011-01-21 | 1 | -4/+14
  Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane. ticket 808
* Display the entries that failed when deleting with --continue. | Rob Crittenden | 2011-01-10 | 1 | -1/+1
  We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
* Setting an empty set of target attributes should raise an exception. | Rob Crittenden | 2011-01-10 | 1 | -29/+32
  It is possible to create an ACI with attributes and then try to set that to None via a mod command later. We need to catch this and raise an exception. If all attributes are set to None in an aci then the attr target is removed from the ACI. This could result in an illegal ACI if there are no other targets. Having no targets is a legal state, just not a legal final state. ticket 647
* Change FreeIPA license to GPLv3+ | Jakub Hrozek | 2010-12-20 | 1 | -5/+5
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Fix the change_password permissions and the DNS access controls. | Rob Crittenden | 2010-12-17 | 1 | -1/+2
  The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628
* Add group to group delegation plugin. | Rob Crittenden | 2010-12-13 | 1 | -7/+41
  This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B. ticket 532
* Add plugin for manage self-service ACIs | Rob Crittenden | 2010-12-08 | 1 | -14/+23
  This is just a thin wrapper around the aci plugin, controlling what types of ACIs can be added. Right now only ACIs in the basedn can be managed with this plugin. ticket 531
* Add more information and examples on targets. | Rob Crittenden | 2010-12-06 | 1 | -6/+33
  ticket 310
* Re-implement access control using an updated model. | Rob Crittenden | 2010-12-01 | 1 | -36/+143
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Output ACI's broken out into attributes rather than a single text field | Rob Crittenden | 2010-11-04 | 1 | -73/+77
  Also add validation to the List parameter type. ticket 357
* Update command documentation based on feedback from docs team. | Rob Crittenden | 2010-08-27 | 1 | -14/+40
  ticket #158
* Add support for ldap:///self bind rules | Rob Crittenden | 2010-08-19 | 1 | -11/+37
  This is added mainly so the self service rules can be updated without resorting to ldapmodify. ticket 80
* Fix aci_mod command. It should handle more complex operations now. | Rob Crittenden | 2010-06-24 | 1 | -12/+64
  The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI. I also switched the ACI tests to be declarative and added a lot more cases around the modify operation.
* Remove left-over debugging statement | Rob Crittenden | 2010-05-14 | 1 | -2/+0
* localize doc strings | John Dennis | 2010-03-08 | 1 | -1/+1
  A number of doc strings were not localized, wrap them in _().
  Some messages were not localized, wrap them in _()
  Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison.
  Also clean up imports of _()
  The import should come from ipalib or ipalib.text, not ugettext from request.
* Translatable Param.label, Param.doc | Jason Gerard DeRose | 2010-02-24 | 1 | -11/+20
* Add Object.label class attribute, enable in webUI | Jason Gerard DeRose | 2010-02-12 | 1 | -0/+3
* Convert to using new result output handling | Rob Crittenden | 2009-12-14 | 1 | -27/+83
  This also inserts the dn into the response when adding a record. We need this in the ACI plugin when adding a taskgroup
* Use correct attribute for hosts. | Rob Crittenden | 2009-11-25 | 1 | -1/+1
* Fix aci plugin, enhance aci parsing capabilities, add user group support | Rob Crittenden | 2009-09-28 | 1 | -19/+117
  - The aci plugin didn't quite work with the new ldap2 backend.
  - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped)
  - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea)
  - Improve error messages in the aci library
  - Add a bit of documentation to the aci plugin
* Remove outstanding 2's from plugins. | Pavel Zuna | 2009-07-02 | 1 | -6/+6
* Rename *-create/*-delete commands to *-add/*-del respectively. | Pavel Zuna | 2009-07-02 | 1 | -7/+7
* Rename plugins2 to plugins. | Pavel Zuna | 2009-07-02 | 1 | -14/+14
* Rename plugins2 files (remove '2' suffix'). | Pavel Zuna | 2009-07-02 | 1 | -0/+386
* Delete plugins using old LDAP backend. | Pavel Zuna | 2009-07-02 | 1 | -462/+0
* Add a reason to the NotFound exception so we can provide more robust errors | Rob Crittenden | 2009-05-13 | 1 | -5/+5
* trivial update to standardize terms in docstring | David O'Brien | 2009-04-28 | 1 | -1/+1
* Rename errors2.py to errors.py. Modify all affected files. | Pavel Zuna | 2009-04-23 | 1 | -14/+14
* Implement a few new targets for ACIs | Rob Crittenden | 2009-03-25 | 1 | -8/+32
  Also switch to the StrEnum parameter type for some options so we let the framework do the enforcement
* Update the ACI class to be more robust and the beginnings of an ACI plugin | Rob Crittenden | 2009-03-18 | 1 | -0/+438
  The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.