authorPetr Viktorin <pviktori@redhat.com>2014-06-09 17:53:22 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-11 13:21:29 +0200
commit13bcd03fcfd0cb830f57df905d8c934867c18b6c (patch)
tree43b4a4d48eb895dea9705f01647f51cc6822ae60
parent52a4b54635cca57ac19fb7f4dfa6031001ab925b (diff)
Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py45
1 files changed, 30 insertions, 15 deletions
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index e6f852c09..417e4d9fc 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -274,6 +274,21 @@ class update_managed_permissions(PostUpdate):
ldap.update_entry(base_entry)
+ def get_templates(self):
+ """Return (name, template, obj) triples for all managed permissions
+
+ If the permission is not defined in an object plugin, obj is None.
+ Entries with the same obj are returned consecutively.
+ """
+ for obj in sorted(self.api.Object(), key=lambda o: o.name):
+ managed_permissions = getattr(obj, 'managed_permissions', {})
+ for name, template in sorted(managed_permissions.iteritems()):
+ yield name, template, obj
+
+ for name, template in sorted(NONOBJECT_PERMISSIONS.iteritems()):
+ yield name, template, None
+
+
def execute(self, **options):
ldap = self.api.Backend[ldap2]
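Review bot: The names yielded by get_templates (the `yield name, template, obj` and `yield name, template, None` lines) are the raw dictionary keys, while execute() still wraps each one in `unicode(name)` before passing it to update_permission, so the audit scripts this method is meant for will see a different type from what the permission API receives. Either state this in the docstring or do the conversion once in the generator, e.g. `yield unicode(name), template, obj` and `yield unicode(name), template, None`, so every consumer gets the same value. If the docstring route is chosen, add a line such as `Names are yielded exactly as keyed in the plugin's managed_permissions dict; update_permission converts them with unicode().` Minor style point: two blank lines are added between get_templates and execute, where one blank line between methods is the convention in the rest of the class.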
@@ -284,21 +299,21 @@ class update_managed_permissions(PostUpdate):
else:
self.log.info('Anonymous ACI not found')
- for obj in self.api.Object():
- managed_permissions = getattr(obj, 'managed_permissions', {})
- if managed_permissions:
- self.log.info('Updating managed permissions for %s', obj.name)
- for name, template in managed_permissions.items():
- self.update_permission(ldap,
- obj,
- unicode(name),
- template,
- anonymous_read_aci)
-
- self.log.info('Updating non-object managed permissions')
- for name, template in NONOBJECT_PERMISSIONS.iteritems():
- self.update_permission(ldap, None, unicode(name), template,
- anonymous_read_aci)
+ current_obj = () # initially distinct from any obj value, even None
+ for name, template, obj in self.get_templates():
+ if current_obj != obj:
+ if obj:
+ self.log.info('Updating managed permissions for %s',
+ obj.name)
+ else:
+ self.log.info('Updating non-object managed permissions')
+ current_obj = obj
+
+ self.update_permission(ldap,
+ obj,
+ unicode(name),
+ template,
+ anonymous_read_aci)
if anonymous_read_aci:
self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
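Review bot: The object-change detection at `if current_obj != obj:` and the branch at `if obj:` rely on the plugin objects' equality and truthiness, but get_templates documents obj as either a plugin instance or None, so identity is the test that actually matches that contract: `if current_obj is not obj:` and `if obj is not None:`. With identity checks the `()` sentinel comment still holds and the log line for non-object permissions cannot be skipped if a plugin object ever evaluates false. The body of execute continues past the end of this hunk.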