diff options
author | Petr Vobornik <pvoborni@redhat.com> | 2014-10-02 16:57:08 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2014-10-17 14:11:35 +0200 |
commit | 59ee6314afc7f0f7735ab1349caa970f0f00d78a (patch) | |
tree | f1269db1d7a48c144f0cb2824b25056514439490 /ACI.txt | |
parent | 6f81217c18a416dcbd23360ad3d7f3fea0174fc0 (diff) | |
download | freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.tar.gz freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.tar.xz freeipa-59ee6314afc7f0f7735ab1349caa970f0f00d78a.zip |
keytab manipulation permission management
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used on many places and most likely will be also used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ACI.txt')
-rw-r--r-- | ACI.txt | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -95,6 +95,8 @@ aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(versi dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=computers,cn=accounts,dc=ipa,dc=example +aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = "description || ipaassignedidview || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";) @@ -193,6 +195,8 @@ aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:Sys dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=services,cn=accounts,dc=ipa,dc=example +aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";) |