diff options
Diffstat (limited to 'ipaclient/remote_plugins/2_164/krbtpolicy.py')
-rw-r--r-- | ipaclient/remote_plugins/2_164/krbtpolicy.py | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_164/krbtpolicy.py b/ipaclient/remote_plugins/2_164/krbtpolicy.py new file mode 100644 index 000000000..42a4b2bc7 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/krbtpolicy.py @@ -0,0 +1,266 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos ticket policy + +There is a single Kerberos ticket policy. This policy defines the +maximum ticket lifetime and the maximum renewal age, the period during +which the ticket is renewable. + +You can also create a per-user ticket policy by specifying the user login. + +For changes to the global policy to take effect, restarting the KDC service +is required, which can be achieved using: + +service krb5kdc restart + +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). + +EXAMPLES: + + Display the current Kerberos ticket policy: + ipa krbtpolicy-show + + Reset the policy to the default: + ipa krbtpolicy-reset + + Modify the policy to 8 hours max life, 1-day max renewal: + ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400 + + Display effective Kerberos ticket policy for user 'admin': + ipa krbtpolicy-show admin + + Reset per-user policy for user 'admin': + ipa krbtpolicy-reset admin + + Modify per-user policy for user 'admin': + ipa krbtpolicy-mod admin --maxlife=3600 +""") + +register = Registry() + + +@register() +class krbtpolicy(Object): + takes_params = ( + parameters.Str( + 'uid', + required=False, + primary_key=True, + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + parameters.Int( + 'krbmaxticketlife', + required=False, + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + ) + + +@register() +class krbtpolicy_mod(Method): + __doc__ = _("Modify Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxticketlife', + required=False, + cli_name='maxlife', + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + cli_name='maxrenew', + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_reset(Method): + __doc__ = _("Reset Kerberos ticket policy to the default values.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_show(Method): + __doc__ = _("Display the current Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) |