Diffstat (limited to 'ipaclient/remote_plugins/2_164/permission.py')
-rw-r--r-- | ipaclient/remote_plugins/2_164/permission.py | 1099 |
1 files changed, 1099 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_164/permission.py b/ipaclient/remote_plugins/2_164/permission.py
new file mode 100644
index 000000000..94cd1bbaa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/permission.py
@@ -0,0 +1,1099 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable wrapper around a 389-ds Access Control Rule, +or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add, delete, read, search, + or compare. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. search - search on one or more attributes +4. compare - compare one or more attributes +5. add - add a new entry to the tree +6. delete - delete an existing entry +7. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. subtree: a DN; the permission applies to the subtree under this DN +2. target filter: an LDAP filter +3. 
target: DN with possible wildcards, specifies entries permission applies to + +Additionally, there are the following convenience options. +Setting one of these options will set the corresponding attribute(s). +1. type: a type of object (user, group, etc); sets subtree and target filter. +2. memberof: apply to members of a group; sets target filter +3. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership); sets target. + +Managed permissions + +Permissions that come with IPA by default can be so-called "managed" +permissions. These have a default set of attributes they apply to, +but the administrator can add/remove individual attributes to/from the set. + +Deleting or renaming a managed permission, as well as changing its target, +is not allowed. + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the 
permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + label=_(u'Bind rule type'), + ), + parameters.Str( + 'ipapermlocation', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + ), + parameters.Str( + 'subtree', + 
required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + alwaysask=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermbindruletype', + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + autofill=True, + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, 
but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + alwaysask=True, + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI (internal command)") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermissiontype', + multivalue=True, + label=_(u'Permission flags'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + 
doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + cli_name='defaultattrs', + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets 
target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + 
cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + 
multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) |