From c63b675de813381de32f9e8b7f78a59cd35bd7dc Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 10 Dec 2008 13:23:21 +0100
Subject: finished with updates to tree example
---
 policy_dit.txt | 365 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 205 insertions(+), 160 deletions(-)
diff --git a/policy_dit.txt b/policy_dit.txt
index 39e19c0..0c21316 100644
--- a/policy_dit.txt
+++ b/policy_dit.txt
@@ -1,3 +1,9 @@
+# Changelog: after the call 2008-12-04 I've made the follwoing changes:
+# - introduced a 'uniqueName' attribute for all objects with nsuniqueid as
+# RDN. So far this attribute does not exist in a commen schema, maybe we
+# should call it ipaUniqueName if we define it ourself.
+# - introducded policygroups
+# - renamed cn=IPAAction,cn=applications,... to cn=allApps,cn=applications,...
 dn: cn=policies_and_roles,...
 | objectclass:
 | cn: policies_and_roles,
@@ -26,7 +32,7 @@ dn: cn=policies_and_roles,...
 | | \--- dn: nsuniqueid=9123751325,...
 | | | objectclass: IPAPolicyTemplate
 | | | nsuniqueid: 9123751325
-| | | cn: sudo_config_1
+| | | uniqueName: sudo_config_1
 | | | description: blahblah
 | | | policytype: config
 | | | schema: file:///var/lib/ipa/policy/sudo_config_1.rng
@@ -35,21 +41,21 @@ dn: cn=policies_and_roles,...
 | | \--- dn: nsuniqueid=3124324214,...
 | | objectclass: IPAPolicyTemplate
 | | nsuniqueid: 3124324214
+| | uniqueName: sudo_config_2
 | | description: yadayada
-| | cn: sudo_config_2
 | | policytype: config
 | | schema: file:///var/lib/ipa/policy/sudo_config_2.rng
 | | transformation: file:///var/lib/ipa/policy/sudo_config_2.xslt
 | |
-| \--- dn: cn=IPAAction,...
+| \--- dn: cn=allApps,...
 | | | objectclass:
-| | | cn: IPAAction
-| | | description: Location of the generic policy template for action policies
+| | | cn: allApps
+| | | description: Location of the generic policy template for action policies and maybe other templates which are valid for all applications
 | | |
 | | \--- dn: nsuniqueid=0432412,...
 | | objectclass: IPAPolicyTemplate
 | | nsuniqueid: 0432412
-| | cn: IPAAction
+| | uniqueName: IPAAction
 | | description: Template for action policies
 | | policytype: action
 | | schema: file:///var/lib/ipa/policy/ipaaction.rng
@@ -63,193 +69,232 @@ dn: cn=policies_and_roles,... | \--- dn: nsuniqueid=324624365,... | objectclass: IPAPolicyTemplate | nsuniqueid: 324624365 +| uniqueName: role_example_1 | description: An example of a role policy template -| cn: role_example_1 | policytype: role | schema: file:///var/lib/ipa/policy/role_example_1.rng | transformation: file:///var/lib/ipa/policy/role_example_1.xslt | -\--- dn: cn=policies,... +\--- dn: cn=policygroups,... | | objectclass: -| | cn: policies -| | # The container "policies" is used to store the policy objects. -| | # These object mainly define a connection between the policy templates -| | # and the blobs containing the actual, user defined policies. But -| | # because of the importance of these objects and the necessity of -| | # some specific attributes we will not use the generic association -| | # object here, but the objectclass IPAPolicy. +| | cn: policygroups +| | # A policy group is a collection of one or more policies which can be +| | # associated as a whole to a host or a groups of hosts. Besides this +| | # another reason to introduce policy groups is delegation. With the +| | # proposed structure it is easy to set ACIs and delegate the +| | # administration. +| | # To define an order if more than one policy group is assigned to a +| | # host we use an order attribute holding the nsuniqueid of all policy +| | # groups +| | order: nsuniqueid=..., nsuniqueid=..., nsuniqueid=... +| | # Each policy group will have an order attribute, too. This is use to +| | # give a priority to the policies in the policy group. +| | # +| | # +| | # | | -| \--- dn: nsuniqueid=943943594351,... -| | objectclass: IPAPolicy -| | nsuniqueid=943943594351 -| | description: A Sudo Policy -| | policytemplate: ldap://.../nsuniqueid=9123751325,... -| | # policytemplate links the policy to its template, this can be -| | # used to access the type of the policy for the UI or the schema -| | # file to validate the policy. 
-| | priority: 1 -| | # priority defines the priority of the policy with respect to -| | # the other policies from the same template. I would suggest to -| | # define 1 or 0 as the highest priority. This way you can easy -| | # add new policies to the end, i.e. with the lowest priority. -| | enabledPolicy: true -| | appliedPolicy: ldap://.../nsuniqueid=1324242,... -| | # this is the blob of the currently applied policy, single-value -| | # attribute -| | editedPolicy: ldap://.../nsuniqueid=6454235,... -| | # multi-value attribute with pointers to other versions of the -| | # blob. The idea is to store a lastChangeType with the blob to -| | # reflect the state of the blob: -| | # -| | # edited: last action was a change of the blob -| | # rolledback: blob was applied, but replaced by the latest -| | # 'superseded' one -| | # applied: the currently active blob -| | # superseded: blob was applied, but replaye by a newer version -| | # -| | # With this classification the following action are allowed: -| | # -| | # edit: edit a 'edited', 'rolledback' or 'superseded' policy. -| | # New state: edited. -| | # copy: create a new blob from any existing. New state: edited. -| | # apply: make an 'edited' blob 'applied'. Old 'applied' is now -| | # 'superseded'. -| | # rollback: make the lastest 'supersede' active. Old 'applied' -| | # is now 'rolledback'. -| | # -| | policyVersion: 11 -| | # version of the policy, updated every time appliedPolicy or -| | # priority change -| | -| \--- dn: nsuniqueid=3565435,... -| | objectclass: IPAPolicy -| | nsuniqueid=3565435 -| | description: Another Sudo Policy -| | policytemplate: ldap://.... -| | priority: 2 -| | enabledPolicy: true -| | appliedPolicy: ldap://..... -| | editedPolicy: ldap://............. -| | policyVersion: 16 -| | -| \--- dn: nsuniqueid=4555555,... -| | objectclass: IPAPolicy -| | nsuniqueid=4555555 -| | description: An example of a role policy -| | policytemplate: ldap://.../nsuniqueid=324624365,... 
-| | priority: 1 -| | enabledPolicy: true -| | appliedPolicy: ldap://.../nsuniqueid=3213122312,... -| | editedPolicy: ldap://.../nsuniqueid=,... -| | policyVersion: 12 -| | -| \--- dn: nsuniqueid=87887888,... -| objectclass: IPAPolicy -| nsuniqueid=87887888,... -| description: An example of an action policy -| policytemplate: ldap://.../nsuniqueid=0432412,... -| priority: 1 -| enabledPolicy: true -| appliedPolicy: ldap://.../nsuniqueid=2121332432,... -| editedPolicy: ldap://.../nsuniqueid=,... -| policyVersion: 16 -| -\--- dn: cn=policydata,... -| | objectclass: -| | cn: policydata -| | # policydata is a container for the compressed XML policy blobs -| | # together with some metadata. If the blob should not be stored in -| | # the DS an attribute like policyBlobUri can be used. -| | -| \--- dn: nsuniqueid=1324242,... -| | objectlass: IPAPolicyData -| | nsuniqueid: 1324242 -| | policyBlob: -| | lastChageBy: sbose -| | lastChanged: 4214425532 -| | lastChangeType: activated -| | policy: ldap://.../nsuniqueid=943943594351,... -| | -| \--- dn: nsuniqueid=6454235,... -| | objectlass: IPAPolicyData -| | nsuniqueid: 6454235 -| | policyBlob: -| | lastChageBy: sbose -| | lastChanged: 4214425532 -| | lastChangeType: superseded -| | policy: ldap://.../nsuniqueid=943943594351,... +| \--- dn: nsuniqueid=90093212,... +| | | objectclass: ipaPolicyGroup +| | | nsuniqueid: 90093212 +| | | uniqueName: Example_PolGrp +| | | description: this is an example of a policy group +| | | order: nsuniqueid=..., nsuniqueid=..., nsuniqueid=... +| | | enabledPolicyGroup: true +| | | allowedTemplate: nsuniqueid= +| | | allowedTemplate: nsuniqueid= +| | | allowedTemplate: nsuniqueid= +| | | # allowedTemplate is a multi value attribute where the +| | | # administrator can list policy templates which are allowed to +| | | # be added to the policy group. This restriction should be +| | | # checked by the UL/CLI and by the client, too. 
+| | | # The policies belonging to a policy group will be stored as +| | | # children of the policy group object: +| | | # +| | \--- dn: nsuniqueid=943943594351,... +| | | | objectclass: IPAPolicy +| | | | nsuniqueid=943943594351 +| | | | uniqueName=sudoPolicy_1 +| | | | description: A Sudo Policy +| | | | policytemplate: ldap://.../nsuniqueid=9123751325,... +| | | | # policytemplate links the policy to its template, this can be +| | | | # used to access the type of the policy for the UI or the schema +| | | | # file to validate the policy. +| | | | priority: 1 +| | | | # priority defines the priority of the policy with respect to +| | | | # the other policies from the same template. I would suggest to +| | | | # define 1 or 0 as the highest priority. This way you can easy +| | | | # add new policies to the end, i.e. with the lowest priority. +| | | | enabledPolicy: true +| | | | appliedPolicy: ldap://.../nsuniqueid=1324242,... +| | | | # this is the blob of the currently applied policy, single-value +| | | | # attribute +| | | | editedPolicy: ldap://.../nsuniqueid=6454235,... +| | | | # multi-value attribute with pointers to other versions of the +| | | | # blob. The idea is to store a lastChangeType with the blob to +| | | | # reflect the state of the blob: +| | | | # +| | | | # edited: last action was a change of the blob +| | | | # rolledback: blob was applied, but replaced by the latest +| | | | # 'superseded' one +| | | | # applied: the currently active blob +| | | | # superseded: blob was applied, but replaye by a newer version +| | | | # +| | | | # With this classification the following action are allowed: +| | | | # +| | | | # edit: edit a 'edited', 'rolledback' or 'superseded' policy. +| | | | # New state: edited. +| | | | # copy: create a new blob from any existing. New state: edited. +| | | | # apply: make an 'edited' blob 'applied'. Old 'applied' is now +| | | | # 'superseded'. +| | | | # rollback: make the lastest 'supersede' active. 
Old 'applied' +| | | | # is now 'rolledback'. +| | | | # +| | | | policyVersion: 11 +| | | | # version of the policy, updated every time appliedPolicy or +| | | | # priority change +| | | \--- dn: nsuniqueid=1324242,... +| | | | # I still not see the necessity for an extra blob object. +| | | | # What do you think about this, make policyBlob a MAY attribute +| | | | # and policyBlobUrl a MUST. If the blob is stored in the DS +| | | | # policyBlobUrl will point to itself? +| | | | # +| | | | objectlass: IPAPolicyData +| | | | nsuniqueid: 1324242 +| | | | uniqueName: sudoPolicyData_1 +| | | | policyBlobUrl: ldap://.../nsuniqueid=1324242,... +| | | | policyBlob: +| | | | lastChageBy: sbose +| | | | lastChanged: 4214425532 +| | | | lastChangeType: activated +| | | | +| | | \--- dn: nsuniqueid=6454235,... +| | | objectlass: IPAPolicyData +| | | nsuniqueid: 6454235 +| | | uniqueName: sudoPolicyData_2 +| | | policyBlobUrl: ldap://.../nsuniqueid=6454235,... +| | | policyBlob: +| | | lastChageBy: sbose +| | | lastChanged: 4214425532 +| | | lastChangeType: superseded +| | | +| | \--- dn: nsuniqueid=3565435,... +| | | objectclass: IPAPolicy +| | | nsuniqueid=3565435 +| | | uniqueName=sudoPolicy_2 +| | | description: Another Sudo Policy +| | | policytemplate: ldap://.... +| | | priority: 2 +| | | enabledPolicy: true +| | | appliedPolicy: ldap://..... +| | | editedPolicy: ldap://............. +| | | policyVersion: 16 +| | | +| | \--- dn: nsuniqueid=4555555,... +| | | | objectclass: IPAPolicy +| | | | nsuniqueid=4555555 +| | | | uniqueName=app1_role1 +| | | | description: An example of a role policy +| | | | policytemplate: ldap://.../nsuniqueid=324624365,... +| | | | priority: 1 +| | | | enabledPolicy: true +| | | | appliedPolicy: ldap://.../nsuniqueid=3213122312,... +| | | | editedPolicy: ldap://.../nsuniqueid=,... +| | | | policyVersion: 12 +| | | | +| | | \--- dn: nsuniqueid=3213122312,... 
+| | | objectlass: IPAPolicyData +| | | nsuniqueid: 3213122312 +| | | uniqueName: role_data_4_app1 +| | | policyBlobUrl: ldap://.../nsuniqueid=3213122312,... +| | | policyBlob: +| | | lastChageBy: sbose +| | | lastChanged: 4214425532 +| | | lastChangeType: activated +| | | +| | \--- dn: nsuniqueid=87887888,... +| | | objectclass: IPAPolicy +| | | nsuniqueid=87887888 +| | | uniqueName=app2_action1 +| | | description: An example of an action policy +| | | policytemplate: ldap://.../nsuniqueid=0432412,... +| | | priority: 1 +| | | enabledPolicy: true +| | | appliedPolicy: ldap://.../nsuniqueid=2121332432,... +| | | editedPolicy: ldap://.../nsuniqueid=,... +| | | policyVersion: 16 +| | | +| | \--- dn: nsuniqueid=2121332432,... +| | objectlass: IPAPolicyData +| | nsuniqueid: 2121332432 +| | uniqueName: action1_app2 +| | policyBlobUrl: ldap://.../nsuniqueid=2121332432,... +| | policyBlob: +| | lastChageBy: sbose +| | lastChanged: 4214425532 +| | lastChangeType: activated +| | | | -| \--- dn: nsuniqueid=3213122312,... -| | objectlass: IPAPolicyData -| | nsuniqueid: 3213122312 -| | policyBlob: -| | lastChageBy: sbose -| | lastChanged: 4214425532 -| | lastChangeType: activated -| | policy: ldap://.../nsuniqueid=4555555,... | | -| \--- dn: nsuniqueid=2121332432,... -| objectlass: IPAPolicyData -| nsuniqueid: 2121332432 -| policyBlob: -| lastChageBy: sbose -| lastChanged: 4214425532 -| lastChangeType: activated -| policy: ldap://.../nsuniqueid=943943594351,... | -\--- dn: cn=policy_and_role_links,... +\--- dn: cn=policylinks,... | | objectclass: -| | cn: policy_and_role_links -| | # policy_and_role_links contains the policy links, i.e. the -| | # connection between policies and hosts. This example tries to use -| | # the generic ipaAssociation objectclass to make the connection. Here -| | # we have the attributes memberWho, memberWhat, memberWhere, -| | # memberContext, memberFrom and memberWhen. 
-| | # With respect to the mapping of policies to host the attribute -| | # memberWhere clearly will hold the hosts the policies should be -| | # applied to. For the policies I think memberWhat might be the best -| | # choice (What? apply this policy). -| | # When coming to role policies we have to include a list of users and -| | # groups, clearly memberWho, and the name of a role. While memberFrom -| | # and memberWhen does not seem to fit we still have memberContext for -| | # the name of the role. -| | # It would still be possible not to use ipaAssociation for this -| | # purpose, but a special IPAPolicyLink class together with an -| | # auxilary class to hold the additional attributes for role policies. +| | cn: policylinks +| | # policylinks contains the policy links, i.e. the +| | # connection between policy groups and hosts. This example uses +| | # the objectclass ipaPolicyLink which is an extension to the generic +| | # ipaAssociation objectclass. | | | \--- dn: nsuniqueid=58958437,... -| | objectclass: ipaAssociation +| | objectclass: ipaPolicyLink | | nsuniqueid: 58958437 +| | uniqueName: link_sudo_1 | | memberWhere: ldap://..... # hosts and hostsgroups -| | memberWhat: ldap://.../nsuniqueid=943943594351,... # corresponding config or action policy +| | memberPolicyGroup: ldap://.../nsuniqueid=943943594351,... # corresponding config or action policy | | enabledFlag: true | | description: Link a sudo policy and other policies to a number of hosts | | | \--- dn: nsuniqueid=435143511,... -| | objectclass: ipaAssociation +| | objectclass: ipaPolicyLink | | nsuniqueid: 435143511 +| | uniqueName: link_sudo_2 | | memberWhere: ldap://..... -| | memberWhat: ldap://.... +| | memberPolicyGroup: ldap://.... | | enabledFlag: true | | description: Another policy link +| +\--- dn: cn=roleRelations,... +| | objectclass: +| | cn: roleRelations +| | # This container will store the individual role relations of a role +| | # policy. 
The role policies in the policy groups has to be access +| | # separately, because in general it might not be disireable to have a +| | # common relation for all role policies in a policy group. +| | # By role relation we meant the association between a user and its role, +| | # with respect to a role policy/an application on a specific host. +| | # The objectclass ipaRoleRelation is used here which is an extentions of +| | # the generic ipaAssociation. | | | \--- dn: nsuniqueid=59435949843,... -| | objectclass: ipaAssociation +| | objectclass: ipaRoleRelation | | nsuniqueid: 59435949843 -| | memberWhere: ldap://.... # hosts and hostsgroups -| | memberWhat: ldap://.../nsuniqueid=4555555,... # corresponding role policy -| | memberWho: ldap://.... # users and group -| | memberContext: ipa://rolenames/guest # name of the role +| | uniqueName: role_relation_4_app1 +| | memberWhere: ldap://.... # hosts and hostsgroups +| | memberRolePolicy: ldap://.../nsuniqueid=4555555,... # corresponding role policy +| | memberWho: ldap://.... # users and group +| | memberRole: ipa://rolenames/guest # name of the role | | enabledFlag: true | | description: A role relation | | | \--- dn: nsuniqueid=45324324,... -| objectclass: ipaAssociation +| objectclass: rolipaRoleRelation | nsuniqueid: 45324324 +| uniqueName: role2_relation_4_app1 | memberWhere: ldap://.... -| memberWhat: ldap://.../nsuniqueid=4555555,... +| memberRolePolicy: ldap://.../nsuniqueid=4555555,... | memberWho: ldap://.... -| memberContext: ipa://rolename/author +| memberRole: ipa://rolename/author | enabledFlag: false | description: Another role relation | +| +| -- cgit