freeipa.git/ipalib/plugins/role.py, branch webui_isolate FreeIPA patches ipalib: move server-side plugins to ipaserver 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-04-28T08:30:05+00:00 6e44557b601f769d23ee74555a72e8b5cc62c0c9 Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
ipalib: use relative imports for cross-plugin imports 2016-05-25T14:06:26+00:00 Jan Cholasta jcholast@redhat.com 2016-04-20T13:41:34+00:00 9e3c16e322ffc65e7d0799bcfbadec5df0ce1ad6 This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
Remove wildcard imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T18:04:20+00:00 e1192ebd975bc17aa600030eecbaed6660dc7733 Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Wildcard imports should not be used.

Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove unused imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T15:06:03+00:00 e4075b1fe26a608cd1f3778ee1f655a5f5700c65 This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
speed up indirect member processing 2015-04-27T05:55:04+00:00 Petr Vobornik pvoborni@redhat.com 2015-03-31T08:59:37+00:00 4364ac08c538e3a4253804f523707092b34c2ed2 the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
the old implementation tried to get all entries which are member of group.
That means also user. User can't have any members therefore this costly
processing was unnecessary.

New implementation reduces the search only to entries which have members.

Also page size was removed to avoid paging by small pages(default size: 100)
which is very slow for many members.

https://fedorahosted.org/freeipa/ticket/4947

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Do not require description in UI. 2014-09-29T10:53:43+00:00 David Kupka dkupka@redhat.com 2014-09-26T06:54:28+00:00 cd9a4cca1fe17998a342fde000ece5bf46d13d27 Description attribute is not required in LDAP schema so there is no reason to require it in UI. Modified tests to reflect this change. https://fedorahosted.org/freeipa/ticket/4387 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.

https://fedorahosted.org/freeipa/ticket/4387

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Support delegating RBAC roles to service principals 2014-08-21T12:07:01+00:00 Petr Viktorin pviktori@redhat.com 2014-08-18T14:49:40+00:00 8fabd6dde152fc394bd4f093d93c8a46e5b2851b https://fedorahosted.org/freeipa/ticket/3164 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3164

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert Role default permissions to managed 2014-06-24T11:53:40+00:00 Petr Viktorin pviktori@redhat.com 2014-06-04T15:39:10+00:00 820a60420da09dc52c7bd739d47b3bfad4da1b42 Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Make sure member* attrs are always granted together in read permissions 2014-06-11T11:21:30+00:00 Petr Viktorin pviktori@redhat.com 2014-06-10T10:31:29+00:00 b6258d08d6c5605b32151654c6259f7c77f1a32b Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost

Add all of these to any read permission that specifies any of them.

Add a check to makeaci that will enforce this for any future permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Make 'permission' the default bind type for managed permissions 2014-06-11T11:21:29+00:00 Petr Viktorin pviktori@redhat.com 2014-06-09T15:59:53+00:00 2f3cdba54620989afba0ce1b423cddb56b841ab3 This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous'). Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any priviliges. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>