diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-12-01 11:23:52 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-12-01 20:42:31 -0500 |
commit | 4ad8055341b9f12c833abdf757755ed95f1b375e (patch) | |
tree | 1733fffdfe47574f2c5eb723e52f88cd58a7e0a4 | |
parent | 85d5bfd1b19b0ed6282a8c6cc056e8e550dde79d (diff) | |
download | freeipa-4ad8055341b9f12c833abdf757755ed95f1b375e.tar.gz freeipa-4ad8055341b9f12c833abdf757755ed95f1b375e.tar.xz freeipa-4ad8055341b9f12c833abdf757755ed95f1b375e.zip |
Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
32 files changed, 3073 insertions, 2525 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 11c2f51df..423922754 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -39,6 +39,7 @@ dn: cn=services,cn=accounts,$SUFFIX changetype: modify add: aci aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) # Define which hosts can edit services # The managedby attribute stores the DN of hosts that are allowed to manage @@ -63,3 +64,7 @@ changetype: modify add: aci aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) +dn: cn=computers,cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 1539ae1d5..7881a029d 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -1,348 +1,757 @@ -dn: cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Configure the DIT +############################################ +dn: cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: rolegroups +cn: roles -dn: cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: taskgroups +cn: privileges +dn: cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: permissions + +############################################ # Add the default roles -dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: helpdesk description: Helpdesk -dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Add the default privileges +############################################ +dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: useradmin description: User Administrators -dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: groupadmin description: Group Administrators -dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostadmin description: Host Administrators -dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostgroupadmin description: Host Group Administrators -dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: delegationadmin description: Role administration -dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: serviceadmin description: Service Administrators -dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: automountadmin description: Automount Administrators -dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: netgroupadmin description: Netgroups Administrators -dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: certadmin +description: Certificate Administrators + +dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: replicaadmin +description: Replication Administrators +member: cn=admins,cn=groups,cn=accounts,$SUFFIX + +dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsadmin -description: DNS Administrators +objectClass: nestedgroup +cn: enrollhost +description: Host Enrollment -dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsserver -description: DNS Servers +objectClass: nestedgroup +cn: entitlementadmin +description: Entitlement Administrators + +############################################ +# Default permissions. +############################################ + +# User administration -dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addusers description: Add Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: change_password description: Change a user password -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: add_user_to_default_group description: Add user to default group -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeusers description: Remove Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyusers description: Modify Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for group administration -dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Group administration + +dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addgroups description: Add Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removegroups description: Remove Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroups description: Modify Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroupmembership description: Modify Group membership -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Host administration -# Add the taskgroups referenced by the ACIs for host administration -dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhosts description: Add Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehosts description: Remove Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhosts description: Modify Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for hostgroup administration -dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Hostgroup administration + +dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhostgroups -description: Add Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Add Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehostgroups -description: Remove Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Remove Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroups -description: Modify Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroupmembership -description: Modify Host Group membership -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroup membership +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Service administration -# Add the taskgroups referenced by the ACIs for service administration -dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addservices description: Add Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeservices description: Remove Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for delegation administration -# This just lets one manage taskgroup membership and create and delete roles -dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhrole +cn: modifyservices +description: Modify Services +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX + +# Delegation administration + +dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addroles description: Add Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeroles description: Remove Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyroles description: Modify Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyrolegroupmembership +cn: modifyrolemembership description: Modify Role Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nestedgroup +cn: modifyprivilegemembership +description: Modify privilege membership +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +# Automount administration -dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifytaskgroupmembership -description: Modify Task Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountmaps +description: Add Automount maps +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for automount administration -dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomount -description: Add Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: removeautomountmaps +description: Remove Automount maps +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomount -description: Remove Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountkeys +description: Add Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for netgroup administration -dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeautomountkeys +description: Remove Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX + +# Netgroup administration + +dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addnetgroups description: Add netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removenetgroups description: Remove netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroups description: Modify netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroupmembership description: Modify netgroup membership -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Keytab access -# Taskgroup for retrieving host keytabs -dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: manage_host_keytab description: Manage host keytab -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX -# Taskgroup for updating the DNS entries -dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_host_keytab -description: Updates DNS -member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +cn: manage_service_keytab +description: Manage service keytab +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=admins,cn=privileges,cn=accounts,$SUFFIX + +# DNS administration + +# The permission and aci for this is in install/updates/dns.ldif + +dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: enroll_host +description: Enroll a host +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX + +# Replica administration + +dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: managereplica +description: Manage Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: deletereplica +description: Delete Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +# Entitlement management + +dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addentitlements +description: Add Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeentitlements +description: Remove Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyentitlements +description: Modify Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +############################################ +# Default permissions (ACIs) +############################################ + +# User administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";) + +# Group administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";) +# We need objectclass and gidnumber in modify so a non-posix group can be +# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. +aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";) + +# Host administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";) + +# Hostgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Service administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";) + +# Delegation administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Automount administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) + +# Netgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Host keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Service keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Allow enrolledBy to be removed when a host is not enrolled + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Add the ACI needed to do host enrollment. When this occurs we +# set the krbPrincipalName, add krbPrincipalAux to objectClass and +# set enrolledBy to whoever ran join. + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Replica administration + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";) + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";) + +# Entitlement administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +# Create virtual operations entry. This is used to control access to +# operations that don't rely on LDAP directly. +dn: cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: virtual operations + +# Retrieve Certificate virtual op +dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: retrieve certificate + +dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: retrieve_certs +description: Retrieve Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate virtual op +dn: cn=request certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate + +dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_certs +description: Request Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate from different host virtual op +dn: cn=request certificate different host,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate different host + +dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_cert_different_host +description: Request Certificates from a different host +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Status virtual op +dn: cn=certificate status,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate status + +dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_status +description: Get Certificates status from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";) + +# Revoke Certificate virtual op +dn: cn=revoke certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: revoke certificate + +dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: revoke_certificate +description: Revoke Certificate +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Remove Hold virtual op +dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate remove hold + +dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_remove_hold +description: Certificate Remove Hold +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index cb783b889..da58955f5 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -3,4 +3,29 @@ changetype: add objectClass: nsContainer objectClass: top cn: dns -aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";) +aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=permissions,cn=accounts,$SUFFIX";) + +dn: cn=update_dns,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: update_dns +description: DNS Servers Updates +member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: dnsadmin +description: DNS Administrators + +dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: dnsserver +description: DNS Servers diff --git a/install/updates/30-rolegroup.update b/install/updates/30-rolegroup.update deleted file mode 100644 index 1417167de..000000000 --- a/install/updates/30-rolegroup.update +++ /dev/null @@ -1,6 +0,0 @@ -# Add the rolegroup container - -dn: cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:cn: rolegroups - diff --git a/install/updates/30-taskgroup.update b/install/updates/30-taskgroup.update deleted file mode 100644 index a98960657..000000000 --- a/install/updates/30-taskgroup.update +++ /dev/null @@ -1,5 +0,0 @@ -# Add the taskgroup container - -dn: cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:cn: taskgroups diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update deleted file mode 100644 index 7dc12d8c9..000000000 --- a/install/updates/40-delegation.update +++ /dev/null @@ -1,732 +0,0 @@ -# Add the default roles - -dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: helpdesk -add:description: Helpdesk - -dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: useradmin -add:description: User Administrators - -dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: groupadmin -add:description: Group Administrators - -dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: hostadmin -add:description: Host Administrators - -dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: hostgroupadmin -add:description: Host Group Administrators - -dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: delegationadmin -add:description: Role administration - -dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: serviceadmin -add:description: Service Administrators - -dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: automountadmin -add:description: Automount Administrators - -dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: netgroupadmin -add:description: Netgroups Administrators - -dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: dnsadmin -add:description: DNS Administrators - -dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: dnsserver -add:description: DNS Servers - -dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: certadmin -add:description: Certificate Administrators - -dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: replicaadmin -add:description: Replication Administrators -add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX' - -dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: enrollhost -add:description: Host Enrollment - -dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: entitlementadmin -add:description: Entitlement Administrators - -# Add the taskgroups referenced by the ACIs for user administration - -dn: cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:objectClass: top -add:cn: taskgroups - -dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addusers -add:description: Add Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: change_password -add:description: Change a user password -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: add_user_to_default_group -add:description: Add user to default group -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeusers -add:description: Remove Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyusers -add:description: Modify Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for user administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb - aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri - te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX - ";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri - te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t - askgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials - || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN - umber || telephoneNumber || street || roomNumber || l || st || postalCode || - manager || secretary || description || carLicense || labeledURI || inetUserHT - TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry - || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX") - (version 3.0;acl "Modify Users";allow (write) groupdn = - "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for group administration - -dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addgroups -add:description: Add Groups -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removegroups -add:description: Remove Groups -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifygroups -add:description: Modify Groups -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifygroupmembership -add:description: Modify Group membership -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for group administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri - te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t - askgroups,cn=accounts,$SUFFIX";)' -# we need objectclass and gidnumber in modify so a non-posix group can be -# promoted -add:aci: '(targetattr = "cn || description || gidnumber || objectclass || - mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX") - (version 3.0;acl "Modify Groups";allow (write) groupdn = - "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for host administration - -dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhosts -add:description: Add Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removehosts -add:description: Remove Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyhosts -add:description: Modify Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for host administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "description || l || nshostlocation || - nshardwareplatform || nsosversion") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; - acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for hostgroup administration - -dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhostgroups -add:description: Add Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removehostgroups -add:description: Remove Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyhostgroups -add:description: Modify Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyhostgroupmembership -add:description: Modify Host Group membership -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for hostgroup administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn= - removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn= - hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow - (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups, - cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri - te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for service administration - -dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addservices -add:description: Add Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeservices -add:description: Remove Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyservices -add:description: Modify Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for service administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, - $SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn - =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, - $SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap - :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal - name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services" - ;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco - unts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for delegation administration -# This just lets one manage taskgroup membership and create and delete roles - -dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhrole -add:description: Add Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeroles -add:description: Remove Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyroles -add:description: Modify Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyrolegroupmembership -add:description: Modify Role Group membership -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifytaskgroupmembership -add:description: Modify Task Group membership -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for delegation administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro - ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou - pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri - te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri - te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for automount administration - -dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addautomount -add:description: Add Automount maps/keys -add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeautomount -add:description: Remove Automount maps/keys -add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for service administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for netgroup administration - -dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addnetgroups -add:description: Add netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removenetgroups -add:description: Remove netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifynetgroups -add:description: Modify netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifynetgroupmembership -add:description: Modify netgroup membership -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for netgroup administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version - 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version - 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn= - removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng, - cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn - = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "memberhost || externalhost || memberuser || member") - (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo - dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou - pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Taskgroup for retrieving host keytabs -dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: manage_host_keytab -add:description: Manage host keytab -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACI needed to do host keytab admin -dn: $SUFFIX -add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") - (version 3.0;acl "Manage host keytab"; - allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Taskgroup for enrolling hosts. Note that this also requires -# manage_host_keytab access -dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: enroll_host -add:description: Enroll a host -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACI needed to do host enrollment. When this occurs we -# set the krbPrincipalName, add krbPrincipalAux to objectClass and -# set enrolledBy to whoever ran join. -dn: $SUFFIX -add:aci: '(targetattr = "enrolledBy || objectClass") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") - (version 3.0;acl "Enroll a host"; - allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Taskgroup for updating the DNS entries -dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: update_sn -add:description: Updates DNS -add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX' - -# Create virtual operations entry. This is used to control access to -# operations that don't rely on LDAP directly. -dn: cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: virtual operations - -# Retrieve Certificate virtual op -dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: retrieve certificate - -# Taskgroup for retrieving certs -dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: retrieve_certs -add:description: Retrieve SSL Certificates -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=retrieve certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the - CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Request Certificate virtual op -dn: cn=request certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: request certificate - -# Taskgroup for requesting certs -dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: request_certs -add:description: Request a SSL Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=request certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Request Certificates from the - CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Request Certificate from different host virtual op -dn: cn=request certificate different host,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: request certificate different host - -# Taskgroup for requesting certs from a different host -dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: request_cert_different_host -add:description: Request a SSL Certificate from a different host -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=request certificate different host,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Request Certificates from a - different host" ; allow (write) groupdn = "ldap:///cn=request_cert - _different_host,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Certificate Status virtual op -dn: cn=certificate status,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: certificate status - -# Taskgroup for requesting certs -dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: certificate_status -add:description: Status of cert request -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=certificate status,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Get Certificates status from the - CA" ; allow (write) groupdn = "ldap:///cn=certificate_status, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Revoke Certificate virtual op -dn: cn=revoke certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: revoke certificate - -# Taskgroup for requesting certs -dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: revoke_certificate -add:description: Revoke Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=revoke certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Revoke Certificate" - ; allow (write) groupdn = "ldap:///cn=revoke_certificate, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Revoke Certificate virtual op -dn: cn=revoke certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: revoke certificate - -# Taskgroup for requesting certs -dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: revoke_certificate -add:description: Revoke Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=revoke certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Revoke Certificate" - ; allow (write) groupdn = "ldap:///cn=revoke_certificate, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Certificate Remove Hold virtual op -dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: certificate remove hold - -# Taskgroup for requesting certs -dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: certificate_remove_hold -add:description: Certificate Remove Hold -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=certificate remove hold,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold" - ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Taskgroup for managing replicas -dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: managereplica -add:description: Manage Replication Agreements -add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Taskgroup for deleting replicas -dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: deletereplica -add:description: Delete Replication Agreements -add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add acis allowing admins to read/write/delete replicas -dn: cn="$SUFFIX",cn=mapping tree,cn=config -add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica) - (objectclass=nsds5replicationagreement)(objectclass= - nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage - replication agreements"; allow (read, write, search) groupdn = - "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: cn="$SUFFIX",cn=mapping tree,cn=config -add: aci: '(targetattr=*)(targetfilter="(|(objectclass= - nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement - ))")(version 3.0;acl "Delete replication agreements";allow (delete) - groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Entitlement management -dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addentitlements -add:description: Add Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeentitlements -add:description: Remove Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyentitlements -add:description: Modify Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: $SUFFIX -add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 72acf7f4a..48f53d21d 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -13,9 +13,6 @@ app_DATA = \ 30-hbacsvc.update \ 30-groupofhosts.update \ 30-netgroups.update \ - 30-rolegroup.update \ - 30-taskgroup.update \ - 40-delegation.update \ $(NULL) EXTRA_DIST = \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 77a30aa57..32c6450dd 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -84,8 +84,9 @@ DEFAULT_CONFIG = ( ('container_service', 'cn=services,cn=accounts'), ('container_host', 'cn=computers,cn=accounts'), ('container_hostgroup', 'cn=hostgroups,cn=accounts'), - ('container_rolegroup', 'cn=rolegroups,cn=accounts'), - ('container_taskgroup', 'cn=taskgroups,cn=accounts'), + ('container_rolegroup', 'cn=roles,cn=accounts'), + ('container_permission', 'cn=permissions,cn=accounts'), + ('container_privilege', 'cn=privileges,cn=accounts'), ('container_automount', 'cn=automount'), ('container_policies', 'cn=policies'), ('container_configs', 'cn=configs,cn=policies'), diff --git a/ipalib/errors.py b/ipalib/errors.py index 86cd60d11..58799628d 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -961,12 +961,12 @@ class NotGroupMember(ExecutionError): >>> raise NotGroupMember() Traceback (most recent call last): ... - NotGroupMember: This entry is not a member of the group + NotGroupMember: This entry is not a member """ errno = 4012 - format = _('This entry is not a member of the group') + format = _('This entry is not a member') class RecursiveGroup(ExecutionError): """ @@ -993,12 +993,12 @@ class AlreadyGroupMember(ExecutionError): >>> raise AlreadyGroupMember() Traceback (most recent call last): ... - AlreadyGroupMember: This entry is already a member of the group + AlreadyGroupMember: This entry is already a member """ errno = 4014 - format = _('This entry is already a member of the group') + format = _('This entry is already a member') class Base64DecodeError(ExecutionError): """ diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 153798924..c0f47e301 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -28,11 +28,11 @@ existing entries or adding or deleting new ones. The goal of the ACIs that ship with IPA is to provide a set of low-level permissions that grant access to special groups called taskgroups. These low-level permissions can be combined into roles that grant broader access. These -roles are another type of group, rolegroups. +roles are another type of group, roles. For example, if you have taskgroups that allow adding and modifying users you -could create a rolegroup, useradmin. You would assign users to the useradmin -rolegroup to allow them to do the operations defined by the taskgroups. +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. You can create ACIs that delegate permission so users in group A can write attributes on group B. @@ -64,7 +64,7 @@ be editabe. The bind rule defines who this ACI grants permissions to. The LDAP server allows this to be any valid LDAP entry but we encourage the use of -taskgroups so that the rights can be easily shared through rolegroups. +taskgroups so that the rights can be easily shared through roles. For a more thorough description of access controls see http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html @@ -80,6 +80,9 @@ EXAMPLES: Add an ACI that allows members of the "addusers" taskgroup to add new users: ipa aci-add --type=user --taskgroup=addusers --permissions=add "Add new users" + Add an ACI that lets members of the edotors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors "Editors manage admins" + The show command shows the raw 389-ds ACI. IMPORTANT: When modifying the target attributes of an existing ACI you @@ -148,25 +151,25 @@ def _make_aci(current, aciname, kw): raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required')) group = 'group' in kw - taskgroup = 'taskgroup' in kw + permission = 'permission' in kw selfaci = 'selfaci' in kw and kw['selfaci'] == True - if group + taskgroup + selfaci > 1: - raise errors.ValidationError(name='target', error=_('group, taskgroup and self are mutually exclusive')) - elif group + taskgroup + selfaci == 0: - raise errors.ValidationError(name='target', error=_('One of group, taskgroup or self is required')) + if group + permission + selfaci > 1: + raise errors.ValidationError(name='target', error=_('group, permission and self are mutually exclusive')) + elif group + permission + selfaci == 0: + raise errors.ValidationError(name='target', error=_('One of group, permission or self is required')) # Grab the dn of the group we're granting access to. This group may be a - # taskgroup or a user group. + # permission or a user group. entry_attrs = [] - if taskgroup: + if permission: + # This will raise NotFound if the permission doesn't exist try: - entry_attrs = api.Command['taskgroup_show'](kw['taskgroup'])['result'] - except errors.NotFound: - # The task group doesn't exist, let's be helpful and add it - tgkw = {'description': aciname} - entry_attrs = api.Command['taskgroup_add']( - kw['taskgroup'], **tgkw - )['result'] + entry_attrs = api.Command['permission_show'](kw['permission'])['result'] + except errors.NotFound, e: + if 'test' in kw and not kw.get('test'): + raise e + else: + entry_attrs = {'dn': 'cn=%s,%s' % (kw['permission'], api.env.container_permission)} elif group: # Not so friendly with groups. This will raise try: @@ -186,7 +189,7 @@ def _make_aci(current, aciname, kw): a.set_target_attr(kw['attrs']) if 'memberof' in kw: entry_attrs = api.Command['group_show'](kw['memberof'])['result'] - a.set_target_filter('memberOf=%s' % dn) + a.set_target_filter('memberOf=%s' % entry_attrs['dn']) if 'filter' in kw: a.set_target_filter(kw['filter']) if 'type' in kw: @@ -195,7 +198,7 @@ def _make_aci(current, aciname, kw): if 'targetgroup' in kw: # Purposely no try here so we'll raise a NotFound entry_attrs = api.Command['group_show'](kw['targetgroup'])['result'] - target = 'ldap:///%s' % dn + target = 'ldap:///%s' % entry_attrs['dn'] a.set_target(target) if 'subtree' in kw: # See if the subtree is a full URI @@ -206,7 +209,7 @@ def _make_aci(current, aciname, kw): return a -def _aci_to_kw(ldap, a): +def _aci_to_kw(ldap, a, test=False): """Convert an ACI into its equivalent keywords. This is used for the modify operation so we can merge the @@ -254,11 +257,20 @@ def _aci_to_kw(ldap, a): pass else: if groupdn.startswith('cn='): - (dn, entry_attrs) = ldap.get_entry(groupdn, ['cn']) - if api.env.container_taskgroup in dn: - kw['taskgroup'] = entry_attrs['cn'][0] + dn = '' + entry_attrs = {} + try: + (dn, entry_attrs) = ldap.get_entry(groupdn, ['cn']) + except errors.NotFound, e: + # FIXME, use real name here + if test: + dn = 'cn=%s,%s' % ('test', api.env.container_permission) + entry_attrs = {'cn': [u'test']} + if api.env.container_permission in dn: + kw['permission'] = entry_attrs['cn'][0] else: - kw['group'] = entry_attrs['cn'][0] + if 'cn' in entry_attrs: + kw['group'] = entry_attrs['cn'][0] return kw @@ -299,6 +311,7 @@ class aci(Object): """ ACI object. """ + INTERNAL = True label = _('ACIs') @@ -308,10 +321,10 @@ class aci(Object): label=_('ACI name'), primary_key=True, ), - Str('taskgroup?', - cli_name='taskgroup', - label=_('Taskgroup'), - doc=_('Taskgroup ACI grants access to'), + Str('permission?', + cli_name='permission', + label=_('Permission'), + doc=_('Permission ACI grants access to'), ), Str('group?', cli_name='group', @@ -370,8 +383,16 @@ class aci_add(crud.Create): """ Create new ACI. """ + INTERNAL = True msg_summary = _('Created ACI "%(value)s"') + takes_options = ( + Flag('test?', + doc=_('Test the ACI syntax but don\'t write anything'), + default=False, + ), + ) + def execute(self, aciname, **kw): """ Execute the aci-create operation. @@ -390,18 +411,20 @@ class aci_add(crud.Create): acis = _convert_strings_to_acis(entry_attrs.get('aci', [])) for a in acis: - if a.isequal(newaci): + # FIXME: add check for permission_group = permission_group + if a.isequal(newaci) or newaci.name == a.name: raise errors.DuplicateEntry() newaci_str = unicode(newaci) entry_attrs['aci'].append(newaci_str) - ldap.update_entry(dn, entry_attrs) + if not kw.get('test', False): + ldap.update_entry(dn, entry_attrs) if kw.get('raw', False): result = dict(aci=unicode(newaci_str)) else: - result = _aci_to_kw(ldap, newaci) + result = _aci_to_kw(ldap, newaci, kw.get('test', False)) return dict( result=result, value=aciname, @@ -414,6 +437,7 @@ class aci_del(crud.Delete): """ Delete ACI. """ + INTERNAL = True has_output = output.standard_delete msg_summary = _('Deleted ACI "%(value)s"') @@ -454,6 +478,7 @@ class aci_mod(crud.Update): """ Modify ACI. """ + INTERNAL = True has_output_params = ( Str('aci', label=_('ACI'), @@ -485,6 +510,8 @@ class aci_mod(crud.Update): # _make_aci is what is run in aci_add and validates the input. # Do this before we delete the existing ACI. newaci = _make_aci(None, aciname, newkw) + if aci.isequal(newaci): + raise errors.EmptyModlist() self.api.Command['aci_del'](aciname) @@ -522,6 +549,7 @@ class aci_find(crud.Search): have ipausers as a memberof. There may be other ACIs that apply to members of that group indirectly. """ + INTERNAL = True msg_summary = ngettext('%(count)d ACI matched', '%(count)d ACIs matched', 0) def execute(self, term, **kw): @@ -560,10 +588,10 @@ class aci_find(crud.Search): results.remove(a) acis = list(results) - if 'taskgroup' in kw: + if 'permission' in kw: try: - self.api.Command['taskgroup_show']( - kw['taskgroup'] + self.api.Command['permission_show']( + kw['permission'] ) except errors.NotFound: pass @@ -600,7 +628,24 @@ class aci_find(crud.Search): # uncomment next line if you add more search criteria # acis = list(results) - # TODO: searching by: type, filter, subtree + for a in acis: + if 'target' in a.target: + target = a.target['target']['expression'] + else: + results.remove(a) + continue + found = False + for k in _type_map.keys(): + if _type_map[k] == target and 'type' in kw and kw['type'] == k: + found = True + break; + if not found: + try: + results.remove(a) + except ValueError: + pass + + # TODO: searching by: filter, subtree acis = [] for result in results: @@ -623,6 +668,7 @@ class aci_show(crud.Retrieve): """ Display a single ACI given an ACI name. """ + INTERNAL = True has_output_params = ( Str('aci', @@ -656,3 +702,64 @@ class aci_show(crud.Retrieve): ) api.register(aci_show) + + +class aci_rename(crud.Update): + """ + Rename an ACI. + """ + INTERNAL = True + has_output_params = ( + Str('aci', + label=_('ACI'), + ), + ) + + takes_options = ( + Str('newname', + doc=_('New ACI name'), + ), + ) + + msg_summary = _('Renameed ACI to "%(value)s"') + + def execute(self, aciname, **kw): + ldap = self.api.Backend.ldap2 + + (dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci']) + + acis = _convert_strings_to_acis(entry_attrs.get('aci', [])) + aci = _find_aci_by_name(acis, aciname) + + for a in acis: + if kw['newname'] == a.name: + raise errors.DuplicateEntry() + + # The strategy here is to convert the ACI we're updating back into + # a series of keywords. Then we replace any keywords that have been + # updated and convert that back into an ACI and write it out. + newkw = _aci_to_kw(ldap, aci) + if 'selfaci' in newkw and newkw['selfaci'] == True: + # selfaci is set in aci_to_kw to True only if the target is self + kw['selfaci'] = True + if 'aciname' in newkw: + del newkw['aciname'] + + # _make_aci is what is run in aci_add and validates the input. + # Do this before we delete the existing ACI. + newaci = _make_aci(None, kw['newname'], newkw) + + self.api.Command['aci_del'](aciname) + + result = self.api.Command['aci_add'](kw['newname'], **newkw)['result'] + + if kw.get('raw', False): + result = dict(aci=unicode(newaci)) + else: + result = _aci_to_kw(ldap, newaci) + return dict( + result=result, + value=kw['newname'], + ) + +api.register(aci_rename) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index a67b84d09..3894e18de 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -42,17 +42,29 @@ global_output_params = ( Str('member_group?', label=_('Member groups'), ), + Str('memberof_group?', + label=_('Member of groups'), + ), Str('member_host?', label=_('Member hosts'), ), Str('memberof_hostgroup?', label=_('Member of host-groups'), ), - Str('memberof_taskgroup?', - label=_('Member of task-groups'), + Str('memberof_permission?', + label=_('Permissions'), + ), + Str('memberof_privilege?', + label='Privileges', + ), + Str('memberof_role?', + label=_('Roles'), ), - Str('member_rolegroup?', - label=_('Member role-groups'), + Str('member_privilege?', + label='Granted to Privilege', + ), + Str('member_role?', + label=_('Granting privilege to roles'), ), Str('member_netgroup?', label=_('Member netgroups'), @@ -93,11 +105,11 @@ global_output_params = ( Str('memberindirect_hostgroup?', label=_('Indirect Member host-groups'), ), - Str('memberindirect_rolegroup?', - label=_('Indirect Member role-groups'), + Str('memberindirect_role?', + label=_('Indirect Member of roles'), ), - Str('memberindirect_taskgroup?', - label=_('Indirect Member role-groups'), + Str('memberindirect_permission?', + label=_('Indirect Member permissions'), ), Str('memberindirect_hbacsvc?', label=_('Indirect Member HBAC service'), @@ -1192,9 +1204,11 @@ class LDAPSearch(CallbackInterface, crud.Search): for callback in self.POST_CALLBACKS: if hasattr(callback, 'im_self'): - callback(ldap, entries, truncated, *args, **options) + more = callback(ldap, entries, truncated, *args, **options) else: - callback(self, ldap, entries, truncated, *args, **options) + more = callback(self, ldap, entries, truncated, *args, **options) + if more: + entries = entries + more if not options.get('raw', False): for e in entries: @@ -1214,8 +1228,236 @@ class LDAPSearch(CallbackInterface, crud.Search): return (filter, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): - pass + return [] def exc_callback(self, args, options, exc, call_func, *call_args, **call_kwargs): raise exc + +class LDAPModReverseMember(LDAPQuery): + """ + Base class for reverse member manipulation. + """ + reverse_attributes = ['member'] + reverse_param_doc = 'comma-separated list of %s' + reverse_count_out = ('%i member processed.', '%i members processed.') + + has_output_params = global_output_params + + def get_options(self): + for option in super(LDAPModReverseMember, self).get_options(): + yield option + for attr in self.reverse_attributes: + for ldap_obj_name in self.obj.reverse_members[attr]: + ldap_obj = self.api.Object[ldap_obj_name] + name = to_cli(ldap_obj_name) + doc = self.reverse_param_doc % ldap_obj.object_name_plural + yield List('%s?' % name, cli_name='%ss' % name, doc=doc, + label=ldap_obj.object_name) + + +class LDAPAddReverseMember(LDAPModReverseMember): + """ + Add other LDAP entries to members in reverse. + + The call looks like "add A to B" but in fact executes + add B to A to handle reverse membership. + """ + member_param_doc = 'comma-separated list of %s to add' + member_count_out = ('%i member added.', '%i members added.') + + show_command = None + member_command = None + reverse_attr = None + member_attr = None + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be added'), + ), + output.Output('completed', + type=int, + doc=_('Number of members added'), + ), + ) + + has_output_params = global_output_params + + def execute(self, *keys, **options): + ldap = self.obj.backend + + # Ensure our target exists + result = self.api.Command[self.show_command](keys[-1])['result'] + dn = result['dn'] + + for callback in self.PRE_CALLBACKS: + if hasattr(callback, 'im_self'): + dn = callback(ldap, dn, *keys, **options) + else: + dn = callback( + self, ldap, dn, *keys, **options + ) + + if options.get('all', False): + attrs_list = ['*'] + self.obj.default_attributes + else: + attrs_list = self.obj.default_attributes + + completed = 0 + failed = {'member': {self.reverse_attr: []}} + for attr in options.get(self.reverse_attr, []): + try: + options = {'%s' % self.member_attr: keys[-1]} + try: + result = self.api.Command[self.member_command](attr, **options) + if result['completed'] == 1: + completed = completed + 1 + else: + failed['member'][self.reverse_attr].append((attr, result['failed']['member'][self.member_attr][0][1])) + except errors.ExecutionError, e: + try: + (dn, entry_attrs) = self._call_exc_callbacks( + keys, options, e, self.member_command, dn, attrs_list, + normalize=self.obj.normalize_dn + ) + except errors.NotFound, e: + msg = str(e) + (attr, msg) = msg.split(':', 1) + failed['member'][self.reverse_attr].append((attr, unicode(msg.strip()))) + + except errors.PublicError, e: + failed['member'][self.reverse_attr].append((attr, unicode(msg))) + + entry_attrs = self.api.Command[self.show_command](keys[-1])['result'] + + for callback in self.POST_CALLBACKS: + if hasattr(callback, 'im_self'): + (completed, dn) = callback( + ldap, completed, failed, dn, entry_attrs, *keys, **options + ) + else: + (completed, dn) = callback( + self, ldap, completed, failed, dn, entry_attrs, *keys, + **options + ) + + entry_attrs['dn'] = dn + return dict( + completed=completed, + failed=failed, + result=entry_attrs, + ) + + def pre_callback(self, ldap, dn, *keys, **options): + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + return (completed, dn) + + def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): + raise exc + +class LDAPRemoveReverseMember(LDAPModReverseMember): + """ + Remove other LDAP entries from members in reverse. + + The call looks like "remove A from B" but in fact executes + remove B from A to handle reverse membership. + """ + member_param_doc = 'comma-separated list of %s to remove' + member_count_out = ('%i member removed.', '%i members removed.') + + show_command = None + member_command = None + reverse_attr = None + member_attr = None + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be removed'), + ), + output.Output('completed', + type=int, + doc=_('Number of members removed'), + ), + ) + + has_output_params = global_output_params + + def execute(self, *keys, **options): + ldap = self.obj.backend + + # Ensure our target exists + result = self.api.Command[self.show_command](keys[-1])['result'] + dn = result['dn'] + + for callback in self.PRE_CALLBACKS: + if hasattr(callback, 'im_self'): + dn = callback(ldap, dn, *keys, **options) + else: + dn = callback( + self, ldap, dn, *keys, **options + ) + + if options.get('all', False): + attrs_list = ['*'] + self.obj.default_attributes + else: + attrs_list = self.obj.default_attributes + + completed = 0 + failed = {'member': {self.reverse_attr: []}} + for attr in options.get(self.reverse_attr, []): + try: + options = {'%s' % self.member_attr: keys[-1]} + try: + result = self.api.Command[self.member_command](attr, **options) + if result['completed'] == 1: + completed = completed + 1 + else: + failed['member'][self.reverse_attr].append((attr, result['failed']['member'][self.member_attr][0][1])) + except errors.ExecutionError, e: + try: + (dn, entry_attrs) = self._call_exc_callbacks( + keys, options, e, self.member_command, dn, attrs_list, + normalize=self.obj.normalize_dn + ) + except errors.NotFound, e: + msg = str(e) + (attr, msg) = msg.split(':', 1) + failed['member'][self.reverse_attr].append((attr, unicode(msg.strip()))) + + except errors.PublicError, e: + failed['member'][self.reverse_attr].append((attr, unicode(msg))) + + entry_attrs = self.api.Command[self.show_command](keys[-1])['result'] + + for callback in self.POST_CALLBACKS: + if hasattr(callback, 'im_self'): + (completed, dn) = callback( + ldap, completed, failed, dn, entry_attrs, *keys, **options + ) + else: + (completed, dn) = callback( + self, ldap, completed, failed, dn, entry_attrs, *keys, + **options + ) + + entry_attrs['dn'] = dn + return dict( + completed=completed, + failed=failed, + result=entry_attrs, + ) + + def pre_callback(self, ldap, dn, *keys, **options): + return dn + + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + return (completed, dn) + + def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): + raise exc diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index f26792a56..290d7ba1d 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -89,8 +89,8 @@ class group(LDAPObject): uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['user', 'group'], - 'memberof': ['group', 'netgroup', 'rolegroup', 'taskgroup'], - 'memberindirect': ['user', 'group', 'netgroup', 'rolegroup', 'taskgroup'], + 'memberof': ['group', 'netgroup', 'role',], + 'memberindirect': ['user', 'group', 'netgroup', 'role'], } rdnattr = 'cn' diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index b3caf1851..a9589c6ec 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -31,10 +31,10 @@ ENROLLMENT: There are three enrollment scenarios when enrolling a new client: 1. You are enrolling as a full administrator. The host entry may exist - or not. A full administrator is a member of the hostadmin rolegroup + or not. A full administrator is a member of the hostadmin role or the admins group. 2. You are enrolling as a limited administrator. The host must already - exist. A limited administrator is a member of the enrollhost rolegroup. + exist. A limited administrator is a member of the enrollhost role. 3. The host has been created with a one-time password. A host can only be enrolled once. If a client has enrolled and needs to @@ -162,7 +162,7 @@ class host(LDAPObject): uuid_attribute = 'ipauniqueid' attribute_members = { 'enrolledby': ['user'], - 'memberof': ['hostgroup', 'netgroup', 'rolegroup'], + 'memberof': ['hostgroup', 'netgroup', 'role'], 'managedby': ['host'], } diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py new file mode 100644 index 000000000..c2264aaf3 --- /dev/null +++ b/ipalib/plugins/permission.py @@ -0,0 +1,363 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A permission may not be members of other permissions. + +* A permissions grants access to read, write, add or delete. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The description of the permission. +3. The target of the permission. +4. The permissions granted by the permission. + +The permissions define what operations are allowed and are one or more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editabe. + +There are a number of allowed targets: +1. type: a type of object (user, group, etc). +2. memberof: a memberof a group or hostgroup +3. filter: an LDAP filter +4. subtree: an LDAP filter specifying part of the LDAP DIT +5. targetgroup + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --desc="Add a User" --type=user --permissions=add adduser + + Add a permission that grants the ability to manage group membership: + ipa permission-add --desc='Manage group members' --attrs=member --permissions=-write --type=group manage_group_members +""" + +import copy +from ipalib.plugins.baseldap import * +from ipalib import api, _, ngettext +from ipalib import Flag, Str, StrEnum +from ipalib.request import context + + +class permission(LDAPObject): + """ + Permission object. + """ + container_dn = api.env.container_permission + object_name = 'permission' + object_name_plural = 'permissions' + object_class = ['groupofnames'] + default_attributes = ['cn', 'description', 'member', 'memberof', + 'memberindirect', + ] + aci_attributes = ['group', 'permissions', 'attrs', 'type', + 'filter', 'subtree', 'targetgroup', + ] + attribute_members = { + 'member': ['privilege'], +# 'memberindirect': ['user', 'group', 'role'], + } + rdnattr='cn' + + label = _('Permissions') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Permission name'), + primary_key=True, + normalizer=lambda value: value.lower(), + ), + Str('description', + cli_name='desc', + label=_('Description'), + doc=_('Permission description'), + ), + List('permissions', + cli_name='permissions', + label=_('Permissions'), + doc=_('Comma-separated list of permissions to grant ' \ + '(read, write, add, delete, all)'), + ), + List('attrs?', + cli_name='attrs', + label=_('Attributes'), + doc=_('Comma-separated list of attributes'), + ), + StrEnum('type?', + cli_name='type', + label=_('Type'), + doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup)'), + values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup'), + ), + Str('memberof?', + cli_name='memberof', + label=_('Member of group'), # FIXME: Does this label make sense? + doc=_('Target members of a group'), + ), + Str('filter?', + cli_name='filter', + label=_('Filter'), + doc=_('Legal LDAP filter (e.g. ou=Engineering)'), + ), + Str('subtree?', + cli_name='subtree', + label=_('Subtree'), + doc=_('Subtree to apply permissions to'), + ), + Str('targetgroup?', + cli_name='targetgroup', + label=_('Target group'), + doc=_('User group to apply permissions to'), + ), + ) + +api.register(permission) + + +class permission_add(LDAPCreate): + """ + Add a new permission. + """ + + msg_summary = _('Added permission "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # Test the ACI before going any further + opts = copy.copy(options) + del opts['description'] + opts['test'] = True + opts['permission'] = keys[-1] + try: + self.api.Command.aci_add(options['description'], **opts) + except Exception, e: + raise e + + # Clear the aci attributes out of the permission entry + for o in options: + try: + if o not in ['description', 'objectclass']: + del entry_attrs[o] + except: + pass + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + # Now actually add the aci. + opts = copy.copy(options) + del opts['description'] + opts['test'] = False + opts['permission'] = keys[-1] + try: + result = self.api.Command.aci_add(options['description'], **opts)['result'] + for attr in self.obj.aci_attributes: + if attr in result: + entry_attrs[attr] = result[attr] + except Exception, e: + self.api.Command.aci_del(keys[-1]) + raise e + return dn + +api.register(permission_add) + + +class permission_del(LDAPDelete): + """ + Delete a permission. + """ + + msg_summary = _('Deleted permission "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + (dn, entry_attrs) = ldap.get_entry(dn, ['*']) + if 'description' in entry_attrs: + try: + self.api.Command.aci_del(entry_attrs['description'][0]) + except errors.NotFound: + pass + return dn + +api.register(permission_del) + + +class permission_mod(LDAPUpdate): + """ + Modify a permission. + """ + + msg_summary = _('Modified permission "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + (dn, attrs) = ldap.get_entry( + dn, attrs_list, normalize=self.obj.normalize_dn + ) + opts = copy.copy(options) + if 'description' in opts: + del opts['description'] + for o in self.obj.aci_attributes + ['all', 'raw', 'rights']: + if o in opts: + del opts[o] + setattr(context, 'aciupdate', False) + # If there are no options left we don't need to do anything to the + # underlying ACI. + if len(opts) > 0: + opts['test'] = False + opts['permission'] = keys[-1] + try: + self.api.Command.aci_mod(attrs['description'][0], **opts) + setattr(context, 'aciupdate', True) + except Exception, e: + raise e + + # Clear the aci attributes out of the permission entry + for o in self.obj.aci_attributes: + try: + del entry_attrs[o] + except: + pass + + if 'description' in options: + (dn, attrs) = ldap.get_entry(dn, ['description']) + self.api.Command.aci_rename(attrs['description'][0], newname=options['description']) + + return dn + + def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): + if isinstance(exc, errors.EmptyModlist): + aciupdate = getattr(context, 'aciupdate') + opts = copy.copy(options) + # Clear the aci attributes out of the permission entry + for o in self.obj.aci_attributes + ['all', 'raw', 'rights']: + try: + del opts[o] + except: + pass + + if len(opts) > 0: + raise exc + else: + raise exc + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + result = self.api.Command.permission_show(keys[-1])['result'] + for r in result: + if not r.startswith('member'): + entry_attrs[r] = result[r] + return dn + +api.register(permission_mod) + + +class permission_find(LDAPSearch): + """ + Search for permissions. + """ + + msg_summary = ngettext( + '%(count)d permission matched', '%(count)d permissions matched' + ) + + def post_callback(self, ldap, entries, truncated, *args, **options): + newentries = [] + for entry in entries: + (dn, attrs) = entry + try: + aci = self.api.Command.aci_show(attrs['description'][0])['result'] + for attr in self.obj.aci_attributes: + if attr in aci: + attrs[attr] = aci[attr] + except errors.NotFound: + self.debug('ACI not found for %s' % attrs['description'][0]) + + # Now find all the ACIs that match. Once we find them, add any that + # aren't already in the list along with their permission info. + aciresults = self.api.Command.aci_find(*args, **options) + truncated = truncated or aciresults['truncated'] + results = aciresults['result'] + for aci in results: + found = False + if 'permission' in aci: + for entry in entries: + if aci['permission'] == entry['cn']: + found = True + break + if not found in aci: + permission = self.api.Command.permission_show(aci['permission']) + attrs = permission['result'] + for attr in self.obj.aci_attributes: + if attr in aci: + attrs[attr] = aci[attr] + dn = attrs['dn'] + del attrs['dn'] + newentries.append((dn, attrs)) + + return newentries + +api.register(permission_find) + + +class permission_show(LDAPRetrieve): + """ + Display information about a permission. + """ + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + try: + aci = self.api.Command.aci_show(entry_attrs['description'][0])['result'] + for attr in self.obj.aci_attributes: + if attr in aci: + entry_attrs[attr] = aci[attr] + except errors.NotFound: + self.debug('ACI not found for %s' % entry_attrs['description'][0]) + return dn + +api.register(permission_show) + + +class permission_add_member(LDAPAddMember): + """ + Add members to a permission. + """ + INTERNAL = True + +api.register(permission_add_member) + + +class permission_remove_member(LDAPRemoveMember): + """ + Remove members from a permission. + """ + INTERNAL = True + +api.register(permission_remove_member) diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py new file mode 100644 index 000000000..f412448fc --- /dev/null +++ b/ipalib/plugins/privilege.py @@ -0,0 +1,191 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Privileges + +A privilege enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to privileges to perform +given tasks such as adding a user, modifying a group, etc. + +A privilege may not be members of other privileges. + +See role and permission for additional information. +""" + +from ipalib.plugins.baseldap import * +from ipalib import api, _, ngettext + + +class privilege(LDAPObject): + """ + Privilege object. + """ + container_dn = api.env.container_privilege + object_name = 'privilege' + object_name_plural = 'privileges' + object_class = ['nestedgroup', 'groupofnames'] + default_attributes = ['cn', 'description', 'member', 'memberof', + 'memberindirect' + ] + attribute_members = { + 'member': ['permission', 'role'], + 'memberof': ['permission'], +# 'memberindirect': ['permission'], + # FIXME: privilege can be member of ??? + } + reverse_members = { + 'member': ['permission'], + } + rdnattr='cn' + + label = _('Privileges') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Privilege name'), + primary_key=True, + normalizer=lambda value: value.lower(), + ), + Str('description', + cli_name='desc', + label=_('Description'), + doc=_('Privilege description'), + ), + ) + +api.register(privilege) + + +class privilege_add(LDAPCreate): + """ + Add a new privilege. + """ + + msg_summary = _('Added privilege "%(value)s"') + +api.register(privilege_add) + + +class privilege_del(LDAPDelete): + """ + Delete a privilege. + """ + + msg_summary = _('Deleted privilege "%(value)s"') + +api.register(privilege_del) + + +class privilege_mod(LDAPUpdate): + """ + Modify a privilege. + """ + + msg_summary = _('Modified privilege "%(value)s"') + +api.register(privilege_mod) + + +class privilege_find(LDAPSearch): + """ + Search for privileges. + """ + + msg_summary = ngettext( + '%(count)d privilege matched', '%(count)d privileges matched' + ) + +api.register(privilege_find) + + +class privilege_show(LDAPRetrieve): + """ + Display information about a privilege. + """ + +api.register(privilege_show) + + +class privilege_add_member(LDAPAddMember): + """ + Add members to a privilege + """ + INTERNAL=True + +api.register(privilege_add_member) + + +class privilege_remove_member(LDAPRemoveMember): + """ + Remove members from a privilege + """ + INTERNAL=True + +api.register(privilege_remove_member) + + +class privilege_add_permission(LDAPAddReverseMember): + """ + Add permissions to a privilege. + """ + show_command = 'privilege_show' + member_command = 'permission_add_member' + reverse_attr = 'permission' + member_attr = 'privilege' + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be added'), + ), + output.Output('completed', + type=int, + doc=_('Number of permissions added'), + ), + ) + +api.register(privilege_add_permission) + + +class privilege_remove_permission(LDAPRemoveReverseMember): + """ + Remove permissions from a privilege. + """ + show_command = 'privilege_show' + member_command = 'permission_remove_member' + reverse_attr = 'permission' + member_attr = 'privilege' + + permission_count_out = ('%i permission removed.', '%i permissions removed.') + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be added'), + ), + output.Output('completed', + type=int, + doc=_('Number of permissions removed'), + ), + ) + +api.register(privilege_remove_permission) diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py new file mode 100644 index 000000000..ceca75ffb --- /dev/null +++ b/ipalib/plugins/role.py @@ -0,0 +1,212 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# Pavel Zuna <pzuna@redhat.com> +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group juioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'useradmins' can + add users, reset passwords or add a user to the default IPA user group. +""" + +from ipalib.plugins.baseldap import * +from ipalib import api, Str, _, ngettext +from ipalib import Command +from ipalib.plugins import privilege + + +class role(LDAPObject): + """ + Role object. + """ + container_dn = api.env.container_rolegroup + object_name = 'role' + object_name_plural = 'roles' + object_class = ['groupofnames', 'nestedgroup'] + default_attributes = ['cn', 'description', 'member', 'memberof', + 'memberindirect' + ] + attribute_members = { + 'member': ['user', 'group', 'host', 'hostgroup'], + 'memberof': ['privilege'], +# 'memberindirect': ['user', 'group', 'host', 'hostgroup'], + } + reverse_members = { + 'member': ['privilege'], + } + rdnattr='cn' + + label = _('Role Groups') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Role name'), + primary_key=True, + normalizer=lambda value: value.lower(), + ), + Str('description', + cli_name='desc', + label=_('Description'), + doc=_('A description of this role-group'), + ), + ) + +api.register(role) + + +class role_add(LDAPCreate): + """ + Add a new role. + """ + + msg_summary = _('Added role "%(value)s"') + +api.register(role_add) + + +class role_del(LDAPDelete): + """ + Delete a role. + """ + + msg_summary = _('Deleted role "%(value)s"') + +api.register(role_del) + + +class role_mod(LDAPUpdate): + """ + Modify a role. + """ + + msg_summary = _('Modified role "%(value)s"') + +api.register(role_mod) + + +class role_find(LDAPSearch): + """ + Search for roles. + """ + + msg_summary = ngettext( + '%(count)d role matched', '%(count)d roles matched' + ) + +api.register(role_find) + + +class role_show(LDAPRetrieve): + """ + Display information about a role. + """ + +api.register(role_show) + + +class role_add_member(LDAPAddMember): + """ + Add members to a role. + """ + +api.register(role_add_member) + + +class role_remove_member(LDAPRemoveMember): + """ + Remove members from a role. + """ + +api.register(role_remove_member) + + +class role_add_privilege(LDAPAddReverseMember): + """ + Add privileges to a role. + """ + show_command = 'role_show' + member_command = 'privilege_add_member' + reverse_attr = 'privilege' + member_attr = 'role' + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be added'), + ), + output.Output('completed', + type=int, + doc=_('Number of privileges added'), + ), + ) + +api.register(role_add_privilege) + + +class role_remove_privilege(LDAPRemoveReverseMember): + """ + Remove privileges from a role. + """ + show_command = 'role_show' + member_command = 'privilege_remove_member' + reverse_attr = 'privilege' + member_attr = 'role' + + has_output = ( + output.Entry('result'), + output.Output('failed', + type=dict, + doc=_('Members that could not be added'), + ), + output.Output('completed', + type=int, + doc=_('Number of privileges removed'), + ), + ) + +api.register(role_remove_privilege) diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py deleted file mode 100644 index e0b6fbc4e..000000000 --- a/ipalib/plugins/rolegroup.py +++ /dev/null @@ -1,165 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -""" -Rolegroups - -A rolegroup is used for fine-grained delegation. Access control rules -(ACIs) grant permission to perform given tasks (add a user, modify a group, -etc.), to task groups. Rolegroups are members of taskgroups, giving them -permission to perform the task. - -The logic behind ACIs and rolegroups proceeds as follows: - - ACIs grants permission to taskgroup - rolegroups are members of taskgroups - users, groups, hosts and hostgroups are members of rolegroups - -Rolegroups can contain both hosts and hostgroups, enabling -operations using the host service principal associated with a machine. - -Rolegroups can not contain other rolegroups. - -EXAMPLES: - - Add a new rolegroup: - ipa rolegroup-add --desc="Junior-level admin" junioradmin - - Add this role to some tasks: - ipa taskgroup-add-member --rolegroups=junioradmin addusers - ipa taskgroup-add-member --rolegroups=junioradmin change_password - ipa taskgroup-add-member --rolegroups=junioradmin add_user_to_default_group - - Yes, this can seem backwards. The taskgroup is the entry that is granted - permissions by the ACIs. By adding a rolegroup as a member of a taskgroup - it inherits those permissions. - - Add a group of users to this role: - ipa group-add --desc="User admins" useradmins - ipa rolegroup-add-member --groups=useradmins junioradmin - - Display information about a rolegroup: - ipa rolegroup-show junioradmin -""" - -from ipalib.plugins.baseldap import * -from ipalib import api, Str, _, ngettext - - -class rolegroup(LDAPObject): - """ - Rolegroup object. - """ - container_dn = api.env.container_rolegroup - object_name = 'rolegroup' - object_name_plural = 'rolegroups' - object_class = ['groupofnames', 'nestedgroup'] - default_attributes = ['cn', 'description', 'member', 'memberof', - 'memberindirect' - ] - attribute_members = { - 'member': ['user', 'group', 'host', 'hostgroup'], - 'memberof': ['taskgroup'], - 'memberindirect': ['user', 'group', 'host', 'hostgroup'], - } - rdnattr='cn' - - label = _('Role Groups') - - takes_params = ( - Str('cn', - cli_name='name', - label=_('Role-group name'), - primary_key=True, - normalizer=lambda value: value.lower(), - ), - Str('description', - cli_name='desc', - label=_('Description'), - doc=_('A description of this role-group'), - ), - ) - -api.register(rolegroup) - - -class rolegroup_add(LDAPCreate): - """ - Add a new rolegroup. - """ - - msg_summary = _('Added rolegroup "%(value)s"') - -api.register(rolegroup_add) - - -class rolegroup_del(LDAPDelete): - """ - Delete a rolegroup. - """ - - msg_summary = _('Deleted rolegroup "%(value)s"') - -api.register(rolegroup_del) - - -class rolegroup_mod(LDAPUpdate): - """ - Modify a rolegroup. - """ - - msg_summary = _('Modified rolegroup "%(value)s"') - -api.register(rolegroup_mod) - - -class rolegroup_find(LDAPSearch): - """ - Search for rolegroups. - """ - - msg_summary = ngettext( - '%(count)d rolegroup matched', '%(count)d rolegroups matched' - ) - -api.register(rolegroup_find) - - -class rolegroup_show(LDAPRetrieve): - """ - Display information about a rolegroup. - """ - -api.register(rolegroup_show) - - -class rolegroup_add_member(LDAPAddMember): - """ - Add members to a rolegroup. - """ - -api.register(rolegroup_add_member) - - -class rolegroup_remove_member(LDAPRemoveMember): - """ - Remove members from a rolegroup. - """ - -api.register(rolegroup_remove_member) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 6cdba9b32..fbb1ff2ca 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -47,7 +47,7 @@ EXAMPLES: Allow a host to manage an IPA service certificate: ipa service-add-host --hosts=web.example.com HTTP/web.example.com - ipa rolegroup-add-member --hosts=web.example.com certadmin + ipa role-add-member --hosts=web.example.com certadmin Delete an IPA service: ipa service-del HTTP/web.example.com diff --git a/ipalib/plugins/taskgroup.py b/ipalib/plugins/taskgroup.py deleted file mode 100644 index ba3f50738..000000000 --- a/ipalib/plugins/taskgroup.py +++ /dev/null @@ -1,136 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -""" -Taskgroups - -A taskgroup enables fine-grained delegation of permissions. Access Control -Rules, or instructions (ACIs), grant permission to taskgroups to perform -given tasks such as adding a user, modifying a group, etc. - -A taskgroup may not be members of other taskgroups. - -See rolegroup and aci for additional information. -""" - -from ipalib.plugins.baseldap import * -from ipalib import api, _, ngettext - - -class taskgroup(LDAPObject): - """ - Taskgroup object. - """ - container_dn = api.env.container_taskgroup - object_name = 'taskgroup' - object_name_plural = 'taskgroups' - object_class = ['groupofnames'] - default_attributes = ['cn', 'description', 'member', 'memberof', - 'memberindirect' - ] - attribute_members = { - 'member': ['user', 'group', 'rolegroup'], - 'memberindirect': ['user', 'group', 'rolegroup'], - # FIXME: taskgroup can be member of ??? - } - rdnattr='cn' - - label = _('Task Groups') - - takes_params = ( - Str('cn', - cli_name='name', - label=_('Task-group name'), - primary_key=True, - normalizer=lambda value: value.lower(), - ), - Str('description', - cli_name='desc', - label=_('Description'), - doc=_('Task-group description'), - ), - ) - -api.register(taskgroup) - - -class taskgroup_add(LDAPCreate): - """ - Add a new taskgroup. - """ - - msg_summary = _('Added taskgroup "%(value)s"') - -api.register(taskgroup_add) - - -class taskgroup_del(LDAPDelete): - """ - Delete a taskgroup. - """ - - msg_summary = _('Deleted taskgroup "%(value)s"') - -api.register(taskgroup_del) - - -class taskgroup_mod(LDAPUpdate): - """ - Modify a taskgroup. - """ - - msg_summary = _('Modified taskgroup "%(value)s"') - -api.register(taskgroup_mod) - - -class taskgroup_find(LDAPSearch): - """ - Search for taskgroups. - """ - - msg_summary = ngettext( - '%(count)d taskgroup matched', '%(count)d taskgroups matched' - ) - -api.register(taskgroup_find) - - -class taskgroup_show(LDAPRetrieve): - """ - Display information about a taskgroup. - """ - -api.register(taskgroup_show) - - -class taskgroup_add_member(LDAPAddMember): - """ - Add members to a taskgroup. - """ - -api.register(taskgroup_add_member) - - -class taskgroup_remove_member(LDAPRemoveMember): - """ - Remove members from a taskgroup. - """ - -api.register(taskgroup_remove_member) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 64120fd2b..1bbb9b1ae 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -70,7 +70,7 @@ class user(LDAPObject): ] uuid_attribute = 'ipauniqueid' attribute_members = { - 'memberof': ['group', 'netgroup', 'rolegroup', 'taskgroup'], + 'memberof': ['group', 'netgroup', 'role'], } rdnattr = 'uid' diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4e63e7e3e..0f8200874 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -357,7 +357,7 @@ class BindInstance(service.Service): logging.critical("Could not connect to the Directory Server on %s" % self.fqdn) raise e - dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix + dns_group = "cn=dnsserver,cn=privileges,cn=accounts,%s" % self.suffix if isinstance(dns_principal, unicode): dns_principal = dns_principal.encode('utf-8') mod = [(ldap.MOD_ADD, 'member', dns_principal)] diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index 8aa0b0d9b..54c8c280e 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -61,13 +61,19 @@ hostgroup = [ u'top', ] -rolegroup = [ +role = [ u'groupofnames', u'nestedgroup', u'top', ] -taskgroup = [ +permission = [ + u'groupofnames', + u'top' +] + +privilege = [ + u'nestedgroup', u'groupofnames', u'top' ] diff --git a/tests/test_xmlrpc/test_aci_plugin.py b/tests/test_xmlrpc/test_aci_plugin.py deleted file mode 100644 index c287a4349..000000000 --- a/tests/test_xmlrpc/test_aci_plugin.py +++ /dev/null @@ -1,321 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# -# Copyright (C) 2010 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -""" -Test the `ipalib/plugins/aci.py` module. -""" - -from ipalib import api, errors -from tests.test_xmlrpc import objectclasses -from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid - - -aci1=u'test1' -taskgroup = u'testtaskgroup' - -aci2=u'selftest1' - - -class test_aci(Declarative): - - cleanup_commands = [ - ('aci_del', [aci1], {}), - ('aci_del', [aci2], {}), - ] - - tests = [ - - dict( - desc='Try to retrieve non-existent %r' % aci1, - command=('aci_show', [aci1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % aci1, - command=('aci_mod', [aci1], dict(permissions=u'write')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to delete non-existent %r' % aci1, - command=('aci_del', [aci1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Create %r' % aci1, - command=( - 'aci_add', [aci1], dict(permissions=u'add', type=u'user', taskgroup=taskgroup) - ), - expected=dict( - value=aci1, - summary=u'Created ACI "%s"' % aci1, - result=dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add'], - ), - ), - ), - - - dict( - desc='Try to create duplicate %r' % aci1, - command=( - 'aci_add', [aci1], dict(permissions=u'add', type=u'user', taskgroup=taskgroup) - ), - expected=errors.DuplicateEntry(), - ), - - - dict( - desc='Retrieve %r' % aci1, - command=( - 'aci_show', [aci1], {} - ), - expected=dict( - value=aci1, - summary=None, - result=dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add'], - ), - ), - ), - - - dict( - desc='Search for %r with all=True' % aci1, - command=( - 'aci_find', [aci1], {'all': True} - ), - expected=dict( - result=[ - dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add'], - ), - ], - summary=u'1 ACI matched', - count=1, - truncated=False, - ), - ), - - - dict( - desc='Search for %r with minimal attributes' % aci1, - command=( - 'aci_find', [aci1], {} - ), - expected=dict( - result=[ - dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add'], - ), - ], - summary=u'1 ACI matched', - count=1, - truncated=False, - ), - ), - - - dict( - desc='Update permissions in %r' % aci1, - command=( - 'aci_mod', [aci1], dict(permissions=u'add,write') - ), - expected=dict( - value=aci1, - summary=u'Modified ACI "%s"' % aci1, - result=dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add', u'write'], - ), - ), - ), - - - dict( - desc='Retrieve %r to verify update' % aci1, - command=('aci_show', [aci1], {}), - expected=dict( - value=aci1, - summary=None, - result=dict( - aciname=u'%s' % aci1, - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add', u'write'], - ), - ), - - ), - - dict( - desc='Update attributes in %r' % aci1, - command=( - 'aci_mod', [aci1], dict(attrs=u'cn, sn,givenName') - ), - expected=dict( - value=aci1, - summary=u'Modified ACI "%s"' % aci1, - result=dict( - aciname=u'%s' % aci1, - attrs=[u'cn', u'sn', u'givenName'], - type=u'user', - taskgroup=u'%s' % taskgroup, - permissions=[u'add', u'write'], - ), - ), - ), - - - dict( - desc='Update type in %r' % aci1, - command=( - 'aci_mod', [aci1], dict(type=u'group') - ), - expected=dict( - value=aci1, - summary=u'Modified ACI "%s"' % aci1, - result=dict( - aciname=u'%s' % aci1, - attrs=[u'cn', u'sn', u'givenName'], - type=u'group', - taskgroup=u'%s' % taskgroup, - permissions=[u'add', u'write'], - ), - ), - ), - - - dict( - desc='Update memberOf in %r' % aci1, - command=( - 'aci_mod', [aci1], dict(memberof=u'ipausers') - ), - expected=dict( - value=aci1, - summary=u'Modified ACI "%s"' % aci1, - result=dict( - aciname=u'%s' % aci1, - taskgroup=u'%s' % taskgroup, - filter=u'(memberOf=cn=%s,cn=taskgroups,cn=accounts,%s)' % (taskgroup, api.env.basedn), - attrs=[u'cn', u'sn', u'givenName'], - type=u'group', - permissions=[u'add', u'write'], - ), - ), - ), - - - dict( - desc='Delete %r' % aci1, - command=('aci_del', [aci1], {}), - expected=dict( - result=True, - summary=u'Deleted ACI "%s"' % aci1, - value=aci1, - ), - ), - - - dict( - desc='Try to delete non-existent %r' % aci1, - command=('aci_del', [aci1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to retrieve non-existent %r' % aci1, - command=('aci_show', [aci1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % aci1, - command=('aci_mod', [aci1], dict(givenname=u'Foo')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Create %r' % aci2, - command=( - 'aci_add', [aci2], dict(permissions=u'write', attrs=(u'givenName',u'sn',u'cn'), selfaci=True) - ), - expected=dict( - value=aci2, - summary=u'Created ACI "%s"' % aci2, - result=dict( - selfaci=True, - aciname=u'%s' % aci2, - attrs=[u'givenName', u'sn', u'cn'], - permissions=[u'write'], - ), - ), - ), - - - dict( - desc='Update attributes in %r' % aci2, - command=( - 'aci_mod', [aci2], dict(attrs=(u'givenName',u'sn',u'cn',u'uidNumber')) - ), - expected=dict( - value=aci2, - summary=u'Modified ACI "%s"' % aci2, - result=dict( - selfaci=True, - aciname=u'%s' % aci2, - attrs=[u'givenName', u'sn', u'cn', u'uidNumber'], - permissions=[u'write'], - ), - ), - ), - - - dict( - desc='Update self ACI with a taskgroup %r' % aci2, - command=( - 'aci_mod', [aci2], dict(attrs=(u'givenName',u'sn',u'cn',u'uidNumber'), taskgroup=taskgroup) - ), - expected=errors.ValidationError(name='target', error='group, taskgroup and self are mutually exclusive'), - ), - - - ] diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index 3ec17b30e..acfaa6c45 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -31,7 +31,6 @@ renamedgroup1 = u'testgroup' user1 = u'tuser1' invalidgroup1=u'+tgroup1' -invalidgroup2=u'tgroup1234567890123456789012345678901234567890' class test_group(Declarative): @@ -335,8 +334,6 @@ class test_group(Declarative): 'gidnumber': [fuzzy_digits], 'cn': [u'admins'], 'description': [u'Account administrators group'], - 'memberof_rolegroup': [u'hostadmin', u'replicaadmin'], - 'memberof_taskgroup': [u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], }, { 'dn': u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn, @@ -449,7 +446,7 @@ class test_group(Declarative): completed=0, failed=dict( member=dict( - group=[(u'notfound', u'This entry is not a member of the group')], + group=[(u'notfound', u'This entry is not a member')], user=tuple(), ), ), @@ -569,12 +566,6 @@ class test_group(Declarative): ), - dict( - desc='Test a group name that is too long %r' % invalidgroup2, - command=('group_add', [invalidgroup2], dict(description=u'Test')), - expected=errors.ValidationError(name='cn', error='can be at most 33 characters'), - ), - ##### managed entry tests dict( desc='Create %r' % user1, diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py index 4c3aeafc0..f5b4f1e1f 100644 --- a/tests/test_xmlrpc/test_netgroup_plugin.py +++ b/tests/test_xmlrpc/test_netgroup_plugin.py @@ -495,7 +495,7 @@ class test_netgroup(Declarative): ), memberuser=dict( group=tuple(), - user=[('%s' % user1, u'This entry is already a member of the group')], + user=[('%s' % user1, u'This entry is already a member')], ), memberhost=dict( hostgroup=tuple(), @@ -528,7 +528,7 @@ class test_netgroup(Declarative): netgroup=tuple(), ), memberuser=dict( - group=[('%s' % group1, u'This entry is already a member of the group')], + group=[('%s' % group1, u'This entry is already a member')], user=tuple(), ), memberhost=dict( @@ -568,7 +568,7 @@ class test_netgroup(Declarative): ), memberhost=dict( hostgroup=tuple(), - host=[('%s' % host1, u'This entry is already a member of the group')], + host=[('%s' % host1, u'This entry is already a member')], ), ), result={ @@ -602,7 +602,7 @@ class test_netgroup(Declarative): user=tuple(), ), memberhost=dict( - hostgroup=[('%s' % hostgroup1, u'This entry is already a member of the group')], + hostgroup=[('%s' % hostgroup1, u'This entry is already a member')], host=tuple(), ), ), @@ -907,7 +907,7 @@ class test_netgroup(Declarative): ), memberhost=dict( hostgroup=tuple(), - host=[('%s' % host1, u'This entry is not a member of the group')] + host=[('%s' % host1, u'This entry is not a member')] ), ), result={ @@ -937,7 +937,7 @@ class test_netgroup(Declarative): user=tuple(), ), memberhost=dict( - hostgroup=[('%s' % hostgroup1, u'This entry is not a member of the group')], + hostgroup=[('%s' % hostgroup1, u'This entry is not a member')], host=tuple(), ), ), @@ -965,7 +965,7 @@ class test_netgroup(Declarative): ), memberuser=dict( group=tuple(), - user=[('%s' % user1, u'This entry is not a member of the group')], + user=[('%s' % user1, u'This entry is not a member')], ), memberhost=dict( hostgroup=tuple(), @@ -995,7 +995,7 @@ class test_netgroup(Declarative): netgroup=tuple(), ), memberuser=dict( - group= [('%s' % group1, u'This entry is not a member of the group')], + group= [('%s' % group1, u'This entry is not a member')], user=tuple(), ), memberhost=dict( @@ -1023,7 +1023,7 @@ class test_netgroup(Declarative): completed=0, failed=dict( member=dict( - netgroup=[('%s' % netgroup2, u'This entry is not a member of the group')], + netgroup=[('%s' % netgroup2, u'This entry is not a member')], ), memberuser=dict( group=tuple(), diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py new file mode 100644 index 000000000..46c312545 --- /dev/null +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -0,0 +1,400 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# Pavel Zuna <pzuna@redhat.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Test the `ipalib/plugins/permission.py` module. +""" + +from ipalib import api, errors +from tests.test_xmlrpc import objectclasses +from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid + +permission1 = u'testperm' +permission1_dn = u'cn=%s,%s,%s' % (permission1, + api.env.container_permission,api.env.basedn, +) + + +permission2 = u'testperm2' +permission2_dn = u'cn=%s,%s,%s' % (permission2, + api.env.container_permission,api.env.basedn, +) + +privilege1 = u'testpriv1' +privilege1_dn = u'cn=%s,%s,%s' % ( + privilege1, api.env.container_privilege, api.env.basedn +) + + +class test_permission(Declarative): + + cleanup_commands = [ + ('permission_del', [permission1], {}), + ('permission_del', [permission2], {}), + ('privilege_del', [privilege1], {}), + ] + + tests = [ + + dict( + desc='Try to retrieve non-existent %r' % permission1, + command=('permission_show', [permission1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to update non-existent %r' % permission1, + command=('permission_mod', [permission1], dict(description=u'Foo')), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to delete non-existent %r' % permission1, + command=('permission_del', [permission1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Search for non-existent %r' % permission1, + command=('permission_find', [permission1], {}), + expected=dict( + count=0, + truncated=False, + summary=u'0 permissions matched', + result=[], + ), + ), + + + dict( + desc='Create %r' % permission1, + command=( + 'permission_add', [permission1], dict( + description=u'Test desc 1', + type=u'user', + permissions=u'write', + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + description=[u'Test desc 1'], + objectclass=objectclasses.permission, + type=u'user', + permissions=[u'write'], + ), + ), + ), + + + dict( + desc='Try to create duplicate %r' % permission1, + command=( + 'permission_add', [permission1], dict( + description=u'Test desc 1', + type=u'user', + permissions=u'write', + ), + ), + expected=errors.DuplicateEntry(), + ), + + + dict( + desc='Create %r' % privilege1, + command=('privilege_add', [privilege1], + dict(description=u'privilege desc. 1') + ), + expected=dict( + value=privilege1, + summary=u'Added privilege "%s"' % privilege1, + result=dict( + dn=privilege1_dn, + cn=[privilege1], + description=[u'privilege desc. 1'], + objectclass=objectclasses.privilege, + ), + ), + ), + + + dict( + desc='Add permission %r to privilege %r' % (permission1, privilege1), + command=('privilege_add_permission', [privilege1], + dict(permission=permission1) + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + permission=[], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + } + ), + ), + + + dict( + desc='Retrieve %r' % permission1, + command=('permission_show', [permission1], {}), + expected=dict( + value=permission1, + summary=None, + result={ + 'dn': permission1_dn, + 'cn': [permission1], + 'description': [u'Test desc 1'], + 'member_privilege': [privilege1], + 'type': u'user', + 'permissions': [u'write'], + }, + ), + ), + + + dict( + desc='Search for %r' % permission1, + command=('permission_find', [permission1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 permission matched', + result=[ + { + 'dn': permission1_dn, + 'cn': [permission1], + 'description': [u'Test desc 1'], + 'member_privilege': [privilege1], + 'type': u'user', + 'permissions': [u'write'], + }, + ], + ), + ), + + + dict( + desc='Search for %r' % privilege1, + command=('permission_find', [privilege1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 permission matched', + result=[ + { + 'dn': permission1_dn, + 'cn': [permission1], + 'description': [u'Test desc 1'], + 'member_privilege': [privilege1], + 'type': u'user', + 'permissions': [u'write'], + }, + ], + ), + ), + + + dict( + desc='Create %r' % permission2, + command=( + 'permission_add', [permission2], dict( + description=u'Test desc 2', + type=u'user', + permissions=u'write', + ) + ), + expected=dict( + value=permission2, + summary=u'Added permission "%s"' % permission2, + result=dict( + dn=permission2_dn, + cn=[permission2], + description=[u'Test desc 2'], + objectclass=objectclasses.permission, + type=u'user', + permissions=[u'write'], + ), + ), + ), + + + dict( + desc='Search for %r' % permission1, + command=('permission_find', [permission1], {}), + expected=dict( + count=2, + truncated=False, + summary=u'2 permissions matched', + result=[ + { + 'dn': permission1_dn, + 'cn': [permission1], + 'description': [u'Test desc 1'], + 'member_privilege': [privilege1], + 'type': u'user', + 'permissions': [u'write'], + }, + { + 'dn': permission2_dn, + 'cn': [permission2], + 'description': [u'Test desc 2'], + 'type': u'user', + 'permissions': [u'write'], + }, + ], + ), + ), + + + dict( + desc='Search for %r' % privilege1, + command=('privilege_find', [privilege1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 privilege matched', + result=[ + { + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + }, + ], + ), + ), + + + dict( + desc='Update %r' % permission1, + command=( + 'permission_mod', [permission1], dict(description=u'New desc 1') + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + description=[u'New desc 1'], + member_privilege=[privilege1], + type=u'user', + permissions=[u'write'], + ), + ), + ), + + + dict( + desc='Retrieve %r to verify update' % permission1, + command=('permission_show', [permission1], {}), + expected=dict( + value=permission1, + summary=None, + result={ + 'dn': permission1_dn, + 'cn': [permission1], + 'description': [u'New desc 1'], + 'member_privilege': [privilege1], + 'type': u'user', + 'permissions': [u'write'], + }, + ), + ), + + + dict( + desc='Delete %r' % permission1, + command=('permission_del', [permission1], {}), + expected=dict( + result=True, + value=permission1, + summary=u'Deleted permission "%s"' % permission1, + ) + ), + + + dict( + desc='Try to delete non-existent %r' % permission1, + command=('permission_del', [permission1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to retrieve non-existent %r' % permission1, + command=('permission_show', [permission1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to update non-existent %r' % permission1, + command=('permission_mod', [permission1], dict(description=u'Foo')), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Delete %r' % permission2, + command=('permission_del', [permission2], {}), + expected=dict( + result=True, + value=permission2, + summary=u'Deleted permission "%s"' % permission2, + ) + ), + + + dict( + desc='Search for %r' % permission1, + command=('permission_find', [permission1], {}), + expected=dict( + count=0, + truncated=False, + summary=u'0 permissions matched', + result=[], + ), + ), + + + dict( + desc='Delete %r' % privilege1, + command=('privilege_del', [privilege1], {}), + expected=dict( + result=True, + value=privilege1, + summary=u'Deleted privilege "%s"' % privilege1, + ) + ), + + ] diff --git a/tests/test_xmlrpc/test_privilege_plugin.py b/tests/test_xmlrpc/test_privilege_plugin.py new file mode 100644 index 000000000..b3bd7af8b --- /dev/null +++ b/tests/test_xmlrpc/test_privilege_plugin.py @@ -0,0 +1,365 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Test the `ipalib/plugins/privilege.py` module. +""" + +from ipalib import api, errors +from tests.test_xmlrpc import objectclasses +from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid + +permission1 = u'testperm' +permission1_dn = u'cn=%s,%s,%s' % (permission1, + api.env.container_permission,api.env.basedn, +) + + +permission2 = u'testperm2' +permission2_dn = u'cn=%s,%s,%s' % (permission2, + api.env.container_permission,api.env.basedn, +) + +privilege1 = u'testpriv1' +privilege1_dn = u'cn=%s,%s,%s' % ( + privilege1, api.env.container_privilege, api.env.basedn +) + + +class test_privilege(Declarative): + + cleanup_commands = [ + ('permission_del', [permission1], {}), + ('permission_del', [permission2], {}), + ('privilege_del', [privilege1], {}), + ] + + tests = [ + + dict( + desc='Try to retrieve non-existent %r' % privilege1, + command=('privilege_show', [privilege1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to update non-existent %r' % privilege1, + command=('privilege_mod', [privilege1], dict(description=u'Foo')), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to delete non-existent %r' % privilege1, + command=('privilege_del', [privilege1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Search for non-existent %r' % privilege1, + command=('privilege_find', [privilege1], {}), + expected=dict( + count=0, + truncated=False, + summary=u'0 privileges matched', + result=[], + ), + ), + + + dict( + desc='Create %r' % permission1, + command=( + 'permission_add', [permission1], dict( + description=u'Test desc 1', + type=u'user', + permissions=u'add, delete', + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + description=[u'Test desc 1'], + objectclass=objectclasses.permission, + type=u'user', + permissions=[u'add', u'delete'], + ), + ), + ), + + + dict( + desc='Create %r' % privilege1, + command=('privilege_add', [privilege1], + dict(description=u'privilege desc. 1') + ), + expected=dict( + value=privilege1, + summary=u'Added privilege "%s"' % privilege1, + result=dict( + dn=privilege1_dn, + cn=[privilege1], + description=[u'privilege desc. 1'], + objectclass=objectclasses.privilege, + ), + ), + ), + + + dict( + desc='Add permission %r to privilege %r' % (permission1, privilege1), + command=('privilege_add_permission', [privilege1], + dict(permission=permission1) + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + permission=[], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + } + ), + ), + + + dict( + desc='Retrieve %r' % privilege1, + command=('privilege_show', [privilege1], {}), + expected=dict( + value=privilege1, + summary=None, + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + }, + ), + ), + + + dict( + desc='Search for %r' % privilege1, + command=('privilege_find', [privilege1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 privilege matched', + result=[ + { + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + }, + ], + ), + ), + + + dict( + desc='Search for %r' % privilege1, + command=('privilege_find', [privilege1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 privilege matched', + result=[ + { + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1], + }, + ], + ), + ), + + + dict( + desc='Create %r' % permission2, + command=( + 'permission_add', [permission2], dict( + description=u'Test desc 2', + type=u'user', + permissions=u'write', + ) + ), + expected=dict( + value=permission2, + summary=u'Added permission "%s"' % permission2, + result=dict( + dn=permission2_dn, + cn=[permission2], + description=[u'Test desc 2'], + objectclass=objectclasses.permission, + type=u'user', + permissions=[u'write'], + ), + ), + ), + + + dict( + desc='Add permission %r to privilege %r' % (permission2, privilege1), + command=('privilege_add_permission', [privilege1], + dict(permission=permission2) + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + permission=[], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1, permission2], + } + ), + ), + + + dict( + desc='Add permission %r to privilege %r again' % (permission2, privilege1), + command=('privilege_add_permission', [privilege1], + dict(permission=permission2) + ), + expected=dict( + completed=0, + failed=dict( + member=dict( + permission=[(u'testperm2', u'This entry is already a member'),], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1, permission2], + } + ), + ), + + + dict( + desc='Search for %r' % privilege1, + command=('privilege_find', [privilege1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 privilege matched', + result=[ + { + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'privilege desc. 1'], + 'memberof_permission': [permission1, permission2], + }, + ], + ), + ), + + + dict( + desc='Update %r' % privilege1, + command=( + 'privilege_mod', [privilege1], dict(description=u'New desc 1') + ), + expected=dict( + value=privilege1, + summary=u'Modified privilege "%s"' % privilege1, + result=dict( + cn=[privilege1], + description=[u'New desc 1'], + memberof_permission=[permission1, permission2], + ), + ), + ), + + + dict( + desc='Remove permission from %r' % privilege1, + command=('privilege_remove_permission', [privilege1], + dict(permission=permission1), + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + permission=[], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'New desc 1'], + 'memberof_permission': [permission2], + } + ), + ), + + + dict( + desc='Remove permission from %r again' % privilege1, + command=('privilege_remove_permission', [privilege1], + dict(permission=permission1), + ), + expected=dict( + completed=0, + failed=dict( + member=dict( + permission=[(u'testperm', u'This entry is not a member'),], + ), + ), + result={ + 'dn': privilege1_dn, + 'cn': [privilege1], + 'description': [u'New desc 1'], + 'memberof_permission': [permission2], + } + ), + ), + + + dict( + desc='Delete %r' % privilege1, + command=('privilege_del', [privilege1], {}), + expected=dict( + result=True, + value=privilege1, + summary=u'Deleted privilege "%s"' % privilege1, + ) + ), + + + ] diff --git a/tests/test_xmlrpc/test_role_plugin.py b/tests/test_xmlrpc/test_role_plugin.py new file mode 100644 index 000000000..e739ec65e --- /dev/null +++ b/tests/test_xmlrpc/test_role_plugin.py @@ -0,0 +1,566 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# Pavel Zuna <pzuna@redhat.com> +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Test the `ipalib/plugins/role.py` module. +""" + +from ipalib import api, errors +from tests.test_xmlrpc import objectclasses +from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid + +search = u'test-role' + +role1 = u'test-role-1' +role1_dn = u'cn=%s,%s,%s' % ( + role1, api.env.container_rolegroup, api.env.basedn +) +renamedrole1 = u'test-role' + +role2 = u'test-role-2' +role2_dn = u'cn=%s,%s,%s' % ( + role2, api.env.container_rolegroup, api.env.basedn +) + +group1 = u'testgroup1' +group1_dn = u'cn=%s,%s,%s' % (group1, api.env.container_group, api.env.basedn) + +privilege1 = u'testpriv1' +privilege1_dn = u'cn=%s,%s,%s' % (privilege1, api.env.container_privilege, api.env.basedn) + + +class test_role(Declarative): + + cleanup_commands = [ + ('role_del', [role1], {}), + ('role_del', [role2], {}), + ('group_del', [group1], {}), + ('privilege_del', [privilege1], {}), + ] + + tests = [ + + dict( + desc='Try to retrieve non-existent %r' % role1, + command=('role_show', [role1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to update non-existent %r' % role1, + command=('role_mod', [role1], dict(description=u'Foo')), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to delete non-existent %r' % role1, + command=('role_del', [role1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to rename non-existent %r' % role1, + command=('role_del', [role1], dict(setattr=u'cn=%s' % renamedrole1)), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Search for non-existent %r' % role1, + command=('role_find', [role1], {}), + expected=dict( + count=0, + truncated=False, + summary=u'0 roles matched', + result=[], + ), + ), + + + dict( + desc='Create %r' % role1, + command=('role_add', [role1], + dict(description=u'role desc 1') + ), + expected=dict( + value=role1, + summary=u'Added role "%s"' % role1, + result=dict( + dn=role1_dn, + cn=[role1], + description=[u'role desc 1'], + objectclass=objectclasses.role, + ), + ), + ), + + + dict( + desc='Retrieve %r' % role1, + command=('role_show', [role1], {}), + expected=dict( + value=role1, + summary=None, + result=dict( + dn=role1_dn, + cn=[role1], + description=[u'role desc 1'], + ), + ), + ), + + + dict( + desc='Create %r' % group1, + command=( + 'group_add', [group1], dict(description=u'group desc 1', + nonposix=True,) + ), + expected=dict( + value=group1, + summary=u'Added group "testgroup1"', + result=dict( + dn=group1_dn, + cn=[group1], + description=[u'group desc 1'], + objectclass=objectclasses.group, + ipauniqueid=[fuzzy_uuid], + ), + ), + ), + + + dict( + desc='Create %r' % privilege1, + command=('privilege_add', [privilege1], + dict(description=u'privilege desc. 1') + ), + expected=dict( + value=privilege1, + summary=u'Added privilege "%s"' % privilege1, + result=dict( + dn=privilege1_dn, + cn=[privilege1], + description=[u'privilege desc. 1'], + objectclass=objectclasses.privilege, + ), + ), + ), + + + dict( + desc='Add privilege %r to role %r' % (privilege1, role1), + command=('role_add_privilege', [role1], + dict(privilege=privilege1) + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + privilege=[], + ), + ), + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'memberof_privilege': [privilege1], + } + ), + ), + + + dict( + desc='Add member %r to %r' % (group1, role1), + command=('role_add_member', [role1], dict(group=group1)), + expected=dict( + completed=1, + failed=dict( + member=dict( + user=[], + group=[], + host=[], + hostgroup=[], + ), + ), + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + } + ), + ), + + + dict( + desc='Retrieve %r to verify member-add' % role1, + command=('role_show', [role1], {}), + expected=dict( + value=role1, + summary=None, + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + ), + ), + + + dict( + desc='Search for %r' % role1, + command=('role_find', [role1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 role matched', + result=[ + { + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + ], + ), + ), + + + dict( + desc='Search for %r' % search, + command=('role_find', [search], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 role matched', + result=[ + { + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + ], + ), + ), + + + dict( + desc='Create %r' % role2, + command=('role_add', [role2], + dict(description=u'role desc 2') + ), + expected=dict( + value=role2, + summary=u'Added role "%s"' % role2, + result=dict( + dn=role2_dn, + cn=[role2], + description=[u'role desc 2'], + objectclass=objectclasses.role, + ), + ), + ), + + + dict( + desc='Search for %r' % role1, + command=('role_find', [role1], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 role matched', + result=[ + { + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + ], + ), + ), + + + dict( + desc='Search for %r' % search, + command=('role_find', [search], {}), + expected=dict( + count=2, + truncated=False, + summary=u'2 roles matched', + result=[ + { + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'role desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + { + 'dn': role2_dn, + 'cn': [role2], + 'description': [u'role desc 2'], + }, + ], + ), + ), + + + dict( + desc='Update %r' % role1, + command=( + 'role_mod', [role1], dict(description=u'New desc 1') + ), + expected=dict( + value=role1, + summary=u'Modified role "%s"' % role1, + result=dict( + cn=[role1], + description=[u'New desc 1'], + member_group=[group1], + memberof_privilege=[privilege1], + ), + ), + ), + + + dict( + desc='Retrieve %r to verify update' % role1, + command=('role_show', [role1], {}), + expected=dict( + value=role1, + summary=None, + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'New desc 1'], + 'member_group': [group1], + 'memberof_privilege': [privilege1], + }, + ), + ), + + + dict( + desc='Remove member %r from %r' % (group1, role1), + command=('role_remove_member', [role1], dict(group=group1)), + expected=dict( + completed=1, + failed=dict( + member=dict( + user=[], + group=[], + host=[], + hostgroup=[], + ), + ), + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'New desc 1'], + 'memberof_privilege': [privilege1], + }, + ), + ), + + + dict( + desc='Retrieve %r to verify member-del' % role1, + command=('role_show', [role1], {}), + expected=dict( + value=role1, + summary=None, + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'New desc 1'], + 'memberof_privilege': [privilege1], + }, + ), + ), + + + dict( + desc='Delete %r' % group1, + command=('group_del', [group1], {}), + expected=dict( + result=True, + value=group1, + summary=u'Deleted group "testgroup1"', + ) + ), + + + dict( + desc='Rename %r' % role1, + command=('role_mod', [role1], dict(setattr=u'cn=%s' % renamedrole1)), + expected=dict( + value=role1, + result=dict( + cn=[renamedrole1], + description=[u'New desc 1'], + memberof_privilege=[privilege1], + ), + summary=u'Modified role "%s"' % role1 + ) + ), + + + dict( + desc='Rename %r back' % renamedrole1, + command=('role_mod', [renamedrole1], dict(setattr=u'cn=%s' % role1)), + expected=dict( + value=renamedrole1, + result=dict( + cn=[role1], + description=[u'New desc 1'], + memberof_privilege=[privilege1], + ), + summary=u'Modified role "%s"' % renamedrole1 + ) + ), + + + dict( + desc='Remove privilege %r from role %r' % (privilege1, role1), + command=('role_remove_privilege', [role1], + dict(privilege=privilege1) + ), + expected=dict( + completed=1, + failed=dict( + member=dict( + privilege=[], + ), + ), + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'New desc 1'], + } + ), + ), + + + dict( + desc='Remove privilege %r from role %r again' % (privilege1, role1), + command=('role_remove_privilege', [role1], + dict(privilege=privilege1) + ), + expected=dict( + completed=0, + failed=dict( + member=dict( + privilege=[(u'%s' % privilege1, u'This entry is not a member'),], + ), + ), + result={ + 'dn': role1_dn, + 'cn': [role1], + 'description': [u'New desc 1'], + } + ), + ), + + + + dict( + desc='Delete %r' % role1, + command=('role_del', [role1], {}), + expected=dict( + result=True, + value=role1, + summary=u'Deleted role "%s"' % role1, + ) + ), + + + dict( + desc='Try to delete non-existent %r' % role1, + command=('role_del', [role1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to retrieve non-existent %r' % role1, + command=('role_show', [group1], {}), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Try to update non-existent %r' % role1, + command=('role_mod', [role1], dict(description=u'Foo')), + expected=errors.NotFound(reason='no such entry'), + ), + + + dict( + desc='Search for %r' % search, + command=('role_find', [search], {}), + expected=dict( + count=1, + truncated=False, + summary=u'1 role matched', + result=[ + { + 'dn': role2_dn, + 'cn': [role2], + 'description': [u'role desc 2'], + }, + ], + ), + ), + + + dict( + desc='Delete %r' % role2, + command=('role_del', [role2], {}), + expected=dict( + result=True, + value=role2, + summary=u'Deleted role "%s"' % role2, + ) + ), + + + dict( + desc='Search for %r' % search, + command=('role_find', [search], {}), + expected=dict( + count=0, + truncated=False, + summary=u'0 roles matched', + result=[], + ), + ), + + ] diff --git a/tests/test_xmlrpc/test_rolegroup_plugin.py b/tests/test_xmlrpc/test_rolegroup_plugin.py deleted file mode 100644 index 46922cd4e..000000000 --- a/tests/test_xmlrpc/test_rolegroup_plugin.py +++ /dev/null @@ -1,467 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -""" -Test the `ipalib/plugins/rolegroup.py` module. -""" - -from ipalib import api, errors -from tests.test_xmlrpc import objectclasses -from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid - -search = u'test-rolegroup' - -rolegroup1 = u'test-rolegroup-1' -rolegroup1_dn = u'cn=%s,cn=rolegroups,cn=accounts,%s' % ( - rolegroup1, api.env.basedn -) -renamedrolegroup1 = u'test-rolegroup' - -rolegroup2 = u'test-rolegroup-2' -rolegroup2_dn = u'cn=%s,cn=rolegroups,cn=accounts,%s' % ( - rolegroup2, api.env.basedn -) - -group1 = u'testgroup1' -group1_dn = u'cn=%s,cn=groups,cn=accounts,%s' % (group1, api.env.basedn) - - -class test_rolegroup(Declarative): - - cleanup_commands = [ - ('rolegroup_del', [rolegroup1], {}), - ('rolegroup_del', [rolegroup2], {}), - ('group_del', [group1], {}), - ] - - tests = [ - - dict( - desc='Try to retrieve non-existent %r' % rolegroup1, - command=('rolegroup_show', [rolegroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % rolegroup1, - command=('rolegroup_mod', [rolegroup1], dict(description=u'Foo')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to delete non-existent %r' % rolegroup1, - command=('rolegroup_del', [rolegroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to rename non-existent %r' % rolegroup1, - command=('rolegroup_del', [rolegroup1], dict(setattr=u'cn=%s' % renamedrolegroup1)), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Search for non-existent %r' % rolegroup1, - command=('rolegroup_find', [rolegroup1], {}), - expected=dict( - count=0, - truncated=False, - summary=u'0 rolegroups matched', - result=[], - ), - ), - - - dict( - desc='Create %r' % rolegroup1, - command=('rolegroup_add', [rolegroup1], - dict(description=u'rolegroup desc 1') - ), - expected=dict( - value=rolegroup1, - summary=u'Added rolegroup "test-rolegroup-1"', - result=dict( - dn=rolegroup1_dn, - cn=[rolegroup1], - description=[u'rolegroup desc 1'], - objectclass=objectclasses.rolegroup, - ), - ), - ), - - - dict( - desc='Retrieve %r' % rolegroup1, - command=('rolegroup_show', [rolegroup1], {}), - expected=dict( - value=rolegroup1, - summary=None, - result=dict( - dn=rolegroup1_dn, - cn=[rolegroup1], - description=[u'rolegroup desc 1'], - ), - ), - ), - - - dict( - desc='Create %r' % group1, - command=( - 'group_add', [group1], dict(description=u'group desc 1', - nonposix=True,) - ), - expected=dict( - value=group1, - summary=u'Added group "testgroup1"', - result=dict( - dn=group1_dn, - cn=[group1], - description=[u'group desc 1'], - objectclass=objectclasses.group, - ipauniqueid=[fuzzy_uuid], - ), - ), - ), - - - dict( - desc='Add member %r to %r' % (group1, rolegroup1), - command=('rolegroup_add_member', [rolegroup1], dict(group=group1)), - expected=dict( - completed=1, - failed=dict( - member=dict( - user=[], - group=[], - host=[], - hostgroup=[], - ), - ), - result={ - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - } - ), - ), - - - dict( - desc='Retrieve %r to verify member-add' % rolegroup1, - command=('rolegroup_show', [rolegroup1], {}), - expected=dict( - value=rolegroup1, - summary=None, - result={ - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - }, - ), - ), - - - dict( - desc='Search for %r' % rolegroup1, - command=('rolegroup_find', [rolegroup1], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 rolegroup matched', - result=[ - { - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Search for %r' % search, - command=('rolegroup_find', [search], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 rolegroup matched', - result=[ - { - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Create %r' % rolegroup2, - command=('rolegroup_add', [rolegroup2], - dict(description=u'rolegroup desc 2') - ), - expected=dict( - value=rolegroup2, - summary=u'Added rolegroup "test-rolegroup-2"', - result=dict( - dn=rolegroup2_dn, - cn=[rolegroup2], - description=[u'rolegroup desc 2'], - objectclass=objectclasses.rolegroup, - ), - ), - ), - - - dict( - desc='Search for %r' % rolegroup1, - command=('rolegroup_find', [rolegroup1], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 rolegroup matched', - result=[ - { - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Search for %r' % search, - command=('rolegroup_find', [search], {}), - expected=dict( - count=2, - truncated=False, - summary=u'2 rolegroups matched', - result=[ - { - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'rolegroup desc 1'], - 'member_group': [group1], - }, - { - 'dn': rolegroup2_dn, - 'cn': [rolegroup2], - 'description': [u'rolegroup desc 2'], - }, - ], - ), - ), - - - dict( - desc='Updated %r' % rolegroup1, - command=( - 'rolegroup_mod', [rolegroup1], dict(description=u'New desc 1') - ), - expected=dict( - value=rolegroup1, - summary=u'Modified rolegroup "test-rolegroup-1"', - result=dict( - cn=[rolegroup1], - description=[u'New desc 1'], - member_group=[group1], - ), - ), - ), - - - dict( - desc='Retrieve %r to verify update' % rolegroup1, - command=('rolegroup_show', [rolegroup1], {}), - expected=dict( - value=rolegroup1, - summary=None, - result={ - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'New desc 1'], - 'member_group': [group1], - }, - ), - ), - - - dict( - desc='Remove member %r from %r' % (group1, rolegroup1), - command=('rolegroup_remove_member', [rolegroup1], dict(group=group1)), - expected=dict( - completed=1, - failed=dict( - member=dict( - user=[], - group=[], - host=[], - hostgroup=[], - ), - ), - result={ - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'New desc 1'], - }, - ), - ), - - - dict( - desc='Retrieve %r to verify member-del' % rolegroup1, - command=('rolegroup_show', [rolegroup1], {}), - expected=dict( - value=rolegroup1, - summary=None, - result={ - 'dn': rolegroup1_dn, - 'cn': [rolegroup1], - 'description': [u'New desc 1'], - }, - ), - ), - - - dict( - desc='Delete %r' % group1, - command=('group_del', [group1], {}), - expected=dict( - result=True, - value=group1, - summary=u'Deleted group "testgroup1"', - ) - ), - - - dict( - desc='Rename %r' % rolegroup1, - command=('rolegroup_mod', [rolegroup1], dict(setattr=u'cn=%s' % renamedrolegroup1)), - expected=dict( - value=rolegroup1, - result=dict( - cn=[renamedrolegroup1], - description=[u'New desc 1'], - ), - summary=u'Modified rolegroup "%s"' % rolegroup1 - ) - ), - - - dict( - desc='Rename %r back' % renamedrolegroup1, - command=('rolegroup_mod', [renamedrolegroup1], dict(setattr=u'cn=%s' % rolegroup1)), - expected=dict( - value=renamedrolegroup1, - result=dict( - cn=[rolegroup1], - description=[u'New desc 1'], - ), - summary=u'Modified rolegroup "%s"' % renamedrolegroup1 - ) - ), - - - dict( - desc='Delete %r' % rolegroup1, - command=('rolegroup_del', [rolegroup1], {}), - expected=dict( - result=True, - value=rolegroup1, - summary=u'Deleted rolegroup "test-rolegroup-1"', - ) - ), - - - dict( - desc='Try to delete non-existent %r' % rolegroup1, - command=('rolegroup_del', [rolegroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to retrieve non-existent %r' % rolegroup1, - command=('rolegroup_show', [group1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % rolegroup1, - command=('rolegroup_mod', [rolegroup1], dict(description=u'Foo')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Search for %r' % search, - command=('rolegroup_find', [search], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 rolegroup matched', - result=[ - { - 'dn': rolegroup2_dn, - 'cn': [rolegroup2], - 'description': [u'rolegroup desc 2'], - }, - ], - ), - ), - - - dict( - desc='Delete %r' % rolegroup2, - command=('rolegroup_del', [rolegroup2], {}), - expected=dict( - result=True, - value=rolegroup2, - summary=u'Deleted rolegroup "test-rolegroup-2"', - ) - ), - - - dict( - desc='Search for %r' % search, - command=('rolegroup_find', [search], {}), - expected=dict( - count=0, - truncated=False, - summary=u'0 rolegroups matched', - result=[], - ), - ), - - ] diff --git a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py index a6b4ab2a2..564d956e2 100644 --- a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py +++ b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py @@ -430,7 +430,7 @@ class test_sudocmdgroup(Declarative): failed=dict( member=dict( sudocmdgroup=tuple(), - sudocmd=[(u'notfound', u'This entry is not a member of the group')], + sudocmd=[(u'notfound', u'This entry is not a member')], ), ), result={ diff --git a/tests/test_xmlrpc/test_taskgroup_plugin.py b/tests/test_xmlrpc/test_taskgroup_plugin.py deleted file mode 100644 index ce3166020..000000000 --- a/tests/test_xmlrpc/test_taskgroup_plugin.py +++ /dev/null @@ -1,496 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -""" -Test the `ipalib/plugins/taskgroup.py` module. -""" - -from ipalib import api, errors -from tests.test_xmlrpc import objectclasses -from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid - -search = u'test-taskgroup' - -taskgroup1 = u'test-taskgroup-1' -taskgroup1_dn = u'cn=%s,cn=taskgroups,cn=accounts,%s' % ( - taskgroup1, api.env.basedn -) -renamedtaskgroup1 = u'test-taskgroup1' - -taskgroup2 = u'test-taskgroup-2' -taskgroup2_dn = u'cn=%s,cn=taskgroups,cn=accounts,%s' % ( - taskgroup2, api.env.basedn -) - -group1 = u'testgroup1' -group1_dn = u'cn=%s,cn=groups,cn=accounts,%s' % (group1, api.env.basedn) - -rolegroup1 = u'test-rolegroup-1' -rolegroup1_dn = u'cn=%s,cn=rolegroups,cn=accounts,%s' % ( - rolegroup1, api.env.basedn -) - - -class test_taskgroup(Declarative): - - cleanup_commands = [ - ('taskgroup_del', [taskgroup1], {}), - ('taskgroup_del', [taskgroup2], {}), - ('group_del', [group1], {}), - ('rolegroup_del', [rolegroup1], {}), - ] - - tests = [ - - dict( - desc='Try to retrieve non-existent %r' % taskgroup1, - command=('taskgroup_show', [taskgroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % taskgroup1, - command=('taskgroup_mod', [taskgroup1], dict(description=u'Foo')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to delete non-existent %r' % taskgroup1, - command=('taskgroup_del', [taskgroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to rename non-existent %r' % taskgroup1, - command=('taskgroup_del', [taskgroup1], dict(setattr=u'cn=%s' % renamedtaskgroup1)), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Search for non-existent %r' % taskgroup1, - command=('taskgroup_find', [taskgroup1], {}), - expected=dict( - count=0, - truncated=False, - summary=u'0 taskgroups matched', - result=[], - ), - ), - - - dict( - desc='Create %r' % taskgroup1, - command=( - 'taskgroup_add', [taskgroup1], dict(description=u'Test desc 1') - ), - expected=dict( - value=taskgroup1, - summary=u'Added taskgroup "test-taskgroup-1"', - result=dict( - dn=taskgroup1_dn, - cn=[taskgroup1], - description=[u'Test desc 1'], - objectclass=objectclasses.taskgroup, - ), - ), - ), - - - dict( - desc='Try to create duplicate %r' % taskgroup1, - command=( - 'taskgroup_add', [taskgroup1], dict(description=u'Test desc 1') - ), - expected=errors.DuplicateEntry(), - ), - - - dict( - desc='Create %r' % rolegroup1, - command=('rolegroup_add', [rolegroup1], - dict(description=u'rolegroup desc. 1') - ), - expected=dict( - value=rolegroup1, - summary=u'Added rolegroup "test-rolegroup-1"', - result=dict( - dn=rolegroup1_dn, - cn=[rolegroup1], - description=[u'rolegroup desc. 1'], - objectclass=objectclasses.rolegroup, - ), - ), - ), - - - dict( - desc='Create %r' % group1, - command=( - 'group_add', [group1], dict(description=u'Test group desc 1', - nonposix=True,) - ), - expected=dict( - value=group1, - summary=u'Added group "testgroup1"', - result=dict( - dn=group1_dn, - cn=[group1], - description=[u'Test group desc 1'], - objectclass=objectclasses.group, - ipauniqueid=[fuzzy_uuid], - ), - ), - ), - - - dict( - desc='Add member to %r' % taskgroup1, - command=('taskgroup_add_member', [taskgroup1], - dict(rolegroup=rolegroup1, group=group1) - ), - expected=dict( - completed=2, - failed=dict( - member=dict( - rolegroup=[], - group=[], - user=[], - ), - ), - result={ - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - } - ), - ), - - - dict( - desc='Retrieve %r' % taskgroup1, - command=('taskgroup_show', [taskgroup1], {}), - expected=dict( - value=taskgroup1, - summary=None, - result={ - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - ), - ), - - - dict( - desc='Search for %r' % taskgroup1, - command=('taskgroup_find', [taskgroup1], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 taskgroup matched', - result=[ - { - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Search for %r' % search, - command=('taskgroup_find', [search], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 taskgroup matched', - result=[ - { - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Create %r' % taskgroup2, - command=( - 'taskgroup_add', [taskgroup2], dict(description=u'Test desc 2') - ), - expected=dict( - value=taskgroup2, - summary=u'Added taskgroup "test-taskgroup-2"', - result=dict( - dn=taskgroup2_dn, - cn=[taskgroup2], - description=[u'Test desc 2'], - objectclass=objectclasses.taskgroup, - ), - ), - ), - - - dict( - desc='Search for %r' % taskgroup1, - command=('taskgroup_find', [taskgroup1], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 taskgroup matched', - result=[ - { - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - ], - ), - ), - - - dict( - desc='Search for %r' % search, - command=('taskgroup_find', [search], {}), - expected=dict( - count=2, - truncated=False, - summary=u'2 taskgroups matched', - result=[ - { - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'Test desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - { - 'dn': taskgroup2_dn, - 'cn': [taskgroup2], - 'description': [u'Test desc 2'], - }, - ], - ), - ), - - - dict( - desc='Updated %r' % taskgroup1, - command=( - 'taskgroup_mod', [taskgroup1], dict(description=u'New desc 1') - ), - expected=dict( - value=taskgroup1, - summary=u'Modified taskgroup "test-taskgroup-1"', - result=dict( - cn=[taskgroup1], - description=[u'New desc 1'], - member_rolegroup=[rolegroup1], - member_group=[group1], - - ), - ), - ), - - - dict( - desc='Retrieve %r to verify update' % taskgroup1, - command=('taskgroup_show', [taskgroup1], {}), - expected=dict( - value=taskgroup1, - summary=None, - result={ - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'New desc 1'], - 'member_rolegroup': [rolegroup1], - 'member_group': [group1], - }, - ), - ), - - - dict( - desc='Remove member from %r' % taskgroup1, - command=('taskgroup_remove_member', [taskgroup1], - dict(group=group1), - ), - expected=dict( - completed=1, - failed=dict( - member=dict( - rolegroup=[], - group=[], - user=[], - ), - ), - result={ - 'dn': taskgroup1_dn, - 'cn': [taskgroup1], - 'description': [u'New desc 1'], - 'member_rolegroup': [rolegroup1], - } - ), - ), - - - dict( - desc='Rename %r' % taskgroup1, - command=('taskgroup_mod', [taskgroup1], dict(setattr=u'cn=%s' % renamedtaskgroup1)), - expected=dict( - value=taskgroup1, - result=dict( - cn=[renamedtaskgroup1], - description=[u'New desc 1'], - member_rolegroup=[u'test-rolegroup-1'], - ), - summary=u'Modified taskgroup "%s"' % taskgroup1 - ) - ), - - - dict( - desc='Rename %r back' % renamedtaskgroup1, - command=('taskgroup_mod', [renamedtaskgroup1], dict(setattr=u'cn=%s' % taskgroup1)), - expected=dict( - value=renamedtaskgroup1, - result=dict( - cn=[taskgroup1], - description=[u'New desc 1'], - member_rolegroup=[u'test-rolegroup-1'], - ), - summary=u'Modified taskgroup "%s"' % renamedtaskgroup1 - ) - ), - - - dict( - desc='Delete %r' % taskgroup1, - command=('taskgroup_del', [taskgroup1], {}), - expected=dict( - result=True, - value=taskgroup1, - summary=u'Deleted taskgroup "test-taskgroup-1"', - ) - ), - - - dict( - desc='Try to delete non-existent %r' % taskgroup1, - command=('taskgroup_del', [taskgroup1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to retrieve non-existent %r' % taskgroup1, - command=('taskgroup_show', [group1], {}), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Try to update non-existent %r' % taskgroup1, - command=('taskgroup_mod', [taskgroup1], dict(description=u'Foo')), - expected=errors.NotFound(reason='no such entry'), - ), - - - dict( - desc='Search for %r' % search, - command=('taskgroup_find', [search], {}), - expected=dict( - count=1, - truncated=False, - summary=u'1 taskgroup matched', - result=[ - { - 'dn': taskgroup2_dn, - 'cn': [taskgroup2], - 'description': [u'Test desc 2'], - }, - ], - ), - ), - - - dict( - desc='Delete %r' % taskgroup2, - command=('taskgroup_del', [taskgroup2], {}), - expected=dict( - result=True, - value=taskgroup2, - summary=u'Deleted taskgroup "test-taskgroup-2"', - ) - ), - - - dict( - desc='Search for %r' % search, - command=('taskgroup_find', [search], {}), - expected=dict( - count=0, - truncated=False, - summary=u'0 taskgroups matched', - result=[], - ), - ), - - - dict( - desc='Delete %r' % group1, - command=('group_del', [group1], {}), - expected=dict( - result=True, - value=group1, - summary=u'Deleted group "testgroup1"', - ) - ), - - - dict( - desc='Delete %r' % rolegroup1, - command=('rolegroup_del', [rolegroup1], {}), - expected=dict( - result=True, - value=rolegroup1, - summary=u'Deleted rolegroup "test-rolegroup-1"', - ) - ), - - ] diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 340963858..9849953ee 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -201,8 +201,6 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], memberof_group=[u'admins'], - memberof_rolegroup=[u'hostadmin', u'replicaadmin'], - memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], nsaccountlock=[u'False'], ), dict( @@ -237,8 +235,6 @@ class test_user(Declarative): sn=[u'Administrator'], uid=[u'admin'], memberof_group=[u'admins'], - memberof_rolegroup=[u'hostadmin', u'replicaadmin'], - memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'], nsaccountlock=[u'False'], ), ], |