authorPetr Viktorin <pviktori@redhat.com>2014-05-30 18:35:31 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-23 12:44:32 +0200
commit8a5110305fafcb6d8770ef78cdff164b8ab1bc0c (patch)
tree2a0ee72bd38f81822963d4d763062a174661a9ba /ipalib/plugins/host.py
parentac8539bd344f2309f74efc6b42bddb3a925ff20f (diff)
Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/host.py')
-rw-r--r--ipalib/plugins/host.py66
1 files changed, 66 insertions, 0 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 062db8fbb..d3911036f 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -290,6 +290,72 @@ class host(LDAPObject):
'memberof',
},
},
+ 'System: Add Hosts': {
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Add krbPrincipalName to a Host': {
+ # Allow an admin to enroll a host that has a one-time password.
+ # When a host is created with a password no krbPrincipalName is set.
+ # This will let it be added if the client ends up enrolling with
+ # an administrator instead.
+ 'ipapermright': {'write'},
+ 'ipapermtargetfilter': [
+ '(objectclass=ipahost)',
+ '(!(krbprincipalname=*))',
+ ],
+ 'ipapermdefaultattr': {'krbprincipalname'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Enroll a Host': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'objectclass', 'enrolledby'},
+ 'replaces': [
+ '(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Manage Host SSH Public Keys': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'ipasshpubkey'},
+ 'replaces': [
+ '(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Manage Host Keytab': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+ 'replaces': [
+ '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
+ 'System: Modify Hosts': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'description', 'l', 'nshardwareplatform', 'nshostlocation',
+ 'nsosversion', 'macaddress',
+ },
+ 'replaces': [
+ '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
+ 'System: Remove Hosts': {
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Host Administrators'},
+ },
}
label = _('Hosts')
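Review bot: The `'System: Modify Hosts'` entry grants write on `macaddress`, an attribute that none of the legacy ACIs listed under its `replaces` key covered, so the managed permission is wider than the ACI it supersedes and, presumably at upgrade, Host Administrators silently gain a write right they did not have before; neither the dict nor the commit message records that this widening is intended. If it is, say so next to the attribute set, e.g. `# macaddress is not in the legacy ACI; added so Host Administrators can maintain it via host-mod` — otherwise drop it from `ipapermdefaultattr` to keep the conversion 1:1. A related caveat worth a comment on `'System: Add krbPrincipalName to a Host'`: the `ipapermtargetfilter` only restricts which entries may be written (ipahost entries with no principal yet), not the principal value written, so a holder of the 'Host Enrollment' privilege can apparently set any `krbprincipalname` on an unenrolled host; noting that this behaviour is inherited from the legacy ACI rather than introduced here would help the next reviewer. The `managed_permissions` dict and `class host` both begin before this hunk.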