author | Petr Viktorin <pviktori@redhat.com> | 2014-01-03 12:01:42 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-02-12 17:11:17 +0100 |
commit | 419f3ad62728e12ecf7c3a25211397a5615960b9 (patch) | |
tree | 69927505708fb08faa96006cfe40aaa01b4c3819 /ipalib/plugins/permission.py | |
parent | 9ae2696a858e9b928436ea68180e1234ffd44ff0 (diff) | |
Permission plugin fixes
- Fix i18n for plugin docstring
- Fix error when the aci attribute is not present on an entry
- Fix error when raising exception for ACI not found
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 66aab459e..d8ca78f70 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -32,27 +32,27 @@ from ipalib.request import context
 __doc__ = _(""" Permissions
-""" + """
+""") + _("""
 A permission enables fine-grained delegation of rights. A permission is a human-readable wrapper around a 389-ds Access Control Rule, or instruction (ACI). A permission grants the right to perform a specific task such as adding a user, modifying a group, etc.
-""" + """
+""") + _("""
 A permission may not contain other permissions.
-""" + """
+""") + _("""
 * A permission grants access to read, write, add, delete, read, search, or compare. * A privilege combines similar permissions (for example all the permissions needed to add a user). * A role grants a set of privileges to users, groups, hosts or hostgroups.
-""" + """
+""") + _("""
 A permission is made up of a number of different parts: 1. The name of the permission. 2. The target of the permission. 3. The rights granted by the permission.
-""" + """
+""") + _("""
 Rights define what operations are allowed, and may be one or more of the following: 1. write - write one or more attributes 
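Review bot: The rights bullet inside the fourth `_()` fragment lists `read` twice ("read, write, add, delete, read, search, or compare"), and this hunk turns that sentence into its own translatable msgid, so the duplication will be copied into every .po file once strings are extracted. The enumerated list further down the docstring names the rights as write, read, search, compare, add, delete and all, so the bullet should match it; `* A permission grants access to read, write, add, delete, search, or compare.` is the minimal fix. This is user-facing `ipa help permission` text, so it is worth correcting in the same commit rather than after translators have picked it up.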
@@ -62,28 +62,28 @@ of the following: 5. add - add a new entry to the tree 6. delete - delete an existing entry 7. all - all permissions are granted
-""" + """
+""") + _("""
 Note the distinction between attributes and entries. The permissions are independent, so being able to add a user does not mean that the user will be editable.
-""" + """
+""") + _("""
 There are a number of allowed targets: 1. subtree: a DN; the permission applies to the subtree under this DN 2. target filter: an LDAP filter 3. target: DN with possible wildcards, specifies entries permission applies to
-""" + """
+""") + _("""
 Additionally, there are the following convenience options. Setting one of these options will set the corresponding attribute(s). 1. type: a type of object (user, group, etc); sets subtree and target filter. 2. memberof: apply to members of a group; sets target filter 3. targetgroup: grant access to modify a specific group (such as granting the rights to manage group membership); sets target.
-""" + """
+""") + _("""
 EXAMPLES:
-""" + """
+""") + _("""
 Add a permission that grants the creation of users: ipa permission-add --type=user --permissions=add "Add Users"
-""" + """
+""") + _("""
 Add a permission that grants the ability to manage group membership: ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" """)
@@ -421,7 +421,7 @@ class permission(baseldap.LDAPObject):
 acientry['aci'].remove(acistring)
 if new_acistring:
 self.log.debug('Adding ACI %r to %s' % (new_acistring, acidn))
- acientry['aci'].append(new_acistring)
+ acientry.setdefault('aci', []).append(new_acistring)
 try:
 ldap.update_entry(acientry)
 except errors.EmptyModlist:
@@ -742,7 +742,8 @@ class permission_del(baseldap.LDAPDelete):
 try:
 self.obj.remove_aci(entry)
 except errors.NotFound:
- errors.NotFound('ACI of permission %s was not found' % keys[0])
+ errors.NotFound(
+ reason=_('ACI of permission %s was not found') % keys[0])
 return dn |
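Review bot: The `setdefault('aci', [])` fix in the `-421,7` hunk covers only the append path; the first context line, `acientry['aci'].remove(acistring)`, still subscripts `'aci'` directly, so whether the missing-attribute error this commit addresses is also closed on the removal path depends on the guard around that line, which sits above the hunk and is not visible here. If that guard does not already test against `acientry.get('aci', [])`, the same failure remains for an entry with no `aci` attribute; `if acistring in acientry.get('aci', []):` would close it. The enclosing method starts before the hunk and its `try`/`except errors.EmptyModlist:` block continues past it.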
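Review bot: In the `-742,7` hunk the new `errors.NotFound(reason=...)` expression is constructed but never raised, so the `except errors.NotFound:` branch still swallows the error and the method falls through to `return dn`, reporting a successful delete even though the permission's ACI could not be located. The commit message says it fixes "raising" the exception, but as written the statement is dead code; if the intent is to fail, it needs `raise errors.NotFound(reason=_('ACI of permission %s was not found') % keys[0])`. If a missing ACI is deliberately tolerated on delete, that should be made explicit with a `self.log.warning(...)` (or at least a comment) and `pass` rather than an exception object that is built and discarded, because silently ignoring it hides drift between permission entries and the live ACI set. The enclosing method and the `entry` variable it uses are defined outside the hunk.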