authorJan Cholasta <jcholast@redhat.com>2015-09-03 09:32:11 +0200
committerPetr Vobornik <pvoborni@redhat.com>2015-09-17 14:55:54 +0200
commit0dfcf1d9db4b297791e3784588bf23cc0ac8d2ee (patch)
tree61a65fd8a8ca718f17bbce2f012cf097158c49ea /ipalib
parentd3503043c47a1adc139688776341dc86b7085448 (diff)
vault: add permissions and administrator privilege
https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/vault.py98
1 files changed, 98 insertions, 0 deletions
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index a389e2dab..b5bd50bbd 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -290,6 +290,7 @@ class vaultcontainer(LDAPObject):
object_name = _('vaultcontainer')
object_name_plural = _('vaultcontainers')
object_class = ['ipaVaultContainer']
+ permission_filter_objectclasses = ['ipaVaultContainer']
attribute_members = {
'owner': ['user', 'group', 'service'],
@@ -298,6 +299,48 @@ class vaultcontainer(LDAPObject):
label = _('Vault Containers')
label_singular = _('Vault Container')
+ managed_permissions = {
+ 'System: Read Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Add Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Delete Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'delete'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Modify Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Container Ownership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ }
+
takes_params = (
Str(
'owner_user?',
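Review bot: 'System: Modify Vault Containers' (and 'System: Modify Vaults' in the later hunk for the `vault` class) grants write on `objectclass`, which lets a holder change the entry's object classes rather than only edit `description`; if this follows the project's convention for modify permissions, a one-line comment saying so would save the next reviewer the question, otherwise `objectclass` should be dropped from `ipapermdefaultattr`. The `owner` attribute is deliberately kept out of the modify permission and reachable only through 'System: Manage Vault Container Ownership', and that split deserves a comment above `managed_permissions`, e.g. `# 'owner' is writable only via the ownership permission so it can be delegated separately from metadata edits`. `ipapermlocation` is the suffix while `ipapermtarget` is the vault container DN; whether the resulting ACI covers the container's subtree or only the container entry is not visible here and is worth confirming against how other plugins declare their managed permissions. The enclosing class continues outside the hunk.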
@@ -492,6 +535,7 @@ class vault(LDAPObject):
object_name_plural = _('vaults')
object_class = ['ipaVault']
+ permission_filter_objectclasses = ['ipaVault']
default_attributes = [
'cn',
'description',
@@ -514,6 +558,60 @@ class vault(LDAPObject):
label = _('Vaults')
label_singular = _('Vault')
+ managed_permissions = {
+ 'System: Read Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'ipavaulttype',
+ 'ipavaultsalt', 'ipavaultpublickey', 'owner', 'member',
+ 'memberuser', 'memberhost',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Add Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Delete Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'delete'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Modify Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'ipavaulttype',
+ 'ipavaultsalt', 'ipavaultpublickey',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Ownership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Membership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'member',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ }
+
takes_params = (
Str(
'cn',
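Review bot: 'System: Read Vaults' exposes `memberuser` and `memberhost` while 'System: Manage Vault Membership' writes only `member`; if those two attributes are also membership attributes of the vault (the hunk does not show the schema), they should be covered by the same write permission, or removed from the read list if the object does not carry them. 'System: Manage Vault Ownership' and 'System: Manage Vault Membership' let a holder set any principal as owner or member of any vault under the container; if retrieval of vault contents is gated on those attributes, as the names suggest but the hunk does not show, a comment on both entries stating that they are equivalent to access to every vault's contents would make the reach of the 'Vault Administrators' privilege explicit, e.g. `# owner/member gate vault access: these permissions effectively grant access to all vaults`. The enclosing class continues outside the hunk.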