author | Petr Viktorin <pviktori@redhat.com> | 2014-06-04 17:39:10 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-24 13:53:41 +0200 |
commit | 439dd7fa74de9acd920ca060788190e71eeadf2b (patch) | |
tree | e805daee5f4defc431f1880615952c7d1e28c252 /ipalib | |
parent | f8dc51860c4ec006e25314d934e530cdcdfa4dda (diff) | |
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/service.py | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 0572a0ae2..8d6a14711 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -330,6 +330,36 @@ class service(LDAPObject):
 'krbobjectreferences',
 },
 },
+ 'System: Add Services': {
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Manage Service Keytab': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+ 'replaces': [
+ '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Modify Services': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'usercertificate'},
+ 'replaces': [
+ '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
+ 'System: Remove Services': {
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'Service Administrators'},
+ },
 }
 label = _('Services') |
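Review bot: The `'System: Manage Service Keytab'` entry grants write on `krbprincipalkey` and `krblastpwdchange` to `Service Administrators` without a comment, and none of the four new entries carries a target or filter key, so their scope presumably comes from object defaults defined outside this hunk. Since writing `krbprincipalkey` amounts to replacing a service's Kerberos key, I would state the intended scope above that entry, e.g. `# Key reset for service principals; scope should match the legacy ACI target under cn=services,cn=accounts`. The `replaces` strings also differ in case from the new names (`Manage service keytab` vs `Manage Service Keytab`); if the updater matches them literally against existing ACIs, a short comment that they must stay verbatim would keep a later cleanup from leaving the old ACI in place next to the managed one. The enclosing dict of the `service` class starts before the hunk.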