diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-03-26 17:11:23 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-11 10:17:41 +0200 |
commit | a185d45d87539559876f7b0b4f75b904339a5b90 (patch) | |
tree | 79fa64aca6cefceab54e137d74bb48a5d74157bd | |
parent | 50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff) | |
download | freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.gz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.xz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.zip |
Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
-rw-r--r-- | install/updates/40-delegation.update | 9 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 27 | ||||
-rw-r--r-- | ipalib/plugins/privilege.py | 13 | ||||
-rw-r--r-- | ipalib/plugins/role.py | 13 |
4 files changed, 62 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 3fabdf9c7..e90819a51 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -392,3 +392,12 @@ default:ipapermissiontype: SYSTEM dn: cn=config add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)' + + +# Read privileges +dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: RBAC Readers +default:description: Read roles, privileges, permissions and ACIs diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index e2f842810..5a22acdb6 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject): # For use the complete object_class list, including 'top', so # the updater doesn't try to delete 'top' every time. object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2'] + permission_filter_objectclasses = ['ipapermission'] default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', @@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject): 'memberindirect': ['role'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Permissions': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'ipapermissiontype', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + 'ipapermdefaultattr', 'ipapermincludedattr', + 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget', + 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', + 'member', 'memberof', + }, + 'default_privileges': {'RBAC Readers'}, + }, + 'System: Read ACIs': { + # Readable ACIs are needed for reading legacy permissions. + 'non_object': True, + 'ipapermlocation': api.env.basedn, + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': {'aci'}, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Permissions') label_singular = _('Permission') diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py index 678eb2416..b65af28c2 100644 --- a/ipalib/plugins/privilege.py +++ b/ipalib/plugins/privilege.py @@ -54,6 +54,7 @@ class privilege(LDAPObject): object_name = _('privilege') object_name_plural = _('privileges') object_class = ['nestedgroup', 'groupofnames'] + permission_filter_objectclasses = ['groupofnames'] default_attributes = ['cn', 'description', 'member', 'memberof'] attribute_members = { 'member': ['role'], @@ -63,6 +64,18 @@ class privilege(LDAPObject): 'member': ['permission'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Privileges': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'member', 'memberof', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + }, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Privileges') label_singular = _('Privilege') diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py index 2837c418b..04088b82a 100644 --- a/ipalib/plugins/role.py +++ b/ipalib/plugins/role.py @@ -66,6 +66,7 @@ class role(LDAPObject): object_name = _('role') object_name_plural = _('roles') object_class = ['groupofnames', 'nestedgroup'] + permission_filter_objectclasses = ['groupofnames'] default_attributes = ['cn', 'description', 'member', 'memberof', 'memberindirect', 'memberofindirect', ] @@ -77,6 +78,18 @@ class role(LDAPObject): 'member': ['privilege'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Roles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'member', 'memberof', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + }, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Roles') label_singular = _('Role') |