authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerMartin Kosek <mkosek@redhat.com>2014-04-11 10:17:41 +0200
commita185d45d87539559876f7b0b4f75b904339a5b90 (patch)
tree79fa64aca6cefceab54e137d74bb48a5d74157bd
parent50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff)
Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions. Also add a permission to read ACIs, which is required for legacy permissions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
-rw-r--r--install/updates/40-delegation.update9
-rw-r--r--ipalib/plugins/permission.py27
-rw-r--r--ipalib/plugins/privilege.py13
-rw-r--r--ipalib/plugins/role.py13
4 files changed, 62 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 3fabdf9c7..e90819a51 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -392,3 +392,12 @@ default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
+
+
+# Read privileges
+dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: RBAC Readers
+default:description: Read roles, privileges, permissions and ACIs
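Review bot: The privilege name `RBAC Readers` defined here is matched by string literal in the `default_privileges` sets of permission.py, privilege.py and role.py, and nothing ties the two sides together; a rename on either side would silently leave the managed permissions without a privilege. A comment on the new entry, `# Name is referenced by default_privileges in permission.py, privilege.py and role.py; keep in sync`, would make the coupling visible. The description already lists ACIs, which is worth keeping since this privilege grants read of access-control rules, not only of RBAC entries.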
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f842810..5a22acdb6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
# For use the complete object_class list, including 'top', so
# the updater doesn't try to delete 'top' every time.
object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+ permission_filter_objectclasses = ['ipapermission']
default_attributes = ['cn', 'member', 'memberof',
'memberindirect', 'ipapermissiontype', 'objectclass',
'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
'memberindirect': ['role'],
}
rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Permissions': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'ipapermissiontype',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'ipapermdefaultattr', 'ipapermincludedattr',
+ 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+ 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+ 'member', 'memberof',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ 'System: Read ACIs': {
+ # Readable ACIs are needed for reading legacy permissions.
+ 'non_object': True,
+ 'ipapermlocation': api.env.basedn,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'aci'},
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
label = _('Permissions')
label_singular = _('Permission')
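Review bot: The comment on `System: Read ACIs` should state the scope it grants: with `'non_object': True` and `'ipapermlocation': api.env.basedn` this permission exposes the `aci` attribute on every entry under the suffix, not only on permission entries, so a member of RBAC Readers can read the directory's entire access-control policy. Suggest `# Grants read of 'aci' on the whole suffix (non_object + basedn), not just permission entries; needed to resolve legacy permissions.` Separately, `api.env.basedn` is evaluated while the class body executes, i.e. at module import, so the plugin relies on `api.env` being finalized before this module is loaded; presumably plugin loading guarantees that, but a short comment noting the ordering dependency would help the next reader. The enclosing class `permission` starts before this hunk and continues after it.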
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 678eb2416..b65af28c2 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -54,6 +54,7 @@ class privilege(LDAPObject):
object_name = _('privilege')
object_name_plural = _('privileges')
object_class = ['nestedgroup', 'groupofnames']
+ permission_filter_objectclasses = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof']
attribute_members = {
'member': ['role'],
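Review bot: `permission_filter_objectclasses = ['groupofnames']` does not single out privileges, because role.py sets the same value and permission.py's `object_class` also contains `groupofnames`; the effective scope of the managed read permission therefore rests on the entry location (presumably the object's container DN, which is not visible in this hunk) rather than on the objectclass filter. A one-line comment such as `# groupofnames is shared with roles and permissions; the read ACI is scoped by container, not by this filter` would record that assumption. The same note applies to the corresponding line in role.py. The class `privilege` continues outside the hunk.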
@@ -63,6 +64,18 @@ class privilege(LDAPObject):
'member': ['permission'],
}
rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Privileges': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'member', 'memberof',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
label = _('Privileges')
label_singular = _('Privilege')
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index 2837c418b..04088b82a 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -66,6 +66,7 @@ class role(LDAPObject):
object_name = _('role')
object_name_plural = _('roles')
object_class = ['groupofnames', 'nestedgroup']
+ permission_filter_objectclasses = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof',
'memberindirect', 'memberofindirect',
]
@@ -77,6 +78,18 @@ class role(LDAPObject):
'member': ['privilege'],
}
rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Roles': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'member', 'memberof',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
label = _('Roles')
label_singular = _('Role')