summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2014-04-29 21:32:29 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-05-26 12:12:35 +0200
commit63becae88c6c270b98f0432dc474b661b82f3119 (patch)
tree42215fed49d231ae59f51848279ec88b677419db
parent993c1c8557aafb890199b1c443ebd2d895ae6ba6 (diff)
downloadfreeipa-63becae88c6c270b98f0432dc474b661b82f3119.zip
freeipa-63becae88c6c270b98f0432dc474b661b82f3119.tar.gz
freeipa-63becae88c6c270b98f0432dc474b661b82f3119.tar.xz
Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipalib/plugins/user.py17
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py14
2 files changed, 31 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56e2fe6..604502e 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -195,6 +195,21 @@ def check_protected_member(user, protected_group_name=u'admins'):
raise errors.LastMemberError(key=user, label=_(u'group'),
container=protected_group_name)
+
+def fix_addressbook_permission_bindrule(name, template, is_new,
+ anonymous_read_aci,
+ **other_options):
+ """Fix bind rule type for Read User Addressbook/IPA Attributes permission
+
+ When upgrading from an old IPA that had the global read ACI,
+ or when installing the first replica with granular read permissions,
+ we need to keep allowing anonymous access to many user attributes.
+ This fixup_function changes the bind rule type accordingly.
+ """
+ if is_new and anonymous_read_aci:
+ template['ipapermbindruletype'] = 'anonymous'
+
+
class user(LDAPObject):
"""
User object.
@@ -263,6 +278,7 @@ class user(LDAPObject):
'usersmimecertificate', 'x500uniqueidentifier',
'inetuserhttpurl', 'inetuserstatus',
},
+ 'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User IPA Attributes': {
'replaces_global_anonymous_aci': True,
@@ -271,6 +287,7 @@ class user(LDAPObject):
'ipapermdefaultattr': {
'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
},
+ 'fixup_function': fix_addressbook_permission_bindrule,
},
'System: Read User Kerberos Attributes': {
'replaces_global_anonymous_aci': True,
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 175a5bf..72c1b13 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -64,6 +64,14 @@ The template dictionary can have the following keys:
* non_object
- If true, no object-specific defaults are used (e.g. for
ipapermtargetfilter, ipapermlocation).
+* fixup_function
+ - A callable that may modify the template in-place before it is applied.
+ - Called with the permission name, template dict, and keyword arguments:
+ - is_new: true if the permission was previously existing
+ - anonymous_read_aci: the legacy 'Enable Anonymous access' ACI as
+ an ipalib.aci.ACI object, or None if it does not exist
+ Extra keyword arguments must be ignored, since this list may grow
+ in the future.
No other keys are allowed in the template
"""
@@ -313,6 +321,12 @@ class update_managed_permissions(PostUpdate):
template = dict(template)
+ fixup_function = template.pop('fixup_function', None)
+ if fixup_function:
+ fixup_function(name, template,
+ is_new=is_new,
+ anonymous_read_aci=anonymous_read_aci)
+
if template.pop('non_object', False):
obj = None