authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-05-26 12:12:35 +0200
commit791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f (patch)
tree7fe364b14b3c34ed7cd63b2c3101032993d498e3
parentdb7d0219bac72daa270ee28d5db5c18ea41fb8b1 (diff)
downloadfreeipa-791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f.tar.gz
freeipa-791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f.tar.xz
freeipa-791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f.zip
Add managed read permissions to user
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipalib/plugins/user.py70
1 files changed, 70 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d9c7c6c85..56e2fe697 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -233,6 +233,76 @@ class user(LDAPObject):
bindable = True
password_attributes = [('userpassword', 'has_password'),
('krbprincipalkey', 'has_keytab')]
+ managed_permissions = {
+ 'System: Read User Standard Attributes': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'anonymous',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'sn', 'description', 'title', 'uid',
+ 'displayname', 'givenname', 'initials', 'manager', 'gecos',
+ 'gidnumber', 'homedirectory', 'loginshell', 'uidnumber'
+ },
+ },
+ 'System: Read User Addressbook Attributes': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'seealso', 'telephonenumber',
+ 'fax', 'l', 'ou', 'st', 'postalcode', 'street',
+ 'destinationindicator', 'internationalisdnnumber',
+ 'physicaldeliveryofficename', 'postaladdress', 'postofficebox',
+ 'preferreddeliverymethod', 'registeredaddress',
+ 'teletexterminalidentifier', 'telexnumber', 'x121address',
+ 'carlicense', 'departmentnumber', 'employeenumber',
+ 'employeetype', 'preferredlanguage', 'mail', 'mobile', 'pager',
+ 'audio', 'businesscategory', 'homephone', 'homepostaladdress',
+ 'jpegphoto', 'labeleduri', 'o', 'photo', 'roomnumber',
+ 'secretary', 'usercertificate',
+ 'usersmimecertificate', 'x500uniqueidentifier',
+ 'inetuserhttpurl', 'inetuserstatus',
+ },
+ },
+ 'System: Read User IPA Attributes': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
+ },
+ },
+ 'System: Read User Kerberos Attributes': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases',
+ 'krbprincipalexpiration', 'krbpasswordexpiration',
+ 'krblastpwdchange', 'nsaccountlock', 'krbprincipaltype',
+ },
+ },
+ 'System: Read User Kerberos Login Attributes': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krblastsuccessfulauth', 'krblastfailedauth',
+ 'krblastpwdchange', 'krblastadminunlock',
+ 'krbloginfailedcount', 'krbpwdpolicyreference',
+ 'krbticketpolicyreference', 'krbupenabled',
+ },
+ 'default_privileges': {'User Administrators'},
+ },
+ 'System: Read User Membership': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'memberof',
+ },
+ },
+ }
label = _('Users')
label_singular = _('User')
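Review bot: `'krblastpwdchange'` is listed twice in the new `managed_permissions` dict: in `'System: Read User Kerberos Attributes'` (bind rule `'all'`) and again in the privilege-gated `'System: Read User Kerberos Login Attributes'`, so the broader grant makes the gated one ineffective for that attribute and obscures which permission actually governs it. If it belongs with the other login-tracking attributes (`krblastsuccessfulauth`, `krblastfailedauth`, `krbloginfailedcount`) restricted to `'User Administrators'`, remove it from the `'all'` set; if it is meant to be broadly readable, remove it from the gated set instead. A short comment above the dict recording what `'anonymous'`, `'all'` and `'permission'` mean for `ipapermbindruletype` (presumably unauthenticated, any authenticated bind, and explicit privilege — confirm against the permission plugin) would also help future reviewers judge the addressbook set, which exposes `mail`, phone numbers, postal addresses and photo attributes under `'all'`. The `user` class body continues outside the hunk.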