authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerMartin Kosek <mkosek@redhat.com>2014-04-24 14:36:41 +0200
commitd893b77fb69ef2e0aedf823e7cd82ca86a2971af (patch)
tree481f017b65e80d6ae1fdb8029c834f76502f0db5
parentaf3a4adc46368f736151c118ccb1dd0e9bb89144 (diff)
Add several managed read permissions under cn=etc
This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--install/updates/40-delegation.update7
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py79
2 files changed, 84 insertions, 2 deletions
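diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 33383038c..7f0f85124 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -461,3 +461,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Automember Readers
 default:description: Read Automember definitions
+
+dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: IPA Masters Readers
+default:description: Read list of IPA masters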
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 438767f1c..bffd9bbf4 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -68,7 +68,7 @@ The template dictionary can have the following keys:
No other keys are allowed in the template
"""
-from ipalib import errors
+from ipalib import api, errors
from ipapython.dn import DN
from ipalib.plugable import Registry
from ipalib.plugins import aci
@@ -80,7 +80,82 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
register = Registry()
-NONOBJECT_PERMISSIONS = {}
+NONOBJECT_PERMISSIONS = {
+ 'System: Read IPA Masters': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'ipaconfigstring',
+ },
+ 'default_privileges': {'IPA Masters Readers'},
+ },
+ 'System: Read DNA Configuration': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=dnasharedconfig)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'dnaHostname', 'dnaPortNum',
+ 'dnaSecurePortNum', 'dnaRemoteBindMethod', 'dnaRemoteConnProtocol',
+ 'dnaRemainingValues',
+ },
+ },
+ 'System: Read CA Renewal Information': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=pkiuser)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'usercertificate',
+ },
+ },
+ 'System: Read CA Certificate': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=pkica)'},
+ 'ipapermbindruletype': 'anonymous',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'cacertificate', 'certificaterevocationlist',
+ 'authorityrevocationlist', 'crosscertificatepair',
+ },
+ },
+ 'System: Read Replication Information': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nsds5replica)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'nsds5replicaroot', 'nsds5replicaid',
+ 'nsds5replicacleanruv', 'nsds5replicaabortcleanruv',
+ 'nsds5replicatype', 'nsds5replicabinddn', 'nsstate',
+ 'nsds5replicaname', 'nsds5flags', 'nsds5task',
+ 'nsds5replicareferral', 'nsds5replicaautoreferral',
+ 'nsds5replicapurgedelay', 'nsds5replicatombstonepurgeinterval',
+ 'nsds5replicachangecount', 'nsds5replicalegacyconsumer',
+ 'nsds5replicaprotocoltimeout', 'nsds5replicabackoffmin',
+ 'nsds5replicabackoffmax',
+ },
+ },
+ 'System: Read AD Domains': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN('cn=etc', api.env.basedn),
+ 'ipapermtarget': DN('cn=ad,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=ipantdomainattrs)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'ipantsecurityidentifier', 'ipantflatname',
+ 'ipantdomainguid', 'ipantfallbackprimarygroup',
+ },
+ },
+}
@register()
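Review bot: Every `ipapermlocation`/`ipapermtarget` value in the new NONOBJECT_PERMISSIONS table calls `DN(..., api.env.basedn)` at module import time, so importing this module before `api.env` carries `basedn` would fail with an AttributeError rather than a clear error; if the plugin loader guarantees the ordering (likely, but not visible in this hunk) a short comment at the top of the table should say so, e.g. `# NOTE: DNs are built at import time; api.env.basedn must already be set`. The 'System: Read IPA Masters' entry also relies on the 'IPA Masters Readers' privilege that install/updates/40-delegation.update adds in this same commit, and that cross-file coupling deserves a comment on the `'default_privileges'` line so the two are not changed independently. 'System: Read AD Domains' is the only entry that points `ipapermlocation` at cn=etc and narrows with a separate `ipapermtarget` of cn=ad,cn=etc instead of using the container as the location, presumably because cn=ad does not exist until a trust is configured — if that is the reason, say it inline, otherwise a reader will take it for a copy-paste slip. Finally, the attribute names in the DNA entry are mixed case ('dnaHostname', 'dnaSecurePortNum') while every other entry is lowercase; LDAP matching is case-insensitive, but lowercase throughout keeps the table consistent and greppable.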