diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-03-26 17:11:23 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-11 10:17:41 +0200 |
commit | a185d45d87539559876f7b0b4f75b904339a5b90 (patch) | |
tree | 79fa64aca6cefceab54e137d74bb48a5d74157bd /ipalib | |
parent | 50c7f3b2366aa48a966a958a7f95941c917ad3fa (diff) | |
download | freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.gz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.tar.xz freeipa-a185d45d87539559876f7b0b4f75b904339a5b90.zip |
Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 27 | ||||
-rw-r--r-- | ipalib/plugins/privilege.py | 13 | ||||
-rw-r--r-- | ipalib/plugins/role.py | 13 |
3 files changed, 53 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index e2f842810..5a22acdb6 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject): # For use the complete object_class list, including 'top', so # the updater doesn't try to delete 'top' every time. object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2'] + permission_filter_objectclasses = ['ipapermission'] default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', @@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject): 'memberindirect': ['role'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Permissions': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'ipapermissiontype', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + 'ipapermdefaultattr', 'ipapermincludedattr', + 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget', + 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', + 'member', 'memberof', + }, + 'default_privileges': {'RBAC Readers'}, + }, + 'System: Read ACIs': { + # Readable ACIs are needed for reading legacy permissions. + 'non_object': True, + 'ipapermlocation': api.env.basedn, + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': {'aci'}, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Permissions') label_singular = _('Permission') diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py index 678eb2416..b65af28c2 100644 --- a/ipalib/plugins/privilege.py +++ b/ipalib/plugins/privilege.py @@ -54,6 +54,7 @@ class privilege(LDAPObject): object_name = _('privilege') object_name_plural = _('privileges') object_class = ['nestedgroup', 'groupofnames'] + permission_filter_objectclasses = ['groupofnames'] default_attributes = ['cn', 'description', 'member', 'memberof'] attribute_members = { 'member': ['role'], @@ -63,6 +64,18 @@ class privilege(LDAPObject): 'member': ['permission'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Privileges': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'member', 'memberof', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + }, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Privileges') label_singular = _('Privilege') diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py index 2837c418b..04088b82a 100644 --- a/ipalib/plugins/role.py +++ b/ipalib/plugins/role.py @@ -66,6 +66,7 @@ class role(LDAPObject): object_name = _('role') object_name_plural = _('roles') object_class = ['groupofnames', 'nestedgroup'] + permission_filter_objectclasses = ['groupofnames'] default_attributes = ['cn', 'description', 'member', 'memberof', 'memberindirect', 'memberofindirect', ] @@ -77,6 +78,18 @@ class role(LDAPObject): 'member': ['privilege'], } rdn_is_primary_key = True + managed_permissions = { + 'System: Read Roles': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'permission', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'businesscategory', 'cn', 'description', 'member', 'memberof', + 'o', 'objectclass', 'ou', 'owner', 'seealso', + }, + 'default_privileges': {'RBAC Readers'}, + }, + } label = _('Roles') label_singular = _('Role') |