authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerMartin Kosek <mkosek@redhat.com>2014-04-16 16:10:43 +0200
commitb53f2d28fdc64a99c16b6e9434911da0058c9f58 (patch)
tree99246fddf88c45774e9eccbcf9d8ab91187dcf57 /ipalib
parent6b0c6bf34435859a21936ad69d3eb984c27f9d8d (diff)
Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different subtrees: the global policy in cn=kerberos and the per-user policy in cn=users,cn=accounts. Add two permissions, one for each location. Also modify the tests so that adding new permissions in cn=users does not cause failures. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/krbtpolicy.py40
1 files changed, 38 insertions, 2 deletions
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a05583dfb..4ae676dc5 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -75,8 +75,44 @@ class krbtpolicy(LDAPObject):
object_name = _('kerberos ticket policy settings')
default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
limit_object_classes = ['krbticketpolicyaux']
-
- label=_('Kerberos Ticket Policy')
+ # permission_filter_objectclasses is deliberately missing,
+ # so it is not possible to create a permission of `--type krbtpolicy`.
+ # This is because we need two permissions to cover both global and per-user
+ # policies.
+ managed_permissions = {
+ 'System: Read Default Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbdefaultencsalttypes', 'krbmaxrenewableage',
+ 'krbmaxticketlife', 'krbsupportedencsalttypes',
+ 'objectclass',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ 'System: Read User Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN(api.env.container_user, api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbmaxrenewableage', 'krbmaxticketlife',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ }
+
+ label = _('Kerberos Ticket Policy')
label_singular = _('Kerberos Ticket Policy')
takes_params = (