-rw-r--r-- | ipalib/plugins/user.py | 17 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_managed_permissions.py | 14 |
2 files changed, 31 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56e2fe697..604502ee7 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -195,6 +195,21 @@ def check_protected_member(user, protected_group_name=u'admins'):
         raise errors.LastMemberError(key=user, label=_(u'group'),
                                      container=protected_group_name)
 
+
+def fix_addressbook_permission_bindrule(name, template, is_new,
+                                        anonymous_read_aci,
+                                        **other_options):
+    """Fix bind rule type for Read User Addressbook/IPA Attributes permission
+
+    When upgrading from an old IPA that had the global read ACI,
+    or when installing the first replica with granular read permissions,
+    we need to keep allowing anonymous access to many user attributes.
+    This fixup_function changes the bind rule type accordingly.
+    """
+    if is_new and anonymous_read_aci:
+        template['ipapermbindruletype'] = 'anonymous'
+
+
 class user(LDAPObject):
     """
     User object.
@@ -263,6 +278,7 @@ class user(LDAPObject):
                 'usersmimecertificate', 'x500uniqueidentifier', 'inetuserhttpurl',
                 'inetuserstatus',
             },
+            'fixup_function': fix_addressbook_permission_bindrule,
         },
         'System: Read User IPA Attributes': {
             'replaces_global_anonymous_aci': True,
@@ -271,6 +287,7 @@ class user(LDAPObject):
             'ipapermdefaultattr': {
                 'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
             },
+            'fixup_function': fix_addressbook_permission_bindrule,
         },
         'System: Read User Kerberos Attributes': {
             'replaces_global_anonymous_aci': True,
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 175a5bf47..72c1b131f 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
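Review bot: fix_addressbook_permission_bindrule widens a freshly created permission's bind rule to `anonymous`, which makes every attribute in the two templates it is attached to (including `ipasshpubkey` and `ipauserauthtype` from the IPA Attributes hunk) readable without authentication, and nothing in the code records that this is a deliberate compatibility choice rather than an oversight. Suggest a comment above the assignment, e.g. `# Intentionally preserves the pre-upgrade anonymous exposure granted by the legacy global read ACI; administrators who want granular access should retighten this permission's bind rule after the upgrade.`, so that the widened exposure is visible to whoever audits these permissions later. The guard `if is_new and anonymous_read_aci:` also relies on the ACI object being truthy; if ipalib.aci.ACI ever defines `__len__` or `__bool__` the fixup could silently be skipped, so `anonymous_read_aci is not None` is the unambiguous form and matches the "or None" contract described for this argument in update_managed_permissions.py.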
@@ -64,6 +64,14 @@ The template dictionary can have the following keys:
 * non_object
   - If true, no object-specific defaults are used (e.g. for
     ipapermtargetfilter, ipapermlocation).
+* fixup_function
+  - A callable that may modify the template in-place before it is applied.
+  - Called with the permission name, template dict, and keyword arguments:
+    - is_new: true if the permission was previously existing
+    - anonymous_read_aci: the legacy 'Enable Anonymous access' ACI as
+      an ipalib.aci.ACI object, or None if it does not exist
+    Extra keyword arguments must be ignored, since this list may grow
+    in the future.
 No other keys are allowed in the template
 """
@@ -313,6 +321,12 @@ class update_managed_permissions(PostUpdate):
         template = dict(template)
 
+        fixup_function = template.pop('fixup_function', None)
+        if fixup_function:
+            fixup_function(name, template,
+                           is_new=is_new,
+                           anonymous_read_aci=anonymous_read_aci)
+
         if template.pop('non_object', False):
             obj = None
|
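Review bot: The new `is_new` bullet reads "true if the permission was previously existing", which is the opposite of what the parameter name says and of how the only visible caller uses it (fix_addressbook_permission_bindrule in user.py applies the anonymous bind rule when `is_new` is set, i.e. when the permission is being created, not when it already existed). Suggest rewording to `- is_new: true if the permission did not exist before this update (it is being created now)`. The enclosing module docstring begins before this hunk.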
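Review bot: The fixup call hands the callable the full template after `dict(template)` copies it and lets it rewrite any key, including `ipapermbindruletype`, with no validation of the result before the permission is applied; the hunk therefore trusts the callable completely. That is reasonable because templates come from plugin code rather than from user input, but it should be stated so nobody later wires a user-supplied value into this path: `# fixup_function may rewrite any template key; templates originate from trusted plugin code, never from API input.` The check `if fixup_function:` would also read more precisely as `if fixup_function is not None:`, matching the `pop('fixup_function', None)` default on the line above. The enclosing method starts outside this hunk.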