-rw-r--r--install/updates/40-delegation.update7
-rw-r--r--ipalib/plugins/krbtpolicy.py40
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py39
3 files changed, 81 insertions, 5 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 27e605789..6ab849bf8 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -408,3 +408,10 @@ default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Readers
default:description: Read password policies
+
+dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Kerberos Ticket Policy Readers
+default:description: Read global and per-user Kerberos ticket policy
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a05583dfb..4ae676dc5 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -75,8 +75,44 @@ class krbtpolicy(LDAPObject):
object_name = _('kerberos ticket policy settings')
default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
limit_object_classes = ['krbticketpolicyaux']
-
- label=_('Kerberos Ticket Policy')
+ # permission_filter_objectclasses is deliberately missing,
+ # so it is not possible to create a permission of `--type krbtpolicy`.
+ # This is because we need two permissions to cover both global and per-user
+ # policies.
+ managed_permissions = {
+ 'System: Read Default Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbdefaultencsalttypes', 'krbmaxrenewableage',
+ 'krbmaxticketlife', 'krbsupportedencsalttypes',
+ 'objectclass',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ 'System: Read User Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN(api.env.container_user, api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbmaxrenewableage', 'krbmaxticketlife',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ }
+
+ label = _('Kerberos Ticket Policy')
label_singular = _('Kerberos Ticket Policy')
takes_params = (
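Review bot: Both managed permissions set `'replaces_global_anonymous_aci': True` (L42, L58), so once this update is applied anonymous and unprivileged binds lose read access to the default and per-user ticket policy, yet the class comment at L35-38 only explains why there are two permissions and says nothing about that access tightening. I would extend that comment with `# Both permissions replace the former global anonymous read ACI: after this update the ticket policy is readable only via the 'Kerberos Ticket Policy Readers' privilege (or an admin), so callers of krbtpolicy-show need that privilege.` so the next maintainer sees the change of exposure is intentional and knows where to look if a client that read the policy anonymously breaks. The per-user permission omits `objectclass` from `ipapermdefaultattr` (L63-65) while the default-policy one includes it (L50); if that is because another user read permission already covers objectclass, a one-line comment saying so would keep the two dicts from looking inconsistent. `container_dn` at L44 is evaluated as a bare name at class-definition time, so it has to be a class attribute defined earlier in `krbtpolicy`; that definition, the class header's neighbours and the rest of `takes_params` lie outside the hunk.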
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index d593dd986..54e8d57dd 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -100,6 +100,7 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
etc_dn = DN('cn=etc', api.env.basedn)
nonexistent_dn = DN('cn=does not exist', api.env.basedn)
+admin_dn = DN('uid=admin', users_dn)
def verify_permission_aci(name, dn, acistring):
@@ -1117,9 +1118,42 @@ class test_permission(Declarative):
),
dict(
+ desc='Change subtree of %r to admin' % permission1_renamed_ucase,
+ command=(
+ 'permission_mod', [permission1_renamed_ucase],
+ dict(ipapermlocation=admin_dn)
+ ),
+ expected=dict(
+ value=permission1_renamed_ucase,
+ summary=u'Modified permission "%s"' % permission1_renamed_ucase,
+ result=dict(
+ dn=permission1_renamed_ucase_dn,
+ cn=[permission1_renamed_ucase],
+ objectclass=objectclasses.permission,
+ member_privilege=[privilege1],
+ ipapermlocation=[admin_dn],
+ ipapermright=[u'write'],
+ memberof=[u'ipausers'],
+ attrs=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, admin_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
+ dict(
desc='Search for %r using --subtree' % permission1_renamed_ucase,
command=('permission_find', [],
- {'ipapermlocation': u'ldap:///%s' % users_dn}),
+ {'ipapermlocation': u'ldap:///%s' % admin_dn}),
expected=dict(
count=1,
truncated=False,
@@ -1130,13 +1164,12 @@ class test_permission(Declarative):
'cn':[permission1_renamed_ucase],
'objectclass': objectclasses.permission,
'member_privilege':[privilege1],
- 'ipapermlocation': [users_dn],
+ 'ipapermlocation': [admin_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
- 'ipapermlocation': [users_dn],
},
],
),