Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 27 | ||||
-rw-r--r-- | ipalib/plugins/privilege.py | 13 | ||||
-rw-r--r-- | ipalib/plugins/role.py | 13 |
3 files changed, 53 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e2f842810..5a22acdb6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
 # For use the complete object_class list, including 'top', so
 # the updater doesn't try to delete 'top' every time.
 object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+ permission_filter_objectclasses = ['ipapermission']
 default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
 'memberindirect': ['role'],
 }
 rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Permissions': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'ipapermissiontype',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ 'ipapermdefaultattr', 'ipapermincludedattr',
+ 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+ 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+ 'member', 'memberof',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ 'System: Read ACIs': {
+ # Readable ACIs are needed for reading legacy permissions.
+ 'non_object': True,
+ 'ipapermlocation': api.env.basedn,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {'aci'},
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
 label = _('Permissions')
 label_singular = _('Permission')
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 678eb2416..b65af28c2 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
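Review bot: The new class attribute `permission_filter_objectclasses = ['ipapermission']` in the @@ -170,6 hunk is undocumented, and nothing in this diff shows what consumes it; the name suggests it is the objectclass list used to build the target filter of the managed permissions declared below, but that is an inference. Since the list is deliberately narrower than `object_class` (it omits 'ipapermissionv2', so presumably the filter is meant to match legacy permission entries too), a comment stating the intent would stop a later maintainer from "fixing" it to the full list: `# Objectclasses used in the targetfilter of this object's managed permissions; 'ipapermission' alone so legacy (v1) entries match as well`. The same undocumented attribute is added in privilege.py (@@ -54,6) and role.py (@@ -66,6). The enclosing class body starts and ends outside the hunk.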
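Review bot: The 'System: Read ACIs' entry in the @@ -181,6 hunk grants read/search/compare on the `aci` attribute with `'non_object': True` and `'ipapermlocation': api.env.basedn`, i.e. suffix-wide with no objectclass filter, so every ACI in the directory becomes readable to holders of 'RBAC Readers', not only the ACIs on permission entries; the existing one-line comment gives the reason but not this scope. I would extend it to `# Readable ACIs are needed for reading legacy permissions. This is a suffix-wide grant on 'aci' (no target filter): every entry's ACIs become readable to RBAC Readers.` so the breadth is a visible design decision. Note also that `api.env.basedn` is evaluated when the class body executes at import, which only works if `api.env` is finalized by then — the other entries here rely on the object's default location instead, so it is worth confirming this ordering holds for every importer of the plugin. The `permission` class continues outside the hunk.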
@@ -54,6 +54,7 @@ class privilege(LDAPObject):
 object_name = _('privilege')
 object_name_plural = _('privileges')
 object_class = ['nestedgroup', 'groupofnames']
+ permission_filter_objectclasses = ['groupofnames']
 default_attributes = ['cn', 'description', 'member', 'memberof']
 attribute_members = {
 'member': ['role'],
@@ -63,6 +64,18 @@ class privilege(LDAPObject):
 'member': ['permission'],
 }
 rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Privileges': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'member', 'memberof',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
 label = _('Privileges')
 label_singular = _('Privilege')
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index 2837c418b..04088b82a 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -66,6 +66,7 @@ class role(LDAPObject):
 object_name = _('role')
 object_name_plural = _('roles')
 object_class = ['groupofnames', 'nestedgroup']
+ permission_filter_objectclasses = ['groupofnames']
 default_attributes = ['cn', 'description', 'member', 'memberof', 'memberindirect', 'memberofindirect', ]
@@ -77,6 +78,18 @@ class role(LDAPObject):
 'member': ['privilege'],
 }
 rdn_is_primary_key = True
+ managed_permissions = {
+ 'System: Read Roles': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'member', 'memberof',
+ 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ 'default_privileges': {'RBAC Readers'},
+ },
+ }
 label = _('Roles')
 label_singular = _('Role') |
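Review bot: In the @@ -63,6 hunk the 'System: Read Privileges' entry combines `'replaces_global_anonymous_aci': True` with `'default_privileges': {'RBAC Readers'}`, but nothing in this diff defines or provisions an 'RBAC Readers' privilege; if the anonymous ACI is dropped before that privilege exists (presumably the managed-permission update creates it, but that is not visible here), read access to privilege entries is withdrawn from everyone except the directory manager with no replacement grant. Since this dict is declarative, I would record the dependency next to it: `# Read access moves from anonymous to the 'RBAC Readers' privilege; that privilege must exist when the anonymous ACI is replaced.` The identical pattern appears in 'System: Read Roles' in role.py (@@ -77,6). The enclosing class bodies start and end outside the hunks.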