Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/krbtpolicy.py | 40 |
1 files changed, 38 insertions, 2 deletions
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a05583dfb..4ae676dc5 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -75,8 +75,44 @@ class krbtpolicy(LDAPObject):
     object_name = _('kerberos ticket policy settings')
     default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
     limit_object_classes = ['krbticketpolicyaux']
-
-    label=_('Kerberos Ticket Policy')
+    # permission_filter_objectclasses is deliberately missing,
+    # so it is not possible to create a permission of `--type krbtpolicy`.
+    # This is because we need two permissions to cover both global and per-user
+    # policies.
+    managed_permissions = {
+        'System: Read Default Kerberos Ticket Policy': {
+            'non_object': True,
+            'replaces_global_anonymous_aci': True,
+            'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+            'ipapermlocation': DN(container_dn, api.env.basedn),
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'krbdefaultencsalttypes', 'krbmaxrenewableage',
+                'krbmaxticketlife', 'krbsupportedencsalttypes',
+                'objectclass',
+            },
+            'default_privileges': {
+                'Kerberos Ticket Policy Readers',
+            },
+        },
+        'System: Read User Kerberos Ticket Policy': {
+            'non_object': True,
+            'replaces_global_anonymous_aci': True,
+            'ipapermlocation': DN(api.env.container_user, api.env.basedn),
+            'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'krbmaxrenewableage', 'krbmaxticketlife',
+            },
+            'default_privileges': {
+                'Kerberos Ticket Policy Readers',
+            },
+        },
+    }
+
+    label = _('Kerberos Ticket Policy')
     label_singular = _('Kerberos Ticket Policy')
     takes_params = (
|