# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Netgroups
A netgroup is a group used for permission checking. It can contain both
user and host values.
EXAMPLES:
Add a new netgroup:
ipa netgroup-add --desc="NFS admins" admins
Add members to the netgroup:
ipa netgroup-add-member --users=tuser1,tuser2 admins
Remove a member from the netgroup:
ipa netgroup-remove-member --users=tuser2 admins
Display information about a netgroup:
ipa netgroup-show admins
Delete a netgroup:
ipa netgroup-del admins
"""
from ipalib import api, errors
from ipalib import Str, StrEnum
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
from ipalib.plugins.hbacrule import is_all
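output_params = (
    # Output-only columns shared by the netgroup commands (each command
    # appends this tuple to its has_output_params). They carry the
    # rendered membership of an entry; the trailing '?' marks each
    # column as optional. Every label is wrapped in _() so all four are
    # translatable — previously only 'Member Host' was, while the other
    # three were plain strings, unlike the labels in netgroup.takes_params.
    Str('memberuser_user?',
        label=_('Member User'),
    ),
    Str('memberuser_group?',
        label=_('Member Group'),
    ),
    Str('memberhost_host?',
        label=_('Member Host'),
    ),
    Str('memberhost_hostgroup?',
        label=_('Member Hostgroup'),
    ),
)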
class netgroup(LDAPObject):
    """
    Netgroup object.

    Declarative description of a NIS netgroup entry: where entries are
    stored (container_dn), the objectclasses they carry, the attributes
    returned by default, and which object types each membership
    attribute may reference. The commands below (netgroup_add, _del,
    _mod, _find, _show, _add_member, _remove_member) operate on it.
    """
    container_dn = api.env.container_netgroup
    object_name = 'netgroup'
    object_name_plural = 'netgroups'
    object_class = ['ipaobject', 'ipaassociation', 'ipanisnetgroup']
    default_attributes = [
        'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
        'memberuser', 'memberhost', 'member', 'memberindirect',
        'usercategory', 'hostcategory',
    ]
    uuid_attribute = 'ipauniqueid'
    # NOTE(review): the RDN is the UUID rather than cn, so renaming a
    # netgroup presumably leaves the entry DN unchanged — confirm in
    # LDAPObject before relying on it.
    rdn_attribute = 'ipauniqueid'
    # Object types each membership attribute may point at. 'memberuser'
    # and 'memberhost' are the attributes rendered through output_params
    # (memberuser_user/_group, memberhost_host/_hostgroup).
    attribute_members = {
        'member': ['netgroup'],
        'memberof': ['netgroup'],
        'memberindirect': ['netgroup'],
        'memberuser': ['user', 'group'],
        'memberhost': ['host', 'hostgroup'],
    }
    # (label, option prefix, negated option prefix) per membership
    # attribute; presumably consumed by the search command to build its
    # --in_*/--not_in_*/--no_* options — verify against baseldap.
    relationships = {
        'member': ('Member', '', 'no_'),
        'memberof': ('Member Of', 'in_', 'not_in_'),
        'memberindirect': (
            'Indirect Member', None, 'no_indirect_'
        ),
        'memberuser': ('Member', '', 'no_'),
        'memberhost': ('Member', '', 'no_'),
    }

    label = _('Netgroups')
    label_singular = _('netgroup')

    takes_params = (
        Str('cn',
            cli_name='name',
            label=_('Netgroup name'),
            primary_key=True,
            # Names are normalized to lower case before use, so lookups
            # and comparisons elsewhere in this file also lower-case.
            normalizer=lambda value: value.lower(),
        ),
        Str('description',
            cli_name='desc',
            label=_('Description'),
            doc=_('Netgroup description'),
        ),
        Str('nisdomainname?',
            cli_name='nisdomain',
            label=_('NIS domain name'),
        ),
        Str('ipauniqueid?',
            cli_name='uuid',
            # NOTE(review): the only label here not wrapped in _();
            # looks like an omission rather than intent.
            label='IPA unique ID',
            doc=_('IPA unique ID'),
            # Read-only for clients: cannot be supplied on add or changed
            # on mod.
            flags=['no_create', 'no_update'],
        ),
        # The only accepted value is 'all'. netgroup_mod refuses to set a
        # category to 'all' while explicit memberuser/memberhost values
        # exist, so the two ways of granting membership never overlap.
        StrEnum('usercategory?',
            cli_name='usercat',
            label=_('User category'),
            doc=_('User category the rule applies to'),
            values=(u'all', ),
        ),
        StrEnum('hostcategory?',
            cli_name='hostcat',
            label=_('Host category'),
            doc=_('Host category the rule applies to'),
            values=(u'all', ),
        ),
    )
# Register the object plugin with the api.
api.register(netgroup)
class netgroup_add(LDAPCreate):
    """
    Add a new netgroup.
    """
    has_output_params = LDAPCreate.has_output_params + output_params
    msg_summary = _('Added netgroup "%(value)s"')

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """
        Apply defaults to the entry before it is written.

        The only default is 'nisdomainname': when the caller did not pass
        --nisdomain, the server's own domain (api.env.domain) is used. An
        explicitly supplied value is never overridden.

        Returns the dn unchanged.
        """
        if 'nisdomainname' not in entry_attrs:
            entry_attrs['nisdomainname'] = self.api.env.domain
        return dn
# Register the command plugin with the api.
api.register(netgroup_add)
class netgroup_del(LDAPDelete):
    """
    Delete a netgroup.

    Plain LDAPDelete with no callbacks; only the summary message is
    customised.
    """
    msg_summary = _('Deleted netgroup "%(value)s"')
# Register the command plugin with the api.
api.register(netgroup_del)
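class netgroup_mod(LDAPUpdate):
    """
    Modify a netgroup.
    """
    has_output_params = LDAPUpdate.has_output_params + output_params
    msg_summary = _('Modified netgroup "%(value)s"')

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """
        Reject a category of 'all' while explicit members exist.

        A user/host category of 'all' makes the netgroup apply to every
        user/host; combined with an explicit memberuser/memberhost list
        the effective membership would be ambiguous, so such an update is
        refused with errors.MutuallyExclusiveError.

        The stored entry is read with an explicit attribute list instead
        of the caller-supplied attrs_list, so the check no longer depends
        on which attributes the client asked to have displayed, and the
        result is bound to its own name rather than shadowing the pending
        modifications in entry_attrs.

        NOTE(review): the converse case — adding members while the
        category is already 'all' — is not checked anywhere in this
        file; confirm that baseldap or netgroup_add_member covers it.

        Returns dn unchanged.

        Raises:
            errors.MutuallyExclusiveError: 'all' requested for a category
                that already has explicit members.
        """
        # Only the two membership attributes are needed for the check.
        (dn, current) = ldap.get_entry(dn, ['memberuser', 'memberhost'])
        if is_all(options, 'usercategory') and 'memberuser' in current:
            raise errors.MutuallyExclusiveError(reason="user category cannot be set to 'all' while there are allowed users")
        if is_all(options, 'hostcategory') and 'memberhost' in current:
            raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts")
        return dn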
# Register the command plugin with the api.
api.register(netgroup_mod)
class netgroup_find(LDAPSearch):
    """
    Search for a netgroup.
    """
    member_attributes = ['member', 'memberuser', 'memberhost', 'memberof']
    has_output_params = LDAPSearch.has_output_params + output_params
    msg_summary = ngettext(
        '%(count)d netgroup matched', '%(count)d netgroups matched', 0
    )

    # Flag is not imported by name here; it presumably arrives through the
    # baseldap star import — TODO confirm.
    takes_options = LDAPSearch.takes_options + (
        Flag('private',
            cli_name='private',
            doc=_('search for private groups'),
        ),
    )

    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
        """
        Restrict the search to public or to private netgroups.

        Private netgroups are the managed entries carrying the
        'mepManagedEntry' objectclass. By default that objectclass term
        is negated (MATCH_NONE), hiding them; with --private the same
        term is required instead (MATCH_ALL), so only private netgroups
        are returned. In both cases the term is AND-ed with the filter
        the base class already built.

        Returns the (filter, base_dn, scope) triple expected by LDAPSearch.
        """
        rules = ldap.MATCH_ALL if options['private'] else ldap.MATCH_NONE
        private_term = ldap.make_filter({'objectclass': ['mepManagedEntry']}, rules=rules)
        filter = ldap.combine_filters((private_term, filter), rules=ldap.MATCH_ALL)
        return (filter, base_dn, scope)
# Register the command plugin with the api.
api.register(netgroup_find)
class netgroup_show(LDAPRetrieve):
    """
    Display information about a netgroup.

    Plain LDAPRetrieve; the only customisation is the extra output
    columns (member user/group/host/hostgroup) from output_params.
    """
    has_output_params = LDAPRetrieve.has_output_params + output_params
# Register the command plugin with the api.
api.register(netgroup_show)
class netgroup_add_member(LDAPAddMember):
    """
    Add members to a netgroup.
    """
    member_attributes = ['memberuser', 'memberhost', 'member']
    has_output_params = LDAPAddMember.has_output_params + output_params

    def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
        """
        Record failed host additions as 'externalhost' values.

        The base class lists in failed['memberhost']['host'] every host
        name it could not add as an IPA host member. This hook assumes
        each such name is a host not managed by IPA and appends it
        (lower-cased) to the entry's 'externalhost' list instead. A name
        stays in the failed list only when it is already an external
        host, or when a host entry of that name is already a memberhost.

        NOTE(review): the failure reason attached to each name is not
        inspected, so a host that failed for any other reason is also
        promoted to an external host, and no syntax check of the name is
        visible in this file. Each failed element is read as a
        (name, ...) tuple but written back as a bare string — confirm the
        base class accepts that shape when rendering the failed list.

        Returns (completed + number of hosts recorded as external, dn).
        """
        if 'memberhost' not in failed or 'host' not in failed['memberhost']:
            return (completed, dn)

        (dn, stored) = ldap.get_entry(dn, ['externalhost'])
        current_members = entry_attrs.get('memberhost', [])
        external_hosts = stored.get('externalhost', [])
        still_failed = []
        promoted = 0
        for host in failed['memberhost']['host']:
            hostname = host[0].lower()
            host_dn = self.api.Object['host'].get_dn(hostname)
            already_known = hostname in external_hosts or host_dn in current_members
            if already_known:
                still_failed.append(hostname)
            else:
                external_hosts.append(hostname)
                promoted += 1

        if promoted:
            try:
                ldap.update_entry(dn, {'externalhost': external_hosts})
            except errors.EmptyModlist:
                # The server saw no effective change; nothing to report.
                pass
        failed['memberhost']['host'] = still_failed
        entry_attrs['externalhost'] = external_hosts
        return (completed + promoted, dn)
# Register the command plugin with the api.
api.register(netgroup_add_member)
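class netgroup_remove_member(LDAPRemoveMember):
    """
    Remove members from a netgroup.
    """
    member_attributes = ['memberuser', 'memberhost', 'member']
    has_output_params = LDAPRemoveMember.has_output_params + output_params

    def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
        """
        Drop 'externalhost' values for host names the base class could not remove.

        The base class lists in failed['memberhost']['host'] every host
        name that was not a memberhost of the entry. Those present in the
        entry's 'externalhost' list are removed from it and counted as
        completed; the rest stay in the failed list.

        Two fixes relative to the earlier version, mirroring
        netgroup_add_member.post_callback: completed_external is
        initialised before the branch, so the return no longer references
        an unbound name when there were no host failures (as far as the
        original layout can be read, the initialisation sat inside the
        branch); and the fetched entry is kept in its own local
        (entry_attrs_) instead of rebinding the entry_attrs parameter, so
        the updated 'externalhost' list is written into the dict the
        caller passed in rather than into the throw-away fetched copy.

        Returns (completed + number of external hosts removed, dn).
        """
        completed_external = 0
        if 'memberhost' in failed and 'host' in failed['memberhost']:
            (dn, entry_attrs_) = ldap.get_entry(dn, ['externalhost'])
            external_hosts = entry_attrs_.get('externalhost', [])
            failed_hosts = []
            for host in failed['memberhost']['host']:
                # Names are stored lower-cased (see the cn normalizer and
                # netgroup_add_member), so compare in lower case too.
                hostname = host[0].lower()
                if hostname in external_hosts:
                    external_hosts.remove(hostname)
                    completed_external += 1
                else:
                    failed_hosts.append(hostname)
            if completed_external:
                try:
                    ldap.update_entry(dn, {'externalhost': external_hosts})
                except errors.EmptyModlist:
                    # The server saw no effective change; nothing to report.
                    pass
            failed['memberhost']['host'] = failed_hosts
            entry_attrs['externalhost'] = external_hosts
        return (completed + completed_external, dn)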
# Register the command plugin with the api.
api.register(netgroup_remove_member)