Added CLI param and ACL for vault service operations.

The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.

A new ACL has been added to allow a service to create its own
service container.

https://fedorahosted.org/freeipa/ticket/5172

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Endi S. Dewata 2015-08-11 08:19:59 +02:00 committed by Jan Cholasta
parent 6fa14fd21e
commit 0dd95a19ee
4 changed files with 94 additions and 100 deletions

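--- a/API.txt
+++ b/API.txt
@@ -5434,13 +5434,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_add_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5449,13 +5450,14 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5547,13 +5549,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5562,13 +5565,14 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')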


@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# # # #
######################################################## ########################################################
IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=148 IPA_API_VERSION_MINOR=149
# Last change: ftweedal - add --out option to user-show # Last change: edewata - Added CLI param and ACL for vault service operations


@ -8,6 +8,7 @@ default: objectClass: top
default: objectClass: ipaVaultContainer default: objectClass: ipaVaultContainer
default: cn: vaults default: cn: vaults
default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
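Review bot: The new "Allow services to create private container" ACI, like the user ACI directly above it, grants `add` on `cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX` with no targetfilter, so nothing in the rule itself restricts the entry a service creates at its own container DN to an `ipaVaultContainer`; adding `(targetfilter="(objectClass=ipaVaultContainer)")` to the new rule (and, in a follow-up, to the user rule) would pin the self-created entry to the expected object class. The bind-DN macro `krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX` correctly ties the permitted target cn to the bound principal, which is the right self-service restriction, but it assumes the container cn holds the principal name without the realm suffix — the plugin code that builds this DN is not in this commit, so that should be confirmed against it. Management of vaults inside the container still comes only from the owner/member ACIs below, so no change to those rules seems needed here.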


@ -44,7 +44,7 @@ from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\ LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
pkey_to_value LDAPModMember, pkey_to_value
from ipalib.request import context from ipalib.request import context
from ipalib.plugins.user import split_principal from ipalib.plugins.user import split_principal
from ipalib import _, ngettext from ipalib import _, ngettext
@ -93,122 +93,91 @@ The secret can only be retrieved using the private key.
""") + _(""" """) + _("""
EXAMPLES: EXAMPLES:
""") + _(""" """) + _("""
List private vaults: List vaults:
ipa vault-find ipa vault-find
[--user <user>|--service <service>|--shared]
""") + _(""" """) + _("""
List service vaults: Add a standard vault:
ipa vault-find --service <service name>
""") + _("""
List shared vaults:
ipa vault-find --shared
""") + _("""
List user vaults:
ipa vault-find --user <username>
""") + _("""
Add a private vault:
ipa vault-add <name> ipa vault-add <name>
""") + _(""" [--user <user>|--service <service>|--shared]
Add a service vault:
ipa vault-add <name> --service <service name>
""") + _("""
Add a shared vault:
ipa vault-add <name> --shared
""") + _("""
Add a user vault:
ipa vault-add <name> --user <username>
""") + _(""" """) + _("""
Add a symmetric vault: Add a symmetric vault:
ipa vault-add <name> --type symmetric --password-file password.txt ipa vault-add <name>
[--user <user>|--service <service>|--shared]
--type symmetric --password-file password.txt
""") + _(""" """) + _("""
Add an asymmetric vault: Add an asymmetric vault:
ipa vault-add <name> --type asymmetric --public-key-file public.pem ipa vault-add <name>
[--user <user>|--service <service>|--shared]
--type asymmetric --public-key-file public.pem
""") + _(""" """) + _("""
Show a private vault: Show a vault:
ipa vault-show <name> ipa vault-show <name>
[--user <user>|--service <service>|--shared]
""") + _(""" """) + _("""
Show a service vault: Modify a vault:
ipa vault-show <name> --service <service name> ipa vault-mod <name>
[--user <user>|--service <service>|--shared]
--desc <description>
""") + _(""" """) + _("""
Show a shared vault: Delete a vault:
ipa vault-show <name> --shared
""") + _("""
Show a user vault:
ipa vault-show <name> --user <username>
""") + _("""
Modify a private vault:
ipa vault-mod <name> --desc <description>
""") + _("""
Modify a service vault:
ipa vault-mod <name> --service <service name> --desc <description>
""") + _("""
Modify a shared vault:
ipa vault-mod <name> --shared --desc <description>
""") + _("""
Modify a user vault:
ipa vault-mod <name> --user <username> --desc <description>
""") + _("""
Delete a private vault:
ipa vault-del <name> ipa vault-del <name>
""") + _(""" [--user <user>|--service <service>|--shared]
Delete a service vault:
ipa vault-del <name> --service <service name>
""") + _("""
Delete a shared vault:
ipa vault-del <name> --shared
""") + _("""
Delete a user vault:
ipa vault-del <name> --user <username>
""") + _(""" """) + _("""
Display vault configuration: Display vault configuration:
ipa vaultconfig-show ipa vaultconfig-show
""") + _(""" """) + _("""
Archive data into private vault: Archive data into standard vault:
ipa vault-archive <name> --in <input file> ipa vault-archive <name>
""") + _(""" [--user <user>|--service <service>|--shared]
Archive data into service vault: --in <input file>
ipa vault-archive <name> --service <service name> --in <input file>
""") + _("""
Archive data into shared vault:
ipa vault-archive <name> --shared --in <input file>
""") + _("""
Archive data into user vault:
ipa vault-archive <name> --user <username> --in <input file>
""") + _(""" """) + _("""
Archive data into symmetric vault: Archive data into symmetric vault:
ipa vault-archive <name> --in <input file> ipa vault-archive <name>
[--user <user>|--service <service>|--shared]
--in <input file>
--password-file password.txt
""") + _(""" """) + _("""
Archive data into asymmetric vault: Archive data into asymmetric vault:
ipa vault-archive <name> --in <input file> ipa vault-archive <name>
[--user <user>|--service <service>|--shared]
--in <input file>
""") + _(""" """) + _("""
Retrieve data from private vault: Retrieve data from standard vault:
ipa vault-retrieve <name> --out <output file> ipa vault-retrieve <name>
""") + _(""" [--user <user>|--service <service>|--shared]
Retrieve data from service vault: --out <output file>
ipa vault-retrieve <name> --service <service name> --out <output file>
""") + _("""
Retrieve data from shared vault:
ipa vault-retrieve <name> --shared --out <output file>
""") + _("""
Retrieve data from user vault:
ipa vault-retrieve <name> --user <username> --out <output file>
""") + _(""" """) + _("""
Retrieve data from symmetric vault: Retrieve data from symmetric vault:
ipa vault-retrieve <name> --out data.bin ipa vault-retrieve <name>
[--user <user>|--service <service>|--shared]
--out <output file>
--password-file password.txt
""") + _(""" """) + _("""
Retrieve data from asymmetric vault: Retrieve data from asymmetric vault:
ipa vault-retrieve <name> --out data.bin --private-key-file private.pem ipa vault-retrieve <name>
[--user <user>|--service <service>|--shared]
--out <output file> --private-key-file private.pem
""") + _(""" """) + _("""
Add a vault owner: Add vault owners:
ipa vault-add-owner <name> --users <usernames> ipa vault-add-owner <name>
[--user <user>|--service <service>|--shared]
[--users <users>] [--groups <groups>] [--services <services>]
""") + _(""" """) + _("""
Delete a vault owner: Delete vault owners:
ipa vault-remove-owner <name> --users <usernames> ipa vault-remove-owner <name>
[--user <user>|--service <service>|--shared]
[--users <users>] [--groups <groups>] [--services <services>]
""") + _(""" """) + _("""
Add a vault member: Add vault members:
ipa vault-add-member <name> --users <usernames> ipa vault-add-member <name>
[--user <user>|--service <service>|--shared]
[--users <users>] [--groups <groups>] [--services <services>]
""") + _(""" """) + _("""
Delete a vault member: Delete vault members:
ipa vault-remove-member <name> --users <usernames> ipa vault-remove-member <name>
[--user <user>|--service <service>|--shared]
[--users <users>] [--groups <groups>] [--services <services>]
""") """)
@ -285,8 +254,8 @@ class vault(LDAPObject):
'ipavaulttype', 'ipavaulttype',
] ]
attribute_members = { attribute_members = {
'owner': ['user', 'group'], 'owner': ['user', 'group', 'service'],
'member': ['user', 'group'], 'member': ['user', 'group', 'service'],
} }
label = _('Vaults') label = _('Vaults')
@ -340,6 +309,11 @@ class vault(LDAPObject):
label=_('Owner groups'), label=_('Owner groups'),
flags=['no_create', 'no_update', 'no_search'], flags=['no_create', 'no_update', 'no_search'],
), ),
Str(
'owner_service?',
label=_('Owner services'),
flags=['no_create', 'no_update', 'no_search'],
),
) )
def get_dn(self, *keys, **options): def get_dn(self, *keys, **options):
@ -1432,8 +1406,23 @@ class vault_retrieve_internal(PKQuery):
return response return response
class VaultModMember(LDAPModMember):
def get_options(self):
for param in super(VaultModMember, self).get_options():
if param.name == 'service' and param not in vault_options:
param = param.clone_rename('services')
yield param
def get_member_dns(self, **options):
if 'services' in options:
options['service'] = options.pop('services')
else:
options.pop('service', None)
return super(VaultModMember, self).get_member_dns(**options)
@register() @register()
class vault_add_owner(LDAPAddMember): class vault_add_owner(VaultModMember, LDAPAddMember):
__doc__ = _('Add owners to a vault.') __doc__ = _('Add owners to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options takes_options = LDAPAddMember.takes_options + vault_options
@ -1457,7 +1446,7 @@ class vault_add_owner(LDAPAddMember):
@register() @register()
class vault_remove_owner(LDAPRemoveMember): class vault_remove_owner(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove owners from a vault.') __doc__ = _('Remove owners from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options takes_options = LDAPRemoveMember.takes_options + vault_options
@ -1481,14 +1470,14 @@ class vault_remove_owner(LDAPRemoveMember):
@register() @register()
class vault_add_member(LDAPAddMember): class vault_add_member(VaultModMember, LDAPAddMember):
__doc__ = _('Add members to a vault.') __doc__ = _('Add members to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options takes_options = LDAPAddMember.takes_options + vault_options
@register() @register()
class vault_remove_member(LDAPRemoveMember): class vault_remove_member(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove members from a vault.') __doc__ = _('Remove members from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options takes_options = LDAPRemoveMember.takes_options + vault_options
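Review bot: `VaultModMember` (hunk `@ -1432,8 +1406,23 @@`) has no docstring, and the reason for renaming the inherited `service` option to `services` is not stated anywhere, although it is the whole point of the class: `vault_options` already contributes a `service?` option that selects the vault's owning service, and the `service` member option generated from the new `attribute_members` entries would otherwise collide with it. A short class docstring such as `"""Mixin for vault owner/member commands: renames the inherited 'service' member option to 'services' so it does not collide with the vault-level --service option from vault_options."""` plus a comment on `get_member_dns` noting that it maps `services` back to `service` for the base class and drops the vault-level `service` so it is not read as a member list would make the four commands that mix it in (hunks `@ -1457` and `@ -1481`) self-explanatory. The `param not in vault_options` test presumably depends on how Param compares, so the two same-named options are told apart by identity rather than name; worth confirming that is the intended mechanism and saying so in the comment.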