managed permission updater: Add mechanism to replace SYSTEM permissions

The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission. Add a mechanism for the updater to replace old SYSTEM permissions. This cannot be done in an update file because we do not want to replace V2 permissions with the same name. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-06-13 15:58:24 +02:00
parent 637ef11109
commit 16ee6847e4
1 changed files with 18 additions and 0 deletions
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -67,6 +67,8 @@ The template dictionary can have the following keys:
 * replaces
  - A list of ACIs corresponding to legacy default permissions replaced
    by this permission.
+* replaces_system
+  - A list of names of old SYSTEM permissions this replaces.
 * fixup_function
  - A callable that may modify the template in-place before it is applied.
  - Called with the permission name, template dict, and keyword arguments:
@@ -410,6 +412,21 @@ class update_managed_permissions(PostUpdate):
            self.log.info("Removing legacy permission '%s'", legacy_name)
            self.api.Command[permission_del](unicode(legacy_name))

+        for name in template.get('replaces_system', ()):
+            name = unicode(name)
+            try:
+                entry = ldap.get_entry(permission_plugin.get_dn(name),
+                                       ['ipapermissiontype'])
+            except errors.NotFound:
+                self.log.info("Legacy permission '%s' not found", name)
+            else:
+                flags = entry.get('ipapermissiontype', [])
+                if list(flags) == ['SYSTEM']:
+                    self.log.info("Removing legacy permission '%s'", name)
+                    self.api.Command[permission_del](name, force=True)
+                else:
+                    self.log.info("Ignoring V2 permission '%s'", name)
+
    def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
        """Compute included and excluded attributes for a new permission

@@ -497,6 +514,7 @@ class update_managed_permissions(PostUpdate):

        template = dict(template)
        template.pop('replaces', None)
+        template.pop('replaces_system', None)

        fixup_function = template.pop('fixup_function', None)
        if fixup_function: