ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements the
existing one that allows creating services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy 2018-04-18 13:05:41 +03:00 committed by Rob Crittenden
parent 0f8593354d
commit 2de1aa27f9
2 changed files with 30 additions and 1 deletions


@ -124,10 +124,11 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
dn: $SUFFIX dn: $SUFFIX
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
# Hosts can add their own services # Hosts can add and delete their own services
dn: cn=services,cn=accounts,$SUFFIX dn: cn=services,cn=accounts,$SUFFIX
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
# CIFS service on the master can manage ID ranges # CIFS service on the master can manage ID ranges
dn: cn=ranges,cn=etc,$SUFFIX dn: cn=ranges,cn=etc,$SUFFIX
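Review bot: The new `add:aci:` line for "Hosts can delete own services" is scoped only by the target `krbprincipalname=*/($$dn)@$REALM,cn=services,...` and the filter `(objectClass=ipaService)`, so a host principal may now remove every service entry whose principal sits under its own fqdn. If an IPA server's own ldap/ and HTTP/ principals are stored under cn=services with that server's fqdn (which I believe they are, but the page does not show it), the server's host principal gains the right to delete them, which turns a leaked host keytab on a master into an availability risk rather than only an enrollment one. The existing add ACI two lines above already has the same scope, so this extends a pre-existing design choice to delete rather than opening a new one, but a narrower targetfilter or an explicit statement of intent would help. I would extend the updated comment above the stanza to something like `# Hosts can add and delete their own services (every service under the host's fqdn, including a master's own)` so the trade-off is visible to the next reader.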


@ -31,6 +31,7 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
from ipatests.util import change_principal, host_keytab
import base64 import base64
from ipapython.dn import DN from ipapython.dn import DN
@ -1343,3 +1344,30 @@ class TestAuthenticationIndicators(XMLRPC_test):
updates={u'krbprincipalauthind': u'radius'}, updates={u'krbprincipalauthind': u'radius'},
expected_updates={u'krbprincipalauthind': [u'radius']} expected_updates={u'krbprincipalauthind': [u'radius']}
) )
@pytest.fixture(scope='function')
def managing_host(request):
tracker = HostTracker(name=u'managinghost2', fqdn=fqdn2)
return tracker.make_fixture(request)
@pytest.fixture(scope='function')
def managed_service(request):
tracker = ServiceTracker(
name=u'managed-service', host_fqdn=fqdn2)
return tracker.make_fixture(request)
@pytest.mark.tier1
class TestManagedServices(XMLRPC_test):
def test_managed_service(
self, managing_host, managed_service):
""" Add a host and then add a service as a host
Finally, remove the service as a host """
managing_host.ensure_exists()
with host_keytab(managing_host.name) as keytab_filename:
with change_principal(managing_host.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
managed_service.create()
managed_service.delete()
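Review bot: test_managed_service only exercises the positive path, so nothing verifies that the new delete ACI is scoped to the host's own services; a regression that widened the target would still pass. A second case in TestManagedServices that, inside the same `host_keytab`/`change_principal` context, tries to delete a service belonging to a different host and expects `errors.ACIError` would pin the boundary (this assumes `errors` and a second host fixture are available in the file, which the hunk does not show). As a point of style, the two nested context managers at the end can be a single `with host_keytab(managing_host.name) as keytab_filename, change_principal(managing_host.attrs['krbcanonicalname'][0], keytab=keytab_filename):`, and the docstring would read better as a one-line summary `"""Add a service as the managing host, then remove it as that host."""`. `fqdn2`, used by both fixtures, is not defined in the hunk and is presumably a module-level name defined earlier in the file.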