mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
ACL: Allow hosts to remove services they manage
Allow hosts to delete services they own. This is an ACL that complements existing one that allows to create services on the same host. Add a test that creates a host and then attempts to create and delete a service using its own host keytab. Fixes: https://pagure.io/freeipa/issue/7486 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
0f8593354d
commit
2de1aa27f9
@ -124,10 +124,11 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
|
|||||||
dn: $SUFFIX
|
dn: $SUFFIX
|
||||||
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
|
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
|
||||||
|
|
||||||
# Hosts can add their own services
|
# Hosts can add and delete their own services
|
||||||
dn: cn=services,cn=accounts,$SUFFIX
|
dn: cn=services,cn=accounts,$SUFFIX
|
||||||
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||||
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||||
|
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||||
|
|
||||||
# CIFS service on the master can manage ID ranges
|
# CIFS service on the master can manage ID ranges
|
||||||
dn: cn=ranges,cn=etc,$SUFFIX
|
dn: cn=ranges,cn=etc,$SUFFIX
|
||||||
|
@ -31,6 +31,7 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
|
|||||||
|
|
||||||
from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
|
from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
|
||||||
from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
|
from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
|
||||||
|
from ipatests.util import change_principal, host_keytab
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
from ipapython.dn import DN
|
from ipapython.dn import DN
|
||||||
@ -1343,3 +1344,30 @@ class TestAuthenticationIndicators(XMLRPC_test):
|
|||||||
updates={u'krbprincipalauthind': u'radius'},
|
updates={u'krbprincipalauthind': u'radius'},
|
||||||
expected_updates={u'krbprincipalauthind': [u'radius']}
|
expected_updates={u'krbprincipalauthind': [u'radius']}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.fixture(scope='function')
|
||||||
|
def managing_host(request):
|
||||||
|
tracker = HostTracker(name=u'managinghost2', fqdn=fqdn2)
|
||||||
|
return tracker.make_fixture(request)
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.fixture(scope='function')
|
||||||
|
def managed_service(request):
|
||||||
|
tracker = ServiceTracker(
|
||||||
|
name=u'managed-service', host_fqdn=fqdn2)
|
||||||
|
return tracker.make_fixture(request)
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestManagedServices(XMLRPC_test):
|
||||||
|
def test_managed_service(
|
||||||
|
self, managing_host, managed_service):
|
||||||
|
""" Add a host and then add a service as a host
|
||||||
|
Finally, remove the service as a host """
|
||||||
|
managing_host.ensure_exists()
|
||||||
|
with host_keytab(managing_host.name) as keytab_filename:
|
||||||
|
with change_principal(managing_host.attrs['krbcanonicalname'][0],
|
||||||
|
keytab=keytab_filename):
|
||||||
|
managed_service.create()
|
||||||
|
managed_service.delete()
|
||||||
|
Loading…
Reference in New Issue
Block a user