Make 'permission' the default bind type for managed permissions

This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>

ipalib/plugins/automember.py

@@ -199,7 +199,6 @@ class automember(LDAPObject):
             'ipapermlocation': DN(container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=automemberdefinition)'},
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'automemberscope', 'automemberfilter',
@@ -211,7 +210,6 @@ class automember(LDAPObject):
         },
         'System: Read Automember Rules': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'cn', 'objectclass', 'automembertargetgroup', 'description',
@@ -225,7 +223,6 @@ class automember(LDAPObject):
             'ipapermlocation': DN('cn=tasks', 'cn=config'),
             'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Automember Task Administrator'},

ipalib/plugins/krbtpolicy.py

@@ -90,7 +90,6 @@ class krbtpolicy(baseldap.LDAPObject):
             'replaces_global_anonymous_aci': True,
             'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
             'ipapermlocation': DN(container_dn, api.env.basedn),
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krbdefaultencsalttypes', 'krbmaxrenewableage',
@@ -106,7 +105,6 @@ class krbtpolicy(baseldap.LDAPObject):
             'replaces_global_anonymous_aci': True,
             'ipapermlocation': DN(api.env.container_user, api.env.basedn),
             'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krbmaxrenewableage', 'krbmaxticketlife',

ipalib/plugins/permission.py

@@ -185,7 +185,6 @@ class permission(baseldap.LDAPObject):
     managed_permissions = {
         'System: Read Permissions': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'ipapermissiontype',
@@ -202,7 +201,6 @@ class permission(baseldap.LDAPObject):
             'non_object': True,
             'ipapermlocation': api.env.basedn,
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'aci'},
             'default_privileges': {'RBAC Readers'},

ipalib/plugins/privilege.py

@@ -67,7 +67,6 @@ class privilege(LDAPObject):
     managed_permissions = {
         'System: Read Privileges': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',

ipalib/plugins/pwpolicy.py

@@ -87,7 +87,6 @@ class cosentry(LDAPObject):
     managed_permissions = {
         'System: Read Group Password Policy costemplate': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'cn', 'cospriority', 'krbpwdpolicyreference', 'objectclass',

ipalib/plugins/role.py

@@ -85,7 +85,6 @@ class role(LDAPObject):
     managed_permissions = {
         'System: Read Roles': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'businesscategory', 'cn', 'description', 'member', 'memberof',

ipalib/plugins/sudorule.py

@@ -150,7 +150,6 @@ class sudorule(LDAPObject):
             },
         },
         'System: Add Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'add'},
             'replaces': [
                 '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo rule";allow (add) groupdn = "ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -158,7 +157,6 @@ class sudorule(LDAPObject):
             'default_privileges': {'Sudo Administrator'},
         },
         'System: Delete Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -166,7 +164,6 @@ class sudorule(LDAPObject):
             'default_privileges': {'Sudo Administrator'},
         },
         'System: Modify Sudo rule': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'description', 'ipaenabledflag', 'usercategory',

ipalib/plugins/user.py

@@ -310,7 +310,6 @@ class user(LDAPObject):
         },
         'System: Read User Kerberos Login Attributes': {
             'replaces_global_anonymous_aci': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'krblastsuccessfulauth', 'krblastfailedauth',
@@ -334,13 +333,11 @@ class user(LDAPObject):
             'non_object': True,
             'ipapermlocation': UPG_DEFINITION_DN,
             'ipapermtarget': UPG_DEFINITION_DN,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'User Administrators'},
         },
         'System: Add Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'add'},
             'replaces': [
                 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -349,7 +346,6 @@ class user(LDAPObject):
         },
         'System: Add User to default group': {
             'non_object': True,
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermlocation': DN(api.env.container_group, api.env.basedn),
             'ipapermtarget': DN('cn=ipausers', api.env.container_group,
@@ -361,7 +357,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Change User password': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermtargetfilter': [
                 '(objectclass=posixaccount)',
@@ -383,7 +378,6 @@ class user(LDAPObject):
             },
         },
         'System: Manage User SSH Public Keys': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {'ipasshpubkey'},
             'replaces': [
@@ -392,7 +386,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Modify Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'businesscategory', 'carlicense', 'cn', 'description',
@@ -413,7 +406,6 @@ class user(LDAPObject):
             },
         },
         'System: Remove Users': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -421,7 +413,6 @@ class user(LDAPObject):
             'default_privileges': {'User Administrators'},
         },
         'System: Unlock User': {
-            'ipapermbindruletype': 'permission',
             'ipapermright': {'write'},
             'ipapermdefaultattr': {
                 'krblastadminunlock', 'krbloginfailedcount', 'nsaccountlock',

ipaserver/install/plugins/update_managed_permissions.py

@@ -533,7 +533,7 @@ class update_managed_permissions(PostUpdate):
             entry['ipapermtarget'] = ipapermtarget
 
         # Attributes from template
-        bindruletype = template.pop('ipapermbindruletype')
+        bindruletype = template.pop('ipapermbindruletype', 'permission')
         if is_new:
             entry.single_value['ipapermbindruletype'] = bindruletype