idvies: Add managed permissions for idview and idoverride objects

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Tomas Babej 2014-07-31 13:13:29 +02:00 committed by Martin Kosek
parent b65b74890b
commit 377ab0c4a6
2 changed files with 27 additions and 0 deletions

View File

@ -118,8 +118,12 @@ dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || homedirectory || ipaanchoruuid || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaOverrideAnchor)")(version 3.0;acl "permission:System: Read ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example

View File

@ -64,6 +64,17 @@ class idview(LDAPObject):
),
)
permission_filter_objectclasses = ['nsContainer']
managed_permissions = {
'System: Read ID Views': {
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'description', 'objectClass',
},
},
}
@register()
class idview_add(LDAPCreate):
@ -160,6 +171,18 @@ class idoverride(LDAPObject):
),
)
permission_filter_objectclasses = ['ipaOverrideAnchor']
managed_permissions = {
'System: Read ID Overrides': {
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'gidNumber',
'description', 'homeDirectory', 'uid',
},
},
}
@register()
class idoverride_add(LDAPCreate):