Only use service PAC type as an override

PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
This commit is contained in:
Martin Kosek 2012-10-02 17:06:10 +02:00
parent 941d1e8701
commit 43f4ca710b
6 changed files with 70 additions and 28 deletions

View File

@ -2738,7 +2738,7 @@ command: service_add
args: 1,8,3 args: 1,8,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True) arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True)
option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD')) option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'NONE'))
option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('force', autofill=True, default=False) option: Flag('force', autofill=True, default=False)
@ -2775,7 +2775,7 @@ command: service_find
args: 1,10,4 args: 1,10,4
arg: Str('criteria?', noextrawhitespace=False) arg: Str('criteria?', noextrawhitespace=False)
option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False) option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False)
option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'PAD')) option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'PAD', u'NONE'))
option: Int('timelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0)
option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@ -2792,7 +2792,7 @@ command: service_mod
args: 1,9,3 args: 1,9,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True) arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD')) option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'NONE'))
option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui')

View File

@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
# # # #
######################################################## ########################################################
IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=43 IPA_API_VERSION_MINOR=44

View File

@ -192,8 +192,8 @@ class config(LDAPObject):
), ),
StrEnum('ipakrbauthzdata*', StrEnum('ipakrbauthzdata*',
cli_name='pac_type', cli_name='pac_type',
label=_('PAC type'), label=_('Default PAC types'),
doc=_('Default types of PAC for new services'), doc=_('Default types of PAC supported for services'),
values=(u'MS-PAC', u'PAD'), values=(u'MS-PAC', u'PAD'),
csv=True, csv=True,
), ),

View File

@ -60,8 +60,11 @@ EXAMPLES:
ipa service-add HTTP/web.example.com ipa service-add HTTP/web.example.com
Allow a host to manage an IPA service certificate: Allow a host to manage an IPA service certificate:
ipa service-add-host --hosts=web.example.com HTTP/web.example.com ipa service-add-host --hosts=web.example.com HTTP/web.example.com
ipa role-add-member --hosts=web.example.com certadmin ipa role-add-member --hosts=web.example.com certadmin
Override a default list of supported PAC types for the service:
ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
Delete an IPA service: Delete an IPA service:
ipa service-del HTTP/web.example.com ipa service-del HTTP/web.example.com
@ -253,12 +256,28 @@ class service(LDAPObject):
StrEnum('ipakrbauthzdata*', StrEnum('ipakrbauthzdata*',
cli_name='pac_type', cli_name='pac_type',
label=_('PAC type'), label=_('PAC type'),
doc=_('Types of PAC this service supports'), doc=_("Override default list of supported PAC types."
values=(u'MS-PAC', u'PAD'), " Use 'NONE' to disable PAC support for this service"),
values=(u'MS-PAC', u'PAD', u'NONE'),
csv=True, csv=True,
), ),
) )
def validate_ipakrbauthzdata(self, entry):
new_value = entry.get('ipakrbauthzdata', [])
if not new_value:
return
if not isinstance(new_value, (list, tuple)):
new_value = set([new_value])
else:
new_value = set(new_value)
if u'NONE' in new_value and len(new_value) > 1:
raise errors.ValidationError(name='ipakrbauthzdata',
error=_('NONE value cannot be combined with other PAC types'))
api.register(service) api.register(service)
@ -287,6 +306,8 @@ class service_add(LDAPCreate):
reason=_("The host '%s' does not exist to add a service to.") % reason=_("The host '%s' does not exist to add a service to.") %
hostname) hostname)
self.obj.validate_ipakrbauthzdata(entry_attrs)
cert = options.get('usercertificate') cert = options.get('usercertificate')
if cert: if cert:
dercert = x509.normalize_certificate(cert) dercert = x509.normalize_certificate(cert)
@ -300,11 +321,6 @@ class service_add(LDAPCreate):
util.validate_host_dns(self.log, hostname) util.validate_host_dns(self.log, hostname)
if not 'managedby' in entry_attrs: if not 'managedby' in entry_attrs:
entry_attrs['managedby'] = hostresult['dn'] entry_attrs['managedby'] = hostresult['dn']
if 'ipakrbauthzdata' not in entry_attrs:
config = ldap.get_ipa_config()[1]
default_pac_type = config.get('ipakrbauthzdata', [])
if default_pac_type:
entry_attrs['ipakrbauthzdata'] = default_pac_type
# Enforce ipaKrbPrincipalAlias to aid case-insensitive searches # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
# as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
@ -372,6 +388,9 @@ class service_mod(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)
self.obj.validate_ipakrbauthzdata(entry_attrs)
if 'usercertificate' in options: if 'usercertificate' in options:
(service, hostname, realm) = split_principal(keys[-1]) (service, hostname, realm) = split_principal(keys[-1])
cert = options.get('usercertificate') cert = options.get('usercertificate')

View File

@ -654,7 +654,6 @@ class test_host(Declarative):
krbprincipalname=[service1], krbprincipalname=[service1],
objectclass=objectclasses.service, objectclass=objectclasses.service,
managedby_host=[fqdn1], managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
), ),
), ),

View File

@ -181,7 +181,6 @@ class test_service(Declarative):
krbprincipalname=[service1], krbprincipalname=[service1],
objectclass=objectclasses.service, objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -210,7 +209,6 @@ class test_service(Declarative):
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
has_keytab=False, has_keytab=False,
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -230,7 +228,6 @@ class test_service(Declarative):
objectclass=objectclasses.service, objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1], managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False has_keytab=False
), ),
), ),
@ -249,7 +246,6 @@ class test_service(Declarative):
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
managedby_host=[fqdn1], managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False, has_keytab=False,
), ),
], ],
@ -271,7 +267,6 @@ class test_service(Declarative):
ipakrbprincipalalias=[service1], ipakrbprincipalalias=[service1],
objectclass=objectclasses.service, objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid], ipauniqueid=[fuzzy_uuid],
ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False, has_keytab=False,
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
@ -289,7 +284,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -305,7 +299,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -321,7 +314,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1, fqdn2], managedby_host=[fqdn1, fqdn2],
), ),
), ),
@ -337,7 +329,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -353,7 +344,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1, fqdn3.lower()], managedby_host=[fqdn1, fqdn3.lower()],
), ),
), ),
@ -369,7 +359,6 @@ class test_service(Declarative):
result=dict( result=dict(
dn=service1dn, dn=service1dn,
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
), ),
), ),
@ -394,7 +383,6 @@ class test_service(Declarative):
result=dict( result=dict(
usercertificate=[base64.b64decode(servercert)], usercertificate=[base64.b64decode(servercert)],
krbprincipalname=[service1], krbprincipalname=[service1],
ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1], managedby_host=[fqdn1],
valid_not_before=fuzzy_date, valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date, valid_not_after=fuzzy_date,
@ -409,6 +397,42 @@ class test_service(Declarative):
), ),
dict(
desc='Try to update %r with invalid ipakrbauthz data '
'combination' % service1,
command=('service_mod', [service1],
dict(ipakrbauthzdata=[u'MS-PAC', u'NONE'])),
expected=errors.ValidationError(name='ipakrbauthzdata',
error=u'NONE value cannot be combined with other PAC types')
),
dict(
desc='Update %r with valid ipakrbauthz data '
'combination' % service1,
command=('service_mod', [service1],
dict(ipakrbauthzdata=[u'MS-PAC'])),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
usercertificate=[base64.b64decode(servercert)],
krbprincipalname=[service1],
managedby_host=[fqdn1],
ipakrbauthzdata=[u'MS-PAC'],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
issuer=fuzzy_issuer,
),
),
),
dict( dict(
desc='Retrieve %r to verify update' % service1, desc='Retrieve %r to verify update' % service1,
command=('service_show', [service1], {}), command=('service_show', [service1], {}),