Stage User: Fix permissions naming and split them where apropriate.

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Thierry Bordaz 2015-06-11 13:18:27 +02:00 committed by Petr Vobornik
parent f763b137ee
commit 44cced658b
3 changed files with 64 additions and 64 deletions

32
ACI.txt
View File

@ -247,25 +247,27 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User kerberos principal key and password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users by administrators";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read/Write delete Users by administrators";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Read/Write delete Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset userPassord and kerberos keys of delete users by administrator";allow (read,search,write) groupdn = "ldap:///cn=System: Reset userPassord and kerberos keys of delete users by administrator,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Delete Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Delete Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example

View File

@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=131
# Last change: pvoborni - toposegment direction restrictions
IPA_API_VERSION_MINOR=132
# Last change: dkupka: User life cycle permissions naming and split

View File

@ -112,12 +112,11 @@ class stageuser(baseuser):
object_name = _('stage user')
object_name_plural = _('stage users')
managed_permissions = {
#
# Stage container
#
# Stage user provisioning and Stage user Administrators,
# allowed to create stage users
'System: Add Stage Users by Provisioning and Administrators': {
#
# Stage container
#
# Allowed to create stage user
'System: Add Stage User': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
@ -126,33 +125,40 @@ class stageuser(baseuser):
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
},
# Stage user administrators allowed to read kerberos/password
# when the user is activated (to copy them in the active entry)
'System: Read Stage User kerberos principal key and password': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'userPassword', 'krbPrincipalKey',
},
'default_privileges': {'Stage User Administrators'},
# Allow to read kerberos/password
'System: Read Stage User password': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'userPassword', 'krbPrincipalKey',
},
'default_privileges': {'Stage User Administrators'},
},
# Stage user administrator allowed to delete stage users and
# to update them
'System: Delete modify Stage Users by administrators': {
# Allow to update stage user
'System: Modify Stage User': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'delete','write'},
'ipapermright': {'write'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},
# Stage user administrator allowed to read any attributes
# of stage users
'System: Read Stage Users by administrators': {
# Allow to delete stage user
'System: Remove Stage User': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'delete'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},
# Allow to read any attributes of stage users
'System: Read Stage Users': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
@ -162,36 +168,30 @@ class stageuser(baseuser):
'default_privileges': {'Stage User Administrators'},
},
#
# Delete container
# Preserve container
#
# Stage user administrator allow to read all attributes (when delete
# an active user with preserve flag)
# We also need to reset some of the attributes syntax DN/credential
# so allowed write on all the attributes
'System: Read/Write delete Users by administrators': {
# Allow to read Preserved User
'System: Read Preserved Users': {
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
'ipapermright': {'read', 'search', 'compare', 'write'},
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},
#
# Stage user administrator allows to write the RDN
# when the delete user is undeleted
'System: Write Delete Users RDN by administrators': {
# Allow to update Preserved User
'System: Modify Preserved Users': {
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
'ipapermright': {'write'},
'ipapermdefaultattr': {'uid'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},
# Stage user administrator allows to reset kerberos/password
# when a deleted user is preserved
'System: Reset userPassord and kerberos keys of delete users by administrator': {
# Allow to reset Preserved User password
'System: Reset Preserved User password': {
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
@ -207,7 +207,7 @@ class stageuser(baseuser):
#
# Stage user administrators need write right on RDN when
# the active user is deleted (preserved)
'System: Write Active Users RDN by administrators': {
'System: Modify User RDN': {
'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
@ -219,10 +219,9 @@ class stageuser(baseuser):
#
# Cross containers autorization
#
# Stage user administrators need a moddn right when preserving
# a delete user.
# Allow to move active user to preserve container (user-del --preserve)
# Note: targetfilter is the target parent container
'System: Preserve an active user to a delete Users': {
'System: Preserve User': {
'ipapermlocation': DN(api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
@ -231,10 +230,9 @@ class stageuser(baseuser):
'ipapermright': {'moddn'},
'default_privileges': {'Stage User Administrators'},
},
# Stage user administrators need a moddn right when undelete
# a delete user.
# Allow to move preserved user to active container (user-undel)
# Note: targetfilter is the target parent container
'System: Reactive delete users': {
'System: Undelete User': {
'ipapermlocation': DN(api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),