Stage User: Fix permissions naming and split them where apropriate.
Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
parent
f763b137ee
commit
44cced658b
32
ACI.txt
32
ACI.txt
@ -247,25 +247,27 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
|
||||
dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User kerberos principal key and password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users by administrators";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read/Write delete Users by administrators";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Read/Write delete Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset userPassord and kerberos keys of delete users by administrator";allow (read,search,write) groupdn = "ldap:///cn=System: Reset userPassord and kerberos keys of delete users by administrator,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
|
||||
aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Delete Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Delete Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
|
||||
|
4
VERSION
4
VERSION
@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
|
||||
# #
|
||||
########################################################
|
||||
IPA_API_VERSION_MAJOR=2
|
||||
IPA_API_VERSION_MINOR=131
|
||||
# Last change: pvoborni - toposegment direction restrictions
|
||||
IPA_API_VERSION_MINOR=132
|
||||
# Last change: dkupka: User life cycle permissions naming and split
|
||||
|
@ -112,12 +112,11 @@ class stageuser(baseuser):
|
||||
object_name = _('stage user')
|
||||
object_name_plural = _('stage users')
|
||||
managed_permissions = {
|
||||
#
|
||||
# Stage container
|
||||
#
|
||||
# Stage user provisioning and Stage user Administrators,
|
||||
# allowed to create stage users
|
||||
'System: Add Stage Users by Provisioning and Administrators': {
|
||||
#
|
||||
# Stage container
|
||||
#
|
||||
# Allowed to create stage user
|
||||
'System: Add Stage User': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
@ -126,33 +125,40 @@ class stageuser(baseuser):
|
||||
'ipapermdefaultattr': {'*'},
|
||||
'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
|
||||
},
|
||||
# Stage user administrators allowed to read kerberos/password
|
||||
# when the user is activated (to copy them in the active entry)
|
||||
'System: Read Stage User kerberos principal key and password': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=*)'},
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'userPassword', 'krbPrincipalKey',
|
||||
},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
# Allow to read kerberos/password
|
||||
'System: Read Stage User password': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=*)'},
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'userPassword', 'krbPrincipalKey',
|
||||
},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
# Stage user administrator allowed to delete stage users and
|
||||
# to update them
|
||||
'System: Delete modify Stage Users by administrators': {
|
||||
# Allow to update stage user
|
||||
'System: Modify Stage User': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=*)'},
|
||||
'ipapermright': {'delete','write'},
|
||||
'ipapermright': {'write'},
|
||||
'ipapermdefaultattr': {'*'},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
# Stage user administrator allowed to read any attributes
|
||||
# of stage users
|
||||
'System: Read Stage Users by administrators': {
|
||||
# Allow to delete stage user
|
||||
'System: Remove Stage User': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=*)'},
|
||||
'ipapermright': {'delete'},
|
||||
'ipapermdefaultattr': {'*'},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
# Allow to read any attributes of stage users
|
||||
'System: Read Stage Users': {
|
||||
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
|
||||
@ -162,36 +168,30 @@ class stageuser(baseuser):
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
#
|
||||
# Delete container
|
||||
# Preserve container
|
||||
#
|
||||
# Stage user administrator allow to read all attributes (when delete
|
||||
# an active user with preserve flag)
|
||||
# We also need to reset some of the attributes syntax DN/credential
|
||||
# so allowed write on all the attributes
|
||||
'System: Read/Write delete Users by administrators': {
|
||||
# Allow to read Preserved User
|
||||
'System: Read Preserved Users': {
|
||||
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
||||
'ipapermright': {'read', 'search', 'compare', 'write'},
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {'*'},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
#
|
||||
# Stage user administrator allows to write the RDN
|
||||
# when the delete user is undeleted
|
||||
'System: Write Delete Users RDN by administrators': {
|
||||
# Allow to update Preserved User
|
||||
'System: Modify Preserved Users': {
|
||||
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=posixaccount)'},
|
||||
'ipapermright': {'write'},
|
||||
'ipapermdefaultattr': {'uid'},
|
||||
'ipapermdefaultattr': {'*'},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
# Stage user administrator allows to reset kerberos/password
|
||||
# when a deleted user is preserved
|
||||
'System: Reset userPassord and kerberos keys of delete users by administrator': {
|
||||
# Allow to reset Preserved User password
|
||||
'System: Reset Preserved User password': {
|
||||
'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
|
||||
@ -207,7 +207,7 @@ class stageuser(baseuser):
|
||||
#
|
||||
# Stage user administrators need write right on RDN when
|
||||
# the active user is deleted (preserved)
|
||||
'System: Write Active Users RDN by administrators': {
|
||||
'System: Modify User RDN': {
|
||||
'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
|
||||
@ -219,10 +219,9 @@ class stageuser(baseuser):
|
||||
#
|
||||
# Cross containers autorization
|
||||
#
|
||||
# Stage user administrators need a moddn right when preserving
|
||||
# a delete user.
|
||||
# Allow to move active user to preserve container (user-del --preserve)
|
||||
# Note: targetfilter is the target parent container
|
||||
'System: Preserve an active user to a delete Users': {
|
||||
'System: Preserve User': {
|
||||
'ipapermlocation': DN(api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
|
||||
@ -231,10 +230,9 @@ class stageuser(baseuser):
|
||||
'ipapermright': {'moddn'},
|
||||
'default_privileges': {'Stage User Administrators'},
|
||||
},
|
||||
# Stage user administrators need a moddn right when undelete
|
||||
# a delete user.
|
||||
# Allow to move preserved user to active container (user-undel)
|
||||
# Note: targetfilter is the target parent container
|
||||
'System: Reactive delete users': {
|
||||
'System: Undelete User': {
|
||||
'ipapermlocation': DN(api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
|
||||
|
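Review bot: The rewritten comment on `'System: Read Stage User password'` (hunk @ -126,33) drops the justification the old comment carried, although this is the one permission in the set that exposes credential material: it grants `read`, `search` and `compare` on `userPassword` and `krbPrincipalKey` for every entry under the stage container with targetfilter `(objectclass=*)`. I would keep the reason next to the grant so it is not widened or reused casually, e.g. `# Allow to read kerberos/password; needed when a stage user is activated, to copy the credentials into the active entry`. The same hunk's new comment on `'System: Add Stage User'` ("Allowed to create stage user") no longer mentions that `Stage User Provisioning` also receives it, while the unchanged `default_privileges` line below still lists it, so the comments now say less than the data. If any of the replaced names (`Add Stage Users by Provisioning and Administrators`, `Delete modify Stage Users by administrators`, etc.) were ever installed on a server, the renamed entries presumably need a `replaces_system` list so the stale permissions are removed on upgrade; nothing in these hunks shows one, and the file header is outside the page (the hunk context identifies `class stageuser(baseuser)`), so confirm whether the old names shipped.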