radiusproxy: add permission for reading radius proxy servers

A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.

The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>

Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2018-11-07 16:58:04 +01:00 committed by Christian Heimes
parent 1c2c2ee6f8
commit 5d603fce5d
2 changed files with 21 additions and 0 deletions

View File

@ -234,6 +234,8 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=radiusproxy,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipatokenradiusretries || ipatokenradiusserver || ipatokenradiustimeout || ipatokenusermapattribute || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipatokenradiusconfiguration)")(version 3.0;acl "permission:System: Read Radius Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example

View File

@ -29,6 +29,7 @@ from ipalib import errors
from ipalib.plugable import Registry
from ipalib.util import validate_hostname, validate_ipaddr
from ipalib.errors import ValidationError
from ipapython.dn import DN
import re
__doc__ = _("""
@ -147,6 +148,24 @@ class radiusproxy(LDAPObject):
),
)
managed_permissions = {
'System: Read Radius Servers': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'ipatokenradiusserver', 'description',
'ipatokenradiustimeout', 'ipatokenradiusretries',
'ipatokenusermapattribute'
},
'ipapermlocation': DN(container_dn, api.env.basedn),
'ipapermtargetfilter': {
'(objectclass=ipatokenradiusconfiguration)'},
'default_privileges': {
'User Administrators',
'Stage User Administrators'},
}
}
@register()
class radiusproxy_add(LDAPCreate):
__doc__ = _('Add a new RADIUS proxy server.')