radiusproxy: add permission for reading radius proxy servers

A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.

The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>

Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/plugins/radiusproxy.py

@@ -29,6 +29,7 @@ from ipalib import errors
 from ipalib.plugable import Registry
 from ipalib.util import validate_hostname, validate_ipaddr
 from ipalib.errors import ValidationError
+from ipapython.dn import DN
 import re
 
 __doc__ = _("""
@@ -147,6 +148,24 @@ class radiusproxy(LDAPObject):
         ),
     )
 
+    managed_permissions = {
+        'System: Read Radius Servers': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'objectclass', 'ipatokenradiusserver', 'description',
+                'ipatokenradiustimeout', 'ipatokenradiusretries',
+                'ipatokenusermapattribute'
+            },
+            'ipapermlocation': DN(container_dn, api.env.basedn),
+            'ipapermtargetfilter': {
+                '(objectclass=ipatokenradiusconfiguration)'},
+            'default_privileges': {
+                'User Administrators',
+                'Stage User Administrators'},
+        }
+    }
+
 @register()
 class radiusproxy_add(LDAPCreate):
     __doc__ = _('Add a new RADIUS proxy server.')