mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Add ACI.txt
The ACI.txt file is a list all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Petr Viktorin
114
ACI.txt
Normal file
114
ACI.txt
Normal file
@@ -0,0 +1,114 @@
|
||||
dn: cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass")(targetfilter = "(objectclass=automemberdefinition)")(version 3.0;acl "permission:System: Read Automember Definitions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "member || memberof || memberuid")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "member || memberof")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipanttrusteddomainsid || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add User to default group";allow (write) groupdn = "ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read User IPA Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read User Kerberos Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange || krblastsuccessfulauth || krbloginfailedcount || krbpwdpolicyreference || krbticketpolicyreference || krbupenabled")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Login Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read AD Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || crosscertificatepair || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=System: Read CA Renewal Information,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read DNA Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=System: Read Replication Information,cn=permissions,cn=pbac,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
1
Makefile
1
Makefile
@@ -156,6 +156,7 @@ version-update: release-update
|
||||
|
||||
if [ "$(SKIP_API_VERSION_CHECK)" != "yes" ]; then \
|
||||
./makeapi --validate; \
|
||||
./makeaci --validate; \
|
||||
fi
|
||||
|
||||
server: version-update
|
||||
|
||||
119
makeaci
Executable file
119
makeaci
Executable file
@@ -0,0 +1,119 @@
|
||||
#!/usr/bin/python2
|
||||
# Authors:
|
||||
# Petr Viktorin <pviktori@redhat.com>
|
||||
# John Dennis <jdennis@redhat.com>
|
||||
# Martin Kosek <mkosek@redhat.com>
|
||||
#
|
||||
# Copyright (C) 2011 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Test the managed permission ACIs against a known-good ACI list
|
||||
# to ensure that changes aren't made lightly.
|
||||
# Can either regenerate ACI.txt, or validate against it.
|
||||
|
||||
import sys
|
||||
import difflib
|
||||
from argparse import ArgumentParser
|
||||
|
||||
from ipalib import api
|
||||
from ipapython.dn import DN
|
||||
from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient
|
||||
|
||||
|
||||
class FakeLDAPClient(LDAPClient):
|
||||
"""A LDAP client that can't do any LDAP operations
|
||||
|
||||
Used to create and manipulate entries without an LDAP connection.
|
||||
"""
|
||||
def _init_connection(self):
|
||||
self.conn = IPASimpleLDAPObject('', False, no_schema=True)
|
||||
|
||||
|
||||
def parse_options():
|
||||
parser = ArgumentParser()
|
||||
parser.add_argument('--validate', dest='validate', action='store_true',
|
||||
default=False, help='Validate the API vs the stored API')
|
||||
parser.add_argument('filename', nargs='?', default='ACI.txt',
|
||||
help='File to create or validate, default: ACI.txt')
|
||||
|
||||
options = parser.parse_args()
|
||||
return options
|
||||
|
||||
|
||||
def generate_aci_lines(api):
|
||||
"""Yields ACI lines as they appear in ACI.txt, with trailing newline"""
|
||||
update_plugin = api.Updater['update_managed_permissions']
|
||||
perm_plugin = api.Object['permission']
|
||||
fake_ldap = FakeLDAPClient('')
|
||||
for name, template, obj in update_plugin.get_templates():
|
||||
dn = perm_plugin.get_dn(name)
|
||||
entry = fake_ldap.make_entry(dn)
|
||||
update_plugin.update_entry(
|
||||
obj=obj,
|
||||
entry=entry,
|
||||
template=template,
|
||||
anonymous_read_aci=None,
|
||||
is_new=True,
|
||||
)
|
||||
aci = perm_plugin.make_aci(entry)
|
||||
yield 'dn: %s\n' % dn
|
||||
yield 'aci: %s\n' % aci
|
||||
|
||||
|
||||
def main(options):
|
||||
api.bootstrap(
|
||||
context='cli',
|
||||
in_server=False,
|
||||
debug=False,
|
||||
verbose=0,
|
||||
validate_api=True,
|
||||
enable_ra=True,
|
||||
mode='developer',
|
||||
plugins_on_demand=False,
|
||||
basedn=DN('dc=ipa,dc=example'),
|
||||
realm='IPA.EXAMPLE',
|
||||
)
|
||||
from ipaserver.install.plugins.update_managed_permissions import (
|
||||
update_managed_permissions)
|
||||
from ipalib.plugins.permission import permission
|
||||
api.finalize()
|
||||
|
||||
output_lines = list(generate_aci_lines(api))
|
||||
|
||||
if options.validate:
|
||||
with open(options.filename) as file:
|
||||
file_lines = file.readlines()
|
||||
if file_lines != output_lines:
|
||||
diff = list(difflib.unified_diff(
|
||||
file_lines,
|
||||
output_lines,
|
||||
fromfile='existing %s' % options.filename,
|
||||
tofile='new result',
|
||||
))
|
||||
for line in diff:
|
||||
print line,
|
||||
print>>sys.stderr
|
||||
print>>sys.stderr, 'Managed permission ACI validation failed.'
|
||||
print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
|
||||
exit('%s validation failed' % options.filename)
|
||||
else:
|
||||
with open(options.filename, 'w') as file:
|
||||
file.writelines(output_lines)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
options = parse_options()
|
||||
main(options)
|
||||
Reference in New Issue
Block a user