Add permissions for topologysegment

I don't know why these weren't added originally when the
topology plugin was created.

Add them all to the 'Replication Administrators' privilege

Fixes: https://pagure.io/freeipa/issue/9594

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rob Crittenden 2024-05-17 16:15:18 -04:00 committed by Antonio Torres
parent 9dc57ef77e
commit 6fc35156d9
2 changed files with 41 additions and 0 deletions


@ -374,6 +374,14 @@ dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entryusn || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || modifytimestamp || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=trusts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=trusts,dc=ipa,dc=example


@ -104,6 +104,7 @@ class topologysegment(LDAPObject):
object_name = _('segment')
object_name_plural = _('segments')
object_class = ['iparepltoposegment']
permission_filter_objectclasses = ['iparepltoposegment']
default_attributes = [
'cn',
'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
@ -115,6 +116,38 @@ class topologysegment(LDAPObject):
'cn', 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
'ipaReplTopoSegmentLeftNode'
]
managed_permissions = {
'System: Read Topology Segments': {
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass',
'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
'ipaReplTopoSegmentLeftNode', 'ipaReplTopoConfRoot',
'ipaReplTopoSegmentStatus','nsds5replicastripattrs',
'nsds5replicatedattributelist',
'nsds5replicatedattributelisttotal',
},
'default_privileges': {'Replication Administrators'},
},
'System: Add Topology Segments': {
'ipapermright': {'add'},
'default_privileges': {'Replication Administrators'},
},
'System: Remove Topology Segments': {
'ipapermright': {'delete'},
'default_privileges': {'Replication Administrators'},
},
'System: Modify Topology Segments': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
'ipaReplTopoSegmentLeftNode', 'nsds5replicastripattrs',
'nsds5replicatedattributelist',
'nsds5replicatedattributelisttotal',
},
'default_privileges': {'Replication Administrators'},
},
}
label = _('Topology Segments')
label_singular = _('Topology Segment')
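Review bot: `'ipaReplTopoSegmentStatus','nsds5replicastripattrs',` in the Read permission's `ipapermdefaultattr` is missing the space after the comma that every other entry in this block has; write it `'ipaReplTopoSegmentStatus', 'nsds5replicastripattrs',`. A one-line comment above `managed_permissions` would also help the next reader understand the access model, e.g. `# Segments are managed only by Replication Administrators; read access is deliberately not granted to all authenticated users.` — that intent is inferred from every permission here listing only that privilege, so confirm it with the author before wording it as fact. The Modify permission grants write on `ipaReplTopoSegmentLeftNode` and `ipaReplTopoSegmentrightNode`; if the plugin treats a segment's endpoints as immutable after creation (the parameter definitions are outside this hunk), consider dropping them from the writable set so the ACI matches what the API actually allows. The topologysegment class continues outside the hunk.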