Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Petr Viktorin 2014-03-26 14:19:44 +01:00
parent 22f0feba28
commit 7786ff694b
3 changed files with 56 additions and 0 deletions


@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
object_name = _('sudo command')
object_name_plural = _('sudo commands')
object_class = ['ipaobject', 'ipasudocmd']
permission_filter_objectclasses = ['ipasudocmd']
# object_class_config = 'ipahostobjectclasses'
search_attributes = [
'sudocmd', 'description',
@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
}
uuid_attribute = 'ipauniqueid'
rdn_attribute = 'ipauniqueid'
managed_permissions = {
'System: Read Sudo Commands': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'description', 'ipauniqueid', 'memberof', 'objectclass',
'sudocmd',
},
},
}
label = _('Sudo Commands')
label_singular = _('Sudo Command')
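Review bot: The `managed_permissions` entry added in the second hunk leaves its access-scope decision undocumented: `'ipapermbindruletype': 'all'` (all authenticated binds in IPA's permission model) combined with `'replaces_global_anonymous_aci': True` means the listed Sudo command attributes go from anonymous-readable to readable by every authenticated user, and a maintainer later extending `ipapermdefaultattr` gets no hint that the set is curated for that audience. A one-line comment above the dict would capture it, e.g. `# Readable by any authenticated user; replaces the global anonymous read ACI for this object type`. The same comment is missing on the sudocmdgroup and sudorule entries in the other two files. The enclosing class continues outside the hunk.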


@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
object_name = _('sudo command group')
object_name_plural = _('sudo command groups')
object_class = ['ipaobject', 'ipasudocmdgrp']
permission_filter_objectclasses = ['ipasudocmdgrp']
default_attributes = [
'cn', 'description', 'member',
]
@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
attribute_members = {
'member': ['sudocmd'],
}
managed_permissions = {
'System: Read Sudo Command Groups': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'ipauniqueid',
'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
},
},
}
label = _('Sudo Command Groups')
label_singular = _('Sudo Command Group')


@ -96,6 +96,7 @@ class sudorule(LDAPObject):
object_name = _('sudo rule')
object_name_plural = _('sudo rules')
object_class = ['ipaassociation', 'ipasudorule']
permission_filter_objectclasses = ['ipasudorule']
default_attributes = [
'cn', 'ipaenabledflag', 'externaluser',
'description', 'usercategory', 'hostcategory',
@ -115,6 +116,36 @@ class sudorule(LDAPObject):
'ipasudorunas': ['user', 'group'],
'ipasudorunasgroup': ['group'],
}
managed_permissions = {
'System: Read Sudo Rules': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cmdcategory', 'cn', 'description', 'externalhost',
'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
'ipasudorunasextuser', 'ipasudorunasgroup',
'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
'sudoorder', 'usercategory', 'objectclass',
},
},
'System: Read Sudoers compat tree': {
'non_object': True,
'ipapermlocation': api.env.basedn,
'ipapermtarget': DN('ou=sudoers', api.env.basedn),
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass', 'cn', 'ou',
'sudouser', 'sudohost', 'sudocommand', 'sudorunas',
'sudorunasuser', 'sudorunasgroup', 'sudooption',
'sudonotbefore', 'sudonotafter', 'sudoorder', 'description',
},
}
}
label = _('Sudo Rules')
label_singular = _('Sudo Rule')
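Review bot: The `'System: Read Sudoers compat tree'` entry in the second hunk is the only one of the four new permissions without `'replaces_global_anonymous_aci': True`, so if the `ou=sudoers` compat subtree was previously readable through the global anonymous ACI, the upgrade path may not account for this permission as its replacement; if the omission is deliberate because the compat tree is handled separately, a comment saying so would stop the next reader from "fixing" it, e.g. `# Compat tree: not a replacement for the global anonymous ACI (handled separately)`. The `ipapermlocation`/`ipapermtarget` values also read `api.env.basedn` at class-definition time, which presumably matches how other non-object permissions in the tree are declared — worth confirming the environment is finalized when this module is imported. The enclosing class continues outside the hunk.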