Add read permissions for automember tasks

Permission to read all tasks is given to high-level admins. Managed permission for automember tasks is given to automember task admins. "targetattr=*" is used because tasks are extensibleObject with attributes that aren't in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-05-30 14:03:13 +02:00 · 2014-05-30 14:03:13 +02:00 · 93ad23912e
commit 93ad23912e
parent 63a2147ac2
2 changed files with 19 additions and 5 deletions
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@ -47,6 +47,9 @@ add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLi
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'

+dn: cn=tasks,cn=config
+add:aci:'(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
 # Removal of obsolete ACIs
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
@ -131,6 +131,11 @@ register = Registry()
 INCLUDE_RE = 'automemberinclusiveregex'
 EXCLUDE_RE = 'automemberexclusiveregex'

+REBUILD_TASK_CONTAINER = DN(('cn', 'automember rebuild membership'),
+                            ('cn', 'tasks'),
+                            ('cn', 'config'))
+
+
 regex_attrs = (
    Str('automemberinclusiveregex*',
        cli_name='inclusive_regex',
@ -215,6 +220,16 @@ class automember(LDAPObject):
            'default_privileges': {'Automember Readers',
                                   'Automember Task Administrator'},
        },
+        'System: Read Automember Tasks': {
+            'non_object': True,
+            'ipapermlocation': DN('cn=tasks', 'cn=config'),
+            'ipapermtarget': DN('cn=*', REBUILD_TASK_CONTAINER),
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'Automember Task Administrator'},
+        },
    }

    label = _('Auto Membership Rule')
@ -732,11 +747,7 @@ class automember_rebuild(Command):
        else:
            search_filter = '(%s=*)' % obj.primary_key.name

-        task_dn = DN(
-            ('cn', cn),
-            ('cn', 'automember rebuild membership'),
-            ('cn', 'tasks'),
-            ('cn', 'config'))
+        task_dn = DN(('cn', cn), REBUILD_TASK_CONTAINER)

        entry = ldap.make_entry(
            task_dn,