Add managed read permissions to RBAC objects

Add default read permissions to roles, privileges and permissions. Also add permission to read ACIs. This is required for legacy permissions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2025-02-25 18:55:28 -06:00 · 2014-03-26 17:11:23 +01:00 · 2014-03-26 17:11:23 +01:00 · a185d45d87
commit a185d45d87
parent 50c7f3b236
4 changed files with 62 additions and 0 deletions
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@ -392,3 +392,12 @@ default:ipapermissiontype: SYSTEM

 dn: cn=config
 add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
+
+
+# Read privileges
+dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: RBAC Readers
+default:description: Read roles, privileges, permissions and ACIs
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
    # For use the complete object_class list, including 'top', so
    # the updater doesn't try to delete 'top' every time.
    object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
+    permission_filter_objectclasses = ['ipapermission']
    default_attributes = ['cn', 'member', 'memberof',
        'memberindirect', 'ipapermissiontype', 'objectclass',
        'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
        'memberindirect': ['role'],
    }
    rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Permissions': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'ipapermissiontype',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+                'ipapermdefaultattr', 'ipapermincludedattr',
+                'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
+                'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
+                'member', 'memberof',
+            },
+            'default_privileges': {'RBAC Readers'},
+        },
+        'System: Read ACIs': {
+            # Readable ACIs are needed for reading legacy permissions.
+            'non_object': True,
+            'ipapermlocation': api.env.basedn,
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'aci'},
+            'default_privileges': {'RBAC Readers'},
+        },
+    }

    label = _('Permissions')
    label_singular = _('Permission')
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@ -54,6 +54,7 @@ class privilege(LDAPObject):
    object_name = _('privilege')
    object_name_plural = _('privileges')
    object_class = ['nestedgroup', 'groupofnames']
+    permission_filter_objectclasses = ['groupofnames']
    default_attributes = ['cn', 'description', 'member', 'memberof']
    attribute_members = {
        'member': ['role'],
@ -63,6 +64,18 @@ class privilege(LDAPObject):
        'member': ['permission'],
    }
    rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Privileges': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'member', 'memberof',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+            'default_privileges': {'RBAC Readers'},
+        },
+    }

    label = _('Privileges')
    label_singular = _('Privilege')
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@ -66,6 +66,7 @@ class role(LDAPObject):
    object_name = _('role')
    object_name_plural = _('roles')
    object_class = ['groupofnames', 'nestedgroup']
+    permission_filter_objectclasses = ['groupofnames']
    default_attributes = ['cn', 'description', 'member', 'memberof',
        'memberindirect', 'memberofindirect',
    ]
@ -77,6 +78,18 @@ class role(LDAPObject):
        'member': ['privilege'],
    }
    rdn_is_primary_key = True
+    managed_permissions = {
+        'System: Read Roles': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'businesscategory', 'cn', 'description', 'member', 'memberof',
+                'o', 'objectclass', 'ou', 'owner', 'seealso',
+            },
+            'default_privileges': {'RBAC Readers'},
+        },
+    }

    label = _('Roles')
    label_singular = _('Role')