Add managed read permissions to RBAC objects

Add default read permissions to roles, privileges and permissions.
Also add a permission to read ACIs; this is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Petr Viktorin
2014-03-26 17:11:23 +01:00
committed by Martin Kosek
parent 50c7f3b236
commit a185d45d87
4 changed files with 62 additions and 0 deletions


@@ -170,6 +170,7 @@ class permission(baseldap.LDAPObject):
# For use the complete object_class list, including 'top', so
# the updater doesn't try to delete 'top' every time.
object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
permission_filter_objectclasses = ['ipapermission']
default_attributes = ['cn', 'member', 'memberof',
'memberindirect', 'ipapermissiontype', 'objectclass',
'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
@@ -181,6 +182,32 @@ class permission(baseldap.LDAPObject):
'memberindirect': ['role'],
}
rdn_is_primary_key = True
managed_permissions = {
'System: Read Permissions': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'ipapermissiontype',
'o', 'objectclass', 'ou', 'owner', 'seealso',
'ipapermdefaultattr', 'ipapermincludedattr',
'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermtarget',
'ipapermlocation', 'ipapermright', 'ipapermtargetfilter',
'member', 'memberof',
},
'default_privileges': {'RBAC Readers'},
},
'System: Read ACIs': {
# Readable ACIs are needed for reading legacy permissions.
'non_object': True,
'ipapermlocation': api.env.basedn,
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {'aci'},
'default_privileges': {'RBAC Readers'},
},
}
label = _('Permissions')
label_singular = _('Permission')
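Review bot: 'System: Read ACIs' is anchored at `api.env.basedn` with `'non_object': True`, so it grants RBAC Readers visibility of the `aci` attribute on every entry in the tree, not only on permission entries; the inline comment gives the reason but not the scope, so I would extend it to `# Readable ACIs are needed for reading legacy permissions. Note this exposes the aci attribute of every entry under basedn, not just permission entries.` Each definition in this hunk also sets `replaces_global_anonymous_aci`, which, if it does what the name suggests, withdraws the anonymous read of these entries and confines it to the privilege's members; that is a behaviour change for unauthenticated clients that neither the commit message nor a comment states, and the same applies to the privilege and role hunks. The permission class continues outside the hunk.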


@@ -54,6 +54,7 @@ class privilege(LDAPObject):
object_name = _('privilege')
object_name_plural = _('privileges')
object_class = ['nestedgroup', 'groupofnames']
permission_filter_objectclasses = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof']
attribute_members = {
'member': ['role'],
@@ -63,6 +64,18 @@ class privilege(LDAPObject):
'member': ['permission'],
}
rdn_is_primary_key = True
managed_permissions = {
'System: Read Privileges': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'member', 'memberof',
'o', 'objectclass', 'ou', 'owner', 'seealso',
},
'default_privileges': {'RBAC Readers'},
},
}
label = _('Privileges')
label_singular = _('Privilege')
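Review bot: `permission_filter_objectclasses = ['groupofnames']` is not discriminating on its own: the role class uses the same filter, and permission entries also carry `groupofnames` in their object_class, so the managed 'System: Read Privileges' ACI stays confined to privilege entries only if the framework also scopes it by location (presumably the object's container) — worth confirming, since an ACI matching on objectclass alone would also cover roles and permissions. A short comment such as `# groupofnames alone also matches roles and permissions; the managed ACI relies on the container location to confine it` would record that reliance. The privilege class continues outside the hunk.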


@@ -66,6 +66,7 @@ class role(LDAPObject):
object_name = _('role')
object_name_plural = _('roles')
object_class = ['groupofnames', 'nestedgroup']
permission_filter_objectclasses = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof',
'memberindirect', 'memberofindirect',
]
@@ -77,6 +78,18 @@ class role(LDAPObject):
'member': ['privilege'],
}
rdn_is_primary_key = True
managed_permissions = {
'System: Read Roles': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'member', 'memberof',
'o', 'objectclass', 'ou', 'owner', 'seealso',
},
'default_privileges': {'RBAC Readers'},
},
}
label = _('Roles')
label_singular = _('Role')
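Review bot: The `ipapermdefaultattr` set for 'System: Read Roles' is a verbatim copy of the one in the privilege hunk; the two have to stay in sync, and a shared module-level constant (if a cross-plugin import is acceptable here) or at least a comment `# keep in sync with the privilege read permission` would make the pairing explicit. `memberindirect` and `memberofindirect`, which this class lists in default_attributes, are absent from the set; if they are stored rather than computed attributes, readers would not see them — confirm against the framework before merging. The role class continues outside the hunk.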