Add new schema to store information about permissions.

There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM. ticket 853
2025-02-25 18:55:28 -06:00 · 2011-02-01 11:57:18 -05:00 · 2011-02-01 11:57:18 -05:00 · c6ef39b2c0
commit c6ef39b2c0
parent 685c516e88
4 changed files with 80 additions and 2 deletions
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Change a user password
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add user to default group
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+objectClass: ipapermission
 cn: Unlock user accounts
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Group membership
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroup membership
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX

@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX

@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX

@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Role membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX

@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify privilege membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX

@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroup membership
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage host keytab
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage service keytab
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Enroll a host
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX

 dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX

 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX

 # Entitlement management
@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: addentitlements
 description: Add Entitlements
 member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Retrieve Certificates from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificates from a different host
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Get Certificates status from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Revoke Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Certificate Remove Hold
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
+from ipalib import errors

 ACI_PREFIX=u"permission"

+output_params = (
+    Str('ipapermissiontype',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
    """
    Permission object.
@ -83,9 +90,9 @@ class permission(LDAPObject):
    container_dn = api.env.container_permission
    object_name = 'permission'
    object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
    default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissiontype',
    ]
    aci_attributes = ['group', 'permissions', 'attrs', 'type',
        'filter', 'subtree', 'targetgroup',
@ -150,6 +157,17 @@ class permission(LDAPObject):
        ),
    )

+    # Don't allow SYSTEM permissions to be modified or removed
+    def check_system(self, ldap, dn, *keys):
+        try:
+            (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+        except errors.NotFound:
+            self.handle_not_found(*keys)
+        if 'ipapermissiontype' in entry_attrs:
+            if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+                return False
+        return True
+
 api.register(permission)


@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
    msg_summary = _('Deleted permission "%(value)s"')

    def pre_callback(self, ldap, dn, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be removed')
        # remove permission even when the underlying ACI is missing
        try:
            self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
    """

    msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
        # check if permission is in LDAP
        try:
            (dn, attrs) = ldap.get_entry(
@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
    msg_summary = ngettext(
        '%(count)d permission matched', '%(count)d permissions matched'
    )
+    has_output_params = LDAPSearch.has_output_params + output_params

    def post_callback(self, ldap, entries, truncated, *args, **options):
        for entry in entries:
@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
    """
    Display information about a permission.
    """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        try:
            aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
--- a/tests/test_xmlrpc/objectclasses.py
+++ b/tests/test_xmlrpc/objectclasses.py
@ -68,6 +68,7 @@ role = [

 permission = [
    u'groupofnames',
+    u'ipapermission',
    u'top'
 ]