Add several managed read permissions under cn=etc

This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-03-26 17:11:23 +01:00 · 2014-03-26 17:11:23 +01:00 · d893b77fb6
commit d893b77fb6
parent af3a4adc46
2 changed files with 84 additions and 2 deletions
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@ -461,3 +461,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Automember Readers
 default:description: Read Automember definitions
+
+dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: IPA Masters Readers
+default:description: Read list of IPA masters
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@ -68,7 +68,7 @@ The template dictionary can have the following keys:
 No other keys are allowed in the template
 """

-from ipalib import errors
+from ipalib import api, errors
 from ipapython.dn import DN
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
@ -80,7 +80,82 @@ from ipaserver.install.plugins.baseupdate import PostUpdate

 register = Registry()

-NONOBJECT_PERMISSIONS = {}
+NONOBJECT_PERMISSIONS = {
+    'System: Read IPA Masters': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'ipaconfigstring',
+        },
+        'default_privileges': {'IPA Masters Readers'},
+    },
+    'System: Read DNA Configuration': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=dnasharedconfig)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'dnaHostname', 'dnaPortNum',
+            'dnaSecurePortNum', 'dnaRemoteBindMethod', 'dnaRemoteConnProtocol',
+            'dnaRemainingValues',
+        },
+    },
+    'System: Read CA Renewal Information': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=pkiuser)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'usercertificate',
+        },
+    },
+    'System: Read CA Certificate': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=pkica)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'cacertificate', 'certificaterevocationlist',
+            'authorityrevocationlist', 'crosscertificatepair',
+        },
+    },
+    'System: Read Replication Information': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=nsds5replica)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'nsds5replicaroot', 'nsds5replicaid',
+            'nsds5replicacleanruv', 'nsds5replicaabortcleanruv',
+            'nsds5replicatype', 'nsds5replicabinddn', 'nsstate',
+            'nsds5replicaname', 'nsds5flags', 'nsds5task',
+            'nsds5replicareferral', 'nsds5replicaautoreferral',
+            'nsds5replicapurgedelay', 'nsds5replicatombstonepurgeinterval',
+            'nsds5replicachangecount', 'nsds5replicalegacyconsumer',
+            'nsds5replicaprotocoltimeout', 'nsds5replicabackoffmin',
+            'nsds5replicabackoffmax',
+        },
+    },
+    'System: Read AD Domains': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=etc', api.env.basedn),
+        'ipapermtarget': DN('cn=ad,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=ipantdomainattrs)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'ipantsecurityidentifier', 'ipantflatname',
+            'ipantdomainguid', 'ipantfallbackprimarygroup',
+        },
+    },
+}


@register()