Add managed read permissions to pwpolicy and cosentry

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-03-26 17:11:23 +01:00 · 2014-03-26 17:11:23 +01:00 · f10ec17c03
commit f10ec17c03
parent c08f8d2f1e
2 changed files with 41 additions and 0 deletions
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@ -401,3 +401,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: RBAC Readers
 default:description: Read roles, privileges, permissions and ACIs
+
+dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Readers
+default:description: Read password policies
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@ -78,7 +78,22 @@ class cosentry(LDAPObject):

    container_dn = DN(('cn', 'costemplates'), api.env.container_accounts)
    object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
+    permission_filter_objectclasses = ['costemplate']
    default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference']
+    managed_permissions = {
+        'System: Read Group Password Policy costemplate': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'cospriority', 'krbpwdpolicyreference', 'objectclass',
+            },
+            'default_privileges': {
+                'Password Policy Readers',
+                'Password Policy Administrator',
+            },
+        },
+    }

    takes_params = (
        Str('cn', primary_key=True),
@ -180,12 +195,31 @@ class pwpolicy(LDAPObject):
    object_name = _('password policy')
    object_name_plural = _('password policies')
    object_class = ['top', 'nscontainer', 'krbpwdpolicy']
+    permission_filter_objectclasses = ['krbpwdpolicy']
    default_attributes = [
        'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
        'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
        'krbpwdmaxfailure', 'krbpwdfailurecountinterval',
        'krbpwdlockoutduration',
    ]
+    managed_permissions = {
+        'System: Read Group Password Policy': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
+                'krbpwdfailurecountinterval', 'krbpwdhistorylength',
+                'krbpwdlockoutduration', 'krbpwdmaxfailure',
+                'krbpwdmindiffchars', 'krbpwdminlength', 'objectclass',
+            },
+            'default_privileges': {
+                'Password Policy Readers',
+                'Password Policy Administrator',
+            },
+        },
+    }
+
    MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
    has_lockout = False
    lockout_params = ()