Jan Cholasta
2870db7913
Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Petr Viktorin
afe067b1ab
makeaci: Use the DN where the ACI is stored, not the permission's DN
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-07-07 14:42:52 +02:00
Martin Kosek
ef83a0c678
Add Modify Realm Domains permission
The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.
https://fedorahosted.org/freeipa/ticket/4423
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:17:04 +02:00
Martin Basti
30551a8aa3
Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0
Remove NSEC3PARAM record
Revert 5b95be802c
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
c655aa2832
Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Martin Basti
12cb31575c
DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Tomas Babej
9304b649a3
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
c2e6b74029
trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Tomas Babej
8f9838c7ef
trusts: Add more read attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
175b19bbf8
Add several CRUD default permissions
Add missing Add, Modify, Remove default permissions to:
- automountlocation (Add/Remove only; locations have
  no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
52003a9ffb
Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc
Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
439dd7fa74
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c
Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d
Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364
Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136
Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5
Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8e8e6b1ae7
Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead
Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5
Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8
Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3
Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
61eeea9e69
netgroup: Add objectclass attribute to read permissions
The entries were unreadable without this.
Additional fix for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 17:41:49 +02:00
Tomas Babej
ef5309d376
trusts: Allow reading ipaNTSecurityIdentifier in user and group objects
https://fedorahosted.org/freeipa/ticket/4385
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-23 15:27:33 +02:00
Petr Viktorin
14e2eb9171
host permissions: Allow writing attributes needed for automatic enrollment
- userclass
  added to existing Modify hosts permission
- usercertificate, userpassword
  added to a new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:33 +02:00
Petr Viktorin
8a5110305f
Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
ac8539bd34
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Martin Basti
7cdc4178b0
DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c
DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Petr Viktorin
49e83256b4
Convert Password Policy default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7
Convert COSTemplate default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
853b6ef4ce
Convert DNS default permissions to managed
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Petr Viktorin
b6258d08d6
Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:30 +02:00
Petr Viktorin
6acaf73b0c
Add ACI.txt
The ACI.txt file is a list of all managed permissions in ACI form.
Similarly to API.txt, it ensures that changes are not made lightly,
since modifications must be reflected in ACI.txt and committed to Git.
Add a script, makeaci, which parallels makeapi: it recreates or
validates ACI.txt.
Call makeaci --validate before the build, just after API.txt is validated.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00