Commit Graph

153 Commits

Author SHA1 Message Date
Rob Crittenden
d84ffd9e54 Move permissions and privileges to their own container, cn=pbac,$SUFFIX
ticket 638
2010-12-22 11:26:49 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Jr Aquino
af48654cbc Add plugins for Sudo Commands, Command Groups and Rules 2010-09-27 22:38:06 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
1dd7b11b0b Connect the -v cli argument to the verbose flag in xmlrpclib
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
2010-06-03 17:08:22 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Jason Gerard DeRose
942919bef7 Consolidate to single WSGI entry point 2010-03-01 20:21:38 -07:00
Rob Crittenden
338578d10a Allow one-character Param names
This is done explicitly to support the l/localityname attribute.
2010-02-12 13:14:29 -07:00
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Jason Gerard DeRose
f58ff2921d Giant webui patch take 2 2009-10-13 11:28:00 -06:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Rob Crittenden
e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
Pavel Zuna
8c7883364c Remove use_ldap2 constant. 2009-07-02 13:33:01 -04:00
Pavel Zuna
56e001fd88 Add new env variables: container_taskgroup, container_rolegroup and container_netgroup. 2009-05-26 14:50:24 -04:00
Rob Crittenden
0353be6810 Dogtag keeps telling me to use port 9444 and not 9443, use it. 2009-05-26 14:25:52 -04:00
Jason Gerard DeRose
ae38a2461f Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed 2009-05-11 16:17:08 -04:00
Pavel Zuna
ff0819b189 Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging. 2009-04-22 15:12:39 -04:00
root
6ca80e312a Add 'container_hbac' env variable. 2009-04-03 14:07:30 -04:00
Jason Gerard DeRose
4ab133c3cb Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this 2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
e0fe732318 Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally 2009-02-17 16:03:09 -05:00
Jakub Hrozek
328f8d0bf8 Add policy-related container constants 2009-02-10 14:10:45 -05:00
Jason Gerard DeRose
231f0bd65a Finished reworked cli.CLI class into cli.cli plugin 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
244346dbcb More work on xmlrpc stuff, started migrated more code to use errors2 instead of errors 2009-02-03 15:29:01 -05:00
Jason Gerard DeRose
12c4879613 Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested 2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
6aadeb9aea Added Object.params_minus() method; various small tweaks 2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
447c88a2bb Started moving some core classes and functions from plugable.py to new base.py module 2008-12-30 00:45:48 -07:00
Jason Gerard DeRose
01cae56e0a Some more reorganization in Env and added class docstring to Env with lots of examples 2008-12-22 21:02:43 -07:00
Jason Gerard DeRose
6b055b435f Cleaned up Env.__setattr__() and Env.__setitem__() a bit updated their unit tests 2008-12-22 17:29:11 -07:00
Jason Gerard DeRose
014cca57ad The Env.__setitem__() implied conversion is now case sensitive; Env.__setitem__() now also accepts None as a value 2008-12-22 16:16:57 -07:00
Jason Gerard DeRose
dc54dee622 Started work on per-request gettext setup 2008-12-18 14:01:59 -07:00
Jason Gerard DeRose
4d1681176a New Param: added unit tests for TypeError cases in DefaultFrom.__init__() 2008-12-18 02:08:41 -07:00
Jason Gerard DeRose
cb2f294cfe New Param: added missing unit tests for TypeError and ValueError cases in parse_param_spec() 2008-12-18 01:57:39 -07:00
Jason Gerard DeRose
5c47b56d14 Finished kwarg validation and extension mechanism in parameter.Param 2008-12-11 18:07:54 -07:00
Jason Gerard DeRose
22209a0f03 Started roughing out the consolidated type/parameter system in parameters.py; started corresponding unit tests 2008-12-10 21:14:05 -07:00
Rob Crittenden
c513743e7c Add autmount-specific location and default entries 2008-11-14 18:05:29 -05:00
Jason Gerard DeRose
014af24731 Changed calling signature of output_for_cli(); started work on 'textui' backend plugin 2008-11-12 00:46:04 -07:00
Jason Gerard DeRose
9aa14333a4 Added 'conf_dir' env variable, which is directory containing config files 2008-11-10 15:53:10 -07:00
Rob Crittenden
e825bc7ccb Revive the hostgroup_container and include add/remove hosts in hostgroups plugin 2008-11-04 14:03:43 -05:00
Jason Gerard DeRose
242a8183a7 Added custom log formatter util.LogFormatter that makes the human-readable time stamp in UTC 2008-10-31 20:25:33 -06:00
Jason Gerard DeRose
5269d1396c Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True 2008-10-31 18:55:32 -06:00
Jason Gerard DeRose
fbcb55bd11 lite-xmlrpc.py now uses api.bootstrap() property, logs to api.logger 2008-10-28 02:10:56 -06:00
Jason Gerard DeRose
316bd855d5 Added util.configure_logging() function; API.bootstrap() now calls util.configure_logging() 2008-10-28 01:39:02 -06:00
Jason Gerard DeRose
6e456cc749 More CLI cleanup, got all basics working again 2008-10-27 23:30:55 -06:00
Jason Gerard DeRose
9b1e3f5946 More docstrings, functionality, and unit tests for improved CLI class 2008-10-27 19:21:49 -06:00
Jason Gerard DeRose
28dd8e74bd Env._bootstrap() now also sets Env.conf_default 2008-10-27 00:58:25 -06:00
Jason Gerard DeRose
ff5cb4cf6f Added more needed config in DEFAULT_CONFIG 2008-10-24 20:59:11 -06:00
Jason Gerard DeRose
ac4efac394 Finished Env._finalize_core() and corresponding unit tests 2008-10-24 20:02:14 -06:00
Jason Gerard DeRose
f80beb948b Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same 2008-10-24 15:07:07 -06:00