Commit Graph

32 Commits

Author SHA1 Message Date
Simo Sorce
c386773484 Set VERSION to 2.99.0 on the 3.0 development branch 2011-08-18 16:59:20 -04:00
Rob Crittenden
293f0fab0b Become IPA 2.1.0 2011-08-15 00:34:48 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Jan Cholasta
b203756a88 Add ability to specify DNS reverse zone name by IP network address.
In order for this to work, chaining of parameters through
default_from is made possible.

ticket 1474
2011-07-15 02:21:23 -04:00
Martin Kosek
0cb65fd9f6 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
2011-07-13 15:06:13 +02:00
Martin Kosek
e6c68e9993 Add DNS record modification command
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
 - modify a DNS record value (note than DNS record can hold multiple values
   and those will be overwritten)
 - remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137
2011-07-12 14:20:16 -04:00
Jan Cholasta
67b807d640 Replace the 'private' option in netgroup-find with 'managed'.
The 'private' option is kept in to maintain API compatibility, but
is hidden from the user.

ticket 1120
2011-06-28 01:57:11 -04:00
Jr Aquino
44cdf8ef54 Raise DuplicateEntry Error when adding a duplicate sudo option
https://fedorahosted.org/freeipa/ticket/1276
https://fedorahosted.org/freeipa/ticket/1277
https://fedorahosted.org/freeipa/ticket/1308

Added new Exception: AttrValueNotFound
Fixed XML Test for Sudorule remove_option
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)
2011-06-16 19:21:07 -04:00
Martin Kosek
058e3d0306 Add ignore lists to migrate-ds command
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.

This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.

Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).

https://fedorahosted.org/freeipa/ticket/1266
2011-06-15 08:36:32 +02:00
Rob Crittenden
bee4e6a85a Remove automountinformation as part of the DN for automount.
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.

So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.

Multiple direct maps are still supported and for those the info is
always required.

ticket 1229
2011-06-13 22:59:27 -04:00
Jr Aquino
d7c60205a6 Add sudorule and hbacrule to memberof and indirectmemberof attributes
Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170
2011-06-06 13:14:38 -04:00
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Rob Crittenden
cc87bc3f28 Bump version to 2.0.90 to distinguish between 2.0.x 2011-05-03 10:51:36 -04:00
Rob Crittenden
316efbc32f postalCode should be a string not an integer.
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.

This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.

Bump the API version to 2.1.

ticket 1150
2011-04-05 21:51:34 -04:00
Rob Crittenden
446a4ca439 Become IPA 2.0.0 2011-03-24 16:28:53 -04:00
Rob Crittenden
dcf7a18b4e Become IPA v2 RC 3 (2.0.0.rc3) 2011-03-10 10:00:13 -05:00
Rob Crittenden
22a503785e Become IPA v2 RC 2 (2.0.0.rc2) 2011-02-23 22:14:42 -05:00
Rob Crittenden
94395b2661 Become IPA v2 RC 1 (2.0.0.rc1) 2011-02-14 20:12:05 -05:00
Rob Crittenden
ec0911e61b Become IPA v2 beta 2 (2.0.0.pre2) 2011-02-10 11:16:56 -05:00
Rob Crittenden
c69d8084c1 Add API version and have server reject incompatible clients.
This patch contains 2 parts.

The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.

The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).

To determine the API version of the server from a client use the ping
command.

ticket 584
2011-01-14 14:26:22 -05:00
Rob Crittenden
e4c94320cb Become IPA v2 beta 1 (2.0.0.pre1) 2010-12-22 14:36:37 -05:00
Rob Crittenden
6a6db10dbc Become IPA v2 alpha 5 (1.9.0.pre5) 2010-11-09 15:03:20 -05:00
Rob Crittenden
a0dfbc069d Become IPA v2 alpha 4 (1.9.0.pre4) 2010-07-15 11:25:39 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
caf32115ec Become IPA v2 alpha 3 (1.9.0.pre3) 2010-05-07 13:22:39 -04:00
Rob Crittenden
28d8bd6e69 Become IPA v2 alpha 2 (1.9.0.pre2) 2010-02-18 11:29:16 -05:00
Rob Crittenden
23b800a879 Back down to version 1.9.0 in preparation for release of first alpha.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
2009-10-26 13:55:01 -04:00
Rob Crittenden
a2c99b0360 Bump version to 2.0.0pre1 2009-05-11 16:26:55 -04:00
Simo Sorce
818cafdd4d Bump up version number to 1.2.0 2008-11-13 11:20:06 -05:00
Simo Sorce
9648da8f5f Fix versioning for configure.ac and ipa-python/setup.py
Fix make maintainer-clean

Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)

Version 1.1.0 was released some times ago, bump up to 1.1.1
2008-08-11 18:31:05 -04:00
Simo Sorce
e9b96cdabb Move version to 1.1.0 in preparation for new patch release 2008-06-11 09:21:18 -04:00
Rob Crittenden
5ad2af3429 Redo the way versioning works in freeIPA.
The file VERSION is now the sole-source of versioning.

The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.

By default a GIT build is done. To do a non-GIT build do:

 $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no

When updating the version you can run this to regenerate the version:

 $ make version-update

The version can be determined in Python by using ipaserver.version.VERSION
2008-05-05 13:53:57 -04:00