The following attributes were missing from the list of default attributes:
* externalhost
* ipasudorunasextuser
* ipasudorunasextgroup
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
dns(forward)zone-add/remove-permission can work with permissions with
relative zone name
Ticket:https://fedorahosted.org/freeipa/ticket/4383
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Add missing Add, Modify, Removedefault permissions to:
- automountlocation (Add/Remove only; locations have
no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- userclass
added to existing Modify hosts permission
- usercertificate, userpassword
added to a new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The recent conversions to managed permissions left behind a few
failing tests. Fix them.
Also fix a now incorrect docstring in ipalib.config.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.
Fix the behaviour and cover it in the test suite.
https://fedorahosted.org/freeipa/ticket/4360
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When api.env is loaded, strings that "look like" floats got
auto-converted to floats.
This is wrong, as the conversion to float can lose precision.
Case in point: the api_version (e.g. '2.88') should never be
interpreted as float.
Do not automatically convert to float.
We have two numeric options: startup_timeout and wait_for_dns.
wait_for_dns is already converted to int when used in the code.
Convert startup_timeout to float explicitly when used, so
configuration that specified it with a decimal point continues
to work.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The current code would convert values to DN if the key was
a substring of 'basedn', e.g. 'base' or 'sed'.
Only convert if we're actually dealing with 'basedn'.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This results in the proper message being shown if the client sends
an option the server doesn't have yet.
It also adds the check to commands that override run() but not __call__,
such as `ipa ping`, and to commands run on the server. Adjust tests
for these changes.
https://fedorahosted.org/freeipa/ticket/3963
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
