IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0
freeipa/tests/test_xmlrpc/objectclasses.py
Martin Kosek 52f69aaa8a Per-domain DNS record permissions 
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00

155 lines
2.6 KiB
Python
Raw Blame History

# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Defines the expected objectclass for various entries.
"""
user_base = [
u'top',
u'person',
u'organizationalperson',
u'inetorgperson',
u'inetuser',
u'posixaccount',
u'krbprincipalaux',
u'krbticketpolicyaux',
u'ipaobject',
u'ipasshuser',
u'ipaSshGroupOfPubKeys',
]
user = user_base + [u'mepOriginEntry']
group = [
u'top',
u'groupofnames',
u'nestedgroup',
u'ipausergroup',
u'ipaobject',
]
host = [
u'ipasshhost',
u'ipaSshGroupOfPubKeys',
u'ieee802device',
u'ipaobject',
u'nshost',
u'ipahost',
u'pkiuser',
u'ipaservice',
u'krbprincipalaux',
u'krbprincipal',
u'top',
]
hostgroup = [
u'ipaobject',
u'ipahostgroup',
u'nestedGroup',
u'groupOfNames',
u'top',
u'mepOriginEntry',
]
role = [
u'groupofnames',
u'nestedgroup',
u'top',
]
permission = [
u'groupofnames',
u'ipapermission',
u'top'
]
privilege = [
u'nestedgroup',
u'groupofnames',
u'top'
]
service = [
u'krbprincipal',
u'krbprincipalaux',
u'krbticketpolicyaux',
u'ipaobject',
u'ipaservice',
u'pkiuser',
u'ipakrbprincipal',
u'top',
]
hbacsvc = [
u'ipaobject',
u'ipahbacservice',
]
hbacsvcgroup = [
u'ipaobject',
u'ipahbacservicegroup',
u'groupOfNames',
u'top',
]
sudocmd = [
u'ipaobject',
u'ipasudocmd',
]
sudocmdgroup = [
u'ipaobject',
u'ipasudocmdgrp',
u'groupOfNames',
u'top',
]
netgroup = [
u'ipaobject',
u'ipaassociation',
u'ipanisnetgroup',
]
automember = [
u'top',
u'automemberregexrule',
]
selinuxusermap = [
u'ipaassociation',
u'ipaselinuxusermap',
]
hbacrule = [
u'ipaassociation',
u'ipahbacrule',
]
dnszone = [
u'top',
u'idnsrecord',
u'idnszone',
]
dnsrecord = [
u'top',
u'idnsrecord',
]
Reference in New Issue View Git Blame Copy Permalink