IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
6860c63760
freeipa/ipaclient/remote_plugins/2_49/permission.py
Jan Cholasta 2cf7c7b4ac client: add support for pre-schema servers 
Bundle remote plugin interface definitions for servers which lack API
schema support. These server API versions are included:
* 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
* 2.114: IPA 4.1.4 on Fedora 22,
* 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
* 2.164: IPA 4.3.1 on Fedora 23.

For servers with other API versions, the closest lower API version is used.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00

752 lines
21 KiB
Python
Raw Blame History

#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Permissions
A permission enables fine-grained delegation of rights. A permission is
a human-readable form of a 389-ds Access Control Rule, or instruction (ACI).
A permission grants the right to perform a specific task such as adding a
user, modifying a group, etc.
A permission may not contain other permissions.
* A permission grants access to read, write, add or delete.
* A privilege combines similar permissions (for example all the permissions
needed to add a user).
* A role grants a set of privileges to users, groups, hosts or hostgroups.
A permission is made up of a number of different parts:
1. The name of the permission.
2. The target of the permission.
3. The rights granted by the permission.
Rights define what operations are allowed, and may be one or more
of the following:
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
4. delete - delete an existing entry
5. all - all permissions are granted
Read permission is granted for most attributes by default so the read
permission is not expected to be used very often.
Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editable.
There are a number of allowed targets:
1. type: a type of object (user, group, etc).
2. memberof: a member of a group or hostgroup
3. filter: an LDAP filter
4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a
super-set of the "type" target.
5. targetgroup: grant access to modify a specific group (such as granting
the rights to manage group membership)
EXAMPLES:
Add a permission that grants the creation of users:
ipa permission-add --type=user --permissions=add "Add Users"
Add a permission that grants the ability to manage group membership:
ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
""")
register = Registry()
@register()
class permission(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Permission name'),
),
parameters.Str(
'permissions',
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
),
parameters.Str(
'type',
required=False,
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Str(
'member_privilege',
required=False,
label=_(u'Granted to Privilege'),
),
parameters.Str(
'memberindirect_role',
required=False,
label=_(u'Indirect Member of roles'),
),
)
@register()
class permission_add(Method):
__doc__ = _("Add a new permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissions',
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
alwaysask=True,
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
alwaysask=True,
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
alwaysask=True,
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
alwaysask=True,
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
alwaysask=True,
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
alwaysask=True,
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_add_member(Method):
__doc__ = _("Add members to a permission.")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'member privilege'),
doc=_(u'comma-separated list of privileges to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class permission_add_noaci(Method):
__doc__ = _("Add a system permission without an ACI")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissiontype',
required=False,
cli_metavar="['SYSTEM']",
label=_(u'Permission type'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_del(Method):
__doc__ = _("Delete a permission.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
parameters.Flag(
'force',
label=_(u'Force'),
doc=_(u'force delete of SYSTEM permissions'),
exclude=('cli', 'webui'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_find(Method):
__doc__ = _("Search for permissions.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Permission name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class permission_mod(Method):
__doc__ = _("Modify a permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'rename',
required=False,
label=_(u'Rename'),
doc=_(u'Rename the permission object'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_remove_member(Method):
__doc__ = _("Remove members from a permission.")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'member privilege'),
doc=_(u'comma-separated list of privileges to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class permission_show(Method):
__doc__ = _("Display information about a permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
Reference in New Issue View Git Blame Copy Permalink