freeipa/ipalib/plugins/role.py

# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#   Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2009  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from ipalib.plugins.baseldap import *
from ipalib import api, Str, _, ngettext
from ipalib import Command
from ipalib.plugins import privilege

__doc__ = _("""
Roles

A role is used for fine-grained delegation. A permission grants the ability
to perform given low-level tasks (add a user, modify a group, etc.). A
privilege combines one or more permissions into a higher-level abstraction
such as useradmin. A useradmin would be able to add, delete and modify users.

Privileges are assigned to Roles.

Users, groups, hosts and hostgroups may be members of a Role.

Roles can not contain other roles.

EXAMPLES:

 Add a new role:
   ipa role-add --desc="Junior-level admin" junioradmin

 Add some privileges to this role:
   ipa role-add-privilege --privileges=addusers junioradmin
   ipa role-add-privilege --privileges=change_password junioradmin
   ipa role-add-privilege --privileges=add_user_to_default_group junioradmin

 Add a group of users to this role:
   ipa group-add --desc="User admins" useradmins
   ipa role-add-member --groups=useradmins junioradmin

 Display information about a role:
   ipa role-show junioradmin

 The result of this is that any users in the group 'junioradmin' can
 add users, reset passwords or add a user to the default IPA user group.
""")

class role(LDAPObject):
    """
    Role object.
    """
    container_dn = api.env.container_rolegroup
    object_name = _('role')
    object_name_plural = _('roles')
    object_class = ['groupofnames', 'nestedgroup']
    default_attributes = ['cn', 'description', 'member', 'memberof',
        'memberindirect', 'memberofindirect',
    ]
    attribute_members = {
        'member': ['user', 'group', 'host', 'hostgroup'],
        'memberof': ['privilege'],
    }
    reverse_members = {
        'member': ['privilege'],
    }
    rdnattr='cn'

    label = _('Roles')
    label_singular = _('Role')

    takes_params = (
        Str('cn',
            cli_name='name',
            label=_('Role name'),
            primary_key=True,
        ),
        Str('description',
            cli_name='desc',
            label=_('Description'),
            doc=_('A description of this role-group'),
        ),
    )

api.register(role)


class role_add(LDAPCreate):
    __doc__ = _('Add a new role.')

    msg_summary = _('Added role "%(value)s"')

api.register(role_add)


class role_del(LDAPDelete):
    __doc__ = _('Delete a role.')

    msg_summary = _('Deleted role "%(value)s"')

api.register(role_del)


class role_mod(LDAPUpdate):
    __doc__ = _('Modify a role.')

    msg_summary = _('Modified role "%(value)s"')

api.register(role_mod)


class role_find(LDAPSearch):
    __doc__ = _('Search for roles.')

    msg_summary = ngettext(
        '%(count)d role matched', '%(count)d roles matched', 0
    )

api.register(role_find)


class role_show(LDAPRetrieve):
    __doc__ = _('Display information about a role.')

api.register(role_show)


class role_add_member(LDAPAddMember):
    __doc__ = _('Add members to a role.')

api.register(role_add_member)


class role_remove_member(LDAPRemoveMember):
    __doc__ = _('Remove members from a role.')

api.register(role_remove_member)


class role_add_privilege(LDAPAddReverseMember):
    __doc__ = _('Add privileges to a role.')

    show_command = 'role_show'
    member_command = 'privilege_add_member'
    reverse_attr = 'privilege'
    member_attr = 'role'

    has_output = (
        output.Entry('result'),
        output.Output('failed',
            type=dict,
            doc=_('Members that could not be added'),
        ),
        output.Output('completed',
            type=int,
            doc=_('Number of privileges added'),
        ),
    )

api.register(role_add_privilege)


class role_remove_privilege(LDAPRemoveReverseMember):
    __doc__ = _('Remove privileges from a role.')

    show_command = 'role_show'
    member_command = 'privilege_remove_member'
    reverse_attr = 'privilege'
    member_attr = 'role'

    has_output = (
        output.Entry('result'),
        output.Output('failed',
            type=dict,
            doc=_('Members that could not be added'),
        ),
        output.Output('completed',
            type=int,
            doc=_('Number of privileges removed'),
        ),
    )

api.register(role_remove_privilege)