Hello,
Here are a few fixes/improvements, and the first part of a managed permission updater.
The patches should go in this order but don't need to be ACKed/pushed all at once.
Design:
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This part is a "preview" of sorts, to get the basic mechanism and the metadata format reviewed before I add all of the default read permissions.
It implements the first section of "Default Permission Updater" in the design; "Replacing legacy default permissions" and "Removing the global anonymous read ACI" is left for later.
Metadata is added for the netgroup plugin* for starters, so installing this will give you two shiny new read permissions:
$ ipa permission-find ipa: --all
---------------------
2 permissions matched
---------------------
dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroup Membership
Permissions: read, compare, search
Effective attributes: externalhost, member, memberof, memberuser
Default attributes: member, memberof, memberuser, externalhost
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroups
Permissions: read, compare, search
Effective attributes: cn, description, hostcategory, ipaenabledflag,
ipauniqueid, nisdomainname, usercategory
Default attributes: cn, usercategory, hostcategory, ipauniqueid,
ipaenabledflag, nisdomainname, description
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
----------------------------
Number of entries returned 2
----------------------------
with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:
(targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read Netgroup Membership";allow (read,compare,search) userdn = "ldap:///all";)
(targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read Netgroups";allow (read,compare,search) userdn = "ldap:///all";)
Patches:
0473: Enables refactoring that will make it more clear (to humans and machines) which plugins code depends on.
https://fedorahosted.org/freeipa/ticket/4185
0474: Fix handling of the search term for legacy permissions
My code that's in master now handles the search term incorrectly. This does a better job.
0475: Fix tests that relied on some assumptions I'll be breaking
0476: Allow modifying (but not creating) permissions with ":" in the name
0477: Permission updater & sample metadata
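The two permission entries and the two ACIs shown above are the same information in two notations, and the mapping between them is mechanical: the ACL name is "permission:" plus the permission name, the effective attributes are emitted sorted into targetattr, the target filter is copied, the rights keep their order, and a bind rule type of "all" becomes userdn = "ldap:///all". The following is an added example, not part of the message above and not FreeIPA's own updater code, that renders an ACI from those fields and parses one back so the rights it grants can be checked. The "anonymous" bind rule entry and the regex-based parser (which only understands the exact ACI shape printed in this message, not the full 389-ds ACI grammar) are assumptions of this example.

```python
import re

# Bind rule types as printed by `ipa permission-find`, mapped to the bind rule
# that appears in the ACI.  Only "all" occurs in the message above; the
# "anonymous" entry is an assumption of this example, not taken from the page.
BIND_RULES = {
    "all": 'userdn = "ldap:///all"',
    "anonymous": 'userdn = "ldap:///anyone"',
}

# Rights a *read* permission is allowed to grant.  Anything else (write, add,
# delete, ...) means the ACI is not a read permission any more.
READ_RIGHTS = {"read", "compare", "search"}


def render_aci(name, rights, attrs, target_filter, bind_rule_type):
    """Render the 389-ds ACI for a managed permission.

    The ACL name is "permission:" + the permission name, target attributes are
    emitted sorted (the message shows effective attributes sorted while the
    default attributes are not), rights keep the order they were given.
    """
    if bind_rule_type not in BIND_RULES:
        raise ValueError("unsupported bind rule type: %r" % (bind_rule_type,))
    targetattr = " || ".join(sorted(attrs))
    return (
        '(targetattr = "%s")' % targetattr
        + '(targetfilter = "%s")' % target_filter
        + '(version 3.0;acl "permission:%s";' % name
        + "allow (%s) %s;)" % (",".join(rights), BIND_RULES[bind_rule_type])
    )


# Matches only the ACI shape emitted by render_aci (assumption: a real ACI
# parser would have to handle the whole 389-ds grammar, this one does not).
ACI_RE = re.compile(
    r'\(targetattr = "(?P<attrs>[^"]*)"\)'
    r'\(targetfilter = "(?P<filter>[^"]*)"\)'
    r'\(version 3\.0;acl "(?P<name>[^"]*)";'
    r"allow \((?P<rights>[^)]*)\) (?P<bind>[^;]*);\)$"
)


def parse_aci(aci):
    """Split an ACI of the managed-permission shape back into its fields."""
    m = ACI_RE.match(aci)
    if m is None:
        raise ValueError("not an ACI in the managed-permission shape")
    return {
        "name": m.group("name"),
        "attrs": [a.strip() for a in m.group("attrs").split("||")],
        "filter": m.group("filter"),
        "rights": [r.strip() for r in m.group("rights").split(",")],
        "bind": m.group("bind"),
    }


def is_read_only(aci):
    """True if the ACI grants nothing beyond read/compare/search."""
    return set(parse_aci(aci)["rights"]) <= READ_RIGHTS


if __name__ == "__main__":
    # Constructed from the "ipa:Read Netgroup Membership" entry in the message.
    aci = render_aci(
        "ipa:Read Netgroup Membership",
        ["read", "compare", "search"],
        ["member", "memberof", "memberuser", "externalhost"],
        "(objectclass=ipanisnetgroup)",
        "all",
    )
    print(aci)
    print("read-only:", is_read_only(aci))
```

Running the module prints the first ACI from the message and confirms it grants only read-type rights; feeding it an ACI whose rights include write makes is_read_only return False, which is the check worth running over every ACI a read-permission updater writes out.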