Hello,

The first patch adds default read permissions to krbtpolicy. Since the plugin manages entries in two trees, there are two permissions. Since two permissions are needed to cover krbtpolicy, it can't be used as a permission's --type. The permissions are added to a new privilege, 'Kerberos Ticket Policy Readers'.

The second patch adds an ACI for reading the Kerberos realm name. Since client enrollment won't work without this, I don't see a reason for having it managed by a permission.

--
Petr³
From 3b14c13b5584b525fd07f0eb0ddb9923361d290e Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to krbtpolicy

Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/40-delegation.update |  7 +++++++
 ipalib/plugins/krbtpolicy.py         | 38 +++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 27e605789ba152ac61796217ca12a603958931c1..17be6915e82c4893a66dbc8625e2e9ab36af1aa0 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -408,3 +408,10 @@ dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
 default:objectClass: top
 default:cn: Password Policy Readers
 default:description: Read password policies
+
+dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Kerberos Ticket Policy Readers
+default:description: Read global and per-user Kerberos ticket policy
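Review bot: nothing in this update file ties the new 'Kerberos Ticket Policy Readers' privilege to any permission; the membership comes only from the `default_privileges` entries in `ipalib/plugins/krbtpolicy.py` later in the same patch, so the privilege stays empty until the managed permissions are synced. A one-line comment above the `dn:` line, such as `# Permissions are attached by the managed permissions in ipalib/plugins/krbtpolicy.py`, would make that dependency visible to whoever edits this file next. The entry itself mirrors the `Password Policy Readers` entry above it (same objectclasses, same `default:` prefixes), which is the right pattern.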
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a05583dfb4d3067a1a7f1e097859eac26c3be2ae..4ae676dc5b7ece54c57c9d99afea92ca397b36be 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -75,8 +75,44 @@ class krbtpolicy(LDAPObject):
     object_name = _('kerberos ticket policy settings')
     default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
     limit_object_classes = ['krbticketpolicyaux']
+    # permission_filter_objectclasses is deliberately missing,
+    # so it is not possible to create a permission of `--type krbtpolicy`.
+    # This is because we need two permissions to cover both global and per-user
+    # policies.
+    managed_permissions = {
+        'System: Read Default Kerberos Ticket Policy': {
+            'non_object': True,
+            'replaces_global_anonymous_aci': True,
+            'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+            'ipapermlocation': DN(container_dn, api.env.basedn),
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'krbdefaultencsalttypes', 'krbmaxrenewableage',
+                'krbmaxticketlife', 'krbsupportedencsalttypes',
+                'objectclass',
+            },
+            'default_privileges': {
+                'Kerberos Ticket Policy Readers',
+            },
+        },
+        'System: Read User Kerberos Ticket Policy': {
+            'non_object': True,
+            'replaces_global_anonymous_aci': True,
+            'ipapermlocation': DN(api.env.container_user, api.env.basedn),
+            'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'krbmaxrenewableage', 'krbmaxticketlife',
+            },
+            'default_privileges': {
+                'Kerberos Ticket Policy Readers',
+            },
+        },
+    }
 
-    label=_('Kerberos Ticket Policy')
+    label = _('Kerberos Ticket Policy')
     label_singular = _('Kerberos Ticket Policy')
 
     takes_params = (
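Review bot: both permissions set `replaces_global_anonymous_aci: True`, which, as the key name says, withdraws the anonymous read access that currently covers the global policy under `cn=kerberos` and `krbmaxticketlife`/`krbmaxrenewableage` on user entries; the commit message only says "Add two permissions" and should state that behavioural change, and that the anonymous read of the realm container needed for enrollment is restored by the accompanying 20-aci.update patch, so the two must land together. Smaller points: the user-policy permission's `ipapermdefaultattr` omits `objectclass` while the default-policy permission includes it; if that is intentional (objectclass on user entries being covered by the user read permissions), a short comment would save the next reader the question. The `label=_(...)` spacing fix is unrelated to the change and could be a separate cleanup.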
-- 
1.9.0

From 032c670a403953d3ef033f58c60299845e9ebe0b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Allow anonymous read access to Kerberos realm container name

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index e9e1fe9db4d9c594ae0485c6f7cec8a668a8ff92..94707660decb8dce83916a74b550b28fe4da7e35 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -24,3 +24,7 @@ dn: $SUFFIX
 # Read access to containers
 dn: $SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
+
+# Read access to Kerberos realm name
+dn: cn=$REALM,cn=kerberos,$SUFFIX
+add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(objectclass=krbrealmcontainer)")(version 3.0;acl "Anonymous read access to Kerberos realm name";allow (read,compare,search) userdn = "ldap:///anyone";;)'
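Review bot: the new ACI is formatted differently from the container ACI two lines above it (`targetattr = "cn || objectclass"` with spaces around `=`, `allow (read,compare,search)` versus `allow(read, search, compare)`, no space after `version 3.0;`); matching the file's existing style keeps the ACIs greppable and easier to compare. On substance, the cover email explains that this deliberately is not a managed permission because client enrollment depends on anonymous reading of the realm name; that rationale belongs in the commit message or in the comment above the `dn:` line (e.g. `# Read access to Kerberos realm name, required for client enrollment`), since a later cleanup converting anonymous ACIs to managed permissions would otherwise have no hint to leave this one alone.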
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
