On 06/13/2014 05:25 PM, Petr Viktorin wrote:

With the first patch, old SYSTEM permissions can be replaced. The "Read
DNS Entries" did not have an associated ACI, but was rather rolled into
a single ACI with the managedBy rule used for per-zone access.
(and before that it was part of a deny rule.)
We can't remove this permission in an update file, because we need to
check that it is indeed an old SYSTEM perm and not a new one with the
same name.


The second patch converts DNS permissions to managed.

The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
not exist in all installations.

I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
when I've thought more about relationships between plugins, packages,
install options, and the updater.

Testing more, I found a benign bug: the updater complained if the cn=dns container was missing. Fixed here.

Also, the update_dns_permissions plugin is now obsolete; the third patch removes it.


--
Petr³
From 2d213434a065c18943b8b33e921bb5b9995a581d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 13 Jun 2014 15:58:24 +0200
Subject: [PATCH] managed permission updater: Add mechanism to replace SYSTEM
 permissions

The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 .../install/plugins/update_managed_permissions.py      | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 7b1405a1974826fd90acd0d5082f51d8b25034cd..2ca054d50d11eec9527e0ef1e5d53d2f8e479ed0 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -67,6 +67,8 @@
 * replaces
   - A list of ACIs corresponding to legacy default permissions replaced
     by this permission.
+* replaces_system
+  - A list of names of old SYSTEM permissions this replaces.
 * fixup_function
   - A callable that may modify the template in-place before it is applied.
   - Called with the permission name, template dict, and keyword arguments:
@@ -410,6 +412,21 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
             self.log.info("Removing legacy permission '%s'", legacy_name)
             self.api.Command[permission_del](unicode(legacy_name))
 
+        for name in template.get('replaces_system', ()):
+            name = unicode(name)
+            try:
+                entry = ldap.get_entry(permission_plugin.get_dn(name),
+                                       ['ipapermissiontype'])
+            except errors.NotFound:
+                self.log.info("Legacy permission '%s' not found", name)
+            else:
+                flags = entry.get('ipapermissiontype', [])
+                if list(flags) == ['SYSTEM']:
+                    self.log.info("Removing legacy permission '%s'", name)
+                    self.api.Command[permission_del](name, force=True)
+                else:
+                    self.log.info("Ignoring V2 permission '%s'", name)
+
     def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
         """Compute included and excluded attributes for a new permission
 
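Review bot: The `replaces_system` loop reads only `ipapermissiontype` before calling `permission_del(name, force=True)`, so any `member` values a deployment attached to the old SYSTEM entry beyond the template's `default_privileges` are dropped silently rather than carried over to the replacement — unless that migration happens elsewhere in update_permission, whose start is outside the hunk; fetching `['ipapermissiontype', 'member']` and at least logging the privileges being detached would make the upgrade auditable. The loop variable also rebinds the method's `name` parameter; renaming it, `for system_name in template.get('replaces_system', ()):` (and its uses in the body), avoids acting on the wrong permission if code is later appended after the loop. The exact-match test `list(flags) == ['SYSTEM']` is the right conservative check; a comment such as `# only delete a pure SYSTEM entry; anything else is user-created or a V2 permission` would record why other flag combinations are skipped.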
@@ -497,6 +514,7 @@ def update_entry(self, obj, entry, template,
 
         template = dict(template)
         template.pop('replaces', None)
+        template.pop('replaces_system', None)
 
         fixup_function = template.pop('fixup_function', None)
         if fixup_function:
-- 
1.9.0

From 2878c7dbebc2352b91fc091aae3c4010c5243fb4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 9 Jun 2014 15:06:35 +0200
Subject: [PATCH] Convert DNS default permissions to managed

Convert the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt                              |  12 +++++
 install/share/dns.ldif               |  59 --------------------
 install/updates/40-delegation.update |   6 +--
 install/updates/40-dns.update        |  28 +---------
 ipalib/plugins/dns.py                | 101 +++++++++++++++++++++++++++++++++++
 5 files changed, 118 insertions(+), 88 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2ceaacc077467b6ef54e09d0aa7d3d5695c8fd40..6b75e79c3d771d33558750958f61ada82fd1e5eb 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -10,6 +10,18 @@ dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=exampl
 aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index d27f105b75ab1ac635ad16b31fe7f1332715f5f5..a2b126714acb30b9a6283db58728fac8fe340678 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -9,14 +9,6 @@ dn: cn=dns,$SUFFIX
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX";)(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
@@ -32,54 +24,3 @@ dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
 objectClass: nestedgroup
 cn: DNS Servers
 description: DNS Servers
-
-dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: add dns entries
-description: Add DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: remove dns entries
-description: Remove DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: update dns entries
-description: Update DNS entries
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: ipapermission
-cn: Read DNS Entries
-description: Read DNS entries
-ipapermissiontype: SYSTEM
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
-changetype: add
-objectClass: groupofnames
-objectClass: top
-objectClass: ipapermission
-cn: Write DNS Configuration
-description: Write DNS Configuration
-member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 7c3a284b8d2a0592240e56d8118c821a25fc7798..3c3212d58dc4fa9d50a07bee69bde98eaf6608f2 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -244,9 +244,9 @@ dn: $SUFFIX
 
 # The original DNS permissions lacked the tag.
 dn: $SUFFIX
-replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
 
 # SELinux User Mapping
 dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 475a0c05cf3c54c2c26c65c608d205034dec9faf..f0dbc9ce388e050ccfcf21ac1c82dcf12c3594c8 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -1,23 +1,3 @@
-# Add missing member values to attach permissions to their respective
-# privileges
-# Memberof task is already being run in 55-pbacmemberof.update
-dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
-addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
-addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
-
-dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
-addifexist:objectclass: ipapermission
 
 # update DNS container
 dn: cn=dns, $SUFFIX
@@ -26,14 +6,10 @@ dn: cn=dns, $SUFFIX
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
 addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
 
-# update DNS acis with new idnsRecord attributes
-dn: $SUFFIX
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-
 # replace DNS tree deny rule with managedBy enhanced allow rule
 dn: cn=dns, $SUFFIX
-replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)'
+replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
+replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
 
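Review bot: Both new `replace:aci:` lines for `dn: cn=dns, $SUFFIX` drop the `groupdn = "ldap:///cn=Read DNS Entries,..."` clause entirely, so after this update read access for that group rests solely on the managed "System: Read DNS Entries" ACI at $SUFFIX being created by the updater plugin; if the .update files are applied before the managed-permission plugin runs (ordering is not visible here), holders of the old permission lose read access on the DNS tree in between. A comment on this block, e.g. `# group-based read access is now granted by the managed permission "System: Read DNS Entries"`, would document the dependency, and the updater order is worth confirming.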
 # add DNS plugin
 dn: cn=IPA DNS,cn=plugins,cn=config
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 736162368e6ec37f62a111d2007dbfc6188bf182..b149f1f07a0062ab30d441d319b8a47cafcbccba 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1843,6 +1843,77 @@ class dnszone(LDAPObject):
             doc=_('Allow inline DNSSEC signing of records in the zone'),
         ),
     )
+    managed_permissions = {
+        'System: Add DNS Entries': {
+            'non_object': True,
+            'ipapermright': {'add'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+            'replaces': [
+                '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+        'System: Read DNS Entries': {
+            'non_object': True,
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+            'ipapermdefaultattr': {
+                'objectclass',
+                'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
+                'certrecord', 'cn', 'cnamerecord', 'dnamerecord', 'dnsclass',
+                'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate',
+                'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+                'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+                'idnssoaexpire', 'idnssoaminimum', 'idnssoamname',
+                'idnssoarefresh', 'idnssoaretry', 'idnssoarname',
+                'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive',
+                'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord',
+                'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord',
+                'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
+                'sigrecord', 'srvrecord', 'sshfprecord', 'txtrecord',
+            },
+            'replaces_system': ['Read DNS Entries'],
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+        'System: Remove DNS Entries': {
+            'non_object': True,
+            'ipapermright': {'delete'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+            'replaces': [
+                '(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+        'System: Update DNS Entries': {
+            'non_object': True,
+            'ipapermright': {'write'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
+            'ipapermdefaultattr': {
+                'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
+                'certrecord', 'cn', 'cnamerecord', 'dnamerecord', 'dnsclass',
+                'dnsttl', 'dsrecord', 'hinforecord', 'idnsallowdynupdate',
+                'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+                'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+                'idnssoaexpire', 'idnssoaminimum', 'idnssoamname',
+                'idnssoarefresh', 'idnssoaretry', 'idnssoarname',
+                'idnssoaserial', 'idnsupdatepolicy', 'idnszoneactive',
+                'keyrecord', 'kxrecord', 'locrecord', 'managedby', 'mdrecord',
+                'minforecord', 'mxrecord', 'naptrrecord', 'nsecrecord',
+                'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
+                'sigrecord', 'srvrecord', 'sshfprecord', 'txtrecord',
+            },
+            'replaces': [
+                '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+    }
 
     def get_dn(self, *keys, **options):
         zone = keys[-1]
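Review bot: The `ipapermdefaultattr` set under 'System: Read DNS Entries' is repeated verbatim under 'System: Update DNS Entries', differing only by 'objectclass'; a module-level constant (say `_DNS_ENTRY_ATTRS`) referenced as `'ipapermdefaultattr': _DNS_ENTRY_ATTRS | {'objectclass'},` and `'ipapermdefaultattr': _DNS_ENTRY_ATTRS,` would keep the read and write grants from drifting apart as record types are added. Neither set appears to include the attribute behind the inline DNSSEC signing param defined just above the hunk; if that is deliberate, a short comment saying so would help, otherwise confirm whether it should be readable and updatable through these permissions. The dnszone class continues outside the hunk.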
@@ -3455,6 +3526,36 @@ class dnsconfig(LDAPObject):
             label=_('Zone refresh interval'),
         ),
     )
+    managed_permissions = {
+        'System: Write DNS Configuration': {
+            'non_object': True,
+            'ipapermright': {'write'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=dns', api.env.basedn),
+            'ipapermtargetfilter': ['(objectclass=idnsConfigObject)'],
+            'ipapermdefaultattr': {
+                'idnsallowsyncptr', 'idnsforwarders', 'idnsforwardpolicy',
+                'idnspersistentsearch', 'idnszonerefresh'
+            },
+            'replaces': [
+                '(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX";)(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+        'System: Read DNS Configuration': {
+            'non_object': True,
+            'ipapermright': {'read'},
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=dns', api.env.basedn),
+            'ipapermtargetfilter': ['(objectclass=idnsConfigObject)'],
+            'ipapermdefaultattr': {
+                'objectclass',
+                'idnsallowsyncptr', 'idnsforwarders', 'idnsforwardpolicy',
+                'idnspersistentsearch', 'idnszonerefresh'
+            },
+            'default_privileges': {'DNS Administrators', 'DNS Servers'},
+        },
+    }
 
     def get_dn(self, *keys, **kwargs):
         return DN(api.env.container_dns, api.env.basedn)
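Review bot: The new `System: Read DNS Configuration` entry has no `replaces` list, while the plugin deleted in the next patch used to install a blanket `(targetattr = "*")` "Allow read access" ACI on `cn=dns` for the `Read DNS Entries` group; if that ACI is not retired by the `Read DNS Entries` conversion elsewhere in the series, upgraded servers keep the old unscoped read grant next to the new attribute-scoped one, which silently widens what `DNS Administrators`/`DNS Servers` can read on the config entry — worth confirming in the updater run. The dict also deserves a short comment on two non-obvious choices: `ipapermlocation` is the suffix rather than the `cn=dns` container that `get_dn` returns two lines below (presumably because that container is absent on servers without DNS), and `ipapermtargetfilter` is kept alongside an exact `ipapermtarget` so the ACI stays inert if `cn=dns` is ever not an `idnsConfigObject` — e.g. `# ACIs are placed in $SUFFIX, not cn=dns, which does not exist on DNS-less servers; the objectclass filter keeps them scoped to the config entry`. Style: a blank line between the closing `)` of `takes_params` and `managed_permissions = {` would match the rest of the class.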
-- 
1.9.0

From ef328c769ccbf525a53b23db25a1b94b6ede0438 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 13 Jun 2014 18:35:08 +0200
Subject: [PATCH] Remove the update_dns_permissions plugin

This plugin created permissions that the managed permission
updater would remove right away.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ipaserver/install/plugins/dns.py | 56 ----------------------------------------
 1 file changed, 56 deletions(-)

diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 6e6c52f26cffd14800b79ae45e790c6d168ad049..76c57f2f0e62f87f7960ab96fb20f88627621a60 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -81,62 +81,6 @@ def execute(self, **options):
 
 api.register(update_dnszones)
 
-class update_dns_permissions(PostUpdate):
-    """
-    New DNS permissions need to be added only for updated machines with
-    enabled DNS. LDIF loaded by DNS installer would fail because of duplicate
-    entries otherwise.
-    """
-
-    _write_dns_perm_dn = DN(('cn', 'Write DNS Configuration'),
-                            api.env.container_permission, api.env.basedn)
-    _write_dns_perm_entry = ['objectClass:groupofnames',
-                             'objectClass:top',
-                             'cn:Write DNS Configuration',
-                             'description:Write DNS Configuration',
-                             'member:%s' % DN(('cn', 'DNS Administrators'), ('cn', 'privileges'), ('cn', 'pbac'),
-                                              api.env.basedn),
-                             'member:%s' % DN(('cn', 'DNS Servers'), ('cn', 'privileges'), ('cn', 'pbac'),
-                                              api.env.basedn)]
-
-    _read_dns_perm_dn = DN(('cn', 'Read DNS Entries'),
-                            api.env.container_permission, api.env.basedn)
-    _read_dns_perm_entry = ['objectClass:top',
-                            'objectClass:groupofnames',
-                            'objectClass:ipapermission',
-                            'cn:Read DNS Entries',
-                            'description:Read DNS entries',
-                            'ipapermissiontype:SYSTEM',
-                            'member:%s' % DN(('cn', 'DNS Administrators'), ('cn', 'privileges'), ('cn', 'pbac'),
-                                             api.env.basedn),
-                            'member:%s' % DN(('cn', 'DNS Servers'), ('cn', 'privileges'), ('cn', 'pbac'),
-                                             api.env.basedn),]
-
-    _write_dns_aci_dn = DN(api.env.basedn)
-    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
-
-    _read_dns_aci_dn = DN(api.env.container_dns, api.env.basedn)
-    _read_dns_aci_entry = ['add:aci:\'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,%(realm)s" or userattr = "parent[0,1].managedby#GROUPDN";)\''  % dict(realm=api.env.basedn) ]
-
-    def execute(self, **options):
-        ldap = self.obj.backend
-
-        if not dns_container_exists(ldap):
-            return (False, False, [])
-
-        dnsupdates = {}
-
-        # add default and updated entries
-        for dn, container, entry in ((self._write_dns_perm_dn, 'default', self._write_dns_perm_entry),
-                                     (self._read_dns_perm_dn, 'default', self._read_dns_perm_entry),
-                                     (self._write_dns_aci_dn, 'updates', self._write_dns_aci_entry),
-                                     (self._read_dns_aci_dn, 'updates', self._read_dns_aci_entry)):
-
-            dnsupdates[dn] = {'dn': dn, container: entry}
-
-        return (False, True, [dnsupdates])
-
-api.register(update_dns_permissions)
 
 class update_dns_limits(PostUpdate):
     """
-- 
1.9.0
