https://fedorahosted.org/freeipa/ticket/5057
--
David Kupka
From ea25f9942c529ab91f1fe09f4eed087c6e5e92be Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 10 Jun 2015 12:52:10 +0200
Subject: [PATCH] Stage User: Fix permissions naming and split them where
 apropriate.

Split permissions into basic actions. Change names to be consistent with other
plugins.

https://fedorahosted.org/freeipa/ticket/5057
---
 ACI.txt                     | 28 ++++++-------
 VERSION                     |  2 +-
 ipalib/plugins/stageuser.py | 96 ++++++++++++++++++---------------------------
 3 files changed, 54 insertions(+), 72 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..3d07e394565e814c454c2b821a35404213f2d277 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -237,25 +237,25 @@ aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || mem
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Reactive delete users";allow (moddn) groupdn = "ldap:///cn=System: Reactive delete users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User kerberos principal key and password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User kerberos principal key and password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users by administrators";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read/Write delete Users by administrators";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Read/Write delete Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset userPassord and kerberos keys of delete users by administrator";allow (read,search,write) groupdn = "ldap:///cn=System: Reset userPassord and kerberos keys of delete users by administrator,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example";)(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Active Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Active Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Write Delete Users RDN by administrators";allow (write) groupdn = "ldap:///cn=System: Write Delete Users RDN by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example";)(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
diff --git a/VERSION b/VERSION
index 535b3e228a3500f2013ea793b19a97d9fbd05021..dd7ac8965c38f43856da87a55381d6abb72a99a0 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
+IPA_API_VERSION_MINOR=127
 # Last change: edewata - added vault-archive and vault-retrieve
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index c8c92f41b62c4db9a5cf8c625ff6b0c35664ec5e..c8dac6fea536dd4a461722b2800761386fa624e4 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -112,12 +112,11 @@ class stageuser(baseuser):
     object_name               = _('stage user')
     object_name_plural        = _('stage users')
     managed_permissions       = {
-          #
-          # Stage container
-          #
-          # Stage user provisioning and Stage user Administrators,
-          # allowed to create stage users
-        'System: Add Stage Users by Provisioning and Administrators': {
+        #
+        # Stage container
+        #
+        # Allowed to create stage user
+        'System: Add Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
@@ -126,33 +125,40 @@ class stageuser(baseuser):
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
         },
-          # Stage user administrators allowed to read kerberos/password
-          # when the user is activated (to copy them in the active entry)
-         'System: Read Stage User kerberos principal key and password': {
+        # Allow to read kerberos/password
+        'System: Read Stage User password': {
+           'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+           'ipapermbindruletype': 'permission',
+           'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+           'ipapermtargetfilter': {'(objectclass=*)'},
+           'ipapermright': {'read', 'search', 'compare'},
+           'ipapermdefaultattr': {
+               'userPassword', 'krbPrincipalKey',
+           },
+           'default_privileges': {'Stage User Administrators'},
+        },
+        # Allow to update stage user
+        'System: Modify Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=*)'},
-            'ipapermright': {'read', 'search', 'compare'},
-            'ipapermdefaultattr': {
-                'userPassword', 'krbPrincipalKey',
-            },
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allowed to delete stage users and
-        # to update them
-        'System: Delete modify Stage Users by administrators': {
+        # Allow to delete stage user
+        'System: Remove Stage User': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=*)'},
-            'ipapermright': {'delete','write'},
+            'ipapermright': {'delete'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allowed to read any attributes
-        # of stage users
-        'System: Read Stage Users by administrators': {
+        # Allow to read any attributes of stage users
+        'System: Read Stage Users': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
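Review bot: The body of the new 'System: Read Stage User password' entry (the lines from 'ipapermlocation' through 'default_privileges') is indented 11 spaces while every sibling entry in managed_permissions uses 12; it is still valid inside the dict literal, but it reads as a leftover of the old misaligned key and should be realigned. The rewritten comment `# Allow to read kerberos/password` also drops the reason this permission exists, which the removed comment gave: Stage User Administrators need userPassword and krbPrincipalKey when a stage user is activated so the credentials can be copied to the active entry. Since this permission exposes credential attributes, that justification is worth keeping, e.g. `# Stage User Administrators read userPassword/krbPrincipalKey so that` / `# activating a stage user can copy them into the active entry`. The managed_permissions dict and the stageuser class continue outside this hunk.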
@@ -162,36 +168,30 @@ class stageuser(baseuser):
             'default_privileges': {'Stage User Administrators'},
         },
         #
-        # Delete container
+        # Preserve container
         #
-        # Stage user administrator allow to read all attributes (when delete
-        # an active user with preserve flag)
-        # We also need to reset some of the attributes syntax DN/credential
-        # so allowed write on all the attributes
-        'System: Read/Write delete Users by administrators': {
+        # Allow to read Preserved User
+        'System: Read Preserved Users': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
-            'ipapermright': {'read', 'search', 'compare', 'write'},
+            'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        #
-        # Stage user administrator allows to write the RDN
-        # when the delete user is undeleted
-        'System: Write Delete Users RDN by administrators': {
+        # Allow to update Preserved User
+        'System: Modify Preserved Users': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=posixaccount)'},
             'ipapermright': {'write'},
-            'ipapermdefaultattr': {'uid'},
+            'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allows to reset kerberos/password
-        # when a deleted user is preserved
-        'System: Reset userPassord and kerberos keys of delete users by administrator': {
+        # Allow to reset Preserved User password
+        'System: Reset Preserved User password': {
             'ipapermlocation': DN(baseuser.delete_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.delete_container_dn, api.env.basedn),
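Review bot: The preserved-container names are plural ('System: Read Preserved Users', 'System: Modify Preserved Users') while the stage-container counterparts introduced by the same patch are singular ('System: Modify Stage User', 'System: Remove Stage User', next to the plural 'System: Read Stage Users'); since the commit's stated goal is consistent naming, and these names also become the cn of the permission entries and the ACI names, pick one scheme now rather than rename again later. The new comment `# Allow to update Preserved User` also loses the explanation for granting write on all attributes that the removed comment carried, namely that DN-syntax and credential attributes are rewritten when a user is preserved; suggest `# Preserving a user rewrites DN-syntax and credential attributes, so write on all attributes is required`. The enclosing managed_permissions dict continues outside this hunk.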
@@ -203,26 +203,10 @@ class stageuser(baseuser):
             'default_privileges': {'Stage User Administrators'},
         },
         #
-        # Active container
-        #
-        # Stage user administrators need write right on RDN when
-        # the active user is deleted (preserved)
-        'System: Write Active Users RDN by administrators': {
-            'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
-            'ipapermbindruletype': 'permission',
-            'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
-            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
-            'ipapermright': {'write'},
-            'ipapermdefaultattr': {'uid'},
-            'default_privileges': {'Stage User Administrators'},
-        },
-        #
         # Cross containers autorization
         #
-        # Stage user administrators need a moddn right when preserving
-        # a delete user.
-        # Note: targetfilter is the target parent container
-        'System: Preserve an active user to a delete Users': {
+        # Allow to move active user to preserve container (user-del --preserve)
+        'System: Preserve User': {
             'ipapermlocation': DN(api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtargetfrom': DN(baseuser.active_container_dn, api.env.basedn),
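Review bot: The removal of 'System: Write Active Users RDN by administrators' is not mentioned in the commit message, which only describes splitting and renaming; dropping the write right on uid in the active container changes what Stage User Administrators may do, and the removed comment stated it was needed when an active user is preserved. If the moddn right granted by 'System: Preserve User' is now sufficient on its own (presumably exercised by the user-del --preserve tests, which are not in this patch), say so in the message and leave a comment at the 'System: Preserve User' entry, e.g. `# The move out of the active container needs only this moddn right; no write on the entry's RDN is required`. While here, the untouched context comment reads "autorization"; it could be fixed to "authorization" in a follow-up. The managed_permissions dict and the stageuser class continue outside this hunk.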
@@ -231,10 +215,8 @@ class stageuser(baseuser):
             'ipapermright': {'moddn'},
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrators need a moddn right when undelete
-        # a delete user.
-        # Note: targetfilter is the target parent container
-        'System: Reactive delete users': {
+        # Allow to move preserved user to active container (user-undel)
+        'System: Undelete User': {
             'ipapermlocation': DN(api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
-- 
2.4.2

-- 