On 8/4/2015 10:32 AM, Endi Sukma Dewata wrote:
Martin, I do not think going on with business as usual is the right
thing to do here. We know this is going to bite.
I suggest Endy adds a *new* API if making it backwards compatible is not
possible. The era of bumping whole API version must stop, the sooner the
better.

My point is that we do not know yet how to do these kinds of changes
long term.
So what I did not want to end up with are 2 copy&pasted Vault plugins
maintained forever, differing in just that.

If you know how to do this without copypasting, I will be fine with that.

We probably can do it like this:
* the old plugin continues to provide Vault 1.0 functionality
* the new plugin will be a proxy to the old plugin except for the parts
that have changed in Vault 1.1.

Or the other way around:
* the new plugin will provide Vault 1.1 functionality
* the old plugin will be a proxy to the new plugin except for the parts
that need to be maintained for Vault 1.0.

The first option is probably safer.

In any case, IPA 4.2.1 will only provide a single client for Vault 1.1,
but two services for Vault 1.0 and 1.1.

A new patch #369-1 is attached. It has been rebased on top of #372 and #373 that fix the conflicting parameter while maintaining backward compatibility.

--
Endi S. Dewata
From 7f461c8fe5d567e9ddad3684a60037cdd90e833c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Thu, 30 Jul 2015 23:20:34 +0200
Subject: [PATCH] Added CLI param and ACL for vault service operations.

The CLIs to manage vault owners and members have been modified
to accept services in addition to users and groups. A new ACL
has been added to allow a service to create its own service
container.

https://fedorahosted.org/freeipa/ticket/5172
---
 API.txt                    | 12 ++++++++----
 VERSION                    |  4 ++--
 install/share/vault.update |  1 +
 ipalib/plugins/vault.py    | 21 +++++++++++++++------
 4 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 
9a777bd029d88f6882a9db341822544c6d1e7b5a..81527bf60bb440ddfdacb25d63e211b154182487
 100644
--- a/API.txt
+++ b/API.txt
@@ -5436,12 +5436,13 @@ output: Entry('result', <type 'dict'>, Gettext('A 
dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault2_add_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
 option: Str('servicename?', cli_name='service')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
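Review bot: the added `option: Str('service*', alwaysask=True, cli_name='services', csv=True)` lands directly beside the pre-existing `option: Str('servicename?', cli_name='service')`, so this command now exposes both `--service` (the vault's own service container, singular) and `--services` (the list of service principals to add). The args count going from 1,9,3 to 1,10,3 matches the single added option, and the pairing follows the existing users/groups pattern, but a one-letter difference between two options with different meaning is easy to get wrong in scripts; the command help should say explicitly which one selects the container and which one names the members. The same pairing appears in vault2_add_owner, vault2_remove_member and vault2_remove_owner below.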
@@ -5451,12 +5452,13 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault2_add_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
 option: Str('servicename?', cli_name='service')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -5549,12 +5551,13 @@ output: Entry('result', <type 'dict'>, Gettext('A 
dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault2_remove_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
 option: Str('servicename?', cli_name='service')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -5564,12 +5567,13 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault2_remove_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
 option: Str('servicename?', cli_name='service')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
diff --git a/VERSION b/VERSION
index 
e656524418e5fedbd318e6998aa67ffc20750533..5309f3ddcc9ca05e8e4e6f59054f40ff70f9fc8c
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=149
-# Last change: edewata - Fixed conflicting vault 'service' option.
+IPA_API_VERSION_MINOR=150
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 
61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941
 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
 default: objectClass: ipaVaultContainer
 default: cn: vaults
 default: aci: 
(target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl 
"Allow users to create private container"; allow (add) userdn = 
"ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: 
(target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl 
"Allow services to create private container"; allow (add) userdn = 
"ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 
3.0; acl "Container owners can manage vaults in the container"; allow(read, 
search, compare, add, delete) userattr="parent[1].owner#USERDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 
3.0; acl "Indirect container owners can manage vaults in the container"; 
allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 
3.0; acl "Vault members can access the vault"; allow(read, search, compare) 
userattr="member#USERDN";)
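Review bot: the new ACI's bind rule `userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX"` appends `@$REALM` to the container's cn, so a service container only matches when its cn is the principal name without the realm part; nothing in vault.update records that naming convention, and the user rule directly above it (`uid=($$attr.cn)`) does not have the same constraint. A one-line comment stating that service containers are named by the principal without realm would keep the rule maintainable. Scope-wise the rule mirrors the user rule: it grants only `add` under `cn=services,cn=vaults,cn=kra,$SUFFIX` and only for the container whose cn equals the bound principal, so a service cannot create a container for another service; the later owner/member rules use `userattr` on the bound DN and therefore apply to service principals without further change.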
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
e32d378dbdc7118c2fd60aeabe7a3993c2d63c9c..427b1ea1588af2fb09a99181b8773abdf8099b8d
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -199,16 +199,20 @@ EXAMPLES:
    ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
 """) + _("""
  Add a vault owner:
-   ipa vault-add-owner <name> --users <usernames>
+   ipa vault-add-owner <name> [--users <usernames>] \
+       [--groups <goupnames>] [--services <service names>]
 """) + _("""
  Delete a vault owner:
-   ipa vault-remove-owner <name> --users <usernames>
+   ipa vault-remove-owner <name> [--users <usernames>] \
+       [--groups <goupnames>] [--services <service names>]
 """) + _("""
  Add a vault member:
-   ipa vault-add-member <name> --users <usernames>
+   ipa vault-add-member <name> [--users <usernames>] \
+       [--groups <goupnames>] [--services <service names>]
 """) + _("""
  Delete a vault member:
-   ipa vault-remove-member <name> --users <usernames>
+   ipa vault-remove-member <name> [--users <usernames>] \
+       [--groups <goupnames>] [--services <service names>]
 """)
 
 
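Review bot: typo in all four added example lines: `[--groups <goupnames>]` should read `[--groups <groupnames>]`. The placeholder `<service names>` also contains a space while every other placeholder in these examples is a single token (`<name>`, `<usernames>`); `<servicenames>` or `<principals>` would keep the help text consistent.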
@@ -499,8 +503,8 @@ class vault2(LDAPObject):
         'ipavaulttype',
     ]
     attribute_members = {
-        'owner': ['user', 'group'],
-        'member': ['user', 'group'],
+        'owner': ['user', 'group', 'service'],
+        'member': ['user', 'group', 'service'],
     }
 
     label = _('Vaults')
@@ -554,6 +558,11 @@ class vault2(LDAPObject):
             label=_('Owner groups'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        Str(
+            'owner_service?',
+            label=_('Owner services'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
     )
 
     def get_dn(self, *keys, **options):
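Review bot: this hunk adds the `owner_service?` output parameter alongside `owner_user`/`owner_group`, but the previous hunk extended both `'owner'` and `'member'` in `attribute_members` with `'service'`, and no matching `member_service?` parameter is visible in the diff. Confirm that one exists (or is added here with the same `no_create`/`no_update`/`no_search` flags); otherwise service members will be resolved by the framework but have no labelled column in `vault-show`/`vault-find` output.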
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code