On 8/13/2015 6:00 AM, Petr Vobornik wrote:
On 08/11/2015 08:42 AM, Jan Cholasta wrote:
On 10.8.2015 21:12, Endi Sukma Dewata wrote:
On 8/4/2015 10:32 AM, Endi Sukma Dewata wrote:
Martin, I do not think going on with business as usual is the right
thing to do here. We know this is going to bite.
I suggest Endy adds a *new* API if making it backwards compatible is
not
possible. The era of bumping whole API version must stop, the sooner
the
better.
My point is that we do not know yet how to do this kind of changes
long term.
So what I did not want to end up are 2 copy&pasted Vault plugins
maintained
forever, differing in just that.
If you know how to do this without copypasting, I will be fine with
that.
We probably can do it like this:
* the old plugin continues to provide Vault 1.0 functionality
* the new plugin will be a proxy to the old plugin except for the parts
that have changed in Vault 1.1.
Or the other way around:
* the new plugin will provide Vault 1.1 functionality
* the old plugin will be a proxy to the new plugin except for the parts
that needs to be maintained for Vault 1.0.
The first option is probably safer.
In any case, IPA 4.2.1 will only provide a single client for Vault 1.1,
but two services for Vault 1.0 and 1.1.
A new patch #369-1 is attached. It has been rebased on top of #372 and
#373 that fix the conflicting parameter while maintaining backward
compatibility.
I have modified the first version of the patch to maintain backward
compatibility and not require your patches #372 and #373. Should be much
easier to review. See attachment.
Jan approach seems better to me for 4.2.1. Endi, do you agree with the
changes? Could we proceed with the review?
Yes, please see the attached patch. I had to update it to remove buggy
code and revised the docs. I also had to rebase my other patches to make
sure they work with this patch.
--
Endi S. Dewata
>From c43df23159e5dafd47d5309b3b0f75de4870640b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Tue, 11 Aug 2015 08:19:59 +0200
Subject: [PATCH] Added CLI param and ACL for vault service operations.
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter. Due to name conflict,
the existing 'service' parameter has been renamed to
'servicename'.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
---
API.txt | 12 ++-
VERSION | 4 +-
install/share/vault.update | 1 +
ipalib/plugins/vault.py | 179 +++++++++++++++++++++------------------------
4 files changed, 95 insertions(+), 101 deletions(-)
diff --git a/API.txt b/API.txt
index
04f2f894f7667239d94a2a7278d0cc80704afeb5..9dbf86aedf2a1b62dabab21fb30bbceb2f0f237b
100644
--- a/API.txt
+++ b/API.txt
@@ -5434,13 +5434,14 @@ output: Entry('result', <type 'dict'>, Gettext('A
dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_add_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255,
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True,
required=True)
option: Flag('all', autofill=True, cli_name='all', default=False,
exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False,
exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True,
multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5449,13 +5450,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an
LDAP entry', domain='ipa', localedir=None))
command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255,
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True,
required=True)
option: Flag('all', autofill=True, cli_name='all', default=False,
exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False,
exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True,
multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5547,13 +5549,14 @@ output: Entry('result', <type 'dict'>, Gettext('A
dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255,
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True,
required=True)
option: Flag('all', autofill=True, cli_name='all', default=False,
exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False,
exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True,
multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5562,13 +5565,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an
LDAP entry', domain='ipa', localedir=None))
command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255,
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True,
required=True)
option: Flag('all', autofill=True, cli_name='all', default=False,
exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False,
exclude='webui')
option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True,
multivalue=True, required=False)
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
diff --git a/VERSION b/VERSION
index
a3d586df47ab6a6136bd38c0151fe43876bf5ab3..c42bea06522dae55e1a89ff94ae394594086b467
100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index
61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941
100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
default: objectClass: ipaVaultContainer
default: cn: vaults
default: aci:
(target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl
"Allow users to create private container"; allow (add) userdn =
"ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci:
(target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX";)(version 3.0; acl
"Allow services to create private container"; allow (add) userdn =
"ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version
3.0; acl "Container owners can manage vaults in the container"; allow(read,
search, compare, add, delete) userattr="parent[1].owner#USERDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version
3.0; acl "Indirect container owners can manage vaults in the container";
allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version
3.0; acl "Vault members can access the vault"; allow(read, search, compare)
userattr="member#USERDN";)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index
9a2995ca04cb99b0be46076541cea2638bf3ca56..5d367b376ef41427ed983f3eafe120ed477018d2
100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -44,7 +44,7 @@ from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
- pkey_to_value
+ LDAPModMember, pkey_to_value
from ipalib.request import context
from ipalib.plugins.user import split_principal
from ipalib import _, ngettext
@@ -93,122 +93,91 @@ The secret can only be retrieved using the private key.
""") + _("""
EXAMPLES:
""") + _("""
- List private vaults:
+ List vaults:
ipa vault-find
+ [--user <user>|--service <service>|--shared]
""") + _("""
- List service vaults:
- ipa vault-find --service <service name>
-""") + _("""
- List shared vaults:
- ipa vault-find --shared
-""") + _("""
- List user vaults:
- ipa vault-find --user <username>
-""") + _("""
- Add a private vault:
+ Add a standard vault:
ipa vault-add <name>
-""") + _("""
- Add a service vault:
- ipa vault-add <name> --service <service name>
-""") + _("""
- Add a shared vault:
- ipa vault-add <name> --shared
-""") + _("""
- Add a user vault:
- ipa vault-add <name> --user <username>
+ [--user <user>|--service <service>|--shared]
""") + _("""
Add a symmetric vault:
- ipa vault-add <name> --type symmetric --password-file password.txt
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type symmetric --password-file password.txt
""") + _("""
Add an asymmetric vault:
- ipa vault-add <name> --type asymmetric --public-key-file public.pem
+ ipa vault-add <name>
+ [--user <user>|--service <service>|--shared]
+ --type asymmetric --public-key-file public.pem
""") + _("""
- Show a private vault:
+ Show a vault:
ipa vault-show <name>
+ [--user <user>|--service <service>|--shared]
""") + _("""
- Show a service vault:
- ipa vault-show <name> --service <service name>
+ Modify a vault:
+ ipa vault-mod <name>
+ [--user <user>|--service <service>|--shared]
+ --desc <description>
""") + _("""
- Show a shared vault:
- ipa vault-show <name> --shared
-""") + _("""
- Show a user vault:
- ipa vault-show <name> --user <username>
-""") + _("""
- Modify a private vault:
- ipa vault-mod <name> --desc <description>
-""") + _("""
- Modify a service vault:
- ipa vault-mod <name> --service <service name> --desc <description>
-""") + _("""
- Modify a shared vault:
- ipa vault-mod <name> --shared --desc <description>
-""") + _("""
- Modify a user vault:
- ipa vault-mod <name> --user <username> --desc <description>
-""") + _("""
- Delete a private vault:
+ Delete a vault:
ipa vault-del <name>
-""") + _("""
- Delete a service vault:
- ipa vault-del <name> --service <service name>
-""") + _("""
- Delete a shared vault:
- ipa vault-del <name> --shared
-""") + _("""
- Delete a user vault:
- ipa vault-del <name> --user <username>
+ [--user <user>|--service <service>|--shared]
""") + _("""
Display vault configuration:
ipa vaultconfig-show
""") + _("""
- Archive data into private vault:
- ipa vault-archive <name> --in <input file>
-""") + _("""
- Archive data into service vault:
- ipa vault-archive <name> --service <service name> --in <input file>
-""") + _("""
- Archive data into shared vault:
- ipa vault-archive <name> --shared --in <input file>
-""") + _("""
- Archive data into user vault:
- ipa vault-archive <name> --user <username> --in <input file>
+ Archive data into standard vault:
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
""") + _("""
Archive data into symmetric vault:
- ipa vault-archive <name> --in <input file>
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+ --password-file password.txt
""") + _("""
Archive data into asymmetric vault:
- ipa vault-archive <name> --in <input file>
-""") + _("""
- Retrieve data from private vault:
- ipa vault-retrieve <name> --out <output file>
-""") + _("""
- Retrieve data from service vault:
- ipa vault-retrieve <name> --service <service name> --out <output file>
-""") + _("""
- Retrieve data from shared vault:
- ipa vault-retrieve <name> --shared --out <output file>
-""") + _("""
- Retrieve data from user vault:
- ipa vault-retrieve <name> --user <username> --out <output file>
+ ipa vault-archive <name>
+ [--user <user>|--service <service>|--shared]
+ --in <input file>
+""") + _("""
+ Retrieve data from standard vault:
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
""") + _("""
Retrieve data from symmetric vault:
- ipa vault-retrieve <name> --out data.bin
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file>
+ --password-file password.txt
""") + _("""
Retrieve data from asymmetric vault:
- ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
+ ipa vault-retrieve <name>
+ [--user <user>|--service <service>|--shared]
+ --out <output file> --private-key-file private.pem
""") + _("""
- Add a vault owner:
- ipa vault-add-owner <name> --users <usernames>
+ Add vault owners:
+ ipa vault-add-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Delete a vault owner:
- ipa vault-remove-owner <name> --users <usernames>
+ Delete vault owners:
+ ipa vault-remove-owner <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Add a vault member:
- ipa vault-add-member <name> --users <usernames>
+ Add vault members:
+ ipa vault-add-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""") + _("""
- Delete a vault member:
- ipa vault-remove-member <name> --users <usernames>
+ Delete vault members:
+ ipa vault-remove-member <name>
+ [--user <user>|--service <service>|--shared]
+ [--users <users>] [--groups <groups>] [--services <services>]
""")
@@ -285,8 +254,8 @@ class vault(LDAPObject):
'ipavaulttype',
]
attribute_members = {
- 'owner': ['user', 'group'],
- 'member': ['user', 'group'],
+ 'owner': ['user', 'group', 'service'],
+ 'member': ['user', 'group', 'service'],
}
label = _('Vaults')
@@ -340,6 +309,11 @@ class vault(LDAPObject):
label=_('Owner groups'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str(
+ 'owner_service?',
+ label=_('Owner services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **options):
@@ -1440,8 +1414,23 @@ class vault_retrieve_internal(PKQuery):
return response
+class VaultModMember(LDAPModMember):
+ def get_options(self):
+ for param in super(VaultModMember, self).get_options():
+ if param.name == 'service' and param not in vault_options:
+ param = param.clone_rename('services')
+ yield param
+
+ def get_member_dns(self, **options):
+ if 'services' in options:
+ options['service'] = options.pop('services')
+ else:
+ options.pop('service', None)
+ return super(VaultModMember, self).get_member_dns(**options)
+
+
@register()
-class vault_add_owner(LDAPAddMember):
+class vault_add_owner(VaultModMember, LDAPAddMember):
__doc__ = _('Add owners to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options
@@ -1465,7 +1454,7 @@ class vault_add_owner(LDAPAddMember):
@register()
-class vault_remove_owner(LDAPRemoveMember):
+class vault_remove_owner(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove owners from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options
@@ -1489,14 +1478,14 @@ class vault_remove_owner(LDAPRemoveMember):
@register()
-class vault_add_member(LDAPAddMember):
+class vault_add_member(VaultModMember, LDAPAddMember):
__doc__ = _('Add members to a vault.')
takes_options = LDAPAddMember.takes_options + vault_options
@register()
-class vault_remove_member(LDAPRemoveMember):
+class vault_remove_member(VaultModMember, LDAPRemoveMember):
__doc__ = _('Remove members from a vault.')
takes_options = LDAPRemoveMember.takes_options + vault_options
--
2.1.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
