Re: [Freeipa-devel] [PATCH] 619 more aci target docs
David O'Brien wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> Rob Crittenden wrote:
>>>>> I added some more documentation and examples to the aci plugin on targets.
>>>>>
>>>>> ticket 310
>>>>>
>>>>> rob
>>>>
>>>> NACK
>>>>
>>>> Running behind with reviews, sorry. Just a few minor fixes:
>>>>
>>>> s/targetted/targeted/
>>>>
>>>> s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group.
>>>> (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?)
>>>>
>>>> I couldn't grok 100% the subtree target description.
>>>>
>>>> s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of:
>>>>
>>>> For consistency's sake, s/lets/allows/ etc. Also see below:
>>>> allows members of the addusers taskgroup
>>>> lets members of the editors... group?
>>>> lets members of the admin group
>>>>
>>>> You might need to review the examples a bit.
>>>>
>>>> cheers
>>>
>>> Updated patch.
>>>
>>> rob
>>
>> Ok, the right updated patch this time.
>>
>> rob
>
> I might be nit-picking now...
>
> This might be a function of how the underlying code works in combination with using US English, but why do we have both zip code and postal code?
>
> + Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group:
> + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors
>
> If postalcode is required in the ACI, and Zip Code is en-US, then that's fine.
>
> And,
> ...the admin group TO manage...
> admins edit THE address of editors
>
> Like I said, this might be nit-picking for man pages, but what can I say? I'm a writer.
>
> ACK from me with those couple of updates.

Yeah, the LDAP attribute is postalCode.

Updates applied, pushed to master.

thanks

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
Rob Crittenden wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> Rob Crittenden wrote:
>>>> I added some more documentation and examples to the aci plugin on targets.
>>>>
>>>> ticket 310
>>>>
>>>> rob
>>>
>>> NACK
>>>
>>> Running behind with reviews, sorry. Just a few minor fixes:
>>>
>>> s/targetted/targeted/
>>>
>>> s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group.
>>> (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?)
>>>
>>> I couldn't grok 100% the subtree target description.
>>>
>>> s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of:
>>>
>>> For consistency's sake, s/lets/allows/ etc. Also see below:
>>> allows members of the addusers taskgroup
>>> lets members of the editors... group?
>>> lets members of the admin group
>>>
>>> You might need to review the examples a bit.
>>>
>>> cheers
>>
>> Updated patch.
>>
>> rob
>
> Ok, the right updated patch this time.
>
> rob

I might be nit-picking now...

This might be a function of how the underlying code works in combination with using US English, but why do we have both zip code and postal code?

+ Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors

If postalcode is required in the ACI, and Zip Code is en-US, then that's fine.

And,
...the admin group TO manage...
admins edit THE address of editors

Like I said, this might be nit-picking for man pages, but what can I say? I'm a writer.

ACK from me with those couple of updates.

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

He who asks is a fool for five minutes, but he who does not ask remains a fool forever.
~ Chinese proverb

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
David O'Brien wrote:
> Rob Crittenden wrote:
>> I added some more documentation and examples to the aci plugin on targets.
>>
>> ticket 310
>>
>> rob
>
> NACK
>
> Running behind with reviews, sorry. Just a few minor fixes:
>
> s/targetted/targeted/
>
> s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group.
> (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?)
>
> I couldn't grok 100% the subtree target description.
>
> s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of:
>
> For consistency's sake, s/lets/allows/ etc. Also see below:
> allows members of the addusers taskgroup
> lets members of the editors... group?
> lets members of the admin group
>
> You might need to review the examples a bit.
>
> cheers

Updated patch.

rob

From 973c42462f1e1d7b453c513c9ea74d878b5acf1c Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 2 Dec 2010 11:05:54 -0500 Subject: [PATCH] Provide list of available attributes for use in ACI UI. Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446 --- install/share/bootstrap-template.ldif |1 - ipalib/plugins/baseldap.py| 23 ++- ipalib/plugins/host.py|1 + ipalib/plugins/internal.py|2 +- ipalib/plugins/service.py |1 + ipalib/plugins/user.py|1 + 6 files changed, 26 insertions(+), 3 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..4f10f07 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -218,7 +218,6 @@ ipaUserObjectClasses: inetuser ipaUserObjectClasses: posixaccount ipaUserObjectClasses: krbprincipalaux ipaUserObjectClasses: krbticketpolicyaux -ipaUserObjectClasses: radiusprofile ipaUserObjectClasses: ipaobject ipaDefaultEmailDomain: $DOMAIN ipaMigrationEnabled: FALSE diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 3894e18..7d382f9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -197,6 +197,8 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdnattr = None +# Can bind as this entry (has userPassword or krbPrincipalKey) +bindable = False container_not_found_msg = _('container entry (%(container)s) not found') parent_not_found_msg = _('%(parent)s: %(oname)s not found') @@ -293,14 +295,33 @@ class LDAPObject(Object): 'parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', -'takes_params', 'rdn_attribute', +'takes_params', 'rdn_attribute', 'bindable', ) + def __json__(self): +ldap = self.backend json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) if self.primary_key: json_dict['primary_key'] = self.primary_key.name +objectclasses = self.object_class +if self.object_class_config: +config = ldap.get_ipa_config()[1] +objectclasses = config.get( +self.object_class_config, objectclasses +) +# Get list of available attributes for this object for use +# in the ACI UI. +attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) +attrlist = [] +# Go through the MUST first +for (oid, attr) in attrs[0].iteritems(): +attrlist.append(attr.names[0]) +# And now the MAY +for (oid, attr) in attrs[1].iteritems(): +attrlist.append(attr.names[0]) +json_dict['aciattrs'] = attrlist json_dict['methods'] = [m for m in self.methods] return json_dict 
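Review bot: in the baseldap.py `__json__` hunk, `attrlist` is filled from the MUST dict and then the MAY dict with no de-duplication, so an attribute that is MUST for one of the object's objectclasses and MAY for another (or listed by several classes) appears twice in `aciattrs`; collect the names into a set, or test `if attr.names[0] not in attrlist` before appending, and sort the result so the ACI UI gets a stable order. The same hunk binds `ldap = self.backend` for `get_ipa_config()` but then goes through `self.api.Backend.ldap2.schema` for the schema lookup; use one handle for both. `get_ipa_config()` is now also called on every serialization of every object, one extra LDAP read per object per `json_metadata` call, which deserves a comment even if it is acceptable for now. In the bootstrap-template.ldif hunk, dropping `ipaUserObjectClasses: radiusprofile` is not mentioned in the commit message; either note it there or split it into its own patch.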
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index a9589c6..437b7d5 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -165,6 +165,7 @@ class host(LDAPObject): 'memberof': ['hostgroup', 'netgroup', 'role'], 'managedby': ['host'], } +bindable = True label = _('Hosts') diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index 708d829..ddef160 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -56,7 +56,7 @@ class json_metadata(Command): ((objname, json_serialize(self.api.Object[objname])), ) ) ) -retval= dict([(metadata,meta), (messages,dict())]) +retval=
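Review bot: this attachment is the ticket 446 change (Subject: "Provide list of available attributes for use in ACI UI"), not the ticket 310 docs patch the thread is reviewing, so it needs to be resent with the right file. On the host.py hunk itself, `bindable = True` is set on host and, going by the diffstat, on user and service as well; a one-line comment on each saying what makes that object bindable (the base class comment names userPassword or krbPrincipalKey) would keep the flag from being copied onto objects that cannot authenticate and so must never get a selfservice ACI.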
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
Rob Crittenden wrote:
> David O'Brien wrote:
>> Rob Crittenden wrote:
>>> I added some more documentation and examples to the aci plugin on targets.
>>>
>>> ticket 310
>>>
>>> rob
>>
>> NACK
>>
>> Running behind with reviews, sorry. Just a few minor fixes:
>>
>> s/targetted/targeted/
>>
>> s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group.
>> (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?)
>>
>> I couldn't grok 100% the subtree target description.
>>
>> s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of:
>>
>> For consistency's sake, s/lets/allows/ etc. Also see below:
>> allows members of the addusers taskgroup
>> lets members of the editors... group?
>> lets members of the admin group
>>
>> You might need to review the examples a bit.
>>
>> cheers
>
> Updated patch.
>
> rob

Ok, the right updated patch this time.

rob

From 0e32a5c12c79384d5f22c69474f45112ae2c6def Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 2 Dec 2010 13:25:00 -0500 Subject: [PATCH] Add more information and examples on targets. ticket 310 --- ipalib/plugins/aci.py | 39 +-- 1 files changed, 33 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index c0f47e3..acb6121 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py 
@@ -47,11 +47,23 @@ An ACI consists of three parts: 3. bind rules The target is a set of rules that define which LDAP objects are being -targetted. This can include a list of attributes, an area of that LDAP +targeted. This can include a list of attributes, an area of that LDAP tree or an LDAP filter. -The permissions define what the ACI is allowed to do, they are one or more -of: +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant add permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the the ACI is allowed to do, and are one or +more of: 1. write - write one or more attributes 2. read - read one or more attributes 3. add - add a new entry to the tree 
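Review bot: "what the the ACI is allowed to do" in the permissions sentence of this hunk doubles "the". In the subtree bullet the example is written `ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com`; an LDAP URL with no host part takes three slashes (`ldap:///uid=*,...`), which is the form an ACI target carries, so please check that value against what aci-show prints for a --type=user rule before it goes into the man page. The rest of the new target list reads well and answers the earlier question about what subtree is for.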
@@ -71,18 +83,33 @@ http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.htm EXAMPLES: +NOTE: ACIs are now added via the permision plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). + Add an ACI so that the group secretaries can update the address on any user: + ipa group-add --desc=Office secretaries secretaries ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write Secretaries write addresses Show the new ACI: ipa aci-show Secretaries write addresses - Add an ACI that allows members of the addusers taskgroup to add new users: - ipa aci-add --type=user --taskgroup=addusers --permissions=add Add new users + Add an ACI that allows members of the addusers permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add Add new users - Add an ACI that lets members of the edotors manage members of the admins group: + Add an ACI that allows members of the editors manage members of the admins group: ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors Editors manage admins + Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter=(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com) Edit the address of those who work for the boss + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --desc=Add Orange Entries add_orange + + The show 
command shows the raw 389-ds ACI. IMPORTANT: When modifying the target attributes of an existing ACI
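Review bot: in the EXAMPLES hunk, "permision plugin" in the NOTE should be "permission plugin"; "allows members of the editors manage members of the admins group" needs "group to manage"; "allows members of the admin group manage the street and zipcode" needs "to manage"; and "members of the addusers permission" is odd because a permission has no members, so say "users granted the addusers permission". As written the commands also will not survive a shell: `--filter=(manager=uid=boss,...)` has unquoted parentheses, and the multi-word values `Office secretaries`, `Add new users`, `Editors manage admins`, `admins edit address of editors`, `Edit the address of those who work for the boss` and `Add Orange Entries` are unquoted; if the double quotes are in the file and were only lost in the mail, ignore this, otherwise quote them. The NOTE says ACIs are now added through the permission plugin "(see last example)", yet every example but the last still uses aci-add; converting one ordinary case (the secretaries one, say) to permission-add would show readers the recommended path for a normal rule rather than only for the custom subtree case.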
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
Rob Crittenden wrote:
> I added some more documentation and examples to the aci plugin on targets.
>
> ticket 310
>
> rob

NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/

s/This is primarily meant to be able to allow users to add/remove members of a specific group only./This is primarily designed to enable users to add or remove members of a specific group.
(I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

He who asks is a fool for five minutes, but he who does not ask remains a fool forever.
~ Chinese proverb

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 619 more aci target docs
I added some more documentation and examples to the aci plugin on targets. ticket 310 rob From f155f75ce44e53bb8e6122e0eea9c2e308c7ab36 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 24 Nov 2010 14:48:51 -0500 Subject: [PATCH] Add more information and examples on targets. ticket 310 --- ipalib/plugins/aci.py | 25 ++--- 1 files changed, 22 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 14c354a..fd2d8f9 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -50,6 +50,15 @@ The target is a set of rules that define which LDAP objects are being targetted. This can include a list of attributes, an area of that LDAP tree or an LDAP filter. +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. This is primarily meant to be able to allow users to add/remove members of a specific group only. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: this is meant as a fail-safe for the type object. It is meant as a +way to apply to a type of object (e.g. user, group, host, etc). + The permissions define what the ACI is allowed to do, they are one or more of: 1. write - write one or more attributes 
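Review bot: the subtree bullet in this hunk is circular: "this is meant as a fail-safe for the type object. It is meant as a way to apply to a type of object" says twice what the option is for without saying what a subtree target is; state that it is an LDAP URL covering a whole container, give one concrete value, and say when to use it instead of --type. The context line just above the added list still carries "targetted", which should be "targeted". The targetgroup bullet is also one unwrapped line while the rest of the list is wrapped; rewrap it at the same width as its neighbours.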
@@ -77,12 +86,22 @@ EXAMPLES: Show the new ACI: ipa aci-show Secretaries write addresses - Add an ACI that allows members of the addusers taskgroup to add new users: - ipa aci-add --type=user --taskgroup=addusers --permissions=add Add new users + Add an ACI that allows members of the addusers permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add Add new users - Add an ACI that lets members of the edotors manage members of the admins group: + Add an ACI that lets members of the editors manage members of the admins group: ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors Editors manage admins + Add an ACI that lets members of the admin group manage the street and zipcode of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors + + Add an ACI that lets the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter=(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com) Edit the address of those who work for the boss + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options: + ipa aci-add --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --permission=editsamba Add Orange Entries + + The show command shows the raw 389-ds ACI. IMPORTANT: When modifying the target attributes of an existing ACI you -- 1.7.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
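Review bot: the last example in this hunk, `ipa aci-add --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --permission=editsamba Add Orange Entries`, grants the add right to whoever holds a permission named editsamba, which has nothing to do with orange entries; name the permission for the task (addorange, for instance) or use --group so the example reads as intended. Having --permission and --permissions in one command is also easy to misread; a sentence before the examples spelling out that --permissions is the right being granted and --permission is who receives it would help. Minor: "lets members of the admin group manage" and "lets the admins group manage" both need "to manage", and the filter value `(manager=uid=boss,...)` needs quoting for the shell.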