Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-06 Thread Rob Crittenden

David O'Brien wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

David O'Brien wrote:

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on
targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove
members of a specific group only./This is primarily designed to
enable
users to add or remove members of a specific group.

(I _think_ I understood that ok, and didn't change the meaning.
Further,
if this target is only designed for this purpose, you don't need
primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI
is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers


Updated patch.

rob



Ok, the right updated patch this time.

rob

I might be nit-picking now...

This might be a function of how the underlying code works in combination
with using US English, but why do we have both zip code and postal
code?

+ Add an ACI that allows members of the admin group manage the street
and zipcode of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins
--attrs=street,postalcode admins edit address of editors

If postalcode is required in the ACI, and Zip Code is en-US, then
that's fine.

And,
...the admin group TO manage...
admins edit THE address of editors

Like I said, this might be nit-picking for man pages, but what can I
say? I'm a writer.

ACK from me with those couple of updates.


Yeah, the LDAP attribute is postalCode.

Updates applied, pushed to master.

thanks

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-05 Thread David O'Brien

Rob Crittenden wrote:

Rob Crittenden wrote:

David O'Brien wrote:

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on
targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove
members of a specific group only./This is primarily designed to enable
users to add or remove members of a specific group.

(I _think_ I understood that ok, and didn't change the meaning. Further,
if this target is only designed for this purpose, you don't need
primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI
is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers


Updated patch.

rob



Ok, the right updated patch this time.

rob

I might be nit-picking now...

This might be a function of how the underlying code works in combination 
with using US English, but why do we have both zip code and postal code?


+ Add an ACI that allows members of the admin group manage the street 
and zipcode of those in the editors group:
+   ipa aci-add --permissions=write --memberof=editors --group=admins 
--attrs=street,postalcode admins edit address of editors


If postalcode is required in the ACI, and Zip Code is en-US, then 
that's fine.


And,
...the admin group TO manage...
admins edit THE address of editors

Like I said, this might be nit-picking for man pages, but what can I 
say? I'm a writer.


ACK from me with those couple of updates.
--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever.

 ~ Chinese proverb



Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-02 Thread Rob Crittenden

David O'Brien wrote:

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on
targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove
members of a specific group only./This is primarily designed to enable
users to add or remove members of a specific group.

(I _think_ I understood that ok, and didn't change the meaning. Further,
if this target is only designed for this purpose, you don't need
primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI
is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers


Updated patch.

rob
From 973c42462f1e1d7b453c513c9ea74d878b5acf1c Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 2 Dec 2010 11:05:54 -0500
Subject: [PATCH] Provide list of available attributes for use in ACI UI.

Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.

ticket 446
---
 install/share/bootstrap-template.ldif |1 -
 ipalib/plugins/baseldap.py|   23 ++-
 ipalib/plugins/host.py|1 +
 ipalib/plugins/internal.py|2 +-
 ipalib/plugins/service.py |1 +
 ipalib/plugins/user.py|1 +
 6 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 7946526..4f10f07 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -218,7 +218,6 @@ ipaUserObjectClasses: inetuser
 ipaUserObjectClasses: posixaccount
 ipaUserObjectClasses: krbprincipalaux
 ipaUserObjectClasses: krbticketpolicyaux
-ipaUserObjectClasses: radiusprofile
 ipaUserObjectClasses: ipaobject
 ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
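Review bot: Removing `ipaUserObjectClasses: radiusprofile` from the bootstrap template is not covered by the commit message, which only describes exposing the attribute list for the ACI UI and the bindable flag (ticket 446); either explain why radiusprofile is dropped from the default user object classes or move it into its own patch. Since this is an install template, the change only affects new installations; existing deployments keep whatever their config entry already holds.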
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 3894e18..7d382f9 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -197,6 +197,8 @@ class LDAPObject(Object):
 uuid_attribute = ''
 attribute_members = {}
 rdnattr = None
+# Can bind as this entry (has userPassword or krbPrincipalKey)
+bindable = False
 
 container_not_found_msg = _('container entry (%(container)s) not found')
 parent_not_found_msg = _('%(parent)s: %(oname)s not found')
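Review bot: The comment `Can bind as this entry (has userPassword or krbPrincipalKey)` describes a schema property, but the flag is set by hand per plugin (host.py in this patch sets `bindable = True`), so a plugin that gains a password attribute later will silently keep `bindable = False`. Either derive the value from the object classes or state in the comment that plugin authors must set it when they add userPassword or krbPrincipalKey.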
@@ -293,14 +295,33 @@ class LDAPObject(Object):
 'parent_object', 'container_dn', 'object_name', 'object_name_plural',
 'object_class', 'object_class_config', 'default_attributes', 'label',
 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name',
-'takes_params', 'rdn_attribute',
+'takes_params', 'rdn_attribute', 'bindable',
 )
+
 def __json__(self):
+ldap = self.backend
 json_dict = dict(
 (a, getattr(self, a)) for a in self.json_friendly_attributes
 )
 if self.primary_key:
 json_dict['primary_key'] = self.primary_key.name
+objectclasses = self.object_class
+if self.object_class_config:
+config = ldap.get_ipa_config()[1]
+objectclasses = config.get(
+self.object_class_config, objectclasses
+)
+# Get list of available attributes for this object for use
+# in the ACI UI.
+attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
+attrlist = []
+# Go through the MUST first
+for (oid, attr) in attrs[0].iteritems():
+attrlist.append(attr.names[0])
+# And now the MAY
+for (oid, attr) in attrs[1].iteritems():
+attrlist.append(attr.names[0])
+json_dict['aciattrs'] = attrlist
 json_dict['methods'] = [m for m in self.methods]
 return json_dict
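Review bot: `ldap = self.backend` is assigned at the top of `__json__` but the schema is fetched through `self.api.Backend.ldap2.schema` a few lines later; use one backend reference for both the config lookup and the schema call so the two cannot disagree. The loop variable `oid` is unused in both loops, so `for attr in attrs[0].itervalues()` reads better. Since `__json__` runs on every metadata request, the `get_ipa_config()` call and the schema walk repeat each time; consider caching the attribute list per object. Finally, the value stored under `json_dict['aciattrs']` is advertised to the UI as the set of attributes an ACI may target, so it would be worth a comment that this is only a display hint and that the server still validates the attrs passed to aci-add.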
 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index a9589c6..437b7d5 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -165,6 +165,7 @@ class host(LDAPObject):
 'memberof': ['hostgroup', 'netgroup', 'role'],
 'managedby': ['host'],
 }
+bindable = True
 
 label = _('Hosts')
 
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 708d829..ddef160 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -56,7 +56,7 @@ class json_metadata(Command):
 ((objname, json_serialize(self.api.Object[objname])), )
 )
 )
-retval= dict([(metadata,meta), (messages,dict())])
+retval= 
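Review bot: This hunk is cut off at `+retval= `, so the replacement for `dict([(metadata,meta), (messages,dict())])` cannot be reviewed from this mail, and the diffstat lists service.py and user.py whose hunks are also missing here. Please resend the complete patch (this also appears to be the ticket 446 patch rather than the ticket 310 docs patch named in the subject).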

Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-02 Thread Rob Crittenden

Rob Crittenden wrote:

David O'Brien wrote:

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on
targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove
members of a specific group only./This is primarily designed to enable
users to add or remove members of a specific group.

(I _think_ I understood that ok, and didn't change the meaning. Further,
if this target is only designed for this purpose, you don't need
primarily. If it does something else, what is it?)

I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI
is allowed to do, and are one or more of:

For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers


Updated patch.

rob



Ok, the right updated patch this time.

rob
From 0e32a5c12c79384d5f22c69474f45112ae2c6def Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 2 Dec 2010 13:25:00 -0500
Subject: [PATCH] Add more information and examples on targets.

ticket 310
---
 ipalib/plugins/aci.py |   39 +--
 1 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index c0f47e3..acb6121 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -47,11 +47,23 @@ An ACI consists of three parts:
 3. bind rules
 
 The target is a set of rules that define which LDAP objects are being
-targetted. This can include a list of attributes, an area of that LDAP
+targeted. This can include a list of attributes, an area of that LDAP
 tree or an LDAP filter.
 
-The permissions define what the ACI is allowed to do, they are one or more
-of:
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+  designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+  to allow adding users you need to grant add permission to the subtree
+  ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+  is a fail-safe for objects that may not be covered by the type option.
+
+The permissions define what the the ACI is allowed to do, and are one or
+more of:
 1. write - write one or more attributes
 2. read - read one or more attributes
 3. add - add a new entry to the tree
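Review bot: Doubled word in the new permissions sentence: `what the the ACI is allowed to do`. In the subtree example, 389-ds ACI target URLs take the form `ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com` (three slashes, empty host part), so `ldap://uid=*,...` should be corrected before it is copied from the help text. The new bullet list also mixes capitalisation (`attrs: list of attributes` vs `filter: A legal LDAP filter`); pick one style.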
@@ -71,18 +83,33 @@ http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.htm
 
 EXAMPLES:
 
+NOTE: ACIs are now added via the permision plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
+
  Add an ACI so that the group secretaries can update the address on any user:
+   ipa group-add --desc=Office secretaries secretaries
ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write Secretaries write addresses
 
  Show the new ACI:
ipa aci-show Secretaries write addresses
 
- Add an ACI that allows members of the addusers taskgroup to add new users:
-   ipa aci-add --type=user --taskgroup=addusers --permissions=add Add new users
+ Add an ACI that allows members of the addusers permission to add new users:
+   ipa aci-add --type=user --permission=addusers --permissions=add Add new users
 
- Add an ACI that lets members of the edotors manage members of the admins group:
+ Add an ACI that allows members of the editors manage members of the admins group:
ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors Editors manage admins
 
+ Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group:
+   ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors
+
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+   ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter=(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com) Edit the address of those who work for the boss
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+   ipa permission-add  --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --desc=Add Orange Entries add_orange
+
+
 The show command shows the raw 389-ds ACI.
 
 IMPORTANT: When modifying the target attributes of an existing ACI 
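Review bot: Typo `permision` in the new NOTE. The NOTE says ACIs are now added through the permission plugin, yet every example except the last still calls `ipa aci-add`; either rewrite the examples with `ipa permission-add` or say explicitly that aci-add is the lower-level command the permission plugin uses. Grammar in the added example headings: `allows members of the editors manage`, `allows members of the admin group manage` and `allows the admins group manage` each need `to` before `manage`. `--permission=addusers` next to `--permissions=add` is easy to misread; one sentence stating that `--permission` names the permission used in the bind rule while `--permissions` lists the rights granted would help. The quotes around multi-word values (`--desc=Office secretaries`, the ACI names) do not show in this mail; confirm they are present in the file.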

Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-01 Thread David O'Brien

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove 
members of a specific group only./This is primarily designed to enable 
users to add or remove members of a specific group.


(I _think_ I understood that ok, and didn't change the meaning. Further, 
if this target is only designed for this purpose, you don't need 
primarily. If it does something else, what is it?)


I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI 
is allowed to do, and are one or more of:


For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers



[Freeipa-devel] [PATCH] 619 more aci target docs

2010-11-24 Thread Rob Crittenden

I added some more documentation and examples to the aci plugin on targets.

ticket 310

rob
From f155f75ce44e53bb8e6122e0eea9c2e308c7ab36 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 24 Nov 2010 14:48:51 -0500
Subject: [PATCH] Add more information and examples on targets.

ticket 310
---
 ipalib/plugins/aci.py |   25 ++---
 1 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 14c354a..fd2d8f9 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -50,6 +50,15 @@ The target is a set of rules that define which LDAP objects are being
 targetted. This can include a list of attributes, an area of that LDAP
 tree or an LDAP filter.
 
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily meant to be able to allow users to add/remove members of a specific group only.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: this is meant as a fail-safe for the type object. It is meant as a
+way to apply to a type of object (e.g. user, group, host, etc).
+
 The permissions define what the ACI is allowed to do, they are one or more
 of:
 1. write - write one or more attributes
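Review bot: The subtree bullet is hard to follow: `meant as a fail-safe for the type object` and `meant as a way to apply to a type of object` say nearly the same thing and never state what value the option takes. Suggest saying that --subtree takes an LDAP subtree pattern covering the entries (as in the `cn=*,cn=orange,cn=accounts,dc=example,dc=com` example later in this patch) and that it is the fallback when --type does not cover the objects. The continuation line of that bullet should be indented to match the other list items, and `targetted` in the context line just above the list is misspelled.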
@@ -77,12 +86,22 @@ EXAMPLES:
  Show the new ACI:
ipa aci-show Secretaries write addresses
 
- Add an ACI that allows members of the addusers taskgroup to add new users:
-   ipa aci-add --type=user --taskgroup=addusers --permissions=add Add new users
+ Add an ACI that allows members of the addusers permission to add new users:
+   ipa aci-add --type=user --permission=addusers --permissions=add Add new users
 
- Add an ACI that lets members of the edotors manage members of the admins group:
+ Add an ACI that lets members of the editors manage members of the admins group:
ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors Editors manage admins
 
+ Add an ACI that lets members of the admin group manage the street and zipcode of those in the editors group:
+   ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode admins edit address of editors
+
+ Add an ACI that lets the admins group manage the street and zipcode of those who work for the boss:
+   ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter=(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com) Edit the address of those who work for the boss
+
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options:
+   ipa aci-add  --permissions=add --subtree=cn=*,cn=orange,cn=accounts,dc=example,dc=com --permission=editsamba Add Orange Entries
+
+
 The show command shows the raw 389-ds ACI.
 
 IMPORTANT: When modifying the target attributes of an existing ACI you
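Review bot: The last example grants add on the orange subtree and is titled `Add Orange Entries`, but names its permission `--permission=editsamba`; the permission name should reflect the purpose. The headings alternate between `allows` and `lets`; use one. `lets members of the admin group manage` and `lets the admins group manage` need `to` before `manage`, and `admin group` should agree with the `--group=admins` value used in the command. Two trailing blank lines are added before `The show command shows the raw 389-ds ACI.`; one is enough.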
-- 
1.7.2.1
