URL: https://github.com/freeipa/freeipa/pull/1837
Author: rcritten
 Title: #1837: [Backport][ipa-4-6] ACL: Allow hosts to remove services they 
manage
Action: opened

PR body:
"""
This PR was opened automatically because PR #1829 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1837/head:pr1837
git checkout pr1837
From 01f1a90fbafd95dd38ef50b7ad34655e41584bb3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 18 Apr 2018 13:05:41 +0300
Subject: [PATCH] ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
---
 install/updates/20-aci.update               |  3 ++-
 ipatests/test_xmlrpc/test_service_plugin.py | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index dec2e16ee4..bab3141445 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -120,10 +120,11 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";;)
 
-# Hosts can add their own services
+# Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
 remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
 # CIFS service on the master can manage ID ranges
 dn: cn=ranges,cn=etc,$SUFFIX
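Review bot: The new delete ACI on the added `add:aci:` line grants the right by DN pattern (`krbprincipalname=*/($$dn)@$REALM`), not by the service's `managedBy` attribute, so a host can remove any service whose principal names it and cannot remove a service hosted elsewhere even if it is listed as a manager; the comment line `# Hosts can add and delete their own services` could make that scope explicit, e.g. `# Hosts can add and delete services whose principal is hosted on them (matched by principal host part, not managedBy)`. The `*` before the slash covers every service type, mirroring the existing add ACI on the line above, so a host keytab alone now suffices to both create and remove any principal under its own name — worth keeping in mind when auditing service-del events. The `(objectClass=ipaService)` targetfilter keeps entries without that objectclass outside the grant, consistent with the add ACI.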
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 6985f75ee4..c910269df3 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -31,6 +31,7 @@
 
 from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
+from ipatests.util import change_principal, host_keytab
 
 import base64
 from ipapython.dn import DN
@@ -1343,3 +1344,30 @@ def test_update_indicator(self, indicators_host, indicators_service):
             updates={u'krbprincipalauthind': u'radius'},
             expected_updates={u'krbprincipalauthind': [u'radius']}
         )
+
+
+@pytest.fixture(scope='function')
+def managing_host(request):
+    tracker = HostTracker(name=u'managinghost2', fqdn=fqdn2)
+    return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='function')
+def managed_service(request):
+    tracker = ServiceTracker(
+        name=u'managed-service', host_fqdn=fqdn2)
+    return tracker.make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestManagedServices(XMLRPC_test):
+    def test_managed_service(
+            self, managing_host, managed_service):
+        """ Add a host and then add a service as a host
+            Finally, remove the service as a host """
+        managing_host.ensure_exists()
+        with host_keytab(managing_host.name) as keytab_filename:
+            with change_principal(managing_host.attrs['krbcanonicalname'][0],
+                                  keytab=keytab_filename):
+                managed_service.create()
+                managed_service.delete()
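Review bot: The new test exercises only the permitted path; nothing verifies that the delete ACI is scoped to the host's own services, i.e. that the same host keytab is refused when deleting a service hosted on another host. A negative test bound the same way, expecting `errors.ACIError` (from `ipalib.errors`; confirm it is imported in this module, whose header lies outside the hunk) on `delete()` of a service created as admin for a different host, would pin the least-privilege boundary the ACI comment promises; it needs a second host fixture with a distinct FQDN, shown as a labelled placeholder below. `fqdn2` in the `managing_host` fixture is defined outside the hunk, presumably a module-level constant shared with the other tests. Separately, the docstring would read better as a PEP 257 one-liner, `"""Create and then delete a service while bound as the managing host."""`.
```python
@pytest.fixture(scope='function')
def other_host_service(request):
    # OTHER_HOST_FQDN: constructed placeholder for the FQDN of a second host
    # fixture, distinct from fqdn2, that must exist before this service is made.
    tracker = ServiceTracker(
        name=u'other-host-service', host_fqdn=OTHER_HOST_FQDN)
    return tracker.make_fixture(request)


@pytest.mark.tier1
class TestManagedServices(XMLRPC_test):
    # … unchanged: test_managed_service …

    def test_cannot_delete_service_of_other_host(
            self, managing_host, other_host_service):
        """Deleting another host's service under the host keytab is denied."""
        managing_host.ensure_exists()
        other_host_service.ensure_exists()  # still bound as admin here
        with host_keytab(managing_host.name) as keytab_filename:
            with change_principal(managing_host.attrs['krbcanonicalname'][0],
                                  keytab=keytab_filename):
                with pytest.raises(errors.ACIError):
                    other_host_service.delete()
```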