[Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
JR Aquino
JR.Aquino at citrix.com
Tue May 10 20:38:14 UTC 2011
On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>
>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
>>>
>>> An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>
>>> For example, with the patch added, my user show looks like this:
>>>
>>> # ipa user-show tester --all
>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>> User login: tester
>>> First name: Tester
>>> Last name: Engineering
>>> Full name: Tester Engineering
>>> Display name: Tester Engineering
>>> Initials: TE
>>> Home directory: /home/tester
>>> GECOS field: Tester Engineering
>>> Login shell: /bin/sh
>>> Kerberos principal: tester at EXAMPLE.COM
>>> UID: 1829800388
>>> GID: 1829800388
>>> Account disabled: False
>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>> memberofindirect_HBAC rule: development
>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>
>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
>>
>>
>> Oops, forgot to have PATCH in the subject.
>>
>
> I think you need this as well, right?
>
> - 'memberof': ['group', 'netgroup', 'role'],
> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
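
Review bot: On the `+ 'memberof'` line, 'sudorule' and 'hbacrule' are added only to the direct-membership list, while the sample output in the original posting shows the rules under memberofindirect_ labels; the 'memberofindirect' list should carry the same two entries so that both direct and indirect rule membership are reported. The hunk has no file header, so please name the plugin file it applies to and confirm the same change is made in each of the object plugins that can be attached to these rules.
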
Some scope change.
Added memberof and memberofindirect
Added to user.py host.py group.py hostgroup.py
When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
xmlrpc tests check out
Please review
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch
Type: application/octet-stream
Size: 3082 bytes
Desc: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110510/13d7f29b/attachment.obj>
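
The difference between direct (memberof) and indirect (memberofindirect) rule membership discussed in this thread, as an added example that is not part of the original message or of FreeIPA's code. It is a simplified model over constructed data: the group-to-rule assignments, the nested group `engineering` and the rule `emergency-root` are assumptions.

```python
from collections import deque

# Constructed sample data modelled on the user-show output quoted above. Which
# group is attached to which rule is an assumption; the thread does not say.
GROUP_MEMBERS = {
    "ipausers": {"tester"},
    "auto-dev-deploy-tools": {"tester"},
    "build-integration": {"tester"},
    "engineering": {"build-integration"},  # hypothetical nested group
}
RULE_MEMBERS = {
    ("hbacrule", "development"): {"engineering"},
    ("sudorule", "AUTO-dev-deploy-tools_DEPLOY"): {"auto-dev-deploy-tools"},
    ("sudorule", "AUTO-dev-deploy-tools_ZENOSS"): {"auto-dev-deploy-tools"},
    ("sudorule", "build-integration"): {"build-integration"},
    ("sudorule", "emergency-root"): {"tester"},  # hypothetical direct assignment
}


def groups_of(entry):
    """All groups that contain entry, following nesting (cycle-safe BFS)."""
    seen, queue = set(), deque([entry])
    while queue:
        current = queue.popleft()
        for group, members in GROUP_MEMBERS.items():
            if current in members and group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def audit(entry):
    """Split the rules that apply to entry into direct and indirect membership."""
    report = {"memberof": {}, "memberofindirect": {}}
    via_groups = groups_of(entry)
    for (kind, name), members in RULE_MEMBERS.items():
        if entry in members:
            report["memberof"].setdefault(kind, set()).add(name)
        elif members & via_groups:
            report["memberofindirect"].setdefault(kind, set()).add(name)
    return report


if __name__ == "__main__":
    for attr, kinds in audit("tester").items():
        for kind, names in sorted(kinds.items()):
            print(f"{attr}_{kind}: {', '.join(sorted(names))}")
```
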