[Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
Adam Young
ayoung at redhat.com
Wed May 11 03:07:43 UTC 2011
On 05/10/2011 04:38 PM, JR Aquino wrote:
> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>
>> JR Aquino wrote:
>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>
>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
>>>>
>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>>
>>>> For example. With the patch added, my user show looks like this:
>>>>
>>>> # ipa user-show tester --all
>>>> dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>> User login: tester
>>>> First name: Tester
>>>> Last name: Engineering
>>>> Full name: Tester Engineering
>>>> Display name: Tester Engineering
>>>> Initials: TE
>>>> Home directory: /home/tester
>>>> GECOS field: Tester Engineering
>>>> Login shell: /bin/sh
>>>> Kerberos principal: tester at EXAMPLE.COM
>>>> UID: 1829800388
>>>> GID: 1829800388
>>>> Account disabled: False
>>>> Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>> ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>> krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>> memberofindirect_HBAC rule: development
>>>> memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>> mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>
>>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> Oops, forgot to have PATCH in the subject.
>>>
>> I think you need this as well, right?
>>
>> - 'memberof': ['group', 'netgroup', 'role'],
>> + 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
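Review bot: this hunk extends only the 'memberof' list, so with it alone a user's nested membership in HBAC and sudo rules would still not be reported; if the memberofindirect_HBAC rule / memberofindirect_Sudo Rule lines in the user-show output above are the goal, the 'memberofindirect' entry of attribute_members needs the same two additions ('sudorule', 'hbacrule'), and since the hunk carries no file header it is unclear which plugin it targets; the same change has to be made in every plugin whose entries can be rule members (user.py, host.py, group.py, hostgroup.py), not just one of them.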
> Some scope change.
>
> Added memberof and memberofindirect
>
> Added to user.py host.py group.py hostgroup.py
>
> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>
> xmlrpc tests check out
>
> Please review
>
>
>
The reason that this shows up in the UI is that it is generating
additional memberof attributes. It has nothing to do with the
memberofindirect:
"attribute_members": {
    "memberof": [
        "group",
        "netgroup",
        "role",
        "hbacrule",
        "sudorule"
    ],
    "memberofindirect": [
        "group",
        "netgroup",
        "role",
        "hbacrule",
        "sudorule"
    ]
},
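The point of the thread is that the attribute_members map above decides which memberOf values get reported as memberof_<type> (direct) or memberofindirect_<type> (reached through a nested group), and that an administrator auditing a user wants the sudo and HBAC rules in that list. The following is an added example, not FreeIPA's code and not from the patch: it takes the memberOf values the 389-ds memberOf plugin writes on an entry, splits them into direct and indirect by checking the target entry's membership attributes, and groups them under the same keys. The container DNs, the use of both member and memberUser as membership attributes, and the in-memory directory are assumptions of this example.

```python
"""Derive FreeIPA-style memberof_<type> / memberofindirect_<type> output from
an entry's memberOf values.  Added example; not FreeIPA's own implementation.

Assumptions (this example, not the thread): the containers below mirror the
tree layout seen in the thread (cn=accounts,dc=example,dc=com); a membership
is "direct" when the target entry lists the user in 'member' or 'memberUser';
the directory is a constructed in-memory dict standing in for LDAP."""

from collections import defaultdict

BASE_DN = "dc=example,dc=com"

# attribute_members as posted in the thread.
ATTRIBUTE_MEMBERS = {
    "memberof": ["group", "netgroup", "role", "hbacrule", "sudorule"],
    "memberofindirect": ["group", "netgroup", "role", "hbacrule", "sudorule"],
}

# Assumed container for each object type (FreeIPA-like layout).
CONTAINERS = {
    "group": f"cn=groups,cn=accounts,{BASE_DN}",
    "netgroup": f"cn=ng,cn=alt,{BASE_DN}",
    "role": f"cn=roles,cn=accounts,{BASE_DN}",
    "hbacrule": f"cn=hbac,{BASE_DN}",
    "sudorule": f"cn=sudorules,cn=sudo,{BASE_DN}",
}

# Attributes (lower-cased) through which an entry can be a direct member.
MEMBER_ATTRS = ("member", "memberuser")


def type_of(dn):
    """Return the object type of a DN that sits directly under a known container."""
    dn_l = dn.lower()
    for otype, container in CONTAINERS.items():
        suffix = "," + container.lower()
        if dn_l.endswith(suffix) and "," not in dn_l[: -len(suffix)]:
            return otype
    return None


def display_name(dn, target):
    """Rules are keyed by ipaUniqueID, so prefer the entry's cn; else the RDN value."""
    if target.get("cn"):
        return target["cn"][0]
    return dn.split(",", 1)[0].split("=", 1)[1]


def is_direct(entry_dn, target):
    needle = entry_dn.lower()
    return any(needle == v.lower() for a in MEMBER_ATTRS for v in target.get(a, []))


def classify_memberof(entry_dn, memberof_dns, directory):
    """Split memberOf values into memberof_<type> / memberofindirect_<type> lists."""
    out = defaultdict(list)
    for dn in memberof_dns:
        otype = type_of(dn)
        if otype is None:
            continue
        target = directory.get(dn, {})
        key = "memberof" if is_direct(entry_dn, target) else "memberofindirect"
        if otype in ATTRIBUTE_MEMBERS[key]:
            out[f"{key}_{otype}"].append(display_name(dn, target))
    return dict(out)


def effective_rights(classified):
    """Union of direct and indirect rule memberships: what the user can actually do."""
    rights = {}
    for otype in ("hbacrule", "sudorule"):
        names = classified.get(f"memberof_{otype}", []) + classified.get(f"memberofindirect_{otype}", [])
        rights[otype] = sorted(set(names))
    return rights


# Constructed sample directory (not real data).
G, R, H, S = (CONTAINERS[k] for k in ("group", "role", "hbacrule", "sudorule"))
USER_DN = f"uid=tester,cn=users,cn=accounts,{BASE_DN}"
DIRECTORY = {
    f"cn=ipausers,{G}": {"member": [USER_DN]},
    f"cn=build-integration,{G}": {"member": [USER_DN]},
    f"cn=dev-all,{G}": {"member": [f"cn=build-integration,{G}"]},
    f"cn=helpdesk,{R}": {"member": [USER_DN]},
    f"ipauniqueid=a1,{H}": {"cn": ["allow_all"], "memberuser": [USER_DN]},
    f"ipauniqueid=a2,{H}": {"cn": ["development"], "memberuser": [f"cn=ipausers,{G}"]},
    f"ipauniqueid=b1,{S}": {"cn": ["AUTO-dev-deploy-tools_DEPLOY"], "memberuser": [f"cn=dev-all,{G}"]},
    f"ipauniqueid=b2,{S}": {"cn": ["build-integration"], "memberuser": [f"cn=build-integration,{G}"]},
}
# memberOf as the memberOf plugin would write it on the user: every DN reachable
# through the membership graph above, nested or not (constructed).
TESTER_MEMBEROF = list(DIRECTORY)

if __name__ == "__main__":
    classified = classify_memberof(USER_DN, TESTER_MEMBEROF, DIRECTORY)
    for key, names in classified.items():
        print(f"{key}: {', '.join(names)}")
    print("effective:", effective_rights(classified))
```

Note that without the indirect split, the sudo rules granted through dev-all (two groups away from the user) would be invisible on the user entry even though they apply; a rule that reaches a user only through nesting is exactly the case an audit has to surface.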