[Freeipa-devel] [PATCH] 369 Added CLI param and ACL for vault service operations.
Endi Sukma Dewata
edewata at redhat.com
Mon Aug 10 19:12:30 UTC 2015
On 8/4/2015 10:32 AM, Endi Sukma Dewata wrote:
>>> Martin, I do not think going on with business as usual is the right
>>> thing to do here. We know this is going to bite.
>>> I suggest Endy adds a *new* API if making it backwards compatible is not
>>> possible. The era of bumping whole API version must stop, the sooner the
>>> better.
>>
>> My point is that we do not know yet how to do this kind of changes
>> long term.
>> So what I did not want to end up are 2 copy&pasted Vault plugins
>> maintained
>> forever, differing in just that.
>>
>> If you know how to do this without copypasting, I will be fine with that.
>
> We probably can do it like this:
> * the old plugin continues to provide Vault 1.0 functionality
> * the new plugin will be a proxy to the old plugin except for the parts
> that have changed in Vault 1.1.
>
> Or the other way around:
> * the new plugin will provide Vault 1.1 functionality
> * the old plugin will be a proxy to the new plugin except for the parts
> that need to be maintained for Vault 1.0.
>
> The first option is probably safer.
>
> In any case, IPA 4.2.1 will only provide a single client for Vault 1.1,
> but two services for Vault 1.0 and 1.1.
A new patch #369-1 is attached. It has been rebased on top of #372 and
#373 that fix the conflicting parameter while maintaining backward
compatibility.
--
Endi S. Dewata
-------------- next part --------------
>From 7f461c8fe5d567e9ddad3684a60037cdd90e833c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 30 Jul 2015 23:20:34 +0200
Subject: [PATCH] Added CLI param and ACL for vault service operations.
The CLIs to manage vault owners and members have been modified
to accept services in addition to users and groups. A new ACL
has been added to allow a service to create its own service
container.
https://fedorahosted.org/freeipa/ticket/5172
---
API.txt | 12 ++++++++----
VERSION | 4 ++--
install/share/vault.update | 1 +
ipalib/plugins/vault.py | 21 +++++++++++++++------
4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/API.txt b/API.txt
index 9a777bd029d88f6882a9db341822544c6d1e7b5a..81527bf60bb440ddfdacb25d63e211b154182487 100644
--- a/API.txt
+++ b/API.txt
@@ -5436,12 +5436,13 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault2_add_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -5451,12 +5452,13 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault2_add_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -5549,12 +5551,13 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault2_remove_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -5564,12 +5567,13 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault2_remove_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
diff --git a/VERSION b/VERSION
index e656524418e5fedbd318e6998aa67ffc20750533..5309f3ddcc9ca05e8e4e6f59054f40ff70f9fc8c 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=149
-# Last change: edewata - Fixed conflicting vault 'service' option.
+IPA_API_VERSION_MINOR=150
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
default: objectClass: ipaVaultContainer
default: cn: vaults
default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
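Review bot: The new ACI on the added line grants a service `add` only on a child whose `cn` equals its own principal name without the realm, because the userdn macro is `krbprincipalname=($$attr.cn)@$REALM,...`, so the plugin code that creates the service container (not part of this patch) must name it exactly that way or the add is denied; a comment in vault.update stating the coupling, e.g. `# service container cn must equal the service principal name without @REALM, matched by ($$attr.cn) below`, would make that explicit. The line is also introduced with `default:`; if I read the updater's `default:` disposition correctly it only takes effect when the attribute is not already present, so deployments that already have `cn=vaults,cn=kra,$SUFFIX` with the user ACI from the previous release may not receive the service ACI on upgrade — worth verifying against the updater and switching to an `add:` line for the aci value if so. The existing owner/member ACIs on the following lines use `#USERDN`, which should also match a bound service DN, so no change seems needed there.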
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e32d378dbdc7118c2fd60aeabe7a3993c2d63c9c..427b1ea1588af2fb09a99181b8773abdf8099b8d 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -199,16 +199,20 @@ EXAMPLES:
ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
""") + _("""
Add a vault owner:
- ipa vault-add-owner <name> --users <usernames>
+ ipa vault-add-owner <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Delete a vault owner:
- ipa vault-remove-owner <name> --users <usernames>
+ ipa vault-remove-owner <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Add a vault member:
- ipa vault-add-member <name> --users <usernames>
+ ipa vault-add-member <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Delete a vault member:
- ipa vault-remove-member <name> --users <usernames>
+ ipa vault-remove-member <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""")
@@ -499,8 +503,8 @@ class vault2(LDAPObject):
'ipavaulttype',
]
attribute_members = {
- 'owner': ['user', 'group'],
- 'member': ['user', 'group'],
+ 'owner': ['user', 'group', 'service'],
+ 'member': ['user', 'group', 'service'],
}
label = _('Vaults')
@@ -554,6 +558,11 @@ class vault2(LDAPObject):
label=_('Owner groups'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str(
+ 'owner_service?',
+ label=_('Owner services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **options):
--
2.4.3