[Freeipa-devel] [PATCH] 374 Fixed vault container ownership.
Endi Sukma Dewata
edewata at redhat.com
Mon Aug 10 19:45:18 UTC 2015
The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
--
Endi S. Dewata
-------------- next part --------------
From 35c2e903c1208591a3cabfd715cf297cb9de506d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 10 Aug 2015 20:57:58 +0200
Subject: [PATCH] Fixed vault container ownership.
The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
---
ipalib/plugins/vault.py | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 427b1ea1588af2fb09a99181b8773abdf8099b8d..be1560181322d8323ab6d8f169e106a404aa0617 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -924,12 +924,33 @@ class vault2_add_internal(LDAPCreate):
else:
owner_dn = self.api.Object.user.get_dn(name)
+ parent_dn = DN(*dn[1:])
+
+ container_dn = DN(self.api.Object.vault.container_dn,
+ self.api.env.basedn)
+
+ services_dn = DN(('cn', 'services'), container_dn)
+ users_dn = DN(('cn', 'users'), container_dn)
+
+ if dn.endswith(services_dn):
+ # service container should be owned by the service
+ service = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.service.get_dn(service)
+
+ elif dn.endswith(users_dn):
+ # user container should be owned by the user
+ user = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.user.get_dn(user)
+
+ else:
+ parent_owner_dn = owner_dn
+
try:
- parent_dn = DN(*dn[1:])
- self.obj.create_container(parent_dn, owner_dn)
+ self.obj.create_container(parent_dn, parent_owner_dn)
except errors.DuplicateEntry, e:
pass
+ # vault should be owned by the creator
entry_attrs['owner'] = owner_dn
return dn
--
2.4.3
More information about the Freeipa-devel
mailing list