[Freeipa-devel] [PATCH] 369 Added CLI param and ACL for vault service operations.

Endi Sukma Dewata edewata at redhat.com
Thu Aug 13 16:23:59 UTC 2015


On 8/13/2015 6:00 AM, Petr Vobornik wrote:
> On 08/11/2015 08:42 AM, Jan Cholasta wrote:
>> On 10.8.2015 21:12, Endi Sukma Dewata wrote:
>>> On 8/4/2015 10:32 AM, Endi Sukma Dewata wrote:
>>>>>> Martin, I do not think going on with business as usual is the right
>>>>>> thing to do here. We know this is going to bite.
>>>>>> I suggest Endy adds a *new* API if making it backwards compatible is
>>>>>> not
>>>>>> possible. The era of bumping whole API version must stop, the sooner
>>>>>> the
>>>>>> better.
>>>>>
>>>>> My point is that we do not know yet how to do these kinds of changes
>>>>> long term.
>>>>> So what I did not want to end up are 2 copy&pasted Vault plugins
>>>>> maintained
>>>>> forever, differing in just that.
>>>>>
>>>>> If you know how to do this without copypasting, I will be fine with
>>>>> that.
>>>>
>>>> We probably can do it like this:
>>>> * the old plugin continues to provide Vault 1.0 functionality
>>>> * the new plugin will be a proxy to the old plugin except for the parts
>>>> that have changed in Vault 1.1.
>>>>
>>>> Or the other way around:
>>>> * the new plugin will provide Vault 1.1 functionality
>>>> * the old plugin will be a proxy to the new plugin except for the parts
>>>> that need to be maintained for Vault 1.0.
>>>>
>>>> The first option is probably safer.
>>>>
>>>> In any case, IPA 4.2.1 will only provide a single client for Vault 1.1,
>>>> but two services for Vault 1.0 and 1.1.
>>>
>>> A new patch #369-1 is attached. It has been rebased on top of #372 and
>>> #373 that fix the conflicting parameter while maintaining backward
>>> compatibility.
>>
>> I have modified the first version of the patch to maintain backward
>> compatibility and not require your patches #372 and #373. Should be much
>> easier to review. See attachment.
>
> Jan's approach seems better to me for 4.2.1. Endi, do you agree with the
> changes? Could we proceed with the review?

Yes, please see the attached patch. I had to update it to remove buggy 
code and revised the docs. I also had to rebase my other patches to make 
sure they work with this patch.

-- 
Endi S. Dewata
From c43df23159e5dafd47d5309b3b0f75de4870640b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Tue, 11 Aug 2015 08:19:59 +0200
Subject: [PATCH] Added CLI param and ACL for vault service operations.

The CLIs to manage vault owners and members have been modified
to accept services with a new parameter. Due to name conflict,
the existing 'service' parameter has been renamed to
'servicename'.

A new ACL has been added to allow a service to create its own
service container.

https://fedorahosted.org/freeipa/ticket/5172
---
 API.txt                    |  12 ++-
 VERSION                    |   4 +-
 install/share/vault.update |   1 +
 ipalib/plugins/vault.py    | 179 +++++++++++++++++++++------------------------
 4 files changed, 95 insertions(+), 101 deletions(-)

diff --git a/API.txt b/API.txt
index 04f2f894f7667239d94a2a7278d0cc80704afeb5..9dbf86aedf2a1b62dabab21fb30bbceb2f0f237b 100644
--- a/API.txt
+++ b/API.txt
@@ -5434,13 +5434,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_add_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
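Review bot: the commit message above says the existing 'service' parameter was renamed to 'servicename', but this hunk leaves `option: Str('service?')` untouched and instead adds `option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)` for the member list; the commit message should describe the rename that actually happens in this revision (the member option for the 'service' type is exposed as `services`, the container selector `service` keeps its name), since keeping `--service` stable is the whole backward-compatibility point that made this version of the patch preferable.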
@@ -5449,13 +5450,14 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5547,13 +5549,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5562,13 +5565,14 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
diff --git a/VERSION b/VERSION
index a3d586df47ab6a6136bd38c0151fe43876bf5ab3..c42bea06522dae55e1a89ff94ae394594086b467 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
 default: objectClass: ipaVaultContainer
 default: cn: vaults
 default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
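Review bot: the new ACI is correctly scoped to least privilege (only `add`, and the container cn is bound to the authenticating service's own krbprincipalname, so a service cannot create a container under another service's name), but two things need confirming before this is merged: that the updater expands `$REALM` in this file, since the adjacent users ACI relies only on `$SUFFIX`, and that the plugin creates the service container with cn equal to the principal name without the realm suffix, because otherwise `krbprincipalname=($$attr.cn)@$REALM` never matches any bound DN and the ACI is dead code rather than a grant. A short comment above the line stating the expected container cn form would make the dependency between the ACI and the plugin visible to the next person editing either.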
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 9a2995ca04cb99b0be46076541cea2638bf3ca56..5d367b376ef41427ed983f3eafe120ed477018d2 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -44,7 +44,7 @@ from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
     LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
-    pkey_to_value
+    LDAPModMember, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@@ -93,122 +93,91 @@ The secret can only be retrieved using the private key.
 """) + _("""
 EXAMPLES:
 """) + _("""
- List private vaults:
+ List vaults:
    ipa vault-find
+       [--user <user>|--service <service>|--shared]
 """) + _("""
- List service vaults:
-   ipa vault-find --service <service name>
-""") + _("""
- List shared vaults:
-   ipa vault-find --shared
-""") + _("""
- List user vaults:
-   ipa vault-find --user <username>
-""") + _("""
- Add a private vault:
+ Add a standard vault:
    ipa vault-add <name>
-""") + _("""
- Add a service vault:
-   ipa vault-add <name> --service <service name>
-""") + _("""
- Add a shared vault:
-   ipa vault-add <name> --shared
-""") + _("""
- Add a user vault:
-   ipa vault-add <name> --user <username>
+       [--user <user>|--service <service>|--shared]
 """) + _("""
  Add a symmetric vault:
-   ipa vault-add <name> --type symmetric --password-file password.txt
+   ipa vault-add <name>
+       [--user <user>|--service <service>|--shared]
+       --type symmetric --password-file password.txt
 """) + _("""
  Add an asymmetric vault:
-   ipa vault-add <name> --type asymmetric --public-key-file public.pem
+   ipa vault-add <name>
+       [--user <user>|--service <service>|--shared]
+       --type asymmetric --public-key-file public.pem
 """) + _("""
- Show a private vault:
+ Show a vault:
    ipa vault-show <name>
+       [--user <user>|--service <service>|--shared]
 """) + _("""
- Show a service vault:
-   ipa vault-show <name> --service <service name>
+ Modify a vault:
+   ipa vault-mod <name>
+       [--user <user>|--service <service>|--shared]
+       --desc <description>
 """) + _("""
- Show a shared vault:
-   ipa vault-show <name> --shared
-""") + _("""
- Show a user vault:
-   ipa vault-show <name> --user <username>
-""") + _("""
- Modify a private vault:
-   ipa vault-mod <name> --desc <description>
-""") + _("""
- Modify a service vault:
-   ipa vault-mod <name> --service <service name> --desc <description>
-""") + _("""
- Modify a shared vault:
-   ipa vault-mod <name> --shared --desc <description>
-""") + _("""
- Modify a user vault:
-   ipa vault-mod <name> --user <username> --desc <description>
-""") + _("""
- Delete a private vault:
+ Delete a vault:
    ipa vault-del <name>
-""") + _("""
- Delete a service vault:
-   ipa vault-del <name> --service <service name>
-""") + _("""
- Delete a shared vault:
-   ipa vault-del <name> --shared
-""") + _("""
- Delete a user vault:
-   ipa vault-del <name> --user <username>
+       [--user <user>|--service <service>|--shared]
 """) + _("""
  Display vault configuration:
    ipa vaultconfig-show
 """) + _("""
- Archive data into private vault:
-   ipa vault-archive <name> --in <input file>
-""") + _("""
- Archive data into service vault:
-   ipa vault-archive <name> --service <service name> --in <input file>
-""") + _("""
- Archive data into shared vault:
-   ipa vault-archive <name> --shared --in <input file>
-""") + _("""
- Archive data into user vault:
-   ipa vault-archive <name> --user <username> --in <input file>
+ Archive data into standard vault:
+   ipa vault-archive <name>
+       [--user <user>|--service <service>|--shared]
+       --in <input file>
 """) + _("""
  Archive data into symmetric vault:
-   ipa vault-archive <name> --in <input file>
+   ipa vault-archive <name>
+       [--user <user>|--service <service>|--shared]
+       --in <input file>
+       --password-file password.txt
 """) + _("""
  Archive data into asymmetric vault:
-   ipa vault-archive <name> --in <input file>
-""") + _("""
- Retrieve data from private vault:
-   ipa vault-retrieve <name> --out <output file>
-""") + _("""
- Retrieve data from service vault:
-   ipa vault-retrieve <name> --service <service name> --out <output file>
-""") + _("""
- Retrieve data from shared vault:
-   ipa vault-retrieve <name> --shared --out <output file>
-""") + _("""
- Retrieve data from user vault:
-   ipa vault-retrieve <name> --user <username> --out <output file>
+   ipa vault-archive <name>
+       [--user <user>|--service <service>|--shared]
+       --in <input file>
+""") + _("""
+ Retrieve data from standard vault:
+   ipa vault-retrieve <name>
+       [--user <user>|--service <service>|--shared]
+       --out <output file>
 """) + _("""
  Retrieve data from symmetric vault:
-   ipa vault-retrieve <name> --out data.bin
+   ipa vault-retrieve <name>
+       [--user <user>|--service <service>|--shared]
+       --out <output file>
+       --password-file password.txt
 """) + _("""
  Retrieve data from asymmetric vault:
-   ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
+   ipa vault-retrieve <name>
+       [--user <user>|--service <service>|--shared]
+       --out <output file> --private-key-file private.pem
 """) + _("""
- Add a vault owner:
-   ipa vault-add-owner <name> --users <usernames>
+ Add vault owners:
+   ipa vault-add-owner <name>
+       [--user <user>|--service <service>|--shared]
+       [--users <users>]  [--groups <groups>] [--services <services>]
 """) + _("""
- Delete a vault owner:
-   ipa vault-remove-owner <name> --users <usernames>
+ Delete vault owners:
+   ipa vault-remove-owner <name>
+       [--user <user>|--service <service>|--shared]
+       [--users <users>] [--groups <groups>] [--services <services>]
 """) + _("""
- Add a vault member:
-   ipa vault-add-member <name> --users <usernames>
+ Add vault members:
+   ipa vault-add-member <name>
+       [--user <user>|--service <service>|--shared]
+       [--users <users>] [--groups <groups>] [--services <services>]
 """) + _("""
- Delete a vault member:
-   ipa vault-remove-member <name> --users <usernames>
+ Delete vault members:
+   ipa vault-remove-member <name>
+       [--user <user>|--service <service>|--shared]
+       [--users <users>] [--groups <groups>] [--services <services>]
 """)
 
 
@@ -285,8 +254,8 @@ class vault(LDAPObject):
         'ipavaulttype',
     ]
     attribute_members = {
-        'owner': ['user', 'group'],
-        'member': ['user', 'group'],
+        'owner': ['user', 'group', 'service'],
+        'member': ['user', 'group', 'service'],
     }
 
     label = _('Vaults')
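Review bot: 'service' is added to both the `owner` and `member` lists here, but the only new display parameter in this patch is `owner_service?`; check that a matching `member_service?` parameter with a 'Member services' label exists (it is not visible in this diff), otherwise service entries added with vault-add-member are stored in the `member` attribute but have no labelled parameter when the entry is converted for output, unlike owner services.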
@@ -340,6 +309,11 @@ class vault(LDAPObject):
             label=_('Owner groups'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        Str(
+            'owner_service?',
+            label=_('Owner services'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
     )
 
     def get_dn(self, *keys, **options):
@@ -1440,8 +1414,23 @@ class vault_retrieve_internal(PKQuery):
         return response
 
 
+class VaultModMember(LDAPModMember):
+    def get_options(self):
+        for param in super(VaultModMember, self).get_options():
+            if param.name == 'service' and param not in vault_options:
+                param = param.clone_rename('services')
+            yield param
+
+    def get_member_dns(self, **options):
+        if 'services' in options:
+            options['service'] = options.pop('services')
+        else:
+            options.pop('service', None)
+        return super(VaultModMember, self).get_member_dns(**options)
+
+
 @register()
-class vault_add_owner(LDAPAddMember):
+class vault_add_owner(VaultModMember, LDAPAddMember):
     __doc__ = _('Add owners to a vault.')
 
     takes_options = LDAPAddMember.takes_options + vault_options
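Review bot: VaultModMember has no docstring, and the rename it performs is not obvious from the code: `vault_options` already defines `service?` as the container selector, so the member option that LDAPModMember generates for the 'service' type is exposed under the name `services`, and `get_member_dns` maps `services` back to `service` (or drops the container value when no member services were given) before delegating, because the base implementation looks members up by type name. Two details deserve an inline comment as well: `param not in vault_options` depends on how Param objects compare, so a one-line note on why the vault_options `service?` is the one being excluded would help, and `options.pop('service', None)` is only safe because `**options` hands `get_member_dns` its own dict, so the container selector is still available to the caller's `get_dn`; if that calling convention ever changes, the pop would silently retarget the command at the wrong container.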
@@ -1465,7 +1454,7 @@ class vault_add_owner(LDAPAddMember):
 
 
 @register()
-class vault_remove_owner(LDAPRemoveMember):
+class vault_remove_owner(VaultModMember, LDAPRemoveMember):
     __doc__ = _('Remove owners from a vault.')
 
     takes_options = LDAPRemoveMember.takes_options + vault_options
@@ -1489,14 +1478,14 @@ class vault_remove_owner(LDAPRemoveMember):
 
 
 @register()
-class vault_add_member(LDAPAddMember):
+class vault_add_member(VaultModMember, LDAPAddMember):
     __doc__ = _('Add members to a vault.')
 
     takes_options = LDAPAddMember.takes_options + vault_options
 
 
 @register()
-class vault_remove_member(LDAPRemoveMember):
+class vault_remove_member(VaultModMember, LDAPRemoveMember):
     __doc__ = _('Remove members from a vault.')
 
     takes_options = LDAPRemoveMember.takes_options + vault_options
-- 
2.1.0


