[Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1
Petr Viktorin
pviktori at redhat.com
Wed Feb 26 09:44:42 UTC 2014
Hello,
Here are a few fixes/improvements, and the first part of a managed
permission updater.
The patches should go in this order but don't need to be ACKed/pushed
all at once.
Design:
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This part is a "preview" of sorts, to get the basic mechanism and the
metadata format reviewed before I add all of the default read permissions.
It implements the first section of "Default Permission Updater" in the
design; "Replacing legacy default permissions" and "Removing the global
anonymous read ACI" are left for later.
Metadata is added for the netgroup plugin* for starters, so installing
this will give you two shiny new read permissions:
$ ipa permission-find ipa: --all
---------------------
2 permissions matched
---------------------
dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroup Membership
Permissions: read, compare, search
Effective attributes: externalhost, member, memberof, memberuser
Default attributes: member, memberof, memberuser, externalhost
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroups
Permissions: read, compare, search
Effective attributes: cn, description, hostcategory, ipaenabledflag,
ipauniqueid, nisdomainname, usercategory
Default attributes: cn, usercategory, hostcategory, ipauniqueid,
ipaenabledflag, nisdomainname, description
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
----------------------------
Number of entries returned 2
----------------------------
with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:
(targetattr = "externalhost || member || memberof ||
memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version
3.0;acl "permission:ipa:Read Netgroup Membership";allow
(read,compare,search) userdn = "ldap:///all";)
(targetattr = "cn || description || hostcategory || ipaenabledflag ||
ipauniqueid || nisdomainname || usercategory")(targetfilter =
"(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read
Netgroups";allow (read,compare,search) userdn = "ldap:///all";)
Patches:
0473: Enables refactoring that will make it more clear (to humans and
machines) what plugins code depends on.
https://fedorahosted.org/freeipa/ticket/4185
0474: Fix handling of the search term for legacy permissions
My code that's in master now handles the search term incorrectly. This
does a better job.
0475: Fix tests that relied on some assumptions I'll be breaking
0476: Allow modifying (but not creating) permissions with ":" in the name
0477: Permission updater & sample metadata
--
Petr³
(* picked by fair dice roll)
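To make the link between the permission entries and the ACIs above concrete, here is an added example (my own illustrative code, not FreeIPA's updater; the dict keys, helper names and $SUFFIX placeholder are assumptions) that renders the ACI string from metadata shaped like the two netgroup permissions and checks an ACI read back from the directory against that metadata, so extra attributes or changed rights stand out:

```python
"""Render 389-ds ACIs from managed-permission metadata and check an
installed ACI for drift.  Added example, not FreeIPA code; the dict keys
and function names are my own."""
import re

SUFFIX = "dc=example,dc=test"  # constructed stand-in for $SUFFIX
NG = {"rights": ["read", "compare", "search"], "bind_rule_type": "all",
      "target_filter": "(objectclass=ipanisnetgroup)",
      "subtree": "cn=ng,cn=alt," + SUFFIX}
# Constructed metadata mirroring the two netgroup permissions in the post;
# attribute order is the "Default attributes" order shown there.
NETGROUP_PERMISSIONS = {
    "ipa:Read Netgroups": dict(NG, default_attrs=[
        "cn", "usercategory", "hostcategory", "ipauniqueid",
        "ipaenabledflag", "nisdomainname", "description"]),
    "ipa:Read Netgroup Membership": dict(NG, default_attrs=[
        "member", "memberof", "memberuser", "externalhost"]),
}
# Only the "all" bind rule occurs in the post; other types are not modelled.
BIND_RULES = {"all": 'userdn = "ldap:///all"'}

def build_aci(name, perm):
    """Render the ACI string; targetattr is sorted, as in the quoted output."""
    return ('(targetattr = "%s")(targetfilter = "%s")(version 3.0;'
            'acl "permission:%s";allow (%s) %s;)'
            % (" || ".join(sorted(perm["default_attrs"])), perm["target_filter"],
               name, ",".join(perm["rights"]), BIND_RULES[perm["bind_rule_type"]]))

ACI_RE = re.compile(r'\(targetattr = "(?P<attrs>[^"]*)"\)'
                    r'\(targetfilter = "(?P<filter>[^"]*)"\)'
                    r'\(version 3\.0;acl "permission:(?P<name>[^"]*)";'
                    r'allow \((?P<rights>[^)]*)\) (?P<bind>[^;]*);\)')

def aci_drift(name, perm, installed_aci):
    """Compare an ACI read back from the directory with its metadata.
    Returns a list of differences; an empty list means no drift."""
    m = ACI_RE.fullmatch(installed_aci)
    if not m:
        return ["not a managed read-permission ACI: %r" % installed_aci]
    got, want = set(m["attrs"].split(" || ")), set(perm["default_attrs"])
    checks = [("acl name", m["name"], name),
              ("extra attributes", sorted(got - want), []),
              ("missing attributes", sorted(want - got), []),
              ("rights", set(m["rights"].split(",")), set(perm["rights"])),
              ("target filter", m["filter"], perm["target_filter"]),
              ("bind rule", m["bind"], BIND_RULES[perm["bind_rule_type"]])]
    return ["%s: %r" % (what, got) for what, got, want in checks if got != want]
```

Running aci_drift over the ACIs actually stored under cn=ng,cn=alt,$SUFFIX gives a quick way to spot a managed permission whose ACI no longer matches its metadata.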
Attachments (text/x-patch, scrubbed by the list archive):
- freeipa-pviktori-0473-Allow-indexing-API-object-types-by-class.patch (4114 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment.bin>
- freeipa-pviktori-0474-permission-find-Fix-handling-of-the-search-term-for-.patch (3632 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0001.bin>
- freeipa-pviktori-0475-test_permission_plugin-Fix-tests-that-make-too-broad.patch (6973 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0002.bin>
- freeipa-pviktori-0476-Allow-modifying-permissions-with-in-the-name.patch (11359 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0003.bin>
- freeipa-pviktori-0477-Add-Object-metadata-and-update-plugin-for-managed-pe.patch (8998 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0004.bin>