[Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1

Petr Viktorin pviktori at redhat.com
Wed Feb 26 09:44:42 UTC 2014


Hello,
Here are a few fixes/improvements, and the first part of a managed 
permission updater.

The patches should go in this order but don't need to be ACKed/pushed 
all at once.


Design: 
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566


This part is a "preview" of sorts, to get the basic mechanism and the 
metadata format reviewed before I add all of the default read permissions.
It implements the first section of "Default Permission Updater" in the 
design; "Replacing legacy default permissions" and "Removing the global 
anonymous read ACI" are left for later.
Metadata is added for the netgroup plugin* for starters, so installing 
this will give you two shiny new read permissions:

$ ipa permission-find ipa: --all
---------------------
2 permissions matched
---------------------
   dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
   Permission name: ipa:Read Netgroup Membership
   Permissions: read, compare, search
   Effective attributes: externalhost, member, memberof, memberuser
   Default attributes: member, memberof, memberuser, externalhost
   Bind rule type: all
   Subtree: cn=ng,cn=alt,$SUFFIX
   Target filter: (objectclass=ipanisnetgroup)
   Type: netgroup
   ipapermissiontype: V2, MANAGED, SYSTEM
   objectclass: ipapermission, groupofnames, top, ipapermissionv2

   dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
   Permission name: ipa:Read Netgroups
   Permissions: read, compare, search
   Effective attributes: cn, description, hostcategory, ipaenabledflag, ipauniqueid, nisdomainname, usercategory
   Default attributes: cn, usercategory, hostcategory, ipauniqueid, ipaenabledflag, nisdomainname, description
   Bind rule type: all
   Subtree: cn=ng,cn=alt,$SUFFIX
   Target filter: (objectclass=ipanisnetgroup)
   Type: netgroup
   ipapermissiontype: V2, MANAGED, SYSTEM
   objectclass: ipapermission, groupofnames, top, ipapermissionv2
----------------------------
Number of entries returned 2
----------------------------

with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:

(targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read Netgroup Membership";allow (read,compare,search) userdn = "ldap:///all";)
(targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read Netgroups";allow (read,compare,search) userdn = "ldap:///all";)



Patches:

0473: Enables refactoring that will make it more clear (to humans and 
machines) what plugins code depends on.
https://fedorahosted.org/freeipa/ticket/4185

0474: Fix handling of the search term for legacy permissions
My code that's in master now handles the search term incorrectly. This 
does a better job.

0475: Fix tests that relied on some assumptions I'll be breaking

0476: Allow modifying (but not creating) permissions with ":" in the name

0477: Permission updater & sample metadata


-- 
Petr³

(* picked by fair dice roll)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0473-Allow-indexing-API-object-types-by-class.patch
Type: text/x-patch
Size: 4114 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0474-permission-find-Fix-handling-of-the-search-term-for-.patch
Type: text/x-patch
Size: 3632 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0475-test_permission_plugin-Fix-tests-that-make-too-broad.patch
Type: text/x-patch
Size: 6973 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0476-Allow-modifying-permissions-with-in-the-name.patch
Type: text/x-patch
Size: 11359 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0477-Add-Object-metadata-and-update-plugin-for-managed-pe.patch
Type: text/x-patch
Size: 8998 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140226/f7124ad4/attachment-0004.bin>
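The message above shows the pairing the updater maintains: a managed permission entry (rights, effective attributes, bind rule, target filter) and the 389-DS ACI generated from it. An operator auditing a server wants to confirm that the two have not drifted apart, for example after someone edited the ACI directly in LDAP. The following is an added example, not part of the patches or of FreeIPA itself: it parses an ACI of the exact shape shown above and compares it against the permission as listed by `permission-find`. The dictionary keys mirror the CLI labels from the output rather than LDAP attribute names; the "drifted" ACI is a constructed sample, and the mapping of the `anonymous` bind rule to `ldap:///anyone` is an assumption beyond what the message shows (only `all` appears there).

```python
"""Check that a managed permission and its generated ACI agree.

Added example: not FreeIPA's own code.  It parses the ACI shape the
updater emits and reports any discrepancy with the permission entry.
"""
import re

# Permission as listed by `ipa permission-find ipa: --all` in the message;
# keys are the CLI labels, values are taken from that output.
NETGROUP_MEMBERSHIP_PERMISSION = {
    "Permission name": "ipa:Read Netgroup Membership",
    "Permissions": {"read", "compare", "search"},
    "Effective attributes": {"externalhost", "member", "memberof", "memberuser"},
    "Bind rule type": "all",
    "Target filter": "(objectclass=ipanisnetgroup)",
}

# The matching ACI from the message, with mail-client line wrapping removed.
NETGROUP_MEMBERSHIP_ACI = (
    '(targetattr = "externalhost || member || memberof || memberuser")'
    '(targetfilter = "(objectclass=ipanisnetgroup)")'
    '(version 3.0;acl "permission:ipa:Read Netgroup Membership";'
    'allow (read,compare,search) userdn = "ldap:///all";)'
)

# Constructed sample of drift: the ACI was widened by hand to also expose
# ipauniqueid and to grant write, while the permission entry still says
# read-only access to four attributes.
DRIFTED_ACI = (
    '(targetattr = "externalhost || member || memberof || memberuser || ipauniqueid")'
    '(targetfilter = "(objectclass=ipanisnetgroup)")'
    '(version 3.0;acl "permission:ipa:Read Netgroup Membership";'
    'allow (read,compare,search,write) userdn = "ldap:///all";)'
)

# Only the managed-permission shape is accepted: targetattr, targetfilter,
# version/acl name, a single allow clause and a userdn bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(targetfilter\s*=\s*"(?P<filter>[^"]*)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)$'
)

# Bind rule type -> userdn the ACI must carry.  "all" is what the message
# shows; "anonymous" -> ldap:///anyone is assumed here.
BIND_RULE_TO_USERDN = {"all": "ldap:///all", "anonymous": "ldap:///anyone"}


def parse_aci(aci):
    """Split an ACI string into attribute set, filter, name, rights, userdn."""
    flat = re.sub(r"\s+", " ", aci.strip())  # undo any line wrapping
    m = ACI_RE.match(flat)
    if m is None:
        raise ValueError("ACI does not have the managed-permission shape")
    return {
        "attrs": {a.strip().lower() for a in m["attrs"].split("||") if a.strip()},
        "filter": m["filter"],
        "name": m["name"],
        "rights": {r.strip().lower() for r in m["rights"].split(",") if r.strip()},
        "userdn": m["userdn"],
    }


def check_permission(perm, aci):
    """Return a list of discrepancies; an empty list means ACI and entry agree."""
    parsed = parse_aci(aci)
    problems = []

    expected_name = "permission:" + perm["Permission name"]
    if parsed["name"] != expected_name:
        problems.append(f"acl name {parsed['name']!r} != {expected_name!r}")

    extra_attrs = parsed["attrs"] - perm["Effective attributes"]
    missing_attrs = perm["Effective attributes"] - parsed["attrs"]
    if extra_attrs:
        problems.append(f"ACI exposes attributes not in the entry: {sorted(extra_attrs)}")
    if missing_attrs:
        problems.append(f"ACI lacks attributes the entry lists: {sorted(missing_attrs)}")

    extra_rights = parsed["rights"] - perm["Permissions"]
    missing_rights = perm["Permissions"] - parsed["rights"]
    if extra_rights:
        problems.append(f"ACI grants rights not in the entry: {sorted(extra_rights)}")
    if missing_rights:
        problems.append(f"ACI lacks rights the entry lists: {sorted(missing_rights)}")

    if parsed["filter"] != perm["Target filter"]:
        problems.append(f"target filter {parsed['filter']!r} != {perm['Target filter']!r}")

    expected_userdn = BIND_RULE_TO_USERDN.get(perm["Bind rule type"])
    if expected_userdn is None:
        problems.append(f"unsupported bind rule type {perm['Bind rule type']!r}")
    elif parsed["userdn"] != expected_userdn:
        problems.append(f"userdn {parsed['userdn']!r} != {expected_userdn!r}")
    return problems


if __name__ == "__main__":
    for label, aci in (("original", NETGROUP_MEMBERSHIP_ACI), ("drifted", DRIFTED_ACI)):
        print(label, check_permission(NETGROUP_MEMBERSHIP_PERMISSION, aci) or "OK")
```

Rights and attributes are compared as sets, so the differing order between "Effective attributes" and "Default attributes" in the output is irrelevant; only a real widening or narrowing of the ACI relative to the entry is reported.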

