[Freeipa-devel] [PATCH] 369 Added CLI param and ACL for vault service operations.
Endi Sukma Dewata
edewata at redhat.com
Fri Jul 31 15:07:36 UTC 2015
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter. Due to name conflict,
the existing 'service' parameter has been renamed to
'servicename'.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
--
Endi S. Dewata
-------------- next part --------------
From 9259bb2da81d323a15398c678bfc58e32434364a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 30 Jul 2015 23:20:34 +0200
Subject: [PATCH] Added CLI param and ACL for vault service operations.
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter. Due to name conflict,
the existing 'service' parameter has been renamed to
'servicename'.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
---
API.txt | 40 ++++++++++++++++++---------------
VERSION | 4 ++--
install/share/vault.update | 1 +
ipalib/plugins/vault.py | 56 ++++++++++++++++++++++++++++++++++------------
4 files changed, 67 insertions(+), 34 deletions(-)
diff --git a/API.txt b/API.txt
index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..0e1525da26b3b0f850f338b7bf2a83b043c9d399 100644
--- a/API.txt
+++ b/API.txt
@@ -5407,7 +5407,7 @@ option: Str('password?', cli_name='password')
option: Str('password_file?', cli_name='password_file')
option: Str('public_key_file?', cli_name='public_key_file')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
@@ -5425,7 +5425,7 @@ option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False,
option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?', exclude='webui')
@@ -5433,13 +5433,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_add_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5448,13 +5449,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5471,7 +5473,7 @@ option: Str('in?')
option: Str('password?', cli_name='password')
option: Str('password_file?', cli_name='password_file')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?', exclude='webui')
@@ -5484,7 +5486,7 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False,
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Bytes('nonce')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
@@ -5497,7 +5499,7 @@ command: vault_del
args: 1,5,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('continue', autofill=True, cli_name='continue', default=False)
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?', exclude='webui')
@@ -5514,7 +5516,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Int('sizelimit?', autofill=False, minvalue=0)
option: Int('timelimit?', autofill=False, minvalue=0)
@@ -5537,7 +5539,7 @@ option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', def
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
@@ -5546,13 +5548,14 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5561,13 +5564,14 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('service*', alwaysask=True, cli_name='services', csv=True)
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
option: Str('username?', cli_name='user')
@@ -5585,7 +5589,7 @@ option: Str('password_file?', cli_name='password_file')
option: Bytes('private_key?', cli_name='private_key')
option: Str('private_key_file?', cli_name='private_key_file')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?', exclude='webui')
@@ -5597,7 +5601,7 @@ args: 1,7,3
arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
@@ -5612,7 +5616,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
-option: Str('service?')
+option: Str('servicename?', cli_name='service')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?', exclude='webui')
diff --git a/VERSION b/VERSION
index 2b78af50bf1e811cbcd04f6c69b8d506c98fdedb..ada3a9b9ead98ef9610cff09cb2f57504c6353ea 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=147
-# Last change: mbasti - Consolidate DNS RR in API and schema
+IPA_API_VERSION_MINOR=148
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
default: objectClass: ipaVaultContainer
default: cn: vaults
default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 81197f9328c7ed890fa336f464bfcda475ac6189..9e54acac1ce3d7a8247f82511a955dc763a9513d 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -198,16 +198,20 @@ EXAMPLES:
ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
""") + _("""
Add a vault owner:
- ipa vault-add-owner <name> --users <usernames>
+ ipa vault-add-owner <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Delete a vault owner:
- ipa vault-remove-owner <name> --users <usernames>
+ ipa vault-remove-owner <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Add a vault member:
- ipa vault-add-member <name> --users <usernames>
+ ipa vault-add-member <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""") + _("""
Delete a vault member:
- ipa vault-remove-member <name> --users <usernames>
+ ipa vault-remove-member <name> [--users <usernames>] \
+ [--groups <goupnames>] [--services <service names>]
""")
register = Registry()
@@ -215,7 +219,8 @@ register = Registry()
vault_options = (
Str(
- 'service?',
+ 'servicename?',
+ cli_name='service',
doc=_('Service name of the service vault'),
),
Flag(
@@ -257,8 +262,8 @@ class vault(LDAPObject):
'ipavaulttype',
]
attribute_members = {
- 'owner': ['user', 'group'],
- 'member': ['user', 'group'],
+ 'owner': ['user', 'group', 'service'],
+ 'member': ['user', 'group', 'service'],
}
label = _('Vaults')
@@ -312,6 +317,11 @@ class vault(LDAPObject):
label=_('Owner groups'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str(
+ 'owner_service?',
+ label=_('Owner services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **options):
@@ -319,7 +329,7 @@ class vault(LDAPObject):
Generates vault DN from parameters.
"""
- service = options.get('service')
+ service = options.get('servicename')
shared = options.get('shared')
user = options.get('username')
@@ -662,6 +672,29 @@ class vault_add_internal(LDAPCreate):
raise errors.InvocationError(
format=_('KRA service is not enabled'))
+ parent_dn = DN(*dn[1:])
+
+ container_dn = DN(self.api.Object.vault.container_dn,
+ self.api.env.basedn)
+
+ services_dn = DN(('cn', 'services'), container_dn)
+ users_dn = DN(('cn', 'users'), container_dn)
+
+ if dn.endswith(services_dn):
+ # service container should be owned by the service
+ service = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.service.get_dn(service)
+
+ elif dn.endswith(users_dn):
+ # user container should be owned by the user
+ user = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.user.get_dn(user)
+
+ try:
+ self.obj.create_container(parent_dn, parent_owner_dn)
+ except errors.DuplicateEntry, e:
+ pass
+
principal = getattr(context, 'principal')
(name, realm) = split_principal(principal)
if '/' in name:
@@ -669,12 +702,7 @@ class vault_add_internal(LDAPCreate):
else:
owner_dn = self.api.Object.user.get_dn(name)
- try:
- parent_dn = DN(*dn[1:])
- self.obj.create_container(parent_dn, owner_dn)
- except errors.DuplicateEntry, e:
- pass
-
+ # vault should be owned by the creator
entry_attrs['owner'] = owner_dn
return dn
--
2.4.3
More information about the Freeipa-devel
mailing list