From 82738f7ef90586668761a4f1215a734ab8c25f5a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 10 Aug 2015 20:57:58 +0200
Subject: [PATCH] Fixed vault container ownership.
The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
ipalib/plugins/vault.py | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
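--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -704,12 +704,33 @@ class vault_add_internal(LDAPCreate):
 else:
 owner_dn = self.api.Object.user.get_dn(name)
 
+ parent_dn = DN(*dn[1:])
+
+ container_dn = DN(self.api.Object.vault.container_dn,
+ self.api.env.basedn)
+
+ services_dn = DN(('cn', 'services'), container_dn)
+ users_dn = DN(('cn', 'users'), container_dn)
+
+ if dn.endswith(services_dn):
+ # service container should be owned by the service
+ service = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.service.get_dn(service)
+
+ elif dn.endswith(users_dn):
+ # user container should be owned by the user
+ user = parent_dn[0]['cn']
+ parent_owner_dn = self.api.Object.user.get_dn(user)
+
+ else:
+ parent_owner_dn = owner_dn
+
 try:
- parent_dn = DN(*dn[1:])
- self.obj.create_container(parent_dn, owner_dn)
- except errors.DuplicateEntry, e:
+ self.obj.create_container(parent_dn, parent_owner_dn)
+ except errors.DuplicateEntry as e:
 pass
 
+ # vault should be owned by the creator
 entry_attrs['owner'] = owner_dn
 
 return dn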
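Review bot: The `as e` in `except errors.DuplicateEntry as e:` binds a name the handler never uses; `except errors.DuplicateEntry:` expresses the same intent without leaving a dead local. Separately, `parent_dn[0]['cn']` takes the container owner's name straight from the RDN of the requested vault DN, and `get_dn()` appears to only build a DN for that name rather than confirm the entry exists, so a newly created container could end up owned by a DN that does not resolve to any user or service; a comment such as `# owner name comes from the requested DN; existence is not verified here` would make that explicit, or an existence check should be added if that is not intended. The `else:` fallback to `owner_dn` also silently covers a vault DN that matches neither container, which deserves a one-line comment. The enclosing method starts outside this hunk.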
--
2.4.3