From abcc2cbec338d22d86bd64f1af89e780cdad5a9f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 3 Sep 2015 09:32:11 +0200
Subject: [PATCH] vault: add permissions and administrator privilege
|
https://fedorahosted.org/freeipa/ticket/5250
|
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
ACI.txt | 22 ++++++++
install/updates/40-delegation.update | 8 +++
ipalib/plugins/vault.py | 98 ++++++++++++++++++++++++++++++++++++
3 files changed, 128 insertions(+)
|
diff --git a/ACI.txt b/ACI.txt
index 99099275e1383f16aca122e05e34b2330f4d06a3..40fa822217eaee8d0966491b10cdf7e0739a87ce 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -338,6 +338,28 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Add Vaults";allow (add) groupdn = "ldap:///cn=System: Add Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Delete Vaults";allow (delete) groupdn = "ldap:///cn=System: Delete Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "member")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Membership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipavaultpublickey || ipavaultsalt || ipavaulttype || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Modify Vaults";allow (write) groupdn = "ldap:///cn=System: Modify Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipavaultpublickey || ipavaultsalt || ipavaulttype || member || memberhost || memberuser || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Read Vaults";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Add Vault Containers";allow (add) groupdn = "ldap:///cn=System: Add Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Delete Vault Containers";allow (delete) groupdn = "ldap:///cn=System: Delete Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Manage Vault Container Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Container Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Modify Vault Containers";allow (write) groupdn = "ldap:///cn=System: Modify Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Read Vault Containers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Add CA Certificate For Renewal";allow (add) groupdn = "ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 8d4f6296cbed7fcc968c2193022cb50b488c8561..08906a663c818695b8af29449c6ce8fab2dfdbee 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -260,3 +260,11 @@ default:objectClass: groupofnames
default:objectClass: top
default:cn: CA Administrator
default:description: CA Administrator
+
+# Vault Administrators
+dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Vault Administrators
+default:description: Vault Administrators
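Review bot: The new privilege's description on the last added line just repeats its cn, while the permissions bound to it in ipalib/plugins/vault.py (`default_privileges: {'Vault Administrators'}`) cover add, delete, modify and owner/member writes on every vault and vault container, so an operator assigning privileges gets no hint of that scope. Suggest `default:description: Manage all vaults and vault containers, including their owners and members`. Whether the privilege also reaches vault contents cannot be told from this file, so the description should stay silent on that rather than imply either way.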
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index d9551c2f0cfc16973131c61db45bc606d2844fb6..1159a84d58eb152cccdd791c96a1c876754bfa7d 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -289,6 +289,7 @@ class vaultcontainer(LDAPObject):
object_name = _('vaultcontainer')
object_name_plural = _('vaultcontainers')
object_class = ['ipaVaultContainer']
+ permission_filter_objectclasses = ['ipaVaultContainer']
|
attribute_members = {
'owner': ['user', 'group', 'service'],
@@ -297,6 +298,48 @@ class vaultcontainer(LDAPObject):
label = _('Vault Containers')
label_singular = _('Vault Container')
|
+ managed_permissions = {
+ 'System: Read Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Add Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Delete Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'delete'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Modify Vault Containers': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Container Ownership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ }
+
takes_params = (
Str(
'owner_user?',
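Review bot: The five vaultcontainer permissions are added without any comment on why `owner` is kept out of 'System: Modify Vault Containers' and given its own 'System: Manage Vault Container Ownership' entry, so the split reads as accidental even though it is what allows container editing to be delegated without the ability to grant oneself ownership (presumably the intent — confirm). Suggest a comment above `managed_permissions`: `# 'owner' is deliberately excluded from Modify Vault Containers: ownership changes are a separate permission so editing can be delegated without takeover rights.` Every entry here binds to the same 'Vault Administrators' privilege, so that privilege is the only consumer today; stating that keeps someone from merging the two permissions later. The vaultcontainer class header lies outside this hunk.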
@@ -491,6 +534,7 @@ class vault(LDAPObject):
object_name_plural = _('vaults')
|
object_class = ['ipaVault']
+ permission_filter_objectclasses = ['ipaVault']
default_attributes = [
'cn',
'description',
@@ -513,6 +557,60 @@ class vault(LDAPObject):
label = _('Vaults')
label_singular = _('Vault')
|
+ managed_permissions = {
+ 'System: Read Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'ipavaulttype',
+ 'ipavaultsalt', 'ipavaultpublickey', 'owner', 'member',
+ 'memberuser', 'memberhost',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Add Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Delete Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'delete'},
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Modify Vaults': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'description', 'ipavaulttype',
+ 'ipavaultsalt', 'ipavaultpublickey',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Ownership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'owner',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ 'System: Manage Vault Membership': {
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN(api.env.container_vault, api.env.basedn),
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'member',
+ },
+ 'default_privileges': {'Vault Administrators'},
+ },
+ }
+
takes_params = (
Str(
'cn',
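Review bot: 'System: Manage Vault Ownership' and 'System: Manage Vault Membership' look narrow (one writable attribute each), but write on `owner` or `member` across the whole `cn=vaults` subtree lets the holder add any principal, including themselves, to every vault; if archive/retrieve access is derived from those attributes — not visible in this hunk — either permission is in practice full access to all vault contents, and nothing in the dict says so. Suggest a comment above the two entries: `# NOTE: write on owner/member lets the holder take over any vault; treat these as full vault-admin rights when delegating.` 'System: Modify Vaults' similarly grants write on `ipavaultpublickey` and `ipavaultsalt`, which presumably steers what future archivals are encrypted to, so a one-line comment flagging that would help whoever later assembles a narrower privilege from these pieces. The vault class itself starts before this hunk.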
--
2.4.3
|