From 6fc35156d91ce2265f02ed12224bce08c21b99e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 22 2024 08:00:39 +0000
Subject: Add permissions for topologysegment
I don't know why these weren't added originally when the topology plugin was created. Add them all to the 'Replication Administrators' privilege
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden
Reviewed-By: Alexander Bokovoy
---
diff --git a/ACI.txt b/ACI.txt
index 1d0b177..13b0a64 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -374,6 +374,14 @@ dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entryusn || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || modifytimestamp || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index ef21e43..be0cf3d 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -104,6 +104,7 @@ class topologysegment(LDAPObject):
 object_name = _('segment')
 object_name_plural = _('segments')
 object_class = ['iparepltoposegment']
+ permission_filter_objectclasses = ['iparepltoposegment']
 default_attributes = [
 'cn', 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
@@ -115,6 +116,38 @@ class topologysegment(LDAPObject):
 'cn', 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
 'ipaReplTopoSegmentLeftNode'
 ]
+ managed_permissions = {
+ 'System: Read Topology Segments': {
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass',
+ 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
+ 'ipaReplTopoSegmentLeftNode', 'ipaReplTopoConfRoot',
+ 'ipaReplTopoSegmentStatus','nsds5replicastripattrs',
+ 'nsds5replicatedattributelist',
+ 'nsds5replicatedattributelisttotal',
+ },
+ 'default_privileges': {'Replication Administrators'},
+ },
+ 'System: Add Topology Segments': {
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Replication Administrators'},
+ },
+ 'System: Remove Topology Segments': {
+ 'ipapermright': {'delete'},
+ 'default_privileges': {'Replication Administrators'},
+ },
+ 'System: Modify Topology Segments': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
+ 'ipaReplTopoSegmentLeftNode', 'nsds5replicastripattrs',
+ 'nsds5replicatedattributelist',
+ 'nsds5replicatedattributelisttotal',
+ },
+ 'default_privileges': {'Replication Administrators'},
+ },
+ }
 label = _('Topology Segments')
 label_singular = _('Topology Segment')
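Review bot: The consequential grant in this hunk is the write right on `nsds5replicastripattrs`, `nsds5replicatedattributelist` and `nsds5replicatedattributelisttotal` in 'System: Modify Topology Segments', which lets any holder of the Replication Administrators privilege change which attributes the segment's replication agreements carry or strip, yet nothing in the dict records that this is intentional or why `cn` and `ipaReplTopoSegmentStatus` are readable but deliberately left out of the write set (the RDN, and a status the server presumably maintains itself). A comment above the Modify entry such as `# write deliberately covers the fractional-replication controls; cn (RDN) and ipaReplTopoSegmentStatus stay read-only` would keep a later edit from widening it casually. Style: `'ipaReplTopoSegmentStatus','nsds5replicastripattrs',` is missing the space after the comma that every other line in the block has. Scoping the Read permission to the privilege rather than the `userdn = "ldap:///all"` used by the neighbouring `System: Read …` entries in ACI.txt is the right default for topology data and worth stating in the same comment. The topologysegment class body continues past the end of this hunk.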