╤Є ь ╥Xc@sЇddklZlZddklZlZlZlZlZlZddk Tddkl Z lZe dГZde dГfZ dДZd ДZd efdДГYZeieГdefd ДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZeieГdefdДГYZ defdДГYZ!de"fdДГYZ#eie#Гd e$fd!ДГYZ%eie%Гd"e"fd#ДГYZ&eie&Гd$e$fd%ДГYZ'eie'Гd&e"fd'ДГYZ(eie(Гd(e$fd)ДГYZ)eie)Гd*e"fd+ДГYZ*eie*Гd,e$fd-ДГYZ+eie+Гd.S(/i (tapiterrors(t AccessTimetPasswordtStrtStrEnumtBooltDeprecatedParam(t*(t_tngettexts Host-based access control Control who can access what services on what hosts. You can use HBAC to control which users or groups can access a service, or group of services, on a target host. You can also specify a category of users and target hosts. This is currently limited to "all", but might be expanded in the future. Target hosts in HBAC rules must be hosts managed by IPA. The available services and groups of services are controlled by the hbacsvc and hbacsvcgroup plug-ins respectively. EXAMPLES: Create a rule, "test1", that grants all users access to the host "server" from anywhere: ipa hbacrule-add --usercat=all test1 ipa hbacrule-add-host --hosts=server.example.com test1 Display the properties of a named HBAC rule: ipa hbacrule-show test1 Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine: ipa hbacrule-add --hostcat=all john_sshd ipa hbacrule-add-user --users=john john_sshd ipa hbacrule-add-service --hbacsvcs=sshd john_sshd Create a rule for a new service group. This lets the user john access the FTP service on any machine from any machine: ipa hbacsvcgroup-add ftpers ipa hbacsvc-add sftp ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers ipa hbacrule-add --hostcat=all john_ftp ipa hbacrule-add-user --users=john john_ftp ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp Disable a named HBAC rule: ipa hbacrule-disable test1 Remove a named HBAC rule: ipa hbacrule-del allow_server thbacs"Host-based access control commandscCs9|iГdjo"tidddtdГГВndS(Ntdenytnamettypeterrors"The deny type has been deprecated.(tlowerRtValidationErrorR (tugettextR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyt validate_type[scCsБ||jol||dj o[t||Гttfjo||diГ}n||iГ}|djotSntSdS(sF See if options[attribute] is lower-case 'all' in a safe way. itallN(tNoneRtlistttupleRtTruetFalse(toptionst attributetvalue((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytis_all_s thbacrulecBsўeZdZeiiZedГZedГZ ddgZ ddddd d dddd ddddgZdZdZ hddgd6ddgd6ddgd 6ddgd6ZedГZedГZeddddedГdeГed edd!d"ed#Гded$Гd%dSd(d&d)ed*d+d,d-d.gГed/dd0ded1Гd"ed2Гd%dTГed4dd5ded6Гd"ed7Гd%dUГed8Гed9dd:ded;Гd"ed<Гd%dVГed=dd>ded?ГГed@dedAГd,d-gГedBdedCГd,dDdEdFgГedGdedHГd,dDdEdFgГedIdedJГd,dDdEdFgГedKdedLГd,dDdEdFgГedMГedNГedOdedPГd,dDdEdFgГedQdedRГd,dDdEdFgГefZRS(Ws HBAC object. s HBAC rules HBAC rulestipaassociationtipahbacruletcntipaenabledflagtdescriptiontusercategorythostcategorytsourcehostcategorytservicecategoryt memberusert sourcehostt memberhostt memberservicetmemberhostgrouptexternalhosttipauniqueidtusertgroupthostt hostgroupthbacsvcthbacsvcgroups HBAC Ruless HBAC Ruletcli_nameR tlabels Rule nametprimary_keytaccessruletypeRtdocsRule type (allow)s Rule typetvaluesuallowudenytdefaulttautofilltexcludetwebuitflagst no_optiont no_outputs usercategory?tusercats User categorys!User category the rule applies toualls hostcategory?thostcats Host categorys!Host category the rule applies tossourcehostcategory?sservicecategory?t servicecatsService categorys$Service category the rule applies tosdescription?tdesctDescriptionsipaenabledflag?tEnabledsmemberuser_user?tUserst no_createt no_updatet no_searchsmemberuser_group?sUser Groupssmemberhost_host?tHostssmemberhost_hostgroup?sHost Groupsssourcehost_host?ssourcehost_hostgroup?smemberservice_hbacsvc?tServicessmemberservice_hbacsvcgroup?sService Groups(uallowudeny(uall(uall(uall(t__name__t __module__t__doc__Rtenvtcontainer_hbactcontainer_dnR tobject_nametobject_name_pluraltobject_classtdefault_attributestuuid_attributet rdn_attributetattribute_membersR6tlabel_singularRRRRRRtexternal_host_paramttakes_params(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRnsЦ thbacrule_addcBs)eZedГZedГZdДZRS(sCreate a new HBAC rule.sAdded HBAC rule "%(value)s"cOs%t|tГptВd|d<|S(NtTRUER"(t isinstancetDNtAssertionError(tselftldaptdntentry_attrst attrs_listtkeysR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytpre_callback▐s (RNROR RPtmsg_summaryRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR^┘sthbacrule_delcBs)eZedГZedГZdДZRS(sDelete an HBAC rule.sDeleted HBAC rule "%(value)s"cOsСt|tГptВtd|dГ}tiid|Н}|doCti d|dd|ii did|ddd dГВn|S( NtseealsoitcounttkeyR6tselinuxusermapt dependenttresultR!(R`RaRbtdictRtCommandtselinuxusermap_findRRtDependentEntrytObjectR[(RcRdReRhRtkwt_entries((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRiьsC(RNROR RPRjRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRkчsthbacrule_modcBs)eZedГZedГZdДZRS(sModify an HBAC rule.sModified HBAC rule "%(value)s"cOst|tГptВy|i||Г\}}Wn&tij o|ii|МnXt|dГo)d|joti dt dГГВnt|dГo)d|joti dt dГГВnt|dГo)d |joti dt d ГГВn|S(NR$R(treasonsBuser category cannot be set to 'all' while there are allowed usersR%R*sBhost category cannot be set to 'all' while there are allowed hostsR'R+sHservice category cannot be set to 'all' while there are allowed services(R`RaRbt get_entryRtNotFoundtobjthandle_not_foundRtMutuallyExclusiveErrorR (RcRdReRfRgRhR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRi¤s(RNROR RPRjRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRy°st hbacrule_findcBs&eZedГZedddГZRS(sSearch for HBAC rules.s%(count)d HBAC rule matcheds%(count)d HBAC rules matchedi(RNROR RPR Rj(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRАst hbacrule_showcBseZedГZRS(s'Display the properties of an HBAC rule.(RNROR RP(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRБsthbacrule_enablecBs2eZedГZedГZeiZdДZRS(sEnable an HBAC rule.sEnabled HBAC rule "%(value)s"cCsР|ii}|ii|Г}hdd6}y|i||ГWn;tij on'tij o|ii|ГnXtdt d|ГS(NR_R"RqR( R}tbackendtget_dntupdate_entryRtEmptyModlistR|R~RrR(RcR!RdReRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytexecute%s ( RNROR RPRjtoutputtstandard_valuet has_outputRЗ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRВs thbacrule_disablecBs2eZedГZedГZeiZdДZRS(sDisable an HBAC rule.sDisabled HBAC rule "%(value)s"cCsР|ii}|ii|Г}hdd6}y|i||ГWn;tij on'tij o|ii|ГnXtdt d|ГS(NtFALSER"RqR( R}RГRДRЕRRЖR|R~RrR(RcR!RdReRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЗ@s ( RNROR RPRjRИRЙRКRЗ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЛ:s thbacrule_add_accesstimecBsAeZdZeddddedГГfZdДZdДZRS(s- Add an access time to an HBAC rule. t accesstimeR5ttimeR6sAccess timecKs╡|ii}|ii|Г}|i|dgГ\}}|idgГi|dГy|i||ГWn;tij on'ti j o|ii |ГnXtdtГS(NRОRq( R}RГRДR{t setdefaulttappendRЕRRЖR|R~RrR(RcR!RRdReRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЗascKs/|i|iГ|id|d|fГdS(Ns(Added access time "%s" to HBAC rule "%s"RО(t print_nameR tprint_dashed(RcttextuiRqR!R((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytoutput_for_cliss(RNRORPRR t takes_optionsRЗRХ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRНUs thbacrule_remove_accesstimecBsAeZdZeddddedГГfZdДZdДZRS(s* Remove access time to HBAC rule. saccesstime?R5RПR6sAccess timecKs╗|ii}|ii|Г}|i|dgГ\}}y1|idgГi|dГ|i||ГWnAtti fj on'ti j o|ii|ГnXtdt ГS(NRОRq(R}RГRДR{RРtremoveRЕt ValueErrorRRЖR|R~RrR(RcR!RRdReRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЗЙscKs/|i|iГ|id|d|fГdS(Ns,Removed access time "%s" from HBAC rule "%s"RО(RТR RУ(RcRФRqR!R((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRХЫs(RNRORPRR RЦRЗRХ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЧ~s thbacrule_add_usercBs,eZedГZdgZdZdДZRS(s%Add users and groups to an HBAC rule.R(s%i object added.s%i objects added.cOsкt|tГptВy"|i||iiГ\}}Wn&tij o|ii|МnXd|jo7|ddi Гdjoti dtdГГВn|S(NR$iRRzs.users cannot be added when user category='all'(R`RaRbR{R}RWRR|R~RRR (RcRdRetfoundt not_foundRhRRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRiмs" (s%i object added.s%i objects added.(RNROR RPtmember_attributestmember_count_outRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЪжs thbacrule_remove_usercBs#eZedГZdgZdZRS(s*Remove users and groups from an HBAC rule.R(s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRЭRЮ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRЯ╗s thbacrule_add_hostcBs,eZedГZdgZdZdДZRS(s0Add target hosts and hostgroups to an HBAC rule.R*s%i object added.s%i objects added.cOsкt|tГptВy"|i||iiГ\}}Wn&tij o|ii|МnXd|jo7|ddi Гdjoti dtdГГВn|S(NR%iRRzs.hosts cannot be added when host category='all'(R`RaRbR{R}RWRR|R~RRR (RcRdReRЫRЬRhRRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRi╩s" (s%i object added.s%i objects added.(RNROR RPRЭRЮRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRа─s thbacrule_remove_hostcBs#eZedГZdgZdZRS(s5Remove target hosts and hostgroups from an HBAC rule.R*s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRЭRЮ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRб┘s thbacrule_add_sourcehostcBs&eZeZdgZdZdДZRS(R)s%i object added.s%i objects added.cKstiddГВdS(NR Rв(RtDeprecationError(RcRw((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytvalidateшs(s%i object added.s%i objects added.(RNRORtNO_CLIRЭRЮRд(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRвтs thbacrule_remove_sourcehostcBs&eZeZdgZdZdДZRS(R)s%i object removed.s%i objects removed.cKstiddГВdS(NR Rж(RRг(RcRw((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRдЇs(s%i object removed.s%i objects removed.(RNRORRеRЭRЮRд(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRжюs thbacrule_add_servicecBs,eZedГZdgZdZdДZRS(sAdd services to an HBAC rule.R+s%i object added.s%i objects added.cOsкt|tГptВy"|i||iiГ\}}Wn&tij o|ii|МnXd|jo7|ddi Гdjoti dtdГГВn|S(NR'iRRzs4services cannot be added when service category='all'(R`RaRbR{R}RWRR|R~RRR (RcRdReRЫRЬRhRRf((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRis" (s%i object added.s%i objects added.(RNROR RPRЭRЮRi(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRз·s thbacrule_remove_servicecBs#eZedГZdgZdZRS(s4Remove service and service groups from an HBAC rule.R+s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRЭRЮ(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRиs N(,tipalibRRRRRRRRtipalib.plugins.baseldapR R RPttopicRRt LDAPObjectRtregistert LDAPCreateR^t LDAPDeleteRkt LDAPUpdateRyt LDAPSearchRАtLDAPRetrieveRБt LDAPQueryRВRЛRНRЧt LDAPAddMemberRЪtLDAPRemoveMemberRЯRаRбRвRжRзRи(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytsT. . h )(