Ñò ìÿÒXc@sôddklZlZddklZlZlZlZlZlZddk Tddkl Z l Z e dƒZ de dƒfZ d„Zd „Zd efd „ƒYZeieƒd efd „ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZeieƒdefd„ƒYZ defd„ƒYZ!de"fd„ƒYZ#eie#ƒd e$fd!„ƒYZ%eie%ƒd"e"fd#„ƒYZ&eie&ƒd$e$fd%„ƒYZ'eie'ƒd&e"fd'„ƒYZ(eie(ƒd(e$fd)„ƒYZ)eie)ƒd*e"fd+„ƒYZ*eie*ƒd,e$fd-„ƒYZ+eie+ƒd.S(/iÿÿÿÿ(tapiterrors(t AccessTimetPasswordtStrtStrEnumtBooltDeprecatedParam(t*(t_tngettexts  Host-based access control Control who can access what services on what hosts. You can use HBAC to control which users or groups can access a service, or group of services, on a target host. You can also specify a category of users and target hosts. This is currently limited to "all", but might be expanded in the future. Target hosts in HBAC rules must be hosts managed by IPA. The available services and groups of services are controlled by the hbacsvc and hbacsvcgroup plug-ins respectively. EXAMPLES: Create a rule, "test1", that grants all users access to the host "server" from anywhere: ipa hbacrule-add --usercat=all test1 ipa hbacrule-add-host --hosts=server.example.com test1 Display the properties of a named HBAC rule: ipa hbacrule-show test1 Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine: ipa hbacrule-add --hostcat=all john_sshd ipa hbacrule-add-user --users=john john_sshd ipa hbacrule-add-service --hbacsvcs=sshd john_sshd Create a rule for a new service group. This lets the user john access the FTP service on any machine from any machine: ipa hbacsvcgroup-add ftpers ipa hbacsvc-add sftp ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers ipa hbacrule-add --hostcat=all john_ftp ipa hbacrule-add-user --users=john john_ftp ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp Disable a named HBAC rule: ipa hbacrule-disable test1 Remove a named HBAC rule: ipa hbacrule-del allow_server thbacs"Host-based access control commandscCs9|iƒdjo"tidddtdƒƒ‚ndS(Ntdenytnamettypeterrors"The deny type has been deprecated.(tlowerRtValidationErrorR (tugettextR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyt validate_type[scCs||jol||dj o[t||ƒttfjo||diƒ}n||iƒ}|djotSntSdS(sF See if options[attribute] is lower-case 'all' in a safe way. itallN(tNoneRtlistttupleRtTruetFalse(toptionst attributetvalue((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytis_all_s  thbacrulecBs÷eZdZeiiZedƒZedƒZ ddgZ ddddd d d dd d ddddgZ dZ dZ hddgd 6ddgd6ddgd 6ddgd6ZedƒZedƒZeddddedƒdeƒed edd!d"ed#ƒded$ƒd%dSd(d&d)ed*d+d,d-d.gƒed/dd0ded1ƒd"ed2ƒd%dTƒed4dd5ded6ƒd"ed7ƒd%dUƒed8ƒed9dd:ded;ƒd"ed<ƒd%dVƒed=dd>ded?ƒƒed@dedAƒd,d-gƒedBdedCƒd,dDdEdFgƒedGdedHƒd,dDdEdFgƒedIdedJƒd,dDdEdFgƒedKdedLƒd,dDdEdFgƒedMƒedNƒedOdedPƒd,dDdEdFgƒedQdedRƒd,dDdEdFgƒefZRS(Ws HBAC object. s HBAC rules HBAC rulestipaassociationt ipahbacruletcntipaenabledflagt descriptiont usercategoryt hostcategorytsourcehostcategorytservicecategoryt memberusert sourcehostt memberhostt memberservicetmemberhostgroupt externalhostt ipauniqueidtusertgroupthostt hostgroupthbacsvct hbacsvcgroups HBAC Ruless HBAC Ruletcli_nameR tlabels Rule namet primary_keytaccessruletypeRtdocsRule type (allow)s Rule typetvaluesuallowudenytdefaulttautofilltexcludetwebuitflagst no_optiont no_outputs usercategory?tusercats User categorys!User category the rule applies toualls hostcategory?thostcats Host categorys!Host category the rule applies tossourcehostcategory?sservicecategory?t servicecatsService categorys$Service category the rule applies tos description?tdesct Descriptionsipaenabledflag?tEnabledsmemberuser_user?tUserst no_createt no_updatet no_searchsmemberuser_group?s User Groupssmemberhost_host?tHostssmemberhost_hostgroup?s Host Groupsssourcehost_host?ssourcehost_hostgroup?smemberservice_hbacsvc?tServicessmemberservice_hbacsvcgroup?sService Groups(uallowudeny(uall(uall(uall(t__name__t __module__t__doc__Rtenvtcontainer_hbact container_dnR t object_nametobject_name_pluralt object_classtdefault_attributestuuid_attributet rdn_attributetattribute_membersR6tlabel_singularRRRRRRtexternal_host_paramt takes_params(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRns–                                                t hbacrule_addcBs)eZedƒZedƒZd„ZRS(sCreate a new HBAC rule.sAdded HBAC rule "%(value)s"cOsd|d<|S(NtTRUER"((tselftldaptdnt entry_attrst attrs_listtkeysR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyt pre_callbackÞs (RNROR RPt msg_summaryRf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR^Ùs  t hbacrule_delcBs)eZedƒZedƒZd„ZRS(sDelete an HBAC rule.sDeleted HBAC rule "%(value)s"cOsztd|dƒ}tiid|}|doCtid|dd|iidid|ddd dƒ‚n|S( NtseealsoitcounttkeyR6tselinuxusermapt dependenttresultR!( tdictRtCommandtselinuxusermap_findRRtDependentEntrytObjectR[(R`RaRbReRtkwt_entries((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRfìs  C(RNROR RPRgRf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRhçs  t hbacrule_modcBs)eZedƒZedƒZd„ZRS(sModify an HBAC rule.sModified HBAC rule "%(value)s"cOsôy|i||ƒ\}}Wn&tij o|ii|ŒnXt|dƒo)d|jotidtdƒƒ‚nt|dƒo)d|jotidtdƒƒ‚nt|dƒo)d |jotidtd ƒƒ‚n|S( NR$R(treasonsBuser category cannot be set to 'all' while there are allowed usersR%R*sBhost category cannot be set to 'all' while there are allowed hostsR'R+sHservice category cannot be set to 'all' while there are allowed services(t get_entryRtNotFoundtobjthandle_not_foundRtMutuallyExclusiveErrorR (R`RaRbRcRdReR((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRfýs(RNROR RPRgRf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRvøs  t hbacrule_findcBs&eZedƒZedddƒZRS(sSearch for HBAC rules.s%(count)d HBAC rule matcheds%(count)d HBAC rules matchedi(RNROR RPR Rg(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR}s t hbacrule_showcBseZedƒZRS(s'Display the properties of an HBAC rule.(RNROR RP(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR~sthbacrule_enablecBs2eZedƒZedƒZeiZd„ZRS(sEnable an HBAC rule.sEnabled HBAC rule "%(value)s"cCs|ii}|ii|ƒ}hdd6}y|i||ƒWn;tij on'tij o|ii|ƒnXtdt d|ƒS(NR_R"RnR( Rztbackendtget_dnt update_entryRt EmptyModlistRyR{RoR(R`R!RaRbRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytexecute%s  ( RNROR RPRgtoutputtstandard_valuet has_outputR„(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRs   thbacrule_disablecBs2eZedƒZedƒZeiZd„ZRS(sDisable an HBAC rule.sDisabled HBAC rule "%(value)s"cCs|ii}|ii|ƒ}hdd6}y|i||ƒWn;tij on'tij o|ii|ƒnXtdt d|ƒS(NtFALSER"RnR( RzR€RR‚RRƒRyR{RoR(R`R!RaRbRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR„@s  ( RNROR RPRgR…R†R‡R„(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRˆ:s   thbacrule_add_accesstimecBsAeZdZeddddedƒƒfZd„Zd„ZRS(s- Add an access time to an HBAC rule. t accesstimeR5ttimeR6s Access timecKsµ|ii}|ii|ƒ}|i|dgƒ\}}|idgƒi|dƒy|i||ƒWn;tij on'ti j o|ii |ƒnXt dt ƒS(NR‹Rn( RzR€RRxt setdefaulttappendR‚RRƒRyR{RoR(R`R!RRaRbRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR„as  cKs/|i|iƒ|id|d|fƒdS(Ns(Added access time "%s" to HBAC rule "%s"R‹(t print_nameR t print_dashed(R`ttextuiRnR!R((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytoutput_for_cliss(RNRORPRR t takes_optionsR„R’(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRŠUs   thbacrule_remove_accesstimecBsAeZdZeddddedƒƒfZd„Zd„ZRS(s* Remove access time to HBAC rule. s accesstime?R5RŒR6s Access timecKs»|ii}|ii|ƒ}|i|dgƒ\}}y1|idgƒi|dƒ|i||ƒWnAtti fj on'ti j o|ii |ƒnXt dt ƒS(NR‹Rn(RzR€RRxRtremoveR‚t ValueErrorRRƒRyR{RoR(R`R!RRaRbRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR„‰s  cKs/|i|iƒ|id|d|fƒdS(Ns,Removed access time "%s" from HBAC rule "%s"R‹(RR R(R`R‘RnR!R((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR’›s(RNRORPRR R“R„R’(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR”~s   thbacrule_add_usercBs,eZedƒZdgZdZd„ZRS(s%Add users and groups to an HBAC rule.R(s%i object added.s%i objects added.cOs“y"|i||iiƒ\}}Wn&tij o|ii|ŒnXd|jo7|ddiƒdjotidtdƒƒ‚n|S(NR$iRRws.users cannot be added when user category='all'( RxRzRWRRyR{RR|R (R`RaRbtfoundt not_foundReRRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRf¬s"  (s%i object added.s%i objects added.(RNROR RPtmember_attributestmember_count_outRf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR—¦s  thbacrule_remove_usercBs#eZedƒZdgZdZRS(s*Remove users and groups from an HBAC rule.R(s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRšR›(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRœ»s  thbacrule_add_hostcBs,eZedƒZdgZdZd„ZRS(s0Add target hosts and hostgroups to an HBAC rule.R*s%i object added.s%i objects added.cOs“y"|i||iiƒ\}}Wn&tij o|ii|ŒnXd|jo7|ddiƒdjotidtdƒƒ‚n|S(NR%iRRws.hosts cannot be added when host category='all'( RxRzRWRRyR{RR|R (R`RaRbR˜R™ReRRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRfÊs"  (s%i object added.s%i objects added.(RNROR RPRšR›Rf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRÄs  thbacrule_remove_hostcBs#eZedƒZdgZdZRS(s5Remove target hosts and hostgroups from an HBAC rule.R*s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRšR›(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRžÙs  thbacrule_add_sourcehostcBs&eZeZdgZdZd„ZRS(R)s%i object added.s%i objects added.cKstiddƒ‚dS(NR RŸ(RtDeprecationError(R`Rt((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytvalidateès(s%i object added.s%i objects added.(RNRORtNO_CLIRšR›R¡(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRŸâs thbacrule_remove_sourcehostcBs&eZeZdgZdZd„ZRS(R)s%i object removed.s%i objects removed.cKstiddƒ‚dS(NR R£(RR (R`Rt((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR¡ôs(s%i object removed.s%i objects removed.(RNRORR¢RšR›R¡(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR£îs thbacrule_add_servicecBs,eZedƒZdgZdZd„ZRS(sAdd services to an HBAC rule.R+s%i object added.s%i objects added.cOs“y"|i||iiƒ\}}Wn&tij o|ii|ŒnXd|jo7|ddiƒdjotidtdƒƒ‚n|S(NR'iRRws4services cannot be added when service category='all'( RxRzRWRRyR{RR|R (R`RaRbR˜R™ReRRc((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyRfs"  (s%i object added.s%i objects added.(RNROR RPRšR›Rf(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR¤ús  thbacrule_remove_servicecBs#eZedƒZdgZdZRS(s4Remove service and service groups from an HBAC rule.R+s%i object removed.s%i objects removed.(s%i object removed.s%i objects removed.(RNROR RPRšR›(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pyR¥s  N(,tipalibRRRRRRRRtipalib.plugins.baseldapR R RPttopicRRt LDAPObjectRtregistert LDAPCreateR^t LDAPDeleteRht LDAPUpdateRvt LDAPSearchR}t LDAPRetrieveR~t LDAPQueryRRˆRŠR”t LDAPAddMemberR—tLDAPRemoveMemberRœRRžRŸR£R¤R¥(((s;/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.pytsT. .   h        )(