#xPc @sddkTddklZlZlZddklZlZlZddkl Z ddkl Z ddk l Z l Z edZdZed d ed ed d ed fZdZdefdYZeiedefdYZeiedefdYZeiedefdYZeiedefdYZeiedefdYZeiedefdYZeiede fdYZ!eie!de"fd YZ#eie#d!S("i(t*(tapit_tngettext(tFlagtStrtStrEnum(tcontext(terrors(tDNt EditableDNs Permissions A permission enables fine-grained delegation of rights. A permission is a human-readable form of a 389-ds Access Control Rule, or instruction (ACI). A permission grants the right to perform a specific task such as adding a user, modifying a group, etc. A permission may not contain other permissions. * A permission grants access to read, write, add or delete. * A privilege combines similar permissions (for example all the permissions needed to add a user). * A role grants a set of privileges to users, groups, hosts or hostgroups. A permission is made up of a number of different parts: 1. The name of the permission. 2. The target of the permission. 3. The rights granted by the permission. Rights define what operations are allowed, and may be one or more of the following: 1. write - write one or more attributes 2. read - read one or more attributes 3. add - add a new entry to the tree 4. delete - delete an existing entry 5. all - all permissions are granted Read permission is granted for most attributes by default so the read permission is not expected to be used very often. Note the distinction between attributes and entries. The permissions are independent, so being able to add a user does not mean that the user will be editable. There are a number of allowed targets: 1. type: a type of object (user, group, etc). 2. memberof: a member of a group or hostgroup 3. filter: an LDAP filter 4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a super-set of the "type" target. 5. targetgroup: grant access to modify a specific group (such as granting the rights to manage group membership) EXAMPLES: Add a permission that grants the creation of users: ipa permission-add --type=user --permissions=add "Add Users" Add a permission that grants the ability to manage group membership: ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" u permissiontipapermissiontypetlabelsPermission TypetacitACIcstfd|DS(sReturn a dict that includes entries from `options` that are in `keys` example: >>> filtered = filter_options({'a': 1, 'b': 2, 'c': 3}, ['a', 'c']) >>> filtered == {'a': 1, 'c': 3} True c3s4x-|]&}|jo||fVqqWdS(N((t.0tk(toptions(s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pys ds (tdict(Rtkeys((Rs=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pytfilter_options\st permissioncBs7eZdZeiiZedZedZ ddgZ ddddd gZ d d dd d ddddg Z hdgd6Z eZedZedZeddddeddeddddeddddeddedd eed!dd ded"ded#d ed$d%d&d'ed(dd ded)ded*d+dAd&d'ed3ddded4ded5d&d'ed6ddded7ded8d&d'ed9ddded:ded;d&d'ed<ddded=ded>d&d'fZd?Zd@ZRS(Bs Permission object. Rt permissionst groupofnamest ipapermissiontcntmembertmemberoftmemberindirectR R tgrouptattrsttypetfiltertsubtreet targetgroupt privileget Permissionst Permissiontcli_nametnameR sPermission namet primary_keytpatterns^[-_ a-zA-Z0-9]+$tpattern_errmsgs2May only contain letters, numbers, -, _, and spaces permissions+tdocsLComma-separated list of permissions to grant (read, write, add, delete, all)tcsvsattrs*t Attributess"Comma-separated list of attributest normalizercCs |iS((tlower(tvalue((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pytstflagst ask_createstype?tTypesIType of IPA object (user, group, host, hostgroup, service, netgroup, dns)tvaluesuuserugroupuhostuserviceu hostgroupunetgroupu dnsrecords memberof?sMember of groupsTarget members of a groupsfilter?tFilters'Legal LDAP filter (e.g. ou=Engineering)ssubtree?tSubtreesSubtree to apply permissions tos targetgroup?s Target groups"User group to apply permissions tocGspy|i|dg\}}Wn#tij o|i|nXd|jod|djotSntS(NR tSYSTEM(t get_entryRtNotFoundthandle_not_foundtFalsetTrue(tselftldaptdnRt entry_attrs((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyt check_systems  cs tfd|iDS(s:Return option dictionary that only includes ACI attributesc3s9x2|]+\}}|ijo||fVqqWdS(N(taci_attributes(RRtv(R>(s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pys s (Rtitems(R>R((R>s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pytfilter_aci_attributess(uuserugroupuhostuserviceu hostgroupunetgroupu dnsrecord(t__name__t __module__t__doc__Rtenvtcontainer_permissiont container_dnRt object_nametobject_name_pluralt object_classtdefault_attributesRCtattribute_membersR=trdn_is_primary_keyR tlabel_singularRRt takes_paramsRBRF(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRfsx                                   tpermission_addcBs?eZedZedZeieZdZdZ RS(sAdd a new permission.sAdded permission "%(value)s"c Ost|tpt|ii|}t|d<|d|dR?R@RAt attrs_listRRtoptsto((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyt pre_callbacks   c Osgt|tpt|ii|}t|d<|d|dR?R@RARRR`Rctattrtetignore((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyt post_callbacks2      ! ( RGRHRRIt msg_summaryt LDAPCreatethas_output_paramst output_paramsRbRk(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRUs     tpermission_add_noacicBsoeZedZedZeieZeZ e ddeddd fZ dZ dZ d ZRS( s&Add a system permission without an ACIsAdded permission "%(value)s"spermissiontype?R sPermission typeR5uSYSTEMccs!|iiiddddVdS(NR)R*(R[R(tclonetNone(R>((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pytget_args sccsFx?tt|iD](}|i|iijoqn|VqWdS(N(tsuperRpt get_optionsR'R[RC(R>toption((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRus cOsBt|tpt|id}|o|g|dR?R@RAR_RRtpermission_type((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRbs (uSYSTEM(RGRHRRIRlRmRnRoR=tNO_CLIRt takes_optionsRsRuRb(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRps        Rec BsceZedZedZeieddeddddgded fZd ZRS( sDelete a permission.sDeleted permission "%(value)s"tforceR tForceR2t no_optiont no_outputR+s"force delete of SYSTEM permissionscOst|tpt|id o6|ii||| otidtdny!|i i i |ddt Wnti j onX|S(NR|tinfos&A SYSTEM permission may not be removediRW(RYR RZRxR[RBRtACIErrorRRR]RgR\R:(R>R?R@RR((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRb/s+ !( RGRHRRIRlt LDAPDeleteR{RRb(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRe"s     tpermission_modcBsHeZedZedZeieZdZdZ dZ RS(sModify a permission.sModified permission "%(value)s"c Os.t|tpt|ii|||ptidtdny(|i||d|ii \}}Wn&ti j o|ii |nXd|jo|doyyt |}|ddWn+t tfj o} td|nX|d|d_|i||d|ii \}}tiWqti j oqXqtiddd td n|ii|} ttd tt| djoF|d | d R?R@RAR_RRRtnew_dnRiR`Ra((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRbDsL "   $     cOsP|idjo6t|tiottd}|odSqFn|dS(Nt update_entryR(t func_nameRYRt EmptyModlisttgetattrR(R>RRtexct call_funct call_argst call_kwargsR((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyt exc_callbackxs  c Ost|tpt|d}d|joT|iii|dtd|d|iii|dtd|d|d}nt|dddg}|iii ||d }x0|D](} | i d p|| || R?R@RARRRtcommon_optionsRctr((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRks    ( RGRHRRIRlt LDAPUpdateRnRoRbRRk(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyR>s     4 tpermission_findcBs<eZedZedddZeieZdZ RS(sSearch for permissions.s%(count)d permission matcheds%(count)d permissions matchedic Os|idd}|idt}|px|D]}|\} } yyt|ddg} |iii| dddt| d} x3|ii D]%} | | jo| | | | |D]6}|\} } | d| ddjo t}PqqW|pt|ddg} |iii| d| d}|d} |d=|o-| h||iii|iii6f}n | |f}| |f|jo/t||jo|i|qt}PqqqqW|S(NRt pkey_onlyRRiRWRcsACI not found for %st sizelimititipasearchrecordslimittacinamet truncatedRR@(tpopRrR<RRR]taci_showR\R[RCRR:tdebugtget_ipa_configRFtaci_findR=RR(R'Rtappend(R>R?tentriesRtargsRRRtentryR@RRR Rht max_entriestconfigR`t aciresultstresultstfoundRt new_entry((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRksn   &         ' ( RGRHRRIRRlt LDAPSearchRnRoRk(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRs   RcBs*eZedZeieZdZRS(s'Display information about a permission.c Ost|tptyut|ddg}|iii|ddt|d}x3|ii D]%}||jo||||R?R@RARRRR Rh((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRks    & (RGRHRRIt LDAPRetrieveRnRoRk(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRs  tpermission_add_membercBseZdZeZRS(s& Add members to a permission. (RGRHRIR=Rz(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRstpermission_remove_membercBseZdZeZRS(s+ Remove members from a permission. (RGRHRIR=Rz(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyRsN($tipalib.plugins.baseldaptipalibRRRRRRtipalib.requestRRt ipapython.dnR R RIR\RoRt LDAPObjectRtregisterRmRURpRReRRRRRRt LDAPAddMemberRtLDAPRemoveMemberR(((s=/usr/lib/python2.6/site-packages/ipalib/plugins/permission.pyts> 4     ^ 6   Y O