80 lines
7.2 KiB
Diff
80 lines
7.2 KiB
Diff
|
From ebccaac3cf8a5688739d76426924469d5b4df6b1 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Mon, 10 Jun 2024 14:54:41 -0400
|
||
|
Subject: [PATCH] Add iparepltopoconf objectclass to topology permissions
|
||
|
|
||
|
The domain and ca objects were unreadable which caused
|
||
|
the conneciton lines between nodes in the UI to not be
|
||
|
visible.
|
||
|
|
||
|
Also add a manual ACI to allow reading the min/max
|
||
|
domain level.
|
||
|
|
||
|
Fixes: https://pagure.io/freeipa/issue/9594
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||
|
---
|
||
|
ACI.txt | 8 ++++----
|
||
|
install/updates/40-replication.update | 11 +++++++++++
|
||
|
ipaserver/plugins/topology.py | 2 +-
|
||
|
3 files changed, 16 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/ACI.txt b/ACI.txt
|
||
|
index 13b0a64bde6b29503b048630f1c718e5e30759b2..50c8824d43cd6d3ca9a381b5d34425cb0197508c 100644
|
||
|
--- a/ACI.txt
|
||
|
+++ b/ACI.txt
|
||
|
@@ -375,13 +375,13 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
|
||
|
dn: dc=ipa,dc=example
|
||
|
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||
|
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
|
||
|
-aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
|
||
|
-aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
+aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
|
||
|
-aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
+aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
|
||
|
-aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||
|
dn: cn=trusts,dc=ipa,dc=example
|
||
|
aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
|
||
|
dn: cn=trusts,dc=ipa,dc=example
|
||
|
diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
|
||
|
index 06b6613ed4c9ede935f879ee46ed5e7d5a0935ba..6dc38e36d96b4e019eb35f9d0367bfc7a202af98 100644
|
||
|
--- a/install/updates/40-replication.update
|
||
|
+++ b/install/updates/40-replication.update
|
||
|
@@ -28,3 +28,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||
|
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||
|
remove:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||
|
add:aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||
|
+
|
||
|
+dn: cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX
|
||
|
+default:objectClass: top
|
||
|
+default:objectClass: groupofnames
|
||
|
+default:objectClass: ipapermission
|
||
|
+default:cn: Read domain level
|
||
|
+default:ipapermissiontype: SYSTEM
|
||
|
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||
|
+
|
||
|
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||
|
+add:aci: (targetattr = "ipamaxdomainlevel || ipamindomainlevel")(version 3.0;acl "permission:Read domain level";allow (read, search, compare) groupdn = "ldap:///cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX";)
|
||
|
diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
|
||
|
index be0cf3d705267af66e20fb990b2fed72b61d2c49..1401fe259226c12abe42a5670d3ce1812c27cc05 100644
|
||
|
--- a/ipaserver/plugins/topology.py
|
||
|
+++ b/ipaserver/plugins/topology.py
|
||
|
@@ -104,7 +104,7 @@ class topologysegment(LDAPObject):
|
||
|
object_name = _('segment')
|
||
|
object_name_plural = _('segments')
|
||
|
object_class = ['iparepltoposegment']
|
||
|
- permission_filter_objectclasses = ['iparepltoposegment']
|
||
|
+ permission_filter_objectclasses = ['iparepltoposegment', 'iparepltopoconf']
|
||
|
default_attributes = [
|
||
|
'cn',
|
||
|
'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
|
||
|
--
|
||
|
2.45.2
|
||
|
|