URL: https://github.com/freeipa/freeipa/pull/617 Author: stlaz Title: #617: Allow renaming of sudo rules Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/617/head:pr617 git checkout pr617
From 5eb4c77e8bd624eee2466face9934c8a56641ed5 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 16 Mar 2017 16:22:52 +0100 Subject: [PATCH] Allow renaming of HBAC and sudo rules This allows renaming of some objects that don't necessarily contain their own private key in their DN. https://pagure.io/freeipa/issue/2466 --- API.txt | 6 ++++-- VERSION.m4 | 4 ++-- ipaserver/plugins/baseldap.py | 6 ++++-- ipaserver/plugins/hbacrule.py | 1 + ipaserver/plugins/sudorule.py | 1 + 5 files changed, 12 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index f0bd1b6..7594157 100644 --- a/API.txt +++ b/API.txt @@ -2163,7 +2163,7 @@ output: ListOfEntries('result') output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('truncated', type=[<type 'bool'>]) command: hbacrule_mod/1 -args: 1,16,3 +args: 1,17,3 arg: Str('cn', cli_name='name') option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny']) option: Str('addattr*', cli_name='addattr') @@ -2175,6 +2175,7 @@ option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'a option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') option: Flag('rights', autofill=True, default=False) option: StrEnum('servicecategory?', autofill=False, cli_name='servicecat', values=[u'all']) option: Str('setattr*', cli_name='setattr') @@ -5402,7 +5403,7 @@ output: ListOfEntries('result') output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('truncated', type=[<type 'bool'>]) command: sudorule_mod/1 -args: 1,20,3 +args: 1,21,3 arg: Str('cn', cli_name='sudorule_name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) 
@@ -5419,6 +5420,7 @@ option: StrEnum('ipasudorunasgroupcategory?', autofill=False, cli_name='runasgro option: StrEnum('ipasudorunasusercategory?', autofill=False, cli_name='runasusercat', values=[u'all']) option: Flag('no_members', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr') option: Int('sudoorder?', autofill=False, cli_name='order', default=0) diff --git a/VERSION.m4 b/VERSION.m4 index cfac2a9..6c4213d 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000) # # ######################################################## define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 223) -# Last change: Add domain resolution order to ID views +define(IPA_API_VERSION_MINOR, 224) +# Last change: Add rename option to some *_mod commands ######################################################## diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index 79ba7fc..410fc54 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py @@ -550,6 +550,7 @@ class LDAPObject(Object): uuid_attribute = '' attribute_members = {} rdn_is_primary_key = False # Do we need RDN change to do a rename? + allow_rename = False password_attributes = [] # Can bind as this entry (has userPassword or krbPrincipalKey) bindable = False @@ -1384,7 +1385,7 @@ def _get_rename_option(self): def get_options(self): for option in super(LDAPUpdate, self).get_options(): yield option - if self.obj.rdn_is_primary_key: + if self.obj.rdn_is_primary_key or self.obj.allow_rename: yield self._get_rename_option() def execute(self, *keys, **options): 
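Review bot: The new class attribute `allow_rename = False` in the baseldap.py hunk at -550 has no comment, while the neighbouring `rdn_is_primary_key` carries one, so a plugin author reading LDAPObject cannot tell how the two flags differ. I would add a trailing comment such as `# Offer the 'rename' option although the RDN is not the primary key`. The rest of the LDAPObject class lies outside the hunk.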
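Review bot: The test `self.obj.rdn_is_primary_key or self.obj.allow_rename` is written out in get_options here and again in the execute hunk at -1420, so the place that offers the option and the place that honours it can drift apart when one copy is edited later. Keeping the expression in one spot, for example a small property on the object that both call sites read, would hold them in step; this is a point of style and changes no behaviour. Both functions continue outside their hunks.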
@@ -1420,7 +1421,8 @@ def execute(self, *keys, **options): rdnupdate = False try: - if self.obj.rdn_is_primary_key and 'rename' in options: + if ((self.obj.rdn_is_primary_key or self.obj.allow_rename) and + 'rename' in options): if not options['rename']: raise errors.ValidationError(name='rename', error=u'can\'t be empty') entry_attrs[self.obj.primary_key.name] = options['rename'] diff --git a/ipaserver/plugins/hbacrule.py b/ipaserver/plugins/hbacrule.py index 60e5e60..2495702 100644 --- a/ipaserver/plugins/hbacrule.py +++ b/ipaserver/plugins/hbacrule.py @@ -141,6 +141,7 @@ class hbacrule(LDAPObject): ] uuid_attribute = 'ipauniqueid' rdn_attribute = 'ipauniqueid' + allow_rename = True attribute_members = { 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py index 9077107..28c3f21 100644 --- a/ipaserver/plugins/sudorule.py +++ b/ipaserver/plugins/sudorule.py @@ -145,6 +145,7 @@ class sudorule(LDAPObject): ] uuid_attribute = 'ipauniqueid' rdn_attribute = 'ipauniqueid' + allow_rename = True attribute_members = { 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'],
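Review bot: For an object that sets `allow_rename` while its RDN is `ipauniqueid`, the line `entry_attrs[self.obj.primary_key.name] = options['rename']` in the execute hunk at -1420 only rewrites the name attribute, so there is no DN collision for the directory to reject when another rule already carries the new name. Nothing visible in the hunk looks for an existing entry with that name; execute continues outside the hunk, so this may be handled further down or by a uniqueness constraint on the server. If it is not, two HBAC or sudo rules could share a name and later lookups by name would be ambiguous. I would confirm this and, where needed, look the new name up before the update and raise `errors.DuplicateEntry` when it is taken.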
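Review bot: Setting `allow_rename = True` in the hbacrule.py hunk (and again in the sudorule.py hunk after it) exposes a new option on commands that edit access-control rules, yet the diffstat lists no test file. Cases worth adding to the existing hbacrule and sudorule tests are a successful rename, a rename to a name another rule already has, and an empty `rename` value, which the baseldap.py hunk rejects with a ValidationError. The rest of both classes lies outside the hunks.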