ipaserver.plugins.permission.permission¶
- class ipaserver.plugins.permission.permission(api)[source]¶
Bases: ipaserver.plugins.baseldap.LDAPObject
Permission object.
Public Data Attributes:
Inherited from LDAPObject
Inherited from Object
Public Methods:
reject_system(entry): Raise if permission entry has unknown flags, or is a SYSTEM perm
postprocess_result(entry, options): Update a permission entry for output (in place)
get_effective_attrs(entry)
make_aci(entry): Make an ACI string from the given permission entry
add_aci(permission_entry): Add the ACI corresponding to the given permission entry
remove_aci(permission_entry): Remove the ACI corresponding to the given permission entry
update_aci(permission_entry[, old_name]): Update the ACI corresponding to the given permission entry
check_attrs(result, *keys, **options): Re-build the ACI to determine if there are rights that only work when there are attributes defined.
upgrade_permission(entry[, target_entry, ...]): Upgrade the given permission entry to V2, in-place
make_type_filter(obj): Make a filter for a --type based permission from an Object
preprocess_options(options[, ...]): Preprocess options (in-place)
validate_permission(entry)
Inherited from LDAPObject
get_dn(*keys, **kwargs): Construct an LDAP DN.
get_dn_if_exists(*keys, **kwargs)
has_objectclass(classes, objectclass)
convert_attribute_members(entry_attrs, ...)
get_indirect_members(entry_attrs, attrs_list)
get_memberindirect(group_entry): Get indirect members
get_memberofindirect(entry)
get_password_attributes(ldap, dn, entry_attrs): Search on the entry to determine if it has a password or keytab set.
handle_not_found(*keys): Handle NotFound exception
handle_duplicate_entry(*keys)
__json__()
Inherited from Object
params_minus(*names): Yield all Param whose name is not in names.
get_dn(*keys, **kwargs): Construct an LDAP DN.
get_params(): This method gets called by HasParam._create_param_namespace().
__json__()
Inherited from Plugin
__init__(api)
finalize(): Finalize plugin initialization.
ensure_finalized(): Finalize plugin initialization if it has not yet been finalized.
__repr__(): Return 'module_name.class_name()' representation.
Inherited from ReadOnly
__lock__(): Put this instance into a read-only state.
__islocked__(): Return True if instance is locked, otherwise False.
__setattr__(name, value): If unlocked, set attribute named name to value.
__delattr__(name): If unlocked, delete attribute named name.
Private Data Attributes:
Inherited from ReadOnly
_ReadOnly__locked
Private Methods:
_get_filter_attr_info(entry): Get information on filter-related virtual attributes
_replace_aci(permission_entry[, old_name, ...]): Replace ACI corresponding to permission_entry
_get_aci_entry_and_string(permission_entry): Get the entry and ACI corresponding to the permission entry
Inherited from Object
_on_finalize(): Do custom finalization.
_Object__get_attrs(name)
Inherited from HasParam
_get_param_iterable(name[, verb]): Return an iterable of params defined by the attribute named name.
_filter_param_by_context(name[, env]): Filter params on attribute named name by environment env.
_create_param_namespace(name[, env])
Inherited from Plugin
_Plugin__name_getter()
_Plugin__full_name_getter()
_Plugin__bases_getter()
_Plugin__doc_getter()
_Plugin__summary_getter()
_on_finalize(): Do custom finalization.
- property Backend¶
- property Command¶
- NO_CLI = False¶
- __annotations__ = {}¶
- __delattr__(name)¶
If unlocked, delete attribute named name.
If this instance is locked, an AttributeError will be raised.
- Parameters
name – Name of attribute to delete.
- __init__(api)¶
- __islocked__()¶
Return True if instance is locked, otherwise False.
- __json__()¶
- __lock__()¶
Put this instance into a read-only state.
After the instance has been locked, attempting to set or delete an attribute will raise an AttributeError.
- __module__ = 'ipaserver.plugins.permission'¶
- __repr__()¶
Return ‘module_name.class_name()’ representation.
This representation could be used to instantiate this Plugin instance given the appropriate environment.
- __setattr__(name, value)¶
If unlocked, set attribute named name to value.
If this instance is locked, an AttributeError will be raised.
- Parameters
name – Name of attribute to set.
value – Value to assign to attribute.
- __weakref__¶
list of weak references to the object (if defined)
- _create_param_namespace(name, env=None)¶
- _filter_param_by_context(name, env=None)¶
Filter params on attribute named name by environment env.
For example:
>>> from ipalib.config import Env
>>> class Example(HasParam):
...
...     takes_args = (
...         Str('foo_only', include=['foo']),
...         Str('not_bar', exclude=['bar']),
...         'both',
...     )
...
...     def get_args(self):
...         return self._get_param_iterable('args')
...
...
>>> eg = Example()
>>> foo = Env(context='foo')
>>> bar = Env(context='bar')
>>> another = Env(context='another')
>>> (foo.context, bar.context, another.context)
(u'foo', u'bar', u'another')
>>> list(eg._filter_param_by_context('args', foo))
[Str('foo_only', include=['foo']), Str('not_bar', exclude=['bar']), Str('both')]
>>> list(eg._filter_param_by_context('args', bar))
[Str('both')]
>>> list(eg._filter_param_by_context('args', another))
[Str('not_bar', exclude=['bar']), Str('both')]
- _get_aci_entry_and_string(permission_entry, name=None, notfound_ok=False, cached_acientry=None)[source]¶
Get the entry and ACI corresponding to the permission entry
- Parameters
name – The name of the permission, or None for the cn
notfound_ok – If true, (acientry, None) will be returned on missing ACI, rather than raising exception
cached_acientry – See upgrade_permission()
- _get_filter_attr_info(entry)[source]¶
Get information on filter-related virtual attributes
Returns a dict with this information:
‘implicit_targetfilters’: targetfilters implied by memberof and type
‘memberof’: list of names of groups from memberof
‘type’: the type
- _get_param_iterable(name, verb='takes')¶
Return an iterable of params defined by the attribute named name.
A sequence of params can be defined one of three ways: as a tuple; as a callable that returns an iterable; or as a param spec (a Param or str instance). This method returns a uniform iterable regardless of how the param sequence was defined.
For example, when defined with a tuple:
>>> class ByTuple(HasParam):
...     takes_args = (Param('foo'), Param('bar'))
...
>>> by_tuple = ByTuple()
>>> list(by_tuple._get_param_iterable('args'))
[Param('foo'), Param('bar')]
Or you can define your param sequence with a callable when you need to reference attributes on your plugin instance (for validation rules, etc.). For example:
>>> class ByCallable(HasParam):
...     def takes_args(self):
...         yield Param('foo', self.validate_foo)
...         yield Param('bar', self.validate_bar)
...
...     def validate_foo(self, _, value, **kw):
...         if value != 'Foo':
...             return _("must be 'Foo'")
...
...     def validate_bar(self, _, value, **kw):
...         if value != 'Bar':
...             return _("must be 'Bar'")
...
>>> by_callable = ByCallable()
>>> list(by_callable._get_param_iterable('args'))
[Param('foo', validate_foo), Param('bar', validate_bar)]
Lastly, as a convenience for when a param sequence contains a single param, your defining attribute may be a param spec (either a Param or a str instance). For example:
>>> class BySpec(HasParam):
...     takes_args = Param('foo')
...     takes_options = 'bar?'
...
>>> by_spec = BySpec()
>>> list(by_spec._get_param_iterable('args'))
[Param('foo')]
>>> list(by_spec._get_param_iterable('options'))
['bar?']
For information on how a str param spec is interpreted, see the create_param() and parse_param_spec() functions in the ipalib.parameters module.
Also see HasParam._filter_param_by_context().
- _on_finalize()¶
Do custom finalization.
This method is called from finalize(). Subclasses can override this method in order to add custom finalization.
- _replace_aci(permission_entry, old_name=None, new_acistring=None)[source]¶
Replace ACI corresponding to permission_entry
- Parameters
old_name – the old name of the permission, if different from new
new_acistring – new ACI string; if None the ACI is just deleted
- Returns
tuple:
- entry
- removed ACI string, or None if none existed previously
- allow_rename = True¶
- already_exists_msg = Gettext('%(oname)s with name "%(pkey)s" already exists', domain='ipa', localedir=None)¶
- property api¶
Return API instance passed to __init__().
- attribute_members = {'member': ['privilege'], 'memberindirect': ['role']}¶
- backend = None¶
- backend_name = 'ldap2'¶
- bases = (<class 'ipaserver.plugins.baseldap.LDAPObject'>,)¶
- bindable = False¶
- check_attrs(result, *keys, **options)[source]¶
Re-build the ACI to determine if there are rights that only work when there are attributes defined.
- container_dn = ipapython.dn.DN('cn=permissions,cn=pbac')¶
- container_not_found_msg = Gettext('container entry (%(container)s) not found', domain='ipa', localedir=None)¶
- property context¶
- convert_attribute_members(entry_attrs, *keys, **options)¶
- default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', 'ipapermtarget']¶
- disallow_object_classes = []¶
- doc = '\n Permission object.\n '¶
- ensure_finalized()¶
Finalize plugin initialization if it has not yet been finalized.
- property env¶
- finalize()¶
Finalize plugin initialization.
This method calls _on_finalize() and locks the plugin object.
Subclasses should not override this method. Custom finalization is done in _on_finalize().
- class finalize_attr(name, value=None)¶
Bases:
object
Create a stub object for plugin attribute that isn’t set until the finalization of the plugin initialization.
When the stub object is accessed, it calls ensure_finalized() to make sure the plugin initialization is finalized. The stub object is expected to be replaced with the actual attribute value during the finalization (preferably in _on_finalize()), otherwise an AttributeError is raised.
This is used to implement on-demand finalization of plugin initialization.
- __annotations__ = {}¶
- __get__(obj, cls)¶
- __init__(name, value=None)¶
- __module__ = 'ipalib.plugable'¶
- __slots__ = ('name', 'value')¶
- name¶
- value¶
- full_name = 'permission/1'¶
- get_ancestor_primary_keys()¶
- get_dn(*keys, **kwargs)¶
Construct an LDAP DN.
- get_dn_if_exists(*keys, **kwargs)¶
- get_indirect_members(entry_attrs, attrs_list)¶
- get_memberindirect(group_entry)¶
Get indirect members
- get_memberofindirect(entry)¶
- get_params()¶
This method gets called by HasParam._create_param_namespace().
- get_password_attributes(ldap, dn, entry_attrs)¶
Search on the entry to determine if it has a password or keytab set.
A tuple is used to determine which attribute is set in entry_attrs. The value is set to True/False whether a given password type is set.
- get_primary_key_from_dn(dn)¶
- handle_duplicate_entry(*keys)¶
- handle_not_found(*keys)¶
Handle NotFound exception
Must raise errors.NotFound again.
- has_objectclass(classes, objectclass)¶
- json_friendly_attributes = ('parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'label_singular', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', 'takes_params', 'rdn_attribute', 'bindable', 'relationships')¶
- label = Gettext('Permissions', domain='ipa', localedir=None)¶
- label_singular = Gettext('Permission', domain='ipa', localedir=None)¶
- limit_object_classes = []¶
- managed_permissions = {'System: Modify Privilege Membership': {'default_privileges': {'Delegation Administrator'}, 'ipapermdefaultattr': {'member'}, 'ipapermright': {'write'}, 'replaces': ['(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Read ACIs': {'default_privileges': {'RBAC Readers'}, 'ipapermdefaultattr': {'aci'}, 'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=example'), 'ipapermright': {'compare', 'read', 'search'}, 'non_object': True, 'replaces_global_anonymous_aci': True}, 'System: Read Permissions': {'default_privileges': {'RBAC Readers'}, 'ipapermdefaultattr': {'businesscategory', 'cn', 'description', 'ipapermbindruletype', 'ipapermdefaultattr', 'ipapermexcludedattr', 'ipapermincludedattr', 'ipapermissiontype', 'ipapermlocation', 'ipapermright', 'ipapermtarget', 'ipapermtargetfilter', 'member', 'memberhost', 'memberof', 'memberuser', 'o', 'objectclass', 'ou', 'owner', 'seealso'}, 'ipapermright': {'compare', 'read', 'search'}, 'replaces_global_anonymous_aci': True}}¶
- methods = None¶
- name = 'permission'¶
- object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']¶
- object_class_config = None¶
- object_name = Gettext('permission', domain='ipa', localedir=None)¶
- object_name_plural = Gettext('permissions', domain='ipa', localedir=None)¶
- object_not_found_msg = Gettext('%(pkey)s: %(oname)s not found', domain='ipa', localedir=None)¶
- params = None¶
- params_minus(*names)¶
Yield all Param whose name is not in names.
- params_minus_pk = None¶
- parent_not_found_msg = Gettext('%(parent)s: %(oname)s not found', domain='ipa', localedir=None)¶
- parent_object = ''¶
- password_attributes = []¶
- permission_filter_objectclasses = ['ipapermission']¶
- possible_objectclasses = []¶
- postprocess_result(entry, options)[source]¶
Update a permission entry for output (in place)
- Parameters
entry – The entry to update
options – Command options. Contains keys such as raw, all, pkey_only, version.
- preprocess_options(options, return_filter_ops=False, merge_targetfilter=False)[source]¶
Preprocess options (in-place)
- Parameters
options – A dictionary of options
return_filter_ops – If false, assumes there is no pre-existing entry; additional values of ipapermtargetfilter are added to options. If true, a dictionary of operations on ipapermtargetfilter is returned. These operations must be performed after the existing entry is retrieved. The dict has the following keys:
- remove: list of regular expression objects; implicit values that match any of them should be removed
- add: list of values to be added, after any removals
merge_targetfilter – If true, the extratargetfilter is copied into ipapermtargetfilter.
- primary_key = None¶
- rdn_attribute = ''¶
- relationships = {'member': ('Member', '', 'no_'), 'memberindirect': ('Indirect Member', None, 'no_indirect_'), 'membermanager': ('Group membership managed by', 'membermanager_', 'not_membermanager_'), 'memberof': ('Member Of', 'in_', 'not_in_'), 'memberofindirect': ('Indirect Member Of', None, 'not_in_indirect_')}¶
- remove_aci(permission_entry)[source]¶
Remove the ACI corresponding to the given permission entry
- Returns
tuple:
- entry
- removed ACI string, or None if none existed previously
- search_attributes = []¶
- search_attributes_config = None¶
- search_display_attributes = []¶
- summary = 'Permission object.'¶
- takes_params = (Str('cn', cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), pattern=u'^[-_ a-zA-Z0-9.:/]+$', pattern_errmsg=u'May only contain letters, numbers, -, _, ., :, /, and space', primary_key=True), StrEnum('ipapermright*', cli_metavar=u"['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", cli_name='right', doc=Gettext('Rights to grant (read, search, compare, write, add, delete, all)', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Granted rights', domain='ipa', localedir=None), values=[u'read', u'search', u'compare', u'write', u'add', u'delete', u'all']), Str('attrs*', doc=Gettext('All attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission', u'virtual_attribute'], label=Gettext('Effective attributes', domain='ipa', localedir=None)), Str('ipapermincludedattr*', cli_name='includedattrs', doc=Gettext('User-specified attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Included attributes', domain='ipa', localedir=None)), Str('ipapermexcludedattr*', cli_name='excludedattrs', doc=Gettext('User-specified attributes to which the permission explicitly does not apply', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Excluded attributes', domain='ipa', localedir=None)), Str('ipapermdefaultattr*', cli_name='defaultattrs', doc=Gettext('Attributes to which the permission applies by default', domain='ipa', localedir=None), flags=[u'no_create', u'no_update'], label=Gettext('Default attributes', domain='ipa', localedir=None)), StrEnum('ipapermbindruletype', autofill=True, cli_metavar=u"['permission', 'all', 'anonymous', 'self']", cli_name='bindtype', default=u'permission', doc=Gettext('Bind rule type', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission'], 
label=Gettext('Bind rule type', domain='ipa', localedir=None), values=[u'permission', u'all', u'anonymous', u'self']), DNOrURL('ipapermlocation?', cli_name='subtree', doc=Gettext('Subtree to apply permissions to', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Subtree', domain='ipa', localedir=None), normalizer=<lambda>), Str('extratargetfilter*', prevalidate_filter, cli_name='filter', doc=Gettext('Extra target filter', domain='ipa', localedir=None), flags=[u'virtual_attribute'], label=Gettext('Extra target filter', domain='ipa', localedir=None)), Str('ipapermtargetfilter*', prevalidate_filter, cli_name='rawfilter', doc=Gettext('All target filters, including those implied by type and memberof', domain='ipa', localedir=None), label=Gettext('Raw target filter', domain='ipa', localedir=None)), DNParam('ipapermtarget?', cli_name='target', doc=Gettext('Optional DN to apply the permission to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN', domain='ipa', localedir=None)), DNParam('ipapermtargetto?', cli_name='targetto', doc=Gettext('Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN subtree', domain='ipa', localedir=None)), DNParam('ipapermtargetfrom?', cli_name='targetfrom', doc=Gettext('Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Origin DN subtree', domain='ipa', localedir=None)), Str('memberof*', doc=Gettext('Target members of a group (sets memberOf targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Member of group', domain='ipa', localedir=None)), Str('targetgroup?', doc=Gettext('User group to apply permissions to (sets target)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Target 
group', domain='ipa', localedir=None)), Str('type?', validate_type, doc=Gettext('Type of IPA object (sets subtree and objectClass targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Type', domain='ipa', localedir=None)), Str('permissions*', doc=Gettext('Deprecated; use ipapermright', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('filter*', doc=Gettext('Deprecated; use extratargetfilter', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('subtree*', doc=Gettext('Deprecated; use ipapermlocation', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('ipapermissiontype+', flags=[u'no_update', u'no_create', u'no_search'], label=Gettext('Permission flags', domain='ipa', localedir=None)), Str('aci', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('ACI', domain='ipa', localedir=None)))¶
- update_aci(permission_entry, old_name=None)[source]¶
Update the ACI corresponding to the given permission entry
- Returns
tuple:
- entry
- removed ACI string, or None if none existed previously
- upgrade_permission(entry, target_entry=None, output_only=False, cached_acientry=None)[source]¶
Upgrade the given permission entry to V2, in-place
The entry is only upgraded if it is a plain old-style permission, that is, it has no flags set.
- Parameters
target_entry – If given, target_entry is filled from information taken from the ACI corresponding to entry. If None, entry itself is filled
output_only – If true, the flags & objectclass are not updated to V2. Used for the -find and -show commands.
cached_acientry – Optional pre-retrieved entry that contains the existing ACI. If it is None or its DN does not match the location DN, cached_acientry is ignored and the entry is retrieved from LDAP.
- uuid_attribute = ''¶
- version = '1'¶
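Added example (not FreeIPA code): a small parser for the ACI string format shown in the 'replaces' value of managed_permissions above, which reports the rights, target attributes and bind rule type of an ACI when reviewing what a permission grants. The mapping from bind rules to the four ipapermbindruletype values, the review checks, and the names parse_aci, bind_rule_type and review are assumptions of this example; CONSTRUCTED_ACI is a made-up sample.

```python
import re

# ACI copied from this page: managed_permissions['System: Modify Privilege
# Membership']['replaces'][0]. $SUFFIX is the page's own placeholder.
PAGE_ACI = (
    '(targetattr = "member")'
    '(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")'
    '(version 3.0;acl "permission:Modify privilege membership";'
    'allow (write) groupdn = "ldap:///cn=Modify privilege membership,'
    'cn=permissions,cn=pbac,$SUFFIX";)'
)
# Constructed for this example (not from the page): write access for anonymous binds.
CONSTRUCTED_ACI = (
    '(targetattr = "*")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")'
    '(version 3.0;acl "permission:Constructed example";'
    'allow (write) userdn = "ldap:///anyone";)'
)

TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bindrule>.+?)\s*;\s*\)\s*$',
    re.S,
)
BIND_RE = re.compile(r'^(\w+)\s*(!?=)\s*"([^"]*)"$')
# Assumed mapping of userdn bind rules onto the page's bind rule type values.
USERDN_TYPES = {'ldap:///all': 'all', 'ldap:///anyone': 'anonymous',
                'ldap:///self': 'self'}
READ_RIGHTS = {'read', 'search', 'compare'}


def bind_rule_type(bindrule):
    """Map a simple bind rule onto permission/all/anonymous/self, else 'unknown'."""
    m = BIND_RE.match(bindrule.strip())
    if not m or m.group(2) != '=':
        return 'unknown'  # compound or negated rule: needs manual review
    keyword, value = m.group(1).lower(), m.group(3).strip().lower()
    if keyword == 'groupdn':
        return 'permission'
    if keyword == 'userdn':
        return USERDN_TYPES.get(value, 'unknown')
    return 'unknown'


def parse_aci(aci):
    """Split an ACI string into target keywords, name, rights and bind rule."""
    m = BODY_RE.search(aci)
    if not m:
        raise ValueError('not a version 3.0 ACI: %r' % aci)
    head = aci[:m.start()]
    if TARGET_RE.sub('', head).strip():
        raise ValueError('unparseable target section: %r' % head)
    name = m.group('name')
    prefix = 'permission:'
    return {
        'name': name,
        'permission': name[len(prefix):] if name.startswith(prefix) else None,
        'targets': {kw.lower(): (op, val)
                    for kw, op, val in TARGET_RE.findall(head)},
        'kind': m.group('kind'),
        'rights': sorted(r.strip().lower()
                         for r in m.group('rights').split(',') if r.strip()),
        'bind_rule': m.group('bindrule'),
        'bind_type': bind_rule_type(m.group('bindrule')),
    }


def review(aci):
    """Return review findings for one ACI; an empty list means nothing flagged."""
    p = parse_aci(aci)
    findings = []
    beyond_read = sorted(set(p['rights']) - READ_RIGHTS)
    allows_more = p['kind'] == 'allow' and bool(beyond_read)
    if p['bind_type'] == 'unknown':
        findings.append('bind rule %r is not a plain permission/all/'
                        'anonymous/self rule' % p['bind_rule'])
    if allows_more and p['bind_type'] in ('all', 'anonymous'):
        findings.append('%s bind is granted %s'
                        % (p['bind_type'], ', '.join(beyond_read)))
    op, attrs = p['targets'].get('targetattr', ('=', ''))
    if allows_more and op == '=' and '*' in [a.strip() for a in attrs.split('||')]:
        findings.append('non-read rights on targetattr "*"')
    return findings


if __name__ == '__main__':
    for sample in (PAGE_ACI, CONSTRUCTED_ACI):
        parsed = parse_aci(sample)
        print(parsed['name'], parsed['bind_type'], parsed['rights'], review(sample))
```
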