ipaserver.plugins.permission.permission

class ipaserver.plugins.permission.permission(api)[source]

Bases: ipaserver.plugins.baseldap.LDAPObject

Permission object.

Public Methods:

reject_system(entry)

Raise if the permission entry has unknown flags, or is a SYSTEM permission

postprocess_result(entry, options)

Update a permission entry for output (in place)

get_effective_attrs(entry)

make_aci(entry)

Make an ACI string from the given permission entry

add_aci(permission_entry)

Add the ACI corresponding to the given permission entry

remove_aci(permission_entry)

Remove the ACI corresponding to the given permission entry

update_aci(permission_entry[, old_name])

Update the ACI corresponding to the given permission entry

check_attrs(result, *keys, **options)

Re-build the ACI to determine if there are rights that only work when there are attributes defined.

upgrade_permission(entry[, target_entry, ...])

Upgrade the given permission entry to V2, in-place

make_type_filter(obj)

Make a filter for a --type based permission from an Object

preprocess_options(options[, ...])

Preprocess options (in-place)

validate_permission(entry)

Inherited from LDAPObject

get_dn(*keys, **kwargs)

Construct an LDAP DN.

get_dn_if_exists(*keys, **kwargs)

get_primary_key_from_dn(dn)

get_ancestor_primary_keys()

has_objectclass(classes, objectclass)

convert_attribute_members(entry_attrs, ...)

get_indirect_members(entry_attrs, attrs_list)

get_memberindirect(group_entry)

Get indirect members

get_memberofindirect(entry)

get_password_attributes(ldap, dn, entry_attrs)

Search on the entry to determine if it has a password or keytab set.

handle_not_found(*keys)

Handle NotFound exception

handle_duplicate_entry(*keys)

__json__()

Inherited from Object

backend

methods

params

primary_key

params_minus_pk

params_minus(*names)

Yield all Param whose name is not in names.

get_dn(*keys, **kwargs)

Construct an LDAP DN.

get_params()

This method gets called by HasParam._create_param_namespace().

__json__()

Inherited from Plugin

__init__(api)

finalize()

Finalize plugin initialization.

ensure_finalized()

Finalize plugin initialization if it has not yet been finalized.

__repr__()

Return 'module_name.class_name()' representation.

Inherited from ReadOnly

__lock__()

Put this instance into a read-only state.

__islocked__()

Return True if instance is locked, otherwise False.

__setattr__(name, value)

If unlocked, set attribute named name to value.

__delattr__(name)

If unlocked, delete attribute named name.

Private Data Attributes:

Inherited from ReadOnly

_ReadOnly__locked

Private Methods:

_get_filter_attr_info(entry)

Get information on filter-related virtual attributes

_replace_aci(permission_entry[, old_name, ...])

Replace ACI corresponding to permission_entry

_get_aci_entry_and_string(permission_entry)

Get the entry and ACI corresponding to the permission entry

Inherited from Object

_on_finalize()

Do custom finalization.

_Object__get_attrs(name)

Inherited from HasParam

_get_param_iterable(name[, verb])

Return an iterable of params defined by the attribute named name.

_filter_param_by_context(name[, env])

Filter params on attribute named name by environment env.

_create_param_namespace(name[, env])

Inherited from Plugin

_Plugin__name_getter()

_Plugin__full_name_getter()

_Plugin__bases_getter()

_Plugin__doc_getter()

_Plugin__summary_getter()

_on_finalize()

Do custom finalization.


property Backend
property Command
NO_CLI = False
__annotations__ = {}
__delattr__(name)

If unlocked, delete attribute named name.

If this instance is locked, an AttributeError will be raised.

Parameters

name – Name of attribute to delete.

__dict__ = mappingproxy({'__module__': 'ipaserver.plugins.permission', '__doc__': '\n    Permission object.\n    ', 'container_dn': ipapython.dn.DN('cn=permissions,cn=pbac'), 'object_name': Gettext('permission', domain='ipa', localedir=None), 'object_name_plural': Gettext('permissions', domain='ipa', localedir=None), 'object_class': ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2'], 'permission_filter_objectclasses': ['ipapermission'], 'default_attributes': ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', 'ipapermtarget'], 'attribute_members': {'member': ['privilege'], 'memberindirect': ['role']}, 'allow_rename': True, 'managed_permissions': {'System: Read Permissions': {'replaces_global_anonymous_aci': True, 'ipapermright': {'read', 'search', 'compare'}, 'ipapermdefaultattr': {'objectclass', 'ipapermtargetfilter', 'ipapermexcludedattr', 'member', 'businesscategory', 'ipapermright', 'ipapermtarget', 'ipapermincludedattr', 'ipapermdefaultattr', 'seealso', 'o', 'ipapermlocation', 'ipapermbindruletype', 'memberuser', 'ou', 'memberhost', 'owner', 'cn', 'description', 'ipapermissiontype', 'memberof'}, 'default_privileges': {'RBAC Readers'}}, 'System: Read ACIs': {'non_object': True, 'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=example'), 'replaces_global_anonymous_aci': True, 'ipapermright': {'read', 'search', 'compare'}, 'ipapermdefaultattr': {'aci'}, 'default_privileges': {'RBAC Readers'}}, 'System: Modify Privilege Membership': {'ipapermright': {'write'}, 'ipapermdefaultattr': {'member'}, 'replaces': ['(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)'], 'default_privileges': {'Delegation 
Administrator'}}}, 'label': Gettext('Permissions', domain='ipa', localedir=None), 'label_singular': Gettext('Permission', domain='ipa', localedir=None), 'takes_params': (Str('cn', cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), pattern=u'^[-_ a-zA-Z0-9.:/]+$', pattern_errmsg=u'May only contain letters, numbers, -, _, ., :, /, and space', primary_key=True), StrEnum('ipapermright*', cli_metavar=u"['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", cli_name='right', doc=Gettext('Rights to grant (read, search, compare, write, add, delete, all)', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Granted rights', domain='ipa', localedir=None), values=[u'read', u'search', u'compare', u'write', u'add', u'delete', u'all']), Str('attrs*', doc=Gettext('All attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission', u'virtual_attribute'], label=Gettext('Effective attributes', domain='ipa', localedir=None)), Str('ipapermincludedattr*', cli_name='includedattrs', doc=Gettext('User-specified attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Included attributes', domain='ipa', localedir=None)), Str('ipapermexcludedattr*', cli_name='excludedattrs', doc=Gettext('User-specified attributes to which the permission explicitly does not apply', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Excluded attributes', domain='ipa', localedir=None)), Str('ipapermdefaultattr*', cli_name='defaultattrs', doc=Gettext('Attributes to which the permission applies by default', domain='ipa', localedir=None), flags=[u'no_create', u'no_update'], label=Gettext('Default attributes', domain='ipa', localedir=None)), StrEnum('ipapermbindruletype', autofill=True, cli_metavar=u"['permission', 'all', 'anonymous', 'self']", 
cli_name='bindtype', default=u'permission', doc=Gettext('Bind rule type', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission'], label=Gettext('Bind rule type', domain='ipa', localedir=None), values=[u'permission', u'all', u'anonymous', u'self']), DNOrURL('ipapermlocation?', cli_name='subtree', doc=Gettext('Subtree to apply permissions to', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Subtree', domain='ipa', localedir=None), normalizer=<lambda>), Str('extratargetfilter*', prevalidate_filter, cli_name='filter', doc=Gettext('Extra target filter', domain='ipa', localedir=None), flags=[u'virtual_attribute'], label=Gettext('Extra target filter', domain='ipa', localedir=None)), Str('ipapermtargetfilter*', prevalidate_filter, cli_name='rawfilter', doc=Gettext('All target filters, including those implied by type and memberof', domain='ipa', localedir=None), label=Gettext('Raw target filter', domain='ipa', localedir=None)), DNParam('ipapermtarget?', cli_name='target', doc=Gettext('Optional DN to apply the permission to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN', domain='ipa', localedir=None)), DNParam('ipapermtargetto?', cli_name='targetto', doc=Gettext('Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN subtree', domain='ipa', localedir=None)), DNParam('ipapermtargetfrom?', cli_name='targetfrom', doc=Gettext('Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Origin DN subtree', domain='ipa', localedir=None)), Str('memberof*', doc=Gettext('Target members of a group (sets memberOf targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Member of group', domain='ipa', localedir=None)), Str('targetgroup?', 
doc=Gettext('User group to apply permissions to (sets target)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Target group', domain='ipa', localedir=None)), Str('type?', validate_type, doc=Gettext('Type of IPA object (sets subtree and objectClass targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Type', domain='ipa', localedir=None)), Str('permissions*', doc=Gettext('Deprecated; use ipapermright', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('filter*', doc=Gettext('Deprecated; use extratargetfilter', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('subtree*', doc=Gettext('Deprecated; use ipapermlocation', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('ipapermissiontype+', flags=[u'no_update', u'no_create', u'no_search'], label=Gettext('Permission flags', domain='ipa', localedir=None)), Str('aci', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('ACI', domain='ipa', localedir=None))), 'reject_system': <function permission.reject_system>, '_get_filter_attr_info': <function permission._get_filter_attr_info>, 'postprocess_result': <function permission.postprocess_result>, 'get_effective_attrs': <function permission.get_effective_attrs>, 'make_aci': <function permission.make_aci>, 'add_aci': <function permission.add_aci>, 'remove_aci': <function permission.remove_aci>, 'update_aci': <function permission.update_aci>, '_replace_aci': <function permission._replace_aci>, 'check_attrs': <function permission.check_attrs>, '_get_aci_entry_and_string': <function permission._get_aci_entry_and_string>, 'upgrade_permission': <function permission.upgrade_permission>, 'make_type_filter': <function permission.make_type_filter>, 'preprocess_options': <function permission.preprocess_options>, 'validate_permission': <function 
permission.validate_permission>, '__annotations__': {}})
__init__(api)
__islocked__()

Return True if instance is locked, otherwise False.

__json__()
__lock__()

Put this instance into a read-only state.

After the instance has been locked, attempting to set or delete an attribute will raise an AttributeError.

__module__ = 'ipaserver.plugins.permission'
__repr__()

Return ‘module_name.class_name()’ representation.

This representation could be used to instantiate this Plugin instance given the appropriate environment.

__setattr__(name, value)

If unlocked, set attribute named name to value.

If this instance is locked, an AttributeError will be raised.

Parameters
  • name – Name of attribute to set.

  • value – Value to assign to attribute.

__weakref__

list of weak references to the object (if defined)

_create_param_namespace(name, env=None)
_filter_param_by_context(name, env=None)

Filter params on attribute named name by environment env.

For example:

>>> from ipalib.config import Env
>>> class Example(HasParam):
...
...     takes_args = (
...         Str('foo_only', include=['foo']),
...         Str('not_bar', exclude=['bar']),
...         'both',
...     )
...
...     def get_args(self):
...         return self._get_param_iterable('args')
...
...
>>> eg = Example()
>>> foo = Env(context='foo')
>>> bar = Env(context='bar')
>>> another = Env(context='another')
>>> (foo.context, bar.context, another.context)
(u'foo', u'bar', u'another')
>>> list(eg._filter_param_by_context('args', foo))
[Str('foo_only', include=['foo']), Str('not_bar', exclude=['bar']), Str('both')]
>>> list(eg._filter_param_by_context('args', bar))
[Str('both')]
>>> list(eg._filter_param_by_context('args', another))
[Str('not_bar', exclude=['bar']), Str('both')]
_get_aci_entry_and_string(permission_entry, name=None, notfound_ok=False, cached_acientry=None)[source]

Get the entry and ACI corresponding to the permission entry

Parameters
  • name – The name of the permission, or None for the cn

  • notfound_ok – If true, (acientry, None) is returned when the ACI is missing, rather than raising an exception

  • cached_acientry – See upgrade_permission()

_get_filter_attr_info(entry)[source]

Get information on filter-related virtual attributes

Returns a dict with this information:
  • 'implicit_targetfilters': targetfilters implied by memberof and type
  • 'memberof': list of names of groups from memberof
  • 'type': the type

_get_param_iterable(name, verb='takes')

Return an iterable of params defined by the attribute named name.

A sequence of params can be defined one of three ways: as a tuple; as a callable that returns an iterable; or as a param spec (a Param or str instance). This method returns a uniform iterable regardless of how the param sequence was defined.

For example, when defined with a tuple:

>>> class ByTuple(HasParam):
...     takes_args = (Param('foo'), Param('bar'))
...
>>> by_tuple = ByTuple()
>>> list(by_tuple._get_param_iterable('args'))
[Param('foo'), Param('bar')]

Or you can define your param sequence with a callable when you need to reference attributes on your plugin instance (for validation rules, etc.). For example:

>>> class ByCallable(HasParam):
...     def takes_args(self):
...         yield Param('foo', self.validate_foo)
...         yield Param('bar', self.validate_bar)
...
...     def validate_foo(self, _, value, **kw):
...         if value != 'Foo':
...             return _("must be 'Foo'")
...
...     def validate_bar(self, _, value, **kw):
...         if value != 'Bar':
...             return _("must be 'Bar'")
...
>>> by_callable = ByCallable()
>>> list(by_callable._get_param_iterable('args'))
[Param('foo', validate_foo), Param('bar', validate_bar)]

Lastly, as a convenience for when a param sequence contains a single param, your defining attribute may be a param spec (either a Param or a str instance). For example:

>>> class BySpec(HasParam):
...     takes_args = Param('foo')
...     takes_options = 'bar?'
...
>>> by_spec = BySpec()
>>> list(by_spec._get_param_iterable('args'))
[Param('foo')]
>>> list(by_spec._get_param_iterable('options'))
['bar?']

For information on how an str param spec is interpreted, see the create_param() and parse_param_spec() functions in the ipalib.parameters module.

Also see HasParam._filter_param_by_context().

_on_finalize()

Do custom finalization.

This method is called from finalize(). Subclasses can override this method in order to add custom finalization.

_replace_aci(permission_entry, old_name=None, new_acistring=None)[source]

Replace ACI corresponding to permission_entry

Parameters
  • old_name – the old name of the permission, if different from new

  • new_acistring – new ACI string; if None the ACI is just deleted

Returns

tuple:
  • entry
  • removed ACI string, or None if none existed previously

add_aci(permission_entry)[source]

Add the ACI corresponding to the given permission entry

allow_rename = True
already_exists_msg = Gettext('%(oname)s with name "%(pkey)s" already exists', domain='ipa', localedir=None)
property api

Return API instance passed to __init__().

attribute_members = {'member': ['privilege'], 'memberindirect': ['role']}
backend = None
backend_name = 'ldap2'
bases = (<class 'ipaserver.plugins.baseldap.LDAPObject'>,)
bindable = False
check_attrs(result, *keys, **options)[source]

Re-build the ACI to determine if there are rights that only work when there are attributes defined.

container_dn = ipapython.dn.DN('cn=permissions,cn=pbac')
container_not_found_msg = Gettext('container entry (%(container)s) not found', domain='ipa', localedir=None)
property context
convert_attribute_members(entry_attrs, *keys, **options)
default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', 'ipapermtarget']
disallow_object_classes = []
doc = '\n    Permission object.\n    '
ensure_finalized()

Finalize plugin initialization if it has not yet been finalized.

property env
finalize()

Finalize plugin initialization.

This method calls _on_finalize() and locks the plugin object.

Subclasses should not override this method. Custom finalization is done in _on_finalize().

class finalize_attr(name, value=None)

Bases: object

Create a stub object for plugin attribute that isn’t set until the finalization of the plugin initialization.

When the stub object is accessed, it calls ensure_finalized() to make sure the plugin initialization is finalized. The stub object is expected to be replaced with the actual attribute value during the finalization (preferably in _on_finalize()), otherwise an AttributeError is raised.

This is used to implement on-demand finalization of plugin initialization.

__annotations__ = {}
__get__(obj, cls)
__init__(name, value=None)
__module__ = 'ipalib.plugable'
__slots__ = ('name', 'value')
name
value
full_name = 'permission/1'
get_ancestor_primary_keys()
get_dn(*keys, **kwargs)

Construct an LDAP DN.

get_dn_if_exists(*keys, **kwargs)
get_effective_attrs(entry)[source]
get_indirect_members(entry_attrs, attrs_list)
get_memberindirect(group_entry)

Get indirect members

get_memberofindirect(entry)
get_params()

This method gets called by HasParam._create_param_namespace().

get_password_attributes(ldap, dn, entry_attrs)

Search on the entry to determine if it has a password or keytab set.

A tuple is used to determine which attribute is set in entry_attrs. The value is set to True/False according to whether a given password type is set.

get_primary_key_from_dn(dn)
handle_duplicate_entry(*keys)
handle_not_found(*keys)

Handle NotFound exception

Must raise errors.NotFound again.

has_objectclass(classes, objectclass)
hidden_attributes = ['objectclass', 'aci']
json_friendly_attributes = ('parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'label_singular', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', 'takes_params', 'rdn_attribute', 'bindable', 'relationships')
label = Gettext('Permissions', domain='ipa', localedir=None)
label_singular = Gettext('Permission', domain='ipa', localedir=None)
limit_object_classes = []
make_aci(entry)[source]

Make an ACI string from the given permission entry

make_type_filter(obj)[source]

Make a filter for a --type based permission from an Object

managed_permissions = {'System: Modify Privilege Membership': {'default_privileges': {'Delegation Administrator'}, 'ipapermdefaultattr': {'member'}, 'ipapermright': {'write'}, 'replaces': ['(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Read ACIs': {'default_privileges': {'RBAC Readers'}, 'ipapermdefaultattr': {'aci'}, 'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=example'), 'ipapermright': {'compare', 'read', 'search'}, 'non_object': True, 'replaces_global_anonymous_aci': True}, 'System: Read Permissions': {'default_privileges': {'RBAC Readers'}, 'ipapermdefaultattr': {'businesscategory', 'cn', 'description', 'ipapermbindruletype', 'ipapermdefaultattr', 'ipapermexcludedattr', 'ipapermincludedattr', 'ipapermissiontype', 'ipapermlocation', 'ipapermright', 'ipapermtarget', 'ipapermtargetfilter', 'member', 'memberhost', 'memberof', 'memberuser', 'o', 'objectclass', 'ou', 'owner', 'seealso'}, 'ipapermright': {'compare', 'read', 'search'}, 'replaces_global_anonymous_aci': True}}
methods = None
name = 'permission'
object_class = ['top', 'groupofnames', 'ipapermission', 'ipapermissionv2']
object_class_config = None
object_name = Gettext('permission', domain='ipa', localedir=None)
object_name_plural = Gettext('permissions', domain='ipa', localedir=None)
object_not_found_msg = Gettext('%(pkey)s: %(oname)s not found', domain='ipa', localedir=None)
params = None
params_minus(*names)

Yield all Param whose name is not in names.

params_minus_pk = None
parent_not_found_msg = Gettext('%(parent)s: %(oname)s not found', domain='ipa', localedir=None)
parent_object = ''
password_attributes = []
permission_filter_objectclasses = ['ipapermission']
possible_objectclasses = []
postprocess_result(entry, options)[source]

Update a permission entry for output (in place)

Parameters
  • entry – The entry to update

  • options – Command options. Contains keys such as raw, all, pkey_only, version.

preprocess_options(options, return_filter_ops=False, merge_targetfilter=False)[source]

Preprocess options (in-place)

Parameters
  • options – A dictionary of options

  • return_filter_ops

    If false, assumes there is no pre-existing entry; additional values of ipapermtargetfilter are added to options. If true, a dictionary of operations on ipapermtargetfilter is returned. These operations must be performed after the existing entry is retrieved. The dict has the following keys:

    • remove: list of regular expression objects;

      implicit values that match any of them should be removed

    • add: list of values to be added, after any removals

  • merge_targetfilter

If true, the extratargetfilter is copied into ipapermtargetfilter.

primary_key = None
rdn_attribute = ''
reject_system(entry)[source]

Raise if the permission entry has unknown flags, or is a SYSTEM permission

relationships = {'member': ('Member', '', 'no_'), 'memberindirect': ('Indirect Member', None, 'no_indirect_'), 'membermanager': ('Group membership managed by', 'membermanager_', 'not_membermanager_'), 'memberof': ('Member Of', 'in_', 'not_in_'), 'memberofindirect': ('Indirect Member Of', None, 'not_in_indirect_')}
remove_aci(permission_entry)[source]

Remove the ACI corresponding to the given permission entry

Returns

tuple:
  • entry
  • removed ACI string, or None if none existed previously

search_attributes = []
search_attributes_config = None
search_display_attributes = []
summary = 'Permission object.'
takes_params = (Str('cn', cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), pattern=u'^[-_ a-zA-Z0-9.:/]+$', pattern_errmsg=u'May only contain letters, numbers, -, _, ., :, /, and space', primary_key=True), StrEnum('ipapermright*', cli_metavar=u"['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", cli_name='right', doc=Gettext('Rights to grant (read, search, compare, write, add, delete, all)', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Granted rights', domain='ipa', localedir=None), values=[u'read', u'search', u'compare', u'write', u'add', u'delete', u'all']), Str('attrs*', doc=Gettext('All attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission', u'virtual_attribute'], label=Gettext('Effective attributes', domain='ipa', localedir=None)), Str('ipapermincludedattr*', cli_name='includedattrs', doc=Gettext('User-specified attributes to which the permission applies', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Included attributes', domain='ipa', localedir=None)), Str('ipapermexcludedattr*', cli_name='excludedattrs', doc=Gettext('User-specified attributes to which the permission explicitly does not apply', domain='ipa', localedir=None), flags=[u'no_create', u'allow_mod_for_managed_permission'], label=Gettext('Excluded attributes', domain='ipa', localedir=None)), Str('ipapermdefaultattr*', cli_name='defaultattrs', doc=Gettext('Attributes to which the permission applies by default', domain='ipa', localedir=None), flags=[u'no_create', u'no_update'], label=Gettext('Default attributes', domain='ipa', localedir=None)), StrEnum('ipapermbindruletype', autofill=True, cli_metavar=u"['permission', 'all', 'anonymous', 'self']", cli_name='bindtype', default=u'permission', doc=Gettext('Bind rule type', domain='ipa', localedir=None), flags=[u'allow_mod_for_managed_permission'], 
label=Gettext('Bind rule type', domain='ipa', localedir=None), values=[u'permission', u'all', u'anonymous', u'self']), DNOrURL('ipapermlocation?', cli_name='subtree', doc=Gettext('Subtree to apply permissions to', domain='ipa', localedir=None), flags=[u'ask_create'], label=Gettext('Subtree', domain='ipa', localedir=None), normalizer=<lambda>), Str('extratargetfilter*', prevalidate_filter, cli_name='filter', doc=Gettext('Extra target filter', domain='ipa', localedir=None), flags=[u'virtual_attribute'], label=Gettext('Extra target filter', domain='ipa', localedir=None)), Str('ipapermtargetfilter*', prevalidate_filter, cli_name='rawfilter', doc=Gettext('All target filters, including those implied by type and memberof', domain='ipa', localedir=None), label=Gettext('Raw target filter', domain='ipa', localedir=None)), DNParam('ipapermtarget?', cli_name='target', doc=Gettext('Optional DN to apply the permission to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN', domain='ipa', localedir=None)), DNParam('ipapermtargetto?', cli_name='targetto', doc=Gettext('Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Target DN subtree', domain='ipa', localedir=None)), DNParam('ipapermtargetfrom?', cli_name='targetfrom', doc=Gettext('Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)', domain='ipa', localedir=None), label=Gettext('Origin DN subtree', domain='ipa', localedir=None)), Str('memberof*', doc=Gettext('Target members of a group (sets memberOf targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Member of group', domain='ipa', localedir=None)), Str('targetgroup?', doc=Gettext('User group to apply permissions to (sets target)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Target 
group', domain='ipa', localedir=None)), Str('type?', validate_type, doc=Gettext('Type of IPA object (sets subtree and objectClass targetfilter)', domain='ipa', localedir=None), flags=[u'ask_create', u'virtual_attribute'], label=Gettext('Type', domain='ipa', localedir=None)), Str('permissions*', doc=Gettext('Deprecated; use ipapermright', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('filter*', doc=Gettext('Deprecated; use extratargetfilter', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('subtree*', doc=Gettext('Deprecated; use ipapermlocation', domain='ipa', localedir=None), flags=[u'no_option', u'virtual_attribute']), Str('ipapermissiontype+', flags=[u'no_update', u'no_create', u'no_search'], label=Gettext('Permission flags', domain='ipa', localedir=None)), Str('aci', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('ACI', domain='ipa', localedir=None)))
update_aci(permission_entry, old_name=None)[source]

Update the ACI corresponding to the given permission entry

Returns

tuple:
  • entry
  • removed ACI string, or None if none existed previously

upgrade_permission(entry, target_entry=None, output_only=False, cached_acientry=None)[source]

Upgrade the given permission entry to V2, in-place

The entry is only upgraded if it is a plain old-style permission, that is, it has no flags set.

Parameters
  • target_entry – If given, target_entry is filled from information taken from the ACI corresponding to entry. If None, entry itself is filled

  • output_only – If true, the flags & objectclass are not updated to V2. Used for the -find and -show commands.

  • cached_acientry – Optional pre-retrieved entry that contains the existing ACI. If it is None or its DN does not match the location DN, cached_acientry is ignored and the entry is retrieved from LDAP.

uuid_attribute = ''
validate_permission(entry)[source]
version = '1'