# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib.plugins.baseldap import *
from ipalib import api, Str, _, ngettext
from ipalib import Command
from ipalib.plugins import privilege
A role is used for fine-grained delegation. A permission grants the ability
to perform given low-level tasks (add a user, modify a group, etc.). A
privilege combines one or more permissions into a higher-level abstraction
such as useradmin. A useradmin would be able to add, delete and modify users.
Privileges are assigned to Roles.
Users, groups, hosts and hostgroups may be members of a Role.
Roles cannot contain other roles.
ipa role-add --desc="Junior-level admin" junioradmin
Add some privileges to this role:
ipa role-add-privilege --privileges=addusers junioradmin
ipa role-add-privilege --privileges=change_password junioradmin
ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
Add a group of users to this role:
ipa group-add --desc="User admins" useradmins
ipa role-add-member --groups=useradmins junioradmin
Display information about a role:
ipa role-show junioradmin
The result of this is that any users in the group 'useradmins' can
add users, reset passwords or add a user to the default IPA user group.
class role(LDAPObject):
container_dn = api.env.container_rolegroup
object_name = _('role')
object_name_plural = _('roles')
object_class = ['groupofnames', 'nestedgroup']
default_attributes = ['cn', 'description', 'member', 'memberof',
'memberindirect', 'memberofindirect',
'member': ['user', 'group', 'host', 'hostgroup'],
'memberof': ['privilege'],
'member': ['privilege'],
label_singular = _('Role')
label=_('Description'),
doc=_('A description of this role-group'),
class role_add(LDAPCreate):
    # Command plugin behind `ipa role-add` (see the module examples above).
    # Nothing role-specific lives here: the body only sets user-facing strings,
    # so entry creation, input validation and any access checks are whatever
    # LDAPCreate (ipalib.plugins.baseldap) provides for the `role` LDAPObject
    # declared at the top of this file.
    __doc__ = _('Add a new role.')

    # Summary line printed after a successful add. The %(value)s placeholder
    # is presumably filled with the new role's primary key — confirm in
    # baseldap before relying on it.
    msg_summary = _('Added role "%(value)s"')
105
api.register(role_add)  # make the role-add command available through the API
108
class role_del(LDAPDelete):
    # Command plugin behind `ipa role-del`. Only strings are set here; the
    # deletion itself is inherited from LDAPDelete (ipalib.plugins.baseldap).
    # NOTE(review): per the module description, privileges reach users only
    # through roles, so deleting a role withdraws that delegation from every
    # member at once — check LDAPDelete for whether a confirmation is required.
    __doc__ = _('Delete a role.')

    # Summary line printed after a successful delete; %(value)s is presumably
    # the deleted role's primary key — confirm in baseldap.
    msg_summary = _('Deleted role "%(value)s"')
113
api.register(role_del)  # make the role-del command available through the API
116
class role_mod(LDAPUpdate):
    # Command plugin behind `ipa role-mod`. Only strings are set here; which
    # attributes may be modified and how the update is applied is inherited
    # from LDAPUpdate (ipalib.plugins.baseldap) acting on the `role` object.
    __doc__ = _('Modify a role.')

    # Summary line printed after a successful update; %(value)s is presumably
    # the modified role's primary key — confirm in baseldap.
    msg_summary = _('Modified role "%(value)s"')
121
api.register(role_mod)  # make the role-mod command available through the API
124
class role_find(LDAPSearch):
125
__doc__ = _('Search for roles.')
127
msg_summary = ngettext(
128
'%(count)d role matched', '%(count)d roles matched', 0
131
api.register(role_find)
134
class role_show(LDAPRetrieve):
    # Command plugin behind `ipa role-show` (see the module examples above).
    # Read-only: the body only sets the doc string, so the lookup and the set
    # of attributes returned are inherited from LDAPRetrieve
    # (ipalib.plugins.baseldap) and the `role` object's default_attributes.
    __doc__ = _('Display information about a role.')
137
api.register(role_show)  # make the role-show command available through the API
140
class role_add_member(LDAPAddMember):
    # Command plugin behind `ipa role-add-member`. The `role` object near the
    # top of this file lists user, group, host and hostgroup as the member
    # types; the add logic itself comes from LDAPAddMember
    # (ipalib.plugins.baseldap).
    # NOTE(review): per the module description, a member of a role receives
    # every privilege assigned to that role, so this command effectively grants
    # delegated admin rights — authorization for it is whatever the base class
    # enforces, nothing is added here.
    __doc__ = _('Add members to a role.')
143
api.register(role_add_member)  # make the role-add-member command available through the API
146
class role_remove_member(LDAPRemoveMember):
    # Command plugin behind `ipa role-remove-member`; the inverse of
    # role_add_member. Only the doc string is set here — removal is inherited
    # from LDAPRemoveMember (ipalib.plugins.baseldap) for the member types the
    # `role` object declares (user, group, host, hostgroup).
    __doc__ = _('Remove members from a role.')
149
api.register(role_remove_member)  # make the role-remove-member command available through the API
152
class role_add_privilege(LDAPAddReverseMember):
153
__doc__ = _('Add privileges to a role.')
155
show_command = 'role_show'
156
member_command = 'privilege_add_member'
157
reverse_attr = 'privilege'
161
output.Entry('result'),
162
output.Output('failed',
164
doc=_('Members that could not be added'),
166
output.Output('completed',
168
doc=_('Number of privileges added'),
172
api.register(role_add_privilege)
175
class role_remove_privilege(LDAPRemoveReverseMember):
176
__doc__ = _('Remove privileges from a role.')
178
show_command = 'role_show'
179
member_command = 'privilege_remove_member'
180
reverse_attr = 'privilege'
184
output.Entry('result'),
185
output.Output('failed',
187
doc=_('Members that could not be added'),
189
output.Output('completed',
191
doc=_('Number of privileges removed'),
195
api.register(role_remove_privilege)