Sākums Izpētīt Palīdzība
Pierakstīties
RONCC
/
Big-Data-HPC-Platform
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

HPCC-14823 LDAP OUs can be modified by any user

LDAP OU resources should only be accessed by members of the LDAP Administrators
group. Currently they are created with access to admins and authenticated users

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>
Russ Whitehead 9 gadi atpakaļ
vecāks
91295be1f6
revīzija
03f83d2422
4 mainītis faili ar 13 papildinājumiem un 13 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 1 1
      esp/services/ws_access/ws_accessService.cpp
  2. 8 8
      system/security/LdapSecurity/ldapconnection.cpp
  3. 2 2
      system/security/LdapSecurity/ldapsecurity.ipp
  4. 2 2
      system/security/shared/basesecurity.hpp

+ 1 - 1
esp/services/ws_access/ws_accessService.cpp
Parādīt failu 

@@ -1604,7 +1604,7 @@ bool Cws_accessEx::onResourceAdd(IEspContext &context, IEspResourceAddRequest &r
 
 
             ISecResource* r = rlist->addResource(namebuf.str());
 
             r->setDescription(req.getDescription());
 
-            secmgr->addResourcesEx(rtype, *usr, rlist, PT_DEFAULT, req.getBasedn());
 
+            secmgr->addResourcesEx(rtype, *usr, rlist, PT_ADMINISTRATORS_ONLY, req.getBasedn());
 
 
             if(str2type(req.getRtype()) == RT_FILE_SCOPE && newResources.ordinality())
 
             {

+ 8 - 8
system/security/LdapSecurity/ldapconnection.cpp
Parādīt failu 

@@ -1138,13 +1138,13 @@ public:
 
             {
 
             }
 
         }
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_ADMINISTRATORS_ONLY);
 
 
-        createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_ADMINISTRATORS_ONLY);
 
     }
 
 
     virtual LdapServerType getServerType()
 
@@ -1160,7 +1160,7 @@ public:
 
     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
 
     {
 
         m_ldapconfig->setResourceBasedn(rbasedn, rtype);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_ADMINISTRATORS_ONLY);
 
     }
 
 
     void calcPWExpiry(CDateTime &dt, unsigned len, char * val)
 
@@ -3652,7 +3652,7 @@ public:
 
         
         ISecUser* user = NULL;
 
         CLdapSecResource resource(newname);
 
-        addResource(rtype, *user, &resource, PT_DEFAULT, basedn, sd.get(), false);
 
+        addResource(rtype, *user, &resource, PT_ADMINISTRATORS_ONLY, basedn, sd.get(), false);
 
     }
 
 
     void normalizeDn(const char* dn, StringBuffer& ndn)

+ 2 - 2
system/security/LdapSecurity/ldapsecurity.ipp
Parādīt failu 

@@ -363,8 +363,8 @@ public:
 
     virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources);
 
     virtual bool addResources(ISecUser& sec_user, ISecResourceList * resources);
 
     virtual int getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename);
 
-    virtual bool addResourcesEx(SecResourceType rtype, ISecUser &user, ISecResourceList* resources, SecPermissionType ptype = PT_DEFAULT, const char* basedn = NULL);
 
-    virtual bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_DEFAULT, const char* basedn = NULL);
 
+    virtual bool addResourcesEx(SecResourceType rtype, ISecUser &user, ISecResourceList* resources, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn = NULL);
 
+    virtual bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn = NULL);
 
     virtual bool updateResources(ISecUser& sec_user, ISecResourceList * resources){return false;}
 
     virtual bool addUser(ISecUser & user);
 
     virtual ISecUser * lookupUser(unsigned uid);

+ 2 - 2
system/security/shared/basesecurity.hpp
Parādīt failu 

@@ -184,11 +184,11 @@ public:
 
     {
 
         return true;
 
     }
 
-    bool addResourcesEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * resources, SecPermissionType ptype = PT_DEFAULT, const char* basedn=NULL)
 
+    bool addResourcesEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * resources, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn=NULL)
 
     {
 
         return addResources(sec_user, resources);
 
     }
 
-    bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_DEFAULT, const char* basedn=NULL)
 
+    bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn=NULL)
 
     {
 
         Owned<ISecResourceList> rlist;
 
         rlist.setown(createResourceList("resources"));