Página inicial Explorar Ajuda
Entrar
RONCC
/
Big-Data-HPC-Platform
Observar 1
Favorito 0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

HPCC-14823 LDAP OUs can be modified by any user

LDAP OU resources should only be accessed by members of the LDAP Administrators
group. Currently they are created with access to admins and authenticated users

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>
Russ Whitehead 9 anos atrás
pai
91295be1f6
commit
03f83d2422
4 arquivos alterados com 13 adições e 13 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 1 1
      esp/services/ws_access/ws_accessService.cpp
  2. 8 8
      system/security/LdapSecurity/ldapconnection.cpp
  3. 2 2
      system/security/LdapSecurity/ldapsecurity.ipp
  4. 2 2
      system/security/shared/basesecurity.hpp

+ 1 - 1
esp/services/ws_access/ws_accessService.cpp
Ver arquivo 

@@ -1604,7 +1604,7 @@ bool Cws_accessEx::onResourceAdd(IEspContext &context, IEspResourceAddRequest &r
 
 
             ISecResource* r = rlist->addResource(namebuf.str());
 
             r->setDescription(req.getDescription());
 
-            secmgr->addResourcesEx(rtype, *usr, rlist, PT_DEFAULT, req.getBasedn());
 
+            secmgr->addResourcesEx(rtype, *usr, rlist, PT_ADMINISTRATORS_ONLY, req.getBasedn());
 
 
             if(str2type(req.getRtype()) == RT_FILE_SCOPE && newResources.ordinality())
 
             {

+ 8 - 8
system/security/LdapSecurity/ldapconnection.cpp
Ver arquivo 

@@ -1138,13 +1138,13 @@ public:
 
             {
 
             }
 
         }
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_ADMINISTRATORS_ONLY);
 
 
-        createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_DEFAULT);
 
-        createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_ADMINISTRATORS_ONLY);
 
+        createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_ADMINISTRATORS_ONLY);
 
     }
 
 
     virtual LdapServerType getServerType()
 
@@ -1160,7 +1160,7 @@ public:
 
     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
 
     {
 
         m_ldapconfig->setResourceBasedn(rbasedn, rtype);
 
-        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_DEFAULT);
 
+        createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_ADMINISTRATORS_ONLY);
 
     }
 
 
     void calcPWExpiry(CDateTime &dt, unsigned len, char * val)
 
@@ -3652,7 +3652,7 @@ public:
 
         
         ISecUser* user = NULL;
 
         CLdapSecResource resource(newname);
 
-        addResource(rtype, *user, &resource, PT_DEFAULT, basedn, sd.get(), false);
 
+        addResource(rtype, *user, &resource, PT_ADMINISTRATORS_ONLY, basedn, sd.get(), false);
 
     }
 
 
     void normalizeDn(const char* dn, StringBuffer& ndn)

+ 2 - 2
system/security/LdapSecurity/ldapsecurity.ipp
Ver arquivo 

@@ -363,8 +363,8 @@ public:
 
     virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources);
 
     virtual bool addResources(ISecUser& sec_user, ISecResourceList * resources);
 
     virtual int getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename);
 
-    virtual bool addResourcesEx(SecResourceType rtype, ISecUser &user, ISecResourceList* resources, SecPermissionType ptype = PT_DEFAULT, const char* basedn = NULL);
 
-    virtual bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_DEFAULT, const char* basedn = NULL);
 
+    virtual bool addResourcesEx(SecResourceType rtype, ISecUser &user, ISecResourceList* resources, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn = NULL);
 
+    virtual bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn = NULL);
 
     virtual bool updateResources(ISecUser& sec_user, ISecResourceList * resources){return false;}
 
     virtual bool addUser(ISecUser & user);
 
     virtual ISecUser * lookupUser(unsigned uid);

+ 2 - 2
system/security/shared/basesecurity.hpp
Ver arquivo 

@@ -184,11 +184,11 @@ public:
 
     {
 
         return true;
 
     }
 
-    bool addResourcesEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * resources, SecPermissionType ptype = PT_DEFAULT, const char* basedn=NULL)
 
+    bool addResourcesEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * resources, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn=NULL)
 
     {
 
         return addResources(sec_user, resources);
 
     }
 
-    bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_DEFAULT, const char* basedn=NULL)
 
+    bool addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype = PT_ADMINISTRATORS_ONLY, const char* basedn=NULL)
 
     {
 
         Owned<ISecResourceList> rlist;
 
         rlist.setown(createResourceList("resources"));