univention.admin.authorization package

Authorization for UDM access.

class univention.admin.authorization.Authorization

Bases: object

Check authorization via access control lists

global_enabled = False

engine = None

get_privileged_connection()

classmethod enable(get_privileged_connection)

Enables ACL checking globally if the running service supports it

classmethod inject_ldap_connection(user_connection, metadata=None)

Extends the user connection to get admin powers and store metadata per connection

classmethod get_authz_connection(lo)

property lo

classmethod clear_caches()

is_receive_allowed(obj, raise_exception=True)

filter_object_properties(obj)

filter_search_results_dn(lo, results)

filter_search_results_attrs(lo, results)

filter_search_results(lo, results)

is_create_allowed(obj, raise_exception=True)

is_modify_allowed(obj, raise_exception=True)

is_rename_allowed(obj, raise_exception=True)

is_move_allowed(obj, dest, raise_exception=True)

is_remove_allowed(obj, raise_exception=True)

object_exists(obj)

is_report_create_allowed(lo, module, report_type, raise_exception=True)

Submodules

univention.admin.authorization.config module

A domain specific language (DSL) for UDM access rules inspired by LDAP ACLs realized with extended BNF grammar and a LALR (Look-Ahead Left <- Right) Parser.

univention.admin.authorization.config.UDM_DSL_GRAMMAR = '\nstart: statement+\n\nstatement: condition | access_block\n\ncondition: "condition" QUOTED_STRING condition_line param_line?\n\ncondition_line: "condition=" QUOTED_STRING\nparam_line: "parameters" kvpair+\n\naccess_block: "access" by_line+ to_line*\n\nBY_KEY: "role" | "description"\nby_line: "by" by_kvpair+\nby_kvpair: NAME "=" value -> by_kvpair\n\nTO_KEY: "objecttype" | "if" | "position" | "name" | "description"\nto_line: "to" to_kvlistpair+ grant_line*\nto_kvlistpair: NAME "=" valuelist -> to_kvlistpair\n\nGRANT_KEY: "actions" | "properties" | "permission" | "values"\ngrant_line: "grant" grant_kvlistpair+\ngrant_kvlistpair: NAME "=" valuelist -> grant_kvlistpair\n\nkvpair: NAME "=" value\nvalue: QUOTED_STRING | NAME\n\nvaluelist: QUOTED_STRING | list | NAME\n\nlist: "[" [QUOTED_STRING ("," QUOTED_STRING)*] "]"\n\nNAME: /[a-zA-Z_][\\w\\/\\-.,\\/]*/\n%import common.ESCAPED_STRING -> QUOTED_STRING\n%import common.WS\n%ignore WS\n%ignore /#.*/  // Kommentare\n'

by_kvpair: BY_KEY “=” value -> by_kvpair to_kvlistpair: TO_KEY “=” valuelist -> to_kvlistpair grant_kvlistpair: GRANT_KEY “=” valuelist -> grant_kvlistpair

exception univention.admin.authorization.config.DSLSyntaxError

Bases: SyntaxError

class univention.admin.authorization.config.UDMAuthorizationConfig(filename, *, strict=False)

Bases: object

UDM specific DSL

parse()

compose()

to_yaml()