Kerberos Realm
Resource Administration subfunctions for Kerberos Realm Administration.
This may not be the only step to manage a Kerberos Realm in your environment. You may also have to refresh the REALM class to enact these changes. Please consult RACF documentation and manuals for an understanding of the REALM class.
ResourceAdmin.add_kerberos_realm()
def add_kerberos_realm(self, kerberos_realm_name: str, traits: dict = {}) -> Union[dict, bytes]:
📄 Description
Only a subset of available Segments and Traits are considered Stable. See Segments and Traits for more details.
Define a new Kerberos Realm profile in the REALM class.
📥 Parameters
- kerberos_realm_name
  The name of the Kerberos Realm profile being defined to the REALM class.
- traits
  A dictionary of traits/attributes that should be given to the resource on creation. See Traits for all of the valid Resource Traits.
📤 Returns
Union[dict, bytes]
Returns a Security Result dictionary or Security Request XML bytes if the ResourceAdmin.generate_requests_only class attribute is set to True.
❌ Raises
- SecurityRequestError
  Raises SecurityRequestError when the SAF Return Code of a Security Result is equal to 4.
- DownstreamFatalError
  Raises DownstreamFatalError when the SAF Return Code of a Security Result is greater than 4.
- AddOperationError
  Raises AddOperationError when the general resource profile cannot be added because it already exists.
- SegmentTraitError
  Raises SegmentTraitError when the dictionary of traits/attributes provided contains one or more unknown traits.
💻 Example
Python REPL
>>> from pyracf import ResourceAdmin
>>> resource_admin = ResourceAdmin()
>>> resource_admin.add_kerberos_realm("TSTREALM")
{'securityResult': {'resource': {'name': 'TSTREALM', 'class': 'REALM', 'operation': 'set', 'requestId': 'ResourceRequest', 'commands': [{'safReturnCode': 0, 'returnCode': 0, 'reasonCode': 0, 'image': 'RDEFINE REALM (TSTREALM) ', 'messages': ['ICH10006I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE ADDITION(S) UNTIL A SETROPTS REFRESH IS ISSUED.']}]}, 'returnCode': 0, 'reasonCode': 0, 'runningUserid': 'testuser'}}
Security Result Dictionary as JSON
{
  "securityResult": {
    "resource": {
      "name": "TSTREALM",
      "class": "REALM",
      "operation": "set",
      "requestId": "ResourceRequest",
      "commands": [
        {
          "safReturnCode": 0,
          "returnCode": 0,
          "reasonCode": 0,
          "image": "RDEFINE REALM (TSTREALM) ",
          "messages": [
            "ICH10006I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE ADDITION(S) UNTIL A SETROPTS REFRESH IS ISSUED."
          ]
        }
      ]
    },
    "returnCode": 0,
    "reasonCode": 0
  }
}
ResourceAdmin.alter_kerberos_realm()
def alter_kerberos_realm(self, kerberos_realm_name: str, traits: dict = {}) -> Union[dict, bytes]:
📄 Description
Only a subset of available Segments and Traits are considered Stable. See Segments and Traits for more details.
Alter operations in pyracf require READ access to IRR.IRRSMO00.PRECHECK in the XFACILIT class. This function will not produce output unless the user running the command has this access.
Alter an existing Kerberos Realm profile in the REALM class.
📥 Parameters
- kerberos_realm_name
  The name of the Kerberos Realm profile being defined to the REALM class.
- traits
  A dictionary of traits/attributes that should be given to the resource. See Traits for all of the valid Resource Traits.
📤 Returns
Union[dict, bytes]
Returns a Security Result dictionary or Security Request XML bytes if the ResourceAdmin.generate_requests_only class attribute is set to True.
❌ Raises
- SecurityRequestError
  Raises SecurityRequestError when the SAF Return Code of a Security Result is equal to 4.
- DownstreamFatalError
  Raises DownstreamFatalError when the SAF Return Code of a Security Result is greater than 4.
- AlterOperationError
  Raises AlterOperationError when the z/OS userid supplied cannot be altered because it does NOT exist.
- SegmentTraitError
  Raises SegmentTraitError when the dictionary of traits/attributes provided contains one or more unknown traits.
💻 Example
Python REPL
>>> from pyracf import ResourceAdmin
>>> resource_admin = ResourceAdmin()
>>> resource_admin.alter_kerberos_realm("TSTREALM", traits={"kerb:encryption_algorithms": "AES128"})
{'securityResult': {'resource': {'name': 'TSTREALM', 'class': 'REALM', 'operation': 'set', 'requestId': 'ResourceRequest', 'info': ['Definition exists. Add command skipped due to precheck option'], 'commands': [{'safReturnCode': 0, 'returnCode': 0, 'reasonCode': 0, 'image': 'RALTER REALM (TSTREALM) KERB (ENCRYPT (AES128))', 'messages': ['ICH11009I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE UPDATE(S) UNTIL A SETROPTS REFRESH IS ISSUED.']}]}, 'returnCode': 0, 'reasonCode': 0, 'runningUserid': 'testuser'}}
Security Result Dictionary as JSON
{
  "securityResult": {
    "resource": {
      "name": "TSTREALM",
      "class": "REALM",
      "operation": "set",
      "requestId": "ResourceRequest",
      "info": [
        "Definition exists. Add command skipped due to precheck option"
      ],
      "commands": [
        {
          "safReturnCode": 0,
          "returnCode": 0,
          "reasonCode": 0,
          "image": "RALTER REALM (TSTREALM) KERB (ENCRYPT (AES128))",
          "messages": [
            "ICH11009I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE UPDATE(S) UNTIL A SETROPTS REFRESH IS ISSUED."
          ]
        }
      ]
    },
    "returnCode": 0,
    "reasonCode": 0
  }
}
ResourceAdmin.extract_kerberos_realm()
def extract_kerberos_realm(self, kerberos_realm_name: str) -> Union[dict, bytes]:
📄 Description
Extract an existing Kerberos Realm profile in the REALM class.
📥 Parameters
kerberos_realm_name
The name of the Kerberos Realm profile being defined to the REALM class.
📤 Returns
Union[dict, bytes]
Returns a Trait dictionary of the values of the traits extracted from the KERB segment of the Resource Profile or Security Request XML bytes if the ResourceAdmin.generate_requests_only class attribute is set to True.
❌ Raises
- SecurityRequestError
  Raises SecurityRequestError when the SAF Return Code of a Security Result is equal to 4.
- DownstreamFatalError
  Raises DownstreamFatalError when the SAF Return Code of a Security Result is greater than 4.
💻 Example
Python REPL
>>> from pyracf import ResourceAdmin
>>> resource_admin = ResourceAdmin()
>>> resource_admin.extract_kerberos_realm("TSTTSKEL")
{'user': None, 'group': None, 'trusted': 'yes', 'privileged': None, 'trace': None}
Trait Dictionary as JSON
{
  "user": null,
  "group": null,
  "trusted": "yes",
  "privileged": null,
  "trace": null
}
ResourceAdmin.delete_kerberos_realm()
def delete_kerberos_realm(self, kerberos_realm_name: str) -> Union[dict, bytes]:
📄 Description
Delete an existing Kerberos Realm profile in the REALM class.
📥 Parameters
kerberos_realm_name
The name of the Kerberos Realm profile being defined to the REALM class.
📤 Returns
Union[dict, bytes]
Returns a Security Result dictionary or Security Request XML bytes if the ResourceAdmin.generate_requests_only class attribute is set to True.
❌ Raises
- SecurityRequestError
  Raises SecurityRequestError when the SAF Return Code of a Security Result is equal to 4.
- DownstreamFatalError
  Raises DownstreamFatalError when the SAF Return Code of a Security Result is greater than 4.
💻 Example
Python REPL
>>> from pyracf import ResourceAdmin
>>> resource_admin = ResourceAdmin()
>>> resource_admin.delete_kerberos_realm("TSTREALM")
{'securityResult': {'resource': {'name': 'TSTREALM', 'class': 'REALM', 'operation': 'del', 'requestId': 'ResourceRequest', 'commands': [{'safReturnCode': 0, 'returnCode': 0, 'reasonCode': 0, 'image': 'RDELETE REALM (TSTREALM) ', 'messages': ['ICH12002I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE DELETION(S) UNTIL A SETROPTS REFRESH IS ISSUED.']}]}, 'returnCode': 0, 'reasonCode': 0, 'runningUserid': 'testuser'}}
Security Result Dictionary as JSON
{
  "securityResult": {
    "resource": {
      "name": "TSTREALM",
      "class": "REALM",
      "operation": "del",
      "requestId": "ResourceRequest",
      "commands": [
        {
          "safReturnCode": 0,
          "returnCode": 0,
          "reasonCode": 0,
          "image": "RDELETE REALM (TSTREALM) ",
          "messages": [
            "ICH12002I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE DELETION(S) UNTIL A SETROPTS REFRESH IS ISSUED."
          ]
        }
      ]
    },
    "returnCode": 0,
    "reasonCode": 0
  }
}
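The add, alter and delete results above all carry a message saying the RACLISTed REALM profiles will not reflect the change until a SETROPTS REFRESH is issued, so a change that returned SAF Return Code 0 may still not be in effect. The following added example (not part of pyracf or its documentation) scans Security Result dictionaries for those messages and reports which classes still need a refresh; the function names `pending_refreshes`, `classes_needing_refresh` and `build_result` are hypothetical, and the sample results are rebuilt from the examples on this page.

```python
import re

# Matches the ICH10006I / ICH11009I / ICH12002I messages shown on this page.
REFRESH_RE = re.compile(
    r"^(ICH\d+I) RACLISTED PROFILES FOR (\S+) WILL NOT REFLECT THE "
    r"(\w+)\(S\) UNTIL A SETROPTS REFRESH IS ISSUED\.$"
)


def pending_refreshes(security_result: dict) -> list:
    """List the successful commands whose change is not active yet."""
    resource = security_result["securityResult"]["resource"]
    pending = []
    for command in resource.get("commands", []):
        if command.get("safReturnCode") != 0:
            continue  # only report commands that completed with SAF RC 0
        for message in command.get("messages", []):
            match = REFRESH_RE.match(message)
            if match:
                pending.append({
                    "profile": resource["name"],
                    "class": match.group(2),
                    "change": match.group(3).lower(),
                    "message_id": match.group(1),
                    "command": command["image"].strip(),
                })
    return pending


def classes_needing_refresh(security_results: list) -> list:
    """Distinct RACF classes that still need a SETROPTS REFRESH, sorted."""
    return sorted({p["class"] for r in security_results for p in pending_refreshes(r)})


def build_result(operation: str, image: str, message: str) -> dict:
    # Rebuilds the Security Result shape shown in the examples on this page.
    command = {"safReturnCode": 0, "returnCode": 0, "reasonCode": 0,
               "image": image, "messages": [message]}
    return {"securityResult": {"resource": {
        "name": "TSTREALM", "class": "REALM", "operation": operation,
        "requestId": "ResourceRequest", "commands": [command]},
        "returnCode": 0, "reasonCode": 0}}


TAIL = "UNTIL A SETROPTS REFRESH IS ISSUED."
SAMPLE_ADD_RESULT = build_result("set", "RDEFINE REALM (TSTREALM) ", "ICH10006I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE ADDITION(S) " + TAIL)
SAMPLE_ALTER_RESULT = build_result("set", "RALTER REALM (TSTREALM) KERB (ENCRYPT (AES128))", "ICH11009I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE UPDATE(S) " + TAIL)
SAMPLE_DELETE_RESULT = build_result("del", "RDELETE REALM (TSTREALM) ", "ICH12002I RACLISTED PROFILES FOR REALM WILL NOT REFLECT THE DELETION(S) " + TAIL)

if __name__ == "__main__":
    for result in (SAMPLE_ADD_RESULT, SAMPLE_ALTER_RESULT, SAMPLE_DELETE_RESULT):
        print(pending_refreshes(result))
```

In an automation pipeline, collect the result of every pyracf call and run `classes_needing_refresh` once at the end, so the refresh is issued a single time after all profile changes.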