diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update index 0070c308a..cbbf49a08 100644 --- a/install/updates/50-dogtag10-migration.update +++ b/install/updates/50-dogtag10-migration.update 
@@ -14,6 +14,9 @@ addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations -replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml +# new installation +replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the 
domain.xml +# upgraded installation +replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index dbcf5fbd2..9e842b33e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
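Review bot: The description field of both new `replace:` targets still reads "only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml", while the ACL expression now also grants modify to `group="Security Domain Administrators"`; that description is what an auditor sees in Dogtag's ACL listing, so it should name the new grantee, e.g. `...but only Subsystem group, Enterprise Administrators and Security Domain Administrators are allowed to modify the domain.xml`. The grant applies to every member of that group, not only the `ipara` agent the rest of the patch adds to it, which is worth stating in the `# new installation` / `# upgraded installation` comments, e.g. `# grants domain.xml modify to Security Domain Administrators so the RA agent can remove host entries on server-del`. Both `replace:` rules match only the exact prior ACL string, so an installation whose ACL was customised locally silently keeps the old value and the RA agent never gains the right; if that is acceptable, say so in the comment.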
@@ -435,10 +435,9 @@ class CAInstance(DogtagInstance): configure_lightweight_ca_acls) self.step("Ensure lightweight CAs container exists", ensure_lightweight_cas_container) - if self.clone and not promote: - self.step( - "Ensuring backward compatibility", - self.__dogtag10_migration) + self.step( + "Ensuring backward compatibility", + self.__dogtag10_migration) if promote: self.step("destroying installation admin user", self.teardown_admin) @@ -794,6 +793,11 @@ class CAInstance(DogtagInstance): self.basedn) conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + # add ipara user to Security Domain Administrators group + group_dn = DN(('cn', 'Security Domain Administrators'), + ('ou', 'groups'), self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + def __get_ca_chain(self): try: return dogtag.get_ca_certchain(ca_host=self.fqdn) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 6bc63661e..662450f31 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1157,6 +1157,16 @@ def add_default_caacl(ca): sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) +def add_agent_to_security_domain_admins(): + user_dn = DN(('uid', "ipara"), ('ou', 'People'), ('o', 'ipaca')) + group_dn = DN(('cn', 'Security Domain Administrators'), ('ou', 'groups'), + ('o', 'ipaca')) + try: + api.Backend.ldap2.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + except ipalib.errors.AlreadyGroupMember: + pass + + def setup_pkinit(krb): logger.info("[Setup PKINIT]") @@ -1837,6 +1847,7 @@ def upgrade_configuration(): migrate_to_authselect() add_systemd_user_hbac() add_admin_root_alias() + add_agent_to_security_domain_admins() sssd_update() diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index f2dc6e4ab..be2e4bb4e 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
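Review bot: The step label `"Ensuring backward compatibility"` no longer describes when the step runs now that the `if self.clone and not promote:` guard is gone — `__dogtag10_migration` is executed on fresh masters and promoted replicas too, apparently so the new Security Domain Administrators ACL is applied everywhere; the label should say what the step does, e.g. `self.step("Updating Dogtag ACLs", self.__dogtag10_migration)`. On a promoted replica `o=ipaca` is replicated from a master that may already have applied the same `replace:` rules, so this relies on `__dogtag10_migration` being a no-op when the target ACL value is already present; a one-line comment stating that assumption belongs here, since the body of that method is outside this hunk.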
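Review bot: The new `add_entry_to_group` call extends the privileges of the RA agent identity (`ipara`, whose certificate the IPA framework uses for every CA request) to administering the security domain, and the comment should record why that is needed rather than restate the call, e.g. `# server-del removes this host's CA/KRA entries from the security domain via the RA agent; the domainxml ACL grants modify to this group`. The upgrade path in this patch tolerates `AlreadyGroupMember` while this call does not; if this code can run on a replica whose `o=ipaca` already carries the membership from the first master, the installer would abort here, so either catch the same error or add a comment explaining why the membership is guaranteed to be new at this point. The enclosing method starts before this hunk.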
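Review bot: `add_agent_to_security_domain_admins` has no docstring and, unlike its neighbour `setup_pkinit`, emits no `logger.info` line, so the upgrade log leaves no trace that the RA agent was granted security-domain administration — a privilege change that should be recorded. Suggest a docstring stating that it adds `uid=ipara` to `cn=Security Domain Administrators` so that `server-del` can remove host entries from the Dogtag security domain, plus `logger.info('[Adding RA agent to Security Domain Administrators]')` before the LDAP call. The DNs are built from a literal `('o', 'ipaca')` rather than the CA base DN that cainstance.py takes from `self.basedn`; fine if that suffix is fixed, but a shared constant would keep the two in step.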
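Review bot: `add_agent_to_security_domain_admins()` is called unconditionally next to `add_admin_root_alias()`, yet it writes into `o=ipaca`, which exists only on servers with a CA installed; on a CA-less replica the group lookup would presumably fail with `NotFound` (only `AlreadyGroupMember` is caught) and abort `upgrade_configuration`. Unless the call already sits inside a CA-gated block that this hunk does not show, guard it the way the CA-specific steps around `add_default_caacl(ca)` are, e.g. `if ca.is_configured(): add_agent_to_security_domain_admins()`, or catch `ipalib.errors.NotFound` inside the helper and log that no CA is present. The rest of `upgrade_configuration` is outside the hunk.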
@@ -2117,3 +2117,23 @@ class ra_lightweight_ca(RestClient): def delete_ca(self, ca_id): self._ssldo('DELETE', ca_id) + + +@register() +class ra_securitydomain(RestClient): + """ + Security domain management backend plugin. + + Dogtag handles the creation of securitydomain entries + we need to clean them up when an IPA server is removed. + """ + path = 'securityDomain/hosts' + + def delete_domain(self, hostname, type): + """ + Delete a security domain + """ + self._ssldo( + 'DELETE', f'{type}%20{hostname}%20443', + headers={'Accept': 'application/json'} + ) diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index 5fa7a58bd..8fab5d1d6 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py @@ -756,6 +756,18 @@ class server_del(LDAPDelete): pkey, ignore_last_of_role=options.get('ignore_last_of_role', False) ) + if self.api.Command.ca_is_enabled()['result']: + try: + with self.api.Backend.ra_securitydomain as domain_api: + domain_api.delete_domain(pkey, 'KRA') + domain_api.delete_domain(pkey, 'CA') + except Exception as e: + self.add_message(messages.ServerRemovalWarning( + message=_( + "Failed to remove server from security domain: %s" % e + )) + ) + # remove the references to master's ldap/http principals self._remove_server_principal_references(pkey)
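Review bot: `delete_domain` splices `type` and `hostname` directly into the request path with hand-written `%20` separators, so any character in the hostname that is meaningful in a URL (`/`, `?`, `#`, `%`) changes which resource the DELETE addresses; build the segment with `urllib.parse.quote(f'{type} {hostname} 443', safe='')` and pass that to `_ssldo` instead. The docstring `Delete a security domain` overstates what happens — the call removes a single `<type> <hostname> 443` host entry from the domain — so the docstring (and ideally the name, e.g. `delete_host`) should say `Remove the given subsystem's host entry for hostname from the security domain`. `type` shadows the builtin and `subsystem` would read better, and the hard-coded `443` deserves a comment noting that it must match the port under which Dogtag registered the host.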
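Review bot: The KRA entry is deleted before the CA entry inside one `try`, so on any server without a KRA the first call fails, the `except` emits a warning and the CA host entry is never removed — the common case defeats the cleanup, and the broad `except Exception` hides which step failed. Each subsystem should be attempted independently, and the warning should be formatted after `_()` is applied, since `_("... %s" % e)` interpolates before the translation lookup and can never match a catalog entry. The enclosing method continues outside the hunk.

```python
        if self.api.Command.ca_is_enabled()['result']:
            try:
                with self.api.Backend.ra_securitydomain as domain_api:
                    # A server need not host every subsystem; attempt each
                    # entry separately so a missing KRA entry does not stop
                    # removal of the CA entry.
                    for subsystem in ('KRA', 'CA'):
                        try:
                            domain_api.delete_domain(pkey, subsystem)
                        except Exception as e:
                            self.add_message(messages.ServerRemovalWarning(
                                message=_(
                                    "Failed to remove %(subsystem)s entry for "
                                    "server from security domain: %(error)s"
                                ) % {'subsystem': subsystem, 'error': e}
                            ))
            except Exception as e:
                self.add_message(messages.ServerRemovalWarning(
                    message=_("Failed to connect to security domain: %s") % e
                ))
        # … unchanged: _remove_server_principal_references(pkey) …
```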