mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
db69855646
PKI has its own internal knowledge of servers and services in its securitydomain. This has not been cleaned up in the past but is becoming more of an issue as PKI now relies on its securitydomain for more things, and it has a healthcheck that reports inconsistencies. Removing entries is straightforward using the PKI REST API. In order to operate on the API access is needed. There was an unused Security Domain Administrators group that I've added to the resourceACLS we created for managing the securitydomain. The ipara user is added as a member of this group. The REST API binds to the CA using the IPA RA certificate. Related commits areb3c2197b7e
andba4df6449a
. These resourceACLS were originally created as a backwards compatibility mechanism for dogtag v9 and later only created when a replica was installed purportedly to save a restart. I don't see any reason to not have these defined. They are apparently needed due to the PKI database upgrade issues. In any case if the purpose was to suppress these ACLS it failed because as soon as a replica with a CA was installed they were as well, and we need this ACL in order to manage the securitydomain. https://pagure.io/freeipa/issue/8930 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
23 lines
3.6 KiB
Plaintext
23 lines
3.6 KiB
Plaintext
# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
|
|
# based replica is being installed from a Dogtag 9 based replica,
|
|
# the database will miss ACLs added in Dogtag 10 resulting in limited
|
|
# functionality.
|
|
#
|
|
# This update file can be removed when Dogtag database upgrades are done
|
|
# in PKI component. Upstream tickets:
|
|
# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
|
|
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
|
|
|
|
dn: cn=aclResources,o=ipaca
|
|
addifexist:resourceACLS:certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
|
|
addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
|
|
addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
|
|
addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
|
|
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
|
|
# new installation
|
|
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
|
|
# upgraded installation
|
|
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
|
|
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
|
|
addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
|