When a Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and is missing several ACLs
which prevent some of the PKI functions, e.g. the ability to create
other clones.

Add an update file to do the database update. The content is based on a
recommendation from the PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in the PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
   * https://fedorahosted.org/pki/ticket/906 (checking database version)

https://fedorahosted.org/freeipa/ticket/4243

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 4921d8af9814e36efeca79cbee1e3f03dcc9e915 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 13 Mar 2014 08:25:11 +0100
Subject: [PATCH] Update Dogtag 9 database during replica installation

When a Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and is missing several ACLs
which prevent some of the PKI functions, e.g. the ability to create
other clones.

Add an update file to do the database update. The content is based on a
recommendation from the PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in the PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
   * https://fedorahosted.org/pki/ticket/906 (checking database version)

https://fedorahosted.org/freeipa/ticket/4243
---
 install/updates/50-dogtag10-migration.update | 18 ++++++++++++++++++
 install/updates/Makefile.am                  |  1 +
 2 files changed, 19 insertions(+)
 create mode 100644 install/updates/50-dogtag10-migration.update

diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
new file mode 100644
index 0000000000000000000000000000000000000000..d718923544f0cb00f61b7b56940695e3891c4780
--- /dev/null
+++ b/install/updates/50-dogtag10-migration.update
@@ -0,0 +1,18 @@
+# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
+# based replica is being installed from a Dogtag 9 based replica,
+# the database will miss ACLs added in Dogtag 10 resulting in limited
+# functionality.
+#
+# This update file can be removed when Dogtag database upgrades are done
+# in PKI component. Upstream tickets:
+#    * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
+#    * https://fedorahosted.org/pki/ticket/906 (checking database version)
+
+dn: cn=aclResources,o=ipaca
+addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
+addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
+addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
+addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
+addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
+replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
+replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
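Review bot: the two `replace:resourceACLS:'<old>::<new>'` directives at the end of the file only take effect when the stored value matches `<old>` byte for byte, so a Dogtag 9 master whose `certServer.securitydomain.domainxml` or `certServer.ca.connectorInfo` string differs even in whitespace or wording is left unchanged without any error, which silently defeats the point of this update; please confirm both `<old>` strings against a real Dogtag 9 `cn=aclResources,o=ipaca` entry and note in the header comment where they were taken from. Both replacements also widen write access (the Enterprise *Administrators groups gain modify on domain.xml, Subsystem Group gains modify on connectorInfo), so the header comment should say this is a deliberate alignment with the Dogtag 10 defaults rather than just "missing ACLs". Since `o=ipaca` exists only on servers with a CA, please also confirm the `replace:` lines are a no-op when the entry is absent, as `addifexist:` is by design, rather than causing the updater to create an `aclResources` entry on CA-less servers. Minor: "it's database" should be "its database", and the comment says "from a Dogtag 9 based replica" while the commit message says "master"; one wording for both would help.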
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 40c3b3c8916faa267254a29d0f458ca53201950c..fb73c410dbcd1978c3a5deeb184dc10cdba866ae 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -36,6 +36,7 @@ app_DATA =				\
 	40-otp.update			\
 	45-roles.update			\
 	50-7_bit_check.update	        \
+	50-dogtag10-migration.update	\
 	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
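Review bot: nothing in this patch touches the spec file, so please confirm that freeipa.spec.in installs the contents of install/updates via a wildcard; otherwise the new 50-dogtag10-migration.update listed here will be built but never packaged, and ipa-ldap-updater will not see it on upgraded servers. Placing it between 50-7_bit_check.update and 50-lockout-policy.update is fine since the surrounding 50-* entries are not strictly alphabetical anyway, but please align the trailing backslash with tabs like the other lines (the 50-7_bit_check.update line directly above mixes a tab with spaces, so it is worth checking the new line does not copy that).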
-- 
1.8.5.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
