[Freeipa-devel] [PATCH] 0044-0045 Add profiles and default CA ACL on migration
Fraser Tweedale
ftweedal at redhat.com
Mon Nov 23 05:54:23 UTC 2015
Hi all,
The attached patches fix #5459[1]: Default CA ACL rule is not
created during ipa-replica-install.
These patches apply on branch ipa-4-2. There is a (trivial)
conflict in imports when applying to master.
I strongly recommend review / testing of these patches with patches
0042-0043[2] due to the prevalence of the other issue.
[1] https://fedorahosted.org/freeipa/ticket/5459
[2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html
Thanks,
Fraser
-------------- next part --------------
From 8c3f2ce4a985e873277b7e84a8b95acca80c0348 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 23 Nov 2015 12:09:32 +1100
Subject: [PATCH 44/45] Do not erroneously reinit NSS in Dogtag interface
The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already
been initialised with the given dbdir.
Part of: https://fedorahosted.org/freeipa/ticket/5459
---
ipapython/dogtag.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 3f0d08154d21a3072e344c311c3e70e414d9dee4..75c34db697ec5f7b1aac771de8517937fa09fbdd 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, nickname,
"""
def connection_factory(host, port):
- conn = nsslib.NSSConnection(host, port, dbdir=secdir,
+ no_init = secdir == nsslib.current_dbdir
+ conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
conn.set_debuglevel(0)
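Review bot: The `no_init` test on the first added line presumes `nsslib.current_dbdir` is cleared again when NSS is shut down; if it is not, a later call with the same secdir would skip initialisation against a closed NSS database and fail in a less obvious way than the SEC_ERROR_BUSY this change avoids. That is worth confirming in nsslib, and the reason for the check lives only in the commit message, so a comment above the assignment would help: `# NSS is already initialised for this dbdir; a second init fails with SEC_ERROR_BUSY`. connection_factory is nested in https_request, whose body begins before the hunk.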
--
2.4.3
-------------- next part --------------
From 2a05260345627e5b636596a715333a20b5631cd1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 23 Nov 2015 14:50:45 +1100
Subject: [PATCH 45/45] Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
---
install/updates/50-dogtag10-migration.update | 1 +
ipalib/plugins/caacl.py | 7 +++++++
ipaserver/install/server/replicainstall.py | 8 ++++++++
ipaserver/install/server/upgrade.py | 28 ++++++++++++++++------------
4 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644
--- a/install/updates/50-dogtag10-migration.update
+++ b/install/updates/50-dogtag10-migration.update
@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
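Review bot: The added `addifexist` line grants the Certificate Manager Agents group read and modify (create/update/delete) on `certServer.profile.configuration`, which widens what an agent credential can do in the CA, and nothing in the hunk records which operation needs it. If the update format accepts comments, a line naming the consumer, presumably the profile import the replica installer runs after restarting Dogtag, would let a later audit judge whether the grant is still required.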
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..77bad38cd7e9f3cf10b7476acc7ac16fc6494bdf 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -307,6 +307,13 @@ class caacl_del(LDAPDelete):
msg_summary = _('Deleted CA ACL "%(value)s"')
+ def pre_callback(self, ldap, dn, *keys, **options):
+ if keys[0] == 'hosts_services_caIPAserviceCert':
+ raise errors.ValidationError(name='name',
+ error=_("Cannot delete the default CA ACL; disable it instead"))
+
+ return dn
+
@register()
class caacl_mod(LDAPUpdate):
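Review bot: The new pre_callback compares `keys[0]` to the literal with a case-sensitive `==`, so if the ACL name is matched case-insensitively by the directory, as a `cn` normally is, a request naming the entry in different case would still delete the default ACL and the guard would not fire; `if keys[0].lower() == u'hosts_services_caipaservicecert':` closes that gap. The same literal is also written out again in the upgrade.py hunk (caacl_add and caacl_add_profile), so a single module-level constant for the default ACL name, shared by both plugins, would keep the two from drifting. caacl_del begins before the hunk.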
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index c1edd3e48d36c8ad62c6a72e988604b59c574c0c..a4eded759cc566ba6747b23e04428c0c16d11007 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -27,6 +27,7 @@ from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance, ntpinstance,
otpdinstance, service)
+from ipaserver.install.server.upgrade import _add_default_caacl
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
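Review bot: The added import takes the underscore-prefixed `_add_default_caacl` out of `upgrade`, so replicainstall now depends on a name that module marks as private. Either give the helper a public name in upgrade.py or move it into cainstance next to `migrate_profiles_to_ldap` and `import_included_profiles`, which the new install code calls immediately before it. It is also worth checking that importing `upgrade` from `replicainstall` does not introduce a cycle between the two server-install modules; that cannot be judged from the hunk.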
@@ -615,6 +616,13 @@ def install(installer):
dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ # must add profiles after Dogtag restart to ensure that
+ # resourceACLS are current
+ service.print_msg("Synchronizing certificate profiles")
+ cainstance.migrate_profiles_to_ldap()
+ cainstance.import_included_profiles()
+ _add_default_caacl()
+
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
dns.install(False, True, options)
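Review bot: `_add_default_caacl()` on the last added line logs an error and returns when it cannot connect to LDAP (see its definition in the upgrade.py hunk), so a replica install would carry on and finish without the default CA ACL, the very condition this commit fixes, with only an error line in the log to show for it. For an installer a hard failure, or at least a `service.print_msg` warning at this call site, seems preferable to the best-effort behaviour that suits the upgrade path. Whether this block runs only when a CA is being set up on the replica is not visible here, since the surrounding indentation is lost and `install` begins and continues outside the hunk; if it is not, the two profile calls would run against a CA that was not installed on this host.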
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c8f744c392c7b859459bda63c1f397226553d4ba..bd56fd070e41f9450c48f7f3b9a095de1a665c60 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1321,22 +1321,26 @@ def add_default_caacl(ca):
return
if ca.is_configured():
- if not api.Backend.ldap2.isconnected():
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
- return
-
- if not api.Command.caacl_find()['result']:
- api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
- hostcategory=u'all', servicecategory=u'all')
- api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
- certprofile=(u'caIPAserviceCert',))
+ _add_default_caacl()
sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+def _add_default_caacl():
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+ return
+
+ if not api.Command.caacl_find()['result']:
+ api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+ hostcategory=u'all', servicecategory=u'all')
+ api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+ certprofile=(u'caIPAserviceCert',))
+
+
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
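Review bot: `_add_default_caacl` is now called from two installers but has no docstring and returns `None` on both the success path and the failed-connection path, so a caller cannot tell whether the ACL is in place; returning `False` from the `except` branch (`return False` in place of the bare `return`) and `return True` at the end would let replicainstall react. The `caacl_find()['result']` test also means "some CA ACL exists", not "the default one exists", which is presumably intentional, to avoid seeding a permissive all-hosts/all-services rule where an administrator already has custom ones, but that intent deserves a comment such as `# only seed the default rule when no CA ACLs exist at all; never override an administrator's own rules`, especially now that the caacl_del guard treats the default as something that should always be present. add_default_caacl starts before the hunk and upgrade_configuration continues after it.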
--
2.4.3