From 78eaf8b944f1b8f177aedabeaaeaa72c1dc4091e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 14 Sep 2015 07:56:44 +0200 Subject: [PATCH] install: support KRA update https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik --- freeipa.spec.in | 1 - install/share/Makefile.am | 2 +- install/share/vault.ldif | 29 +++++++++++++++++++++++++++++ install/share/vault.update | 38 -------------------------------------- install/updates/40-vault.update | 23 +++++++++++++++++++++++ install/updates/Makefile.am | 1 + ipaplatform/base/paths.py | 1 - ipaserver/install/krainstance.py | 7 ++++++- 8 files changed, 60 insertions(+), 42 deletions(-) create mode 100644 install/share/vault.ldif delete mode 100644 install/share/vault.update create mode 100644 install/updates/40-vault.update diff --git a/freeipa.spec.in b/freeipa.spec.in index e9ba596fec1f8d179d4f834485e35a4814db898d..d8e24a5af47fbfca89ccb9c3d07dcfca5a8073d9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -746,7 +746,6 @@ fi %{_usr}/share/ipa/copy-schema-to-ca.py* %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif -%{_usr}/share/ipa/*.update %{_usr}/share/ipa/*.template %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 80e959a751a0800c4d56c379a73b68a2f12570d7..d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -83,7 +83,7 @@ app_DATA = \ copy-schema-to-ca.py \ sasl-mapping-fallback.ldif \ schema-update.ldif \ - vault.update \ + vault.ldif \ kdcproxy.conf \ kdcproxy-enable.uldif \ kdcproxy-disable.uldif \ diff --git a/install/share/vault.ldif b/install/share/vault.ldif new file mode 100644 index 0000000000000000000000000000000000000000..06dd83c5c45bd3143b8374965b9a02d311afdb42 --- /dev/null +++ b/install/share/vault.ldif @@ -0,0 +1,29 @@ +dn: cn=kra,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: kra + +dn: cn=vaults,cn=kra,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaVaultContainer +cn: vaults + +dn: cn=services,cn=vaults,cn=kra,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaVaultContainer +cn: services + +dn: cn=shared,cn=vaults,cn=kra,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaVaultContainer +cn: shared + +dn: cn=users,cn=vaults,cn=kra,$SUFFIX +changetype: add +objectClass: top +objectClass: ipaVaultContainer +cn: users diff --git a/install/share/vault.update b/install/share/vault.update deleted file mode 100644 index 4f0023840b34c2d2bae4e362e34be1764c430ad1..0000000000000000000000000000000000000000 --- a/install/share/vault.update +++ /dev/null @@ -1,38 +0,0 @@ -dn: cn=kra,$SUFFIX -default: objectClass: top -default: objectClass: nsContainer -default: cn: kra - -dn: cn=vaults,cn=kra,$SUFFIX -default: objectClass: top -default: objectClass: ipaVaultContainer -default: cn: vaults -default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";) -default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";) -default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";) -default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";) -default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";) -default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";) -default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";) - -dn: cn=services,cn=vaults,cn=kra,$SUFFIX -default: objectClass: top -default: objectClass: ipaVaultContainer -default: cn: services - -dn: cn=shared,cn=vaults,cn=kra,$SUFFIX -default: objectClass: top -default: objectClass: ipaVaultContainer -default: cn: shared - -dn: cn=users,cn=vaults,cn=kra,$SUFFIX -default: objectClass: top -default: objectClass: ipaVaultContainer -default: cn: users diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update new file mode 100644 index 0000000000000000000000000000000000000000..3daea5b1988333d4d482463af0eec4163e4f0760 --- /dev/null +++ b/install/updates/40-vault.update @@ -0,0 +1,23 @@ +dn: cn=vaults,cn=kra,$SUFFIX +remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";) +remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";) +addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";) +addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";) +addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";) diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 1f4a91c9bb4222f99ad7a7ad16e376aeef7f525b..26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -34,6 +34,7 @@ app_DATA = \ 40-automember.update \ 40-certprofile.update \ 40-otp.update \ + 40-vault.update \ 41-caacl.update \ 45-roles.update \ 50-7_bit_check.update \ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ff75e0d7a5a0250ce71e67b0302bbaab64c5e935..3930c93fcba06959dd34507ecc29f92e33637775 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -251,7 +251,6 @@ class BasePathNamespace(object): SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" - VAULT_UPDATE = "/usr/share/ipa/vault.update" PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml" CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 958fe6fb095e69f83342ce8299d1586b8bbacd47..48268b0be5331cced1aee6b7f3358333b65de6dd 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -124,6 +124,7 @@ class KRAInstance(DogtagInstance): self.step("configure HTTP to proxy connections", self.http_proxy) self.step("add vault container", self.__add_vault_container) + self.step("apply LDAP updates", self.__apply_updates) self.start_creation(runtime=126) @@ -313,13 +314,17 @@ class KRAInstance(DogtagInstance): conn.disconnect() def __add_vault_container(self): + self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix}) + self.ldap_disconnect() + + def __apply_updates(self): sub_dict = { 'SUFFIX': self.suffix, } ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=sub_dict) - ld.update([paths.VAULT_UPDATE]) + ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')]) @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): -- 2.4.3