authorMartin Kosek <mkosek@redhat.com>2015-01-19 12:42:11 +0100
committerMartin Kosek <mkosek@redhat.com>2015-01-20 16:52:53 +0100
commit251c97cf96edccaec5ce034007068609ad69227f (patch)
tree3bae802aae7fe2195d1801856490e516ca598b4e /install/updates
parent82ab0eabf8b963023611ceb42f87244f40651c05 (diff)
Replication Administrators cannot remove replication agreements
Replication agreement deletion requires read access to the DNA range setting. The read access was accidentally removed during the PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission. https://fedorahosted.org/freeipa/ticket/4848 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/40-replication.update11
1 files changed, 11 insertions, 0 deletions
diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 619d14663..f46ab19f0 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read DNA Range
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
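Review bot: The new "Read DNA Range" permission entry and its ACI on cn=Posix IDs carry no comment saying why Replication Administrators need read access to the DNA plugin configuration, which is exactly how the commit message says the original grant got lost in the PermissionV2 refactoring; a one-line note above the `dn: cn=Read DNA Range,...` entry such as `# Replication Administrators must be able to read the DNA range to remove a replication agreement (ticket 4848); do not drop this SYSTEM permission` (assuming the update format accepts `#` comment lines, as other update files appear to) would protect it from the next cleanup. Note also that the ACI is written into cn=config, which is not replicated, so each existing replica only regains this access when the updater runs there during its own upgrade — worth stating in the description so administrators do not expect the fix to propagate. The read ACI's targetattr set (cn, dnaThreshold, dnaType, objectclass) is deliberately wider than the write ACI on the preceding `add:aci:` line, which is harmless for a read/search/compare grant but should be confirmed as intentional rather than a copy of the full plugin attribute list.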