2 files changed, 21 insertions, 22 deletions

diff --git a/ACI.txt b/ACI.txt
index 36e785d72..1e6bec0ec 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -272,8 +272,6 @@ dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
-dn: dc=ipa,dc=example
-aci: (targetattr = "creatorsname || modifiersname")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Creator and Modifier Operational Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
@@ -282,7 +280,5 @@ dn: cn=config
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
-dn: dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Timestamp and USN Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Remove Certificate Store Entry";allow (delete) groupdn = "ldap:///cn=System: Remove Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 71da562a3..df49d5d32 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -79,6 +79,8 @@ The template dictionary can have the following keys:
     in the future.
 
 No other keys are allowed in the template
+
+The plugin also deletes permissions specified in OBSOLETE_PERMISSIONS.
 """
 
 from ipalib import api, errors
@@ -95,25 +97,15 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
 
 register = Registry()
 
+OBSOLETE_PERMISSIONS = {
+    # These permissions will be removed on upgrade, if they exist.
+    # Any modifications the user might have made to them are not taken
+    # into account. This should be used sparingly.
+    'System: Read Timestamp and USN Operational Attributes',
+    'System: Read Creator and Modifier Operational Attributes',
+}
+
 NONOBJECT_PERMISSIONS = {
-    'System: Read Timestamp and USN Operational Attributes': {
-        'ipapermlocation': api.env.basedn,
-        'ipapermtargetfilter': {'(objectclass=*)'},
-        'ipapermbindruletype': 'anonymous',
-        'ipapermright': {'read', 'search', 'compare'},
-        'ipapermdefaultattr': {
-            'createtimestamp', 'modifytimestamp', 'entryusn',
-        },
-    },
-    'System: Read Creator and Modifier Operational Attributes': {
-        'ipapermlocation': api.env.basedn,
-        'ipapermtargetfilter': {'(objectclass=*)'},
-        'ipapermbindruletype': 'all',
-        'ipapermright': {'read', 'search', 'compare'},
-        'ipapermdefaultattr': {
-            'creatorsname', 'modifiersname',
-        },
-    },
     'System: Read IPA Masters': {
         'replaces_global_anonymous_aci': True,
         'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
@@ -407,6 +399,17 @@ class update_managed_permissions(PostUpdate):
         if anonymous_read_aci:
             self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
 
+        for obsolete_name in OBSOLETE_PERMISSIONS:
+            self.log.debug('Deleting obsolete permission %s', obsolete_name)
+            try:
+                self.api.Command[permission_del](unicode(obsolete_name),
+                                                 force=True,
+                                                 version=u'2.101')
+            except errors.NotFound:
+                self.log.debug('Obsolete permission not found')
+            else:
+                self.log.info('Obsolete permission deleted: %s', obsolete_name)
+
         return False, False, ()
 
     def update_permission(self, ldap, obj, name, template, anonymous_read_aci):