From 35af0d6d66e623012755acca44bd77186067d156 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 30 Apr 2015 23:50:41 -0400
Subject: Add ACL to allow CA agent to modify profiles

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/server/upgrade.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'ipaserver/install/server/upgrade.py')

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 9d1fd92b7..0ea6bd7b4 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -289,6 +289,16 @@ def setup_firefox_extension(fstore):
     http.setup_firefox_extension(realm, domain)
 
 
+def ca_configure_profiles_acl(ca):
+    root_logger.info('[Authorizing RA Agent to modify profiles]')
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    return cainstance.configure_profiles_acl()
+
+
 def upgrade_ipa_profile(ca, domain, fqdn):
     """
     Update the IPA Profile provided by dogtag
@@ -1370,6 +1380,7 @@ def upgrade_configuration():
         upgrade_ipa_profile(ca, api.env.domain, fqdn),
         certificate_renewal_update(ca),
         ca_enable_pkix(ca),
+        ca_configure_profiles_acl(ca),
     ])
 
     if ca_restart:
-- 
cgit