author | Fraser Tweedale <ftweedal@redhat.com> | 2015-01-28 02:41:10 -0500 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2015-09-26 14:11:51 +1000 |
commit | 2a9f56d02b4a284cda6f8b61b250e1494f19a83e (patch) | |
tree | 9b12125932ed41a5dbe06f8dafb66656e78c7ad8 /base/ca/shared | |
parent | a5a50e95a691587e22335018538b4f578dfee6d1 (diff) | |
Lightweight CAs: initial support
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
Diffstat (limited to 'base/ca/shared')
-rw-r--r-- | base/ca/shared/conf/acl.ldif | 2 | ||||
-rw-r--r-- | base/ca/shared/conf/acl.properties | 4 | ||||
-rw-r--r-- | base/ca/shared/conf/auth-method.properties | 1 | ||||
-rw-r--r-- | base/ca/shared/conf/db.ldif | 5 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 10 |
5 files changed, 22 insertions, 0 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index 0da10939f..54c9f1d5c 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -57,3 +57,5 @@ resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Man
 resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
 resourceACLS: certServer.ca.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
 resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
+resourceACLS: certServer.ca.authorities:list,read:allow (list,read) user="anybody":Anybody may list and read lightweight authorities
+resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index d14d1832c..f0b5b9f65 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -21,3 +21,7 @@ securityDomain.installToken = certServer.securitydomain.domainxml,read
 selftests.read = certServer.ca.selftests,read
 selftests.execute = certServer.ca.selftests,execute
 users = certServer.ca.users,execute
+authorities.create = certServer.ca.authorities,create
+authorities.list = certServer.ca.authorities,list
+authorities.modify = certServer.ca.authorities,modify
+authorities.read = certServer.ca.authorities,read
diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties
index a213534ad..8d67690af 100644
--- a/base/ca/shared/conf/auth-method.properties
+++ b/base/ca/shared/conf/auth-method.properties
@@ -8,6 +8,7 @@ default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
+authorities = certUserDBAuthMgr
 certs = certUserDBAuthMgr
 certrequests = certUserDBAuthMgr
 groups = certUserDBAuthMgr
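Review bot: The new `list,read` rule grants `user="anybody"`, so whatever the list and read handlers return for `certServer.ca.authorities` is reachable without any authentication; that is acceptable for data already public in the issued chain (issuer DN, serial, enabled flag) but the rule must never be stretched to cover anything that identifies signing-key material, and the description should say so, e.g. `user="anybody":Anybody may list and read lightweight authority metadata (no key material)`. The resource also defines no `delete` operation; if a delete endpoint is added later it needs its own explicit rule and must not ride on `create,modify`, since with this ACL set an undeclared operation falls through to whatever the default is rather than to Administrators. Restricting create and modify to `group="Administrators"` rather than agents is appropriate, because creating a lightweight CA provisions a new signing key inside the instance.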
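Review bot: `authorities = certUserDBAuthMgr` maps the resource to certificate authentication only, while the same commit's acl.ldif lets `user="anybody"` list and read authorities; if the auth-method mapping is applied to every method of the resource, unauthenticated list/read will be rejected before the ACL is ever consulted, and if it is only applied to methods carrying an auth-method annotation, anonymous reads work as intended. Which of the two holds depends on the interceptor, which is outside this diff, so it should be confirmed with an unauthenticated `GET /rest/authorities` against the CA webapp before relying on the anonymous ACL. Accepting only the certificate manager (no `passwdUserDBAuthMgr`, unlike `account`) for create/modify is the right choice for an operation that creates a signing key.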
diff --git a/base/ca/shared/conf/db.ldif b/base/ca/shared/conf/db.ldif
index 8a2e0b072..704b8d11b 100644
--- a/base/ca/shared/conf/db.ldif
+++ b/base/ca/shared/conf/db.ldif
@@ -164,3 +164,8 @@ dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit
 ou: certificateProfiles
+
+dn: ou=authorities,ou=ca,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: authorities
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index bba40e203..628eea2a2 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2417,6 +2417,16 @@
 <security-constraint>
 <web-resource-collection>
+<web-resource-name>Authority Services</web-resource-name>
+<url-pattern>/rest/authorities/*</url-pattern>
+</web-resource-collection>
+<user-data-constraint>
+<transport-guarantee>CONFIDENTIAL</transport-guarantee>
+</user-data-constraint>
+</security-constraint>
+
+<security-constraint>
+<web-resource-collection>
 <web-resource-name>Security Domain Services</web-resource-name>
 <url-pattern>/rest/securityDomain/installToken</url-pattern>
 </web-resource-collection> |
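Review bot: The new `ou=authorities,ou=ca,{rootSuffix}` container is added without any accompanying `aci:` attribute, so access to the entries that will live under it is governed solely by whatever ACIs already apply to the `ou=ca` subtree, none of which are visible in this diff. Lightweight CA entries will presumably carry the identifiers of their signing keys and the enabled state of each authority, so it is worth confirming that the inherited ACIs grant write access only to the CA's own directory bind identity; if the existing ACIs are scoped per container rather than to the subtree, this entry needs its own `aci:` or a matching addition to the ACI LDIF. A one-line LDIF comment above the entry stating that access control is inherited from the parent would save the next reader the same check.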
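Review bot: The new constraint for `/rest/authorities/*` declares only a `CONFIDENTIAL` transport guarantee and no `<auth-constraint>`, so the container enforces TLS for these URLs but leaves authentication and authorization entirely to the application's ACL and auth-method interceptors; that is consistent with the neighbouring Security Domain constraint, but a reader may otherwise expect container-level authorization, so a comment such as `<!-- TLS only; authn/authz for authorities is enforced by the REST ACL and auth-method interceptors -->` inside the constraint would make the division of responsibility explicit. Because `/rest/authorities/*` is a path mapping it also matches the bare collection URL `/rest/authorities`, so the anonymous listing permitted by the ACL in this commit is at least confined to TLS.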