diff options
author | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-05 19:32:12 +0000 |
---|---|---|
committer | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-05 19:32:12 +0000 |
commit | 3a2f83d50254ad4c14cd24af880fc4d7d7302d63 (patch) | |
tree | f9f49f43e3540152c425e114a254e10b59b106f8 /pki | |
parent | f84efdbaaa279f76557380d2ca73133bd16d37d2 (diff) | |
download | pki-3a2f83d50254ad4c14cd24af880fc4d7d7302d63.tar.gz pki-3a2f83d50254ad4c14cd24af880fc4d7d7302d63.tar.xz pki-3a2f83d50254ad4c14cd24af880fc4d7d7302d63.zip |
Bugzilla Bug 223346 - Two conflicting ACL list definitions in source repository
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1694 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r-- | pki/base/ca/shared/acl/cms.acl | 45 | ||||
-rw-r--r-- | pki/base/kra/shared/acl/cms.acl | 45 | ||||
-rw-r--r-- | pki/base/ocsp/shared/acl/cms.acl | 45 | ||||
-rwxr-xr-x | pki/base/setup/pkicreate | 12 | ||||
-rw-r--r-- | pki/base/tks/shared/acl/cms.acl | 45 |
5 files changed, 0 insertions, 192 deletions
diff --git a/pki/base/ca/shared/acl/cms.acl b/pki/base/ca/shared/acl/cms.acl deleted file mode 100644 index e8c1ff691..000000000 --- a/pki/base/ca/shared/acl/cms.acl +++ /dev/null @@ -1,45 +0,0 @@ -resourceACLS -certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify -certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete -certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify -certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify -certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter -certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. -certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log -certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content -certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify -certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify -certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify -certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets -certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify -certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify -certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify -certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify -certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify -certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory -certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate -certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates -certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests -certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request -certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information -certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests -certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl -certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate -certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates -certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain -certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL -certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request -certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status -certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request -certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate -certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request -certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile -certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles -certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile -certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles -certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles -certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests -certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA -certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics -certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups diff --git a/pki/base/kra/shared/acl/cms.acl b/pki/base/kra/shared/acl/cms.acl deleted file mode 100644 index 7ed6410fb..000000000 --- a/pki/base/kra/shared/acl/cms.acl +++ /dev/null @@ -1,45 +0,0 @@ -resourceACLS -certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify -certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify -certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify -certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify -certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter -certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. -certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log -certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content -certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify -certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify -certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify -certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets -certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify -certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify -certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify -certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify -certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify -certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory -certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate -certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates -certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests -certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request -certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information -certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests -certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl -certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate -certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates -certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain -certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL -certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request -certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status -certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request -certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate -certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request -certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile -certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles -certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile -certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles -certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles -certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests -certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA -certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics -certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups diff --git a/pki/base/ocsp/shared/acl/cms.acl b/pki/base/ocsp/shared/acl/cms.acl deleted file mode 100644 index 7ed6410fb..000000000 --- a/pki/base/ocsp/shared/acl/cms.acl +++ /dev/null @@ -1,45 +0,0 @@ -resourceACLS -certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify -certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify -certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify -certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify -certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter -certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. -certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log -certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content -certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify -certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify -certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify -certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets -certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify -certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify -certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify -certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify -certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify -certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory -certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate -certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates -certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests -certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request -certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information -certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests -certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl -certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate -certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates -certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain -certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL -certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request -certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status -certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request -certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate -certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request -certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile -certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles -certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile -certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles -certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles -certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests -certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA -certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics -certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index c24b3eaf5..a46db3f6a 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -121,7 +121,6 @@ $suppress = $install_info_basename; ############################################################## # Base subsystem directory names -my $acl_base_subsystem_dir = "acl"; # CA, KRA, OCSP, TKS my $applets_base_subsystem_dir = "applets"; # TPS my $cgibin_base_subsystem_dir = "cgi-bin"; # TPS (Apache) my $conf_base_subsystem_dir = "conf"; # CA, KRA, OCSP, TKS, RA, TPS @@ -134,7 +133,6 @@ my $scripts_base_subsystem_dir = "scripts"; # RA, TPS my $webapps_base_subsystem_dir = "webapps"; # CA, KRA, OCSP, TKS # Base instance directory names -my $acl_base_instance_dir = "acl"; # CA, KRA, OCSP, TKS my $alias_base_instance_dir = "alias"; # CA, KRA, OCSP, TKS, RA, TPS my $bin_base_instance_dir = "bin"; # TPS my $cgibin_base_instance_dir = "cgi-bin"; # TPS (Apache) @@ -379,7 +377,6 @@ my $redirected_logs_path = undef; # Base subsystem directory paths my $pki_subsystem_path = undef; # CA, KRA, OCSP, TKS, RA, TPS -my $acl_subsystem_path = undef; # CA, KRA, OCSP, TKS my $applets_subsystem_path = undef; # TPS my $bin_subsystem_path = undef; # TPS my $cgibin_subsystem_path = undef; # TPS (Apache) @@ -396,7 +393,6 @@ my $ui_subsystem_path = undef; # CA, KRA, OCSP, TKS, RA, TPS # Base instance directory paths my $pki_instance_path = undef; # CA, KRA, OCSP, TKS, RA, TPS -my $acl_instance_path = undef; # CA, KRA, OCSP, TKS my $alias_instance_path = undef; # CA, KRA, OCSP, TKS, RA, TPS my $bin_instance_path = undef; # TPS my $cgibin_instance_path = undef; # TPS (Apache) @@ -1400,8 +1396,6 @@ sub initialize_subsystem_paths ## Initialize subsystem directory paths (CA, KRA, OCSP, TKS subsystems) - $acl_subsystem_path = $pki_subsystem_path - . "/" . $acl_base_subsystem_dir; $profiles_subsystem_path = $pki_subsystem_path . "/" . $profiles_base_subsystem_dir; $webapps_subsystem_path = $pki_subsystem_path @@ -1465,8 +1459,6 @@ sub initialize_instance_paths ## Initialize instance directory paths (CA, KRA, OCSP, TKS instances) $emails_instance_path = $pki_instance_path . "/" . $emails_base_instance_dir; - $acl_instance_path = $pki_instance_path - . "/" . $acl_base_instance_dir; $profiles_instance_path = $pki_instance_path . "/" . $profiles_base_instance_dir; $webapps_instance_path = $pki_instance_path @@ -2062,10 +2054,6 @@ sub process_pki_directories } } else { ## Populate instance directory paths (CA, KRA, OCSP, TKS instances) - return 0 if !copy_directory($acl_subsystem_path, $acl_instance_path, - $default_dir_permissions, $default_file_permissions, - $pki_user, $pki_group); - return 0 if !copy_directory($webapps_subsystem_path, $webapps_instance_path, $default_dir_permissions, $default_file_permissions, $pki_user, $pki_group); diff --git a/pki/base/tks/shared/acl/cms.acl b/pki/base/tks/shared/acl/cms.acl deleted file mode 100644 index 7ed6410fb..000000000 --- a/pki/base/tks/shared/acl/cms.acl +++ /dev/null @@ -1,45 +0,0 @@ -resourceACLS -certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify -certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify -certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify -certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify -certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter -certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. -certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log -certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content -certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify -certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify -certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify -certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets -certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify -certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify -certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify -certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify -certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify -certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory -certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate -certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates -certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests -certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request -certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information -certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests -certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl -certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate -certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates -certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain -certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL -certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request -certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status -certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request -certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate -certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request -certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile -certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles -certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile -certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles -certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles -certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests -certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA -certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics -certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups |