Authorise CA Agent to manage lightweight CAs

Add Dogtag ACLs that authorise the CA Agent certificate to manage lightweight CAs. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
author: Fraser Tweedale <ftweedal@redhat.com> 2016-04-21 15:09:18 +1000
committer: Jan Cholasta <jcholast@redhat.com> 2016-06-09 09:04:27 +0200
commit: 903a90fb4e7dc7eaddc1cc4f11083dad5c16db9b (patch)
tree: 9a41a182d0a840ea459d4de5070a668cef0c086a /ipaserver/install/server
parent: b0d9a4728f0dc78e2bbde344beac17ae50b847a9 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1a1090f0c..cd2ad2e11 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -286,6 +286,16 @@ def ca_configure_profiles_acl(ca):
     return cainstance.configure_profiles_acl()
 
 
+def ca_configure_lightweight_ca_acls(ca):
+    root_logger.info('[Authorizing RA Agent to manage lightweight CAs]')
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    return cainstance.configure_lightweight_ca_acls()
+
+
 def ca_enable_ldap_profile_subsystem(ca):
     root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]')
     if not ca.is_configured():
@@ -1677,6 +1687,7 @@ def upgrade_configuration():
         certificate_renewal_update(ca, ds, http),
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
+        ca_configure_lightweight_ca_acls(ca),
     ])
 
     if ca_restart:
author	Fraser Tweedale <ftweedal@redhat.com>	2016-04-21 15:09:18 +1000
committer	Jan Cholasta <jcholast@redhat.com>	2016-06-09 09:04:27 +0200
commit	903a90fb4e7dc7eaddc1cc4f11083dad5c16db9b (patch)
tree	9a41a182d0a840ea459d4de5070a668cef0c086a /ipaserver/install/server
parent	b0d9a4728f0dc78e2bbde344beac17ae50b847a9 (diff)