-rw-r--r--install/conf/ipa.conf5
-rw-r--r--install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf2
-rw-r--r--install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf2
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/ipa-server.conf2
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf2
-rw-r--r--install/share/gssproxy.conf.template8
-rw-r--r--install/share/ipa.conf.tmpfiles4
-rw-r--r--ipalib/constants.py4
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipaplatform/base/tasks.py15
-rw-r--r--ipaplatform/redhat/tasks.py16
-rw-r--r--ipaserver/install/dogtaginstance.py5
-rw-r--r--ipaserver/install/httpinstance.py6
-rw-r--r--ipaserver/install/installutils.py13
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py6
-rw-r--r--ipaserver/install/server/install.py3
-rw-r--r--ipaserver/install/server/replicainstall.py4
-rw-r--r--ipaserver/install/server/upgrade.py1
18 files changed, 73 insertions, 26 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index c1b10d035..f0330c544 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 22 - DO NOT REMOVE THIS LINE
+# VERSION 23 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- display-name=%{GROUP} socket-timeout=2147483647
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
@@ -70,6 +70,7 @@ WSGIScriptReloading Off
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
index 2e4c1367b..a1955d6b7 100644
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
send_member="Get"/>
</policy>
- <policy user="apache">
+ <policy user="ipaapi">
<allow send_destination="com.redhat.idm.trust"
send_path="/"
send_interface="com.redhat.idm.trust"
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
index b2cbf746f..577611f01 100644
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -10,7 +10,7 @@
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
- <policy user="apache">
+ <policy user="ipaapi">
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
index 3f806966b..012e3cbe3 100644
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="org.freeipa.server">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index bc2e8d191..630a4e6cd 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="com.redhat.idm.trust">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
<object name="/">
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index cb5775de6..fbb158a68 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -6,3 +6,11 @@
allow_protocol_transition = true
cred_usage = both
euid = $HTTPD_USER
+
+[service/ipa-api]
+ mechs = krb5
+ cred_store = keytab:$HTTP_KEYTAB
+ cred_store = client_keytab:$HTTP_KEYTAB
+ allow_constrained_delegation = true
+ cred_usage = initiate
+ euid = $IPAAPI_USER
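Review bot: The new `[service/ipa-api]` section carries no comment explaining how it differs from the httpd section above it (`cred_usage = initiate` and `allow_constrained_delegation = true` instead of `cred_usage = both` and `allow_protocol_transition = true`), and readers of the rendered file on a server never see the commit message. A short comment before the section, such as `# Credentials for the IPA API framework running as $IPAAPI_USER; it only initiates contexts with the HTTP keytab`, would record that intent. That the section exists for constrained delegation is inferred from the `allow_constrained_delegation` line and should be confirmed against the httpd-side configuration.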
diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles
index 3037787da..573139bf2 100644
--- a/install/share/ipa.conf.tmpfiles
+++ b/install/share/ipa.conf.tmpfiles
@@ -1,2 +1,2 @@
-d /var/run/ipa 0700 root root
-d /var/run/ipa/ccaches 0700 apache apache
+d /var/run/ipa 0711 root root
+d /var/run/ipa/ccaches 0770 ipaapi ipaapi
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c67340751..fa2062458 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,3 +279,7 @@ PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
# Kerberos Anonymous principal name
ANON_USER = 'WELLKNOWN/ANONYMOUS'
+
+# IPA API Framework user
+IPAAPI_USER = 'ipaapi'
+IPAAPI_GROUP = 'ipaapi'
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b8cd5ca5e..8db9e61f5 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -203,6 +203,7 @@ class BasePathNamespace(object):
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
+ USERMOD = "/usr/sbin/usermod"
HTTPD = "/usr/sbin/httpd"
IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 49b87613f..5806e7504 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -181,7 +181,9 @@ class BaseTaskNamespace(object):
raise NotImplementedError()
- def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
+ def create_system_user(self, name, group, homedir, shell,
+ uid=None, gid=None, comment=None,
+ create_homedir=False, groups=None):
"""Create a system user with a corresponding group"""
try:
grp.getgrnam(group)
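Review bot: The new `groups=None` parameter in the create_system_user signature is not described by the docstring on the following line, which still reads only "Create a system user with a corresponding group"; extend it with `:param groups: optional sequence of supplementary group names, passed to useradd as -G` so callers know a sequence is expected rather than a comma-separated string. The same omission applies to the RedHatTaskNamespace override in ipaplatform/redhat/tasks.py, whose docstring is also left unchanged. create_system_user's body continues outside the hunk.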
@@ -218,6 +220,8 @@ class BaseTaskNamespace(object):
args += ['-m']
else:
args += ['-M']
+ if groups is not None:
+ args += ['-G', groups.join(',')]
try:
ipautil.run(args)
log.debug('Done adding user')
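Review bot: `groups.join(',')` in the new `if groups is not None:` branch is inverted — `str.join` is a method of the separator, so a list of group names raises AttributeError and a string would be iterated character by character; the line should read `args += ['-G', ','.join(groups)]`. The branch is not exercised by this commit's only caller, create_ipaapi_user in ipaserver/install/installutils.py, which does not pass `groups`, so the defect would surface only for the next caller. create_system_user starts and ends outside the hunk.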
@@ -261,3 +265,12 @@ class BaseTaskNamespace(object):
def is_fips_enabled(self):
return False
+
+ def add_user_to_group(self, user, group):
+ log.debug('Adding user %s to group %s', user, group)
+ args = [paths.USERMOD, '-a', '-G', group, user]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding user to group')
+ except ipautil.CalledProcessError as e:
+ log.debug('Failed to add user to group: %s', e)
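Review bot: add_user_to_group logs a failed usermod only at debug level and returns normally, which leaves the httpd user outside the ipaapi group; because this commit makes /var/run/ipa/ccaches 0770 ipaapi:ipaapi and sets `GssapiDelegCcachePerms mode:0660 gid:ipaapi`, a silent failure here reappears later as opaque permission errors inside httpd. Consider logging at error level and propagating, e.g. `log.error('Failed to add user %s to group %s: %s', user, group, e)` followed by `raise`, or at least returning a boolean that create_ipaapi_user in installutils.py can check. Supplementary group membership only applies to processes started after the change, so httpd presumably has to be (re)started after this call; a comment stating that ordering expectation would help.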
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index c9b1c49aa..5bddd1469 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -51,6 +51,8 @@ from ipaplatform.paths import paths
from ipaplatform.redhat.authconfig import RedHatAuthConfig
from ipaplatform.base.tasks import BaseTaskNamespace
+from ipalib.constants import IPAAPI_USER
+
_ffi = FFI()
_ffi.cdef("""
int rpmvercmp (const char *a, const char *b);
@@ -411,7 +413,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
return True
- def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
+ def create_system_user(self, name, group, homedir, shell,
+ uid=None, gid=None, comment=None,
+ create_homedir=False, groups=None):
"""
Create a system user with a corresponding group
@@ -431,8 +435,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
if comment is None:
comment = 'DS System User'
- super(RedHatTaskNamespace, self).create_system_user(name, group,
- homedir, shell, uid, gid, comment, create_homedir)
+ super(RedHatTaskNamespace, self).create_system_user(
+ name, group, homedir, shell, uid, gid, comment, create_homedir,
+ groups)
def parse_ipa_version(self, version):
"""
@@ -467,7 +472,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
dict(
HTTP_KEYTAB=paths.HTTP_KEYTAB,
HTTP_CCACHE=paths.HTTP_CCACHE,
- HTTPD_USER=constants.HTTPD_USER
+ HTTPD_USER=constants.HTTPD_USER,
+ IPAAPI_USER=IPAAPI_USER,
)
)
@@ -520,7 +526,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
def create_tmpfiles_dirs(self):
parent = os.path.dirname(paths.IPA_CCACHES)
- pent = pwd.getpwnam(constants.HTTPD_USER)
+ pent = pwd.getpwnam(IPAAPI_USER)
self._create_tmpfiles_dir(parent, 0o711, 0, 0)
self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770,
pent.pw_uid, pent.pw_gid)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 32772db21..968f4b292 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -31,6 +31,7 @@ import pki.system
from ipalib import api, errors
+from ipalib.constants import IPAAPI_USER
from ipalib.install import certmonger
from ipaplatform import services
from ipaplatform.constants import constants
@@ -44,8 +45,6 @@ from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
from ipapython.ipa_log_manager import log_mgr
-HTTPD_USER = constants.HTTPD_USER
-
def get_security_domain():
"""
@@ -87,7 +86,7 @@ def export_kra_agent_pem():
"--client-cert", filename]
ipautil.run(args)
- pent = pwd.getpwnam(HTTPD_USER)
+ pent = pwd.getpwnam(IPAAPI_USER)
os.chown(filename, 0, pent.pw_gid)
os.chmod(filename, 0o440)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f08bb68d1..3ca2300b8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,6 +30,7 @@ import locale
import six
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
from ipaserver.install import service
from ipaserver.install import certs
@@ -317,8 +318,7 @@ class HTTPInstance(service.Service):
nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
- nssdb.create_db(user=constants.HTTPD_USER, group=constants.HTTPD_GROUP,
- mode=0o751, backup=True)
+ nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
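Review bot: Dropping `mode=0o751` means the RA NSS database directory now takes create_db's default mode, which is not visible here; if that default is more restrictive than 0o751, anything other than the ipaapi user that previously traversed paths.IPA_RADB_DIR loses access, and if it is looser the directory becomes more exposed than before. A comment recording the intent would help, e.g. `# RA DB belongs to the ipaapi WSGI user; create_db's default mode is intentional`. The same `mode=0o751` removal appears in ipaserver/install/plugins/update_ra_cert_store.py and should carry the same note. The enclosing method starts outside the hunk.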
def request_anon_keytab(self):
parent = os.path.dirname(paths.ANON_KEYTAB)
@@ -326,7 +326,7 @@ class HTTPInstance(service.Service):
os.makedirs(parent, 0o755)
self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
- pent = pwd.getpwnam(self.service_user)
+ pent = pwd.getpwnam(IPAAPI_USER)
os.chmod(parent, 0o700)
os.chown(parent, pent.pw_uid, pent.pw_gid)
os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e7005..ef6a399ad 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -44,6 +44,7 @@ import six
from six.moves.configparser import SafeConfigParser, NoOptionError
# pylint: enable=import-error
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import sysrestore
from ipalib.install.kinit import kinit_password
import ipaplatform
@@ -55,6 +56,7 @@ from ipalib import api, errors, x509
from ipapython.dn import DN
from ipaserver.install import certs, service, sysupgrade
from ipaplatform import services
+from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@@ -1513,3 +1515,14 @@ def default_subject_base(realm_name):
def default_ca_subject_dn(subject_base):
return DN(('CN', 'Certificate Authority'), subject_base)
+
+
+def create_ipaapi_user():
+ """Create IPA API user/group if it doesn't exist yet."""
+ tasks.create_system_user(
+ name=IPAAPI_USER,
+ group=IPAAPI_GROUP,
+ homedir=paths.VAR_LIB,
+ shell=paths.NOLOGIN
+ )
+ tasks.add_user_to_group(constants.HTTPD_USER, IPAAPI_GROUP)
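Review bot: The docstring "Create IPA API user/group if it doesn't exist yet" promises idempotence that this function does not check itself; it relies on tasks.create_system_user tolerating an existing user (the base implementation does look up the group with grp.getgrnam first, but the rest of its behaviour is outside this diff), and since the function is also called from upgrade() on every run that assumption should be stated, e.g. `# create_system_user is expected to be a no-op for an existing user; usermod -a -G is idempotent`. On upgraded servers the existing ccache directory and RA NSS database are still owned by the httpd user; nothing visible in this diff re-owns them, so confirm that tasks.create_tmpfiles_dirs and the RA cert store updater cover that case.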
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index 3d1ce9506..d7d28fd7d 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -7,8 +7,8 @@ import os
from ipalib import Registry
from ipalib import Updater
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
-from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import certdb
@@ -37,9 +37,7 @@ class update_ra_cert_store(Updater):
return False, []
else:
# Create the DB
- newdb.create_db(user=constants.HTTPD_USER,
- group=constants.HTTPD_GROUP,
- mode=0o751, backup=True)
+ newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
# Import cert chain (ignore errors, as certs may already be imported)
certlist = olddb.list_certs()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 666e2a536..0b3ea4786 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -38,7 +38,7 @@ from ipaserver.install import (
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
- update_hosts_file)
+ update_hosts_file, create_ipaapi_user)
if six.PY3:
unicode = str
@@ -710,6 +710,7 @@ def install(installer):
update_hosts_file(ip_addresses, host_name, fstore)
# Make sure tmpfiles dir exist before installing components
+ create_ipaapi_user()
tasks.create_tmpfiles_dirs()
# create NSS Databases
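Review bot: The comment `# Make sure tmpfiles dir exist before installing components` now sits above `create_ipaapi_user()` but only describes the call after it; since the user must exist before create_tmpfiles_dirs chowns the ccache directory to it, reword it to `# Make sure the ipaapi user and the tmpfiles dirs exist before installing components`. The same comment/call pair appears in ipaserver/install/server/replicainstall.py. install()'s body continues outside the hunk.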
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f0b04523c..018cebcd9 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -40,7 +40,8 @@ from ipaserver.install import (
installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import (
- create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
+ create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured,
+ create_ipaapi_user)
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
import SSSDConfig
@@ -1305,6 +1306,7 @@ def install(installer):
ccache = os.environ['KRB5CCNAME']
# Make sure tmpfiles dir exist before installing components
+ create_ipaapi_user()
tasks.create_tmpfiles_dirs()
if promote:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f116e856a..509f19647 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1807,6 +1807,7 @@ def upgrade_check(options):
def upgrade():
# Do this early so that any code depending on these dirs will not fail
+ installutils.create_ipaapi_user()
tasks.create_tmpfiles_dirs()
tasks.configure_tmpfiles()