Replace "replica admins read access" ACI with a permission

Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>

3 files changed, 66 insertions, 5 deletions

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e96139f..8c0bc8ec3 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
 # Replica administration
 
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e5..f31c20177 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sa
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index bffd9bbf4..92e5d963b 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -155,6 +155,67 @@ NONOBJECT_PERMISSIONS = {
             'ipantdomainguid', 'ipantfallbackprimarygroup',
         },
     },
+    'System: Read Replication Agreements': {
+        'ipapermlocation': DN('cn=config'),
+        'ipapermtargetfilter': {
+            '(|'
+                '(objectclass=nsds5Replica)'
+                '(objectclass=nsds5replicationagreement)'
+                '(objectclass=nsDSWindowsReplicationAgreement)'
+                '(objectClass=nsMappingTree)'
+            ')'
+        },
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass',
+            # nsds5Replica
+            'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
+            'nsds5replicaabortcleanruv', 'nsds5replicatype',
+            'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
+            'nsds5flags', 'nsds5task', 'nsds5replicareferral',
+            'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
+            'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
+            'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
+            'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
+            # nsds5replicationagreement
+            'nsds5replicacleanruvnotified', 'nsds5replicahost',
+            'nsds5replicaport', 'nsds5replicatransportinfo',
+            'nsds5replicabinddn', 'nsds5replicacredentials',
+            'nsds5replicabindmethod', 'nsds5replicaroot',
+            'nsds5replicatedattributelist',
+            'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
+            'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
+            'nsruvreplicalastmodified', 'nsds5replicatimeout',
+            'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
+            'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
+            'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
+            'nsds5replicaenabled', 'nsds5replicalastinitstart',
+            'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+            'nsds5replicabusywaittime', 'nsds5replicastripattrs',
+            'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
+            # nsDSWindowsReplicationAgreement
+            'nsds5replicahost', 'nsds5replicaport',
+            'nsds5replicatransportinfo', 'nsds5replicabinddn',
+            'nsds5replicacredentials', 'nsds5replicabindmethod',
+            'nsds5replicaroot', 'nsds5replicatedattributelist',
+            'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
+            'description', 'nsds50ruv', 'nsruvreplicalastmodified',
+            'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
+            'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
+            'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
+            'nsds5replicalastinitend', 'nsds5replicalastinitstart',
+            'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+            'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
+            'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
+            'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
+            'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
+            'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
+            'winsyncdirectoryfilter', 'winsyncwindowsfilter',
+            'winsyncsubtreepair',
+        },
+        'default_privileges': {'Replication Administrators'},
+    }
 }