The KRA's acl.ldif contains duplicate ACL definitions for certServer.kra.keys:
resourceACLS: certServer.kra.keys:list:allow (list) group="Data Recovery Manager Agents":Only data recovery manager agents list keys resourceACLS: certServer.kra.keys:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key operations
When these ACL's are loaded into memory, the earlier ACL will be overwritten by the later ACL, so the "list" operation may not work properly.
For now the acl.ldif should be fixed by merging the ACL's as follows:
resourceACLS: certServer.kra.keys:list,execute:allow (list) group="Data Recovery Manager Agents";allow (execute) group="Data Recovery Manager Agents":Only data recovery manager agents list keys. Agents may execute key operations.
In the future (see ticket #400) the code might be changed to detect ACL duplicates and do the appropriate action (e.g. show an error or merge the ACL's automatically).
commit:
f400f3bc35f83a60fb386b734dec9fc66309bd71
Metadata Update from @edewata: - Issue assigned to kaskahn - Issue set to the milestone: 10.0.0-0.X.rc1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/975
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.