[OPENDJ-6039] AM Config Store Profile doesn't have enough access in ProductionMode when upgrading AM. Created: 28/Feb/19  Updated: 03/Mar/20  Resolved: 04/Mar/19

Status: Done
Project: OpenDJ
Component/s: setup
Affects Version/s: 6.5.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Ludovic Poitou Assignee: Ludovic Poitou
Resolution: Fixed Votes: 0
Labels: Verified

Issue Links:
Backport
is backported by OPENDJ-6065 Backport OPENDJ-6039: AM Config Store... Done
Regression
caused OPENAM-14333 am-config profile is unable to upgrad... Closed
Story Points: 0.5

Description

When DS is installed as an AM Configuration Store with Production Mode active, AM is not able to run an upgrade. See OPENAM-14333.

During upgrade, AM tries to read the SubSchemaSubentry operational attribute to access the schema, but there is no ACI that grants access to operational attributes.

A simple fix would be to allow the AM config admin to read and update all operational attributes. In effect this means, in the profile's base-entries.ldif file, replacing:

aci: (targetattr="*")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)

With:

aci: (targetattr="*||+")(version 3.0;acl "Allow CRUDQ operations";
 allow (search, read, write, add, delete)
 (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)
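To make the difference between the two targetattr clauses concrete, here is an added Python example (not part of this issue or of the OpenDJ code base) that parses the targetattr clause of an ACI and reports whether a given attribute is covered. It follows the DS syntax used above: `*` stands for every user attribute, `+` for every operational attribute, and `||` joins alternatives. The set of operational attribute names is a constructed sample for the example (in a real server that property comes from the schema), and the checker looks only at targetattr, not at the granted rights or the bind rule.

```python
"""Check which attributes an OpenDJ/DS ACI targetattr clause covers.

Added illustration; not code from the OpenDJ project. The operational
attribute list is a constructed sample for this example.
"""
import re

# Constructed sample of well-known operational attributes (lower-cased).
# In a real deployment this information comes from the server schema.
OPERATIONAL_ATTRS = {
    "subschemasubentry", "entryuuid", "createtimestamp", "modifytimestamp",
    "creatorsname", "modifiersname", "aci", "ds-sync-hist",
}

# The two ACIs from the issue, joined onto one line (LDIF folds them).
OLD_ACI = ('(targetattr="*")(version 3.0;acl "Allow CRUDQ operations";'
           ' allow (search, read, write, add, delete)'
           ' (userdn = "ldap:///uid=am-config,ou=admins,&{AM_CONFIG_BASE_DN}");)')
NEW_ACI = OLD_ACI.replace('(targetattr="*")', '(targetattr="*||+")')

_TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)


def parse_targetattr(aci):
    """Return the list of targetattr tokens ('*', '+' or attribute names).

    An ACI without a targetattr clause targets no attributes at all.
    """
    match = _TARGETATTR_RE.search(aci)
    if not match:
        return []
    return [tok.strip().lower() for tok in match.group(1).split("||") if tok.strip()]


def targets_attribute(aci, attr):
    """True if the targetattr clause of ACI covers ATTR.

    '*' matches every user attribute, '+' every operational attribute,
    and an explicit name matches only itself.
    """
    name = attr.lower()
    operational = name in OPERATIONAL_ATTRS
    for tok in parse_targetattr(aci):
        if tok == "*" and not operational:
            return True
        if tok == "+" and operational:
            return True
        if tok == name:
            return True
    return False


def missing_for_upgrade(aci, required=("subschemaSubentry",)):
    """Return the required attributes that ACI does not target.

    AM's upgrade needs to read subschemaSubentry (operational), so an ACI
    that leaves it out is the configuration this issue describes.
    """
    return [attr for attr in required if not targets_attribute(aci, attr)]


if __name__ == "__main__":
    for label, aci in (("old", OLD_ACI), ("new", NEW_ACI)):
        print(label, "targets:", parse_targetattr(aci),
              "missing for upgrade:", missing_for_upgrade(aci))
```

Running the module prints that the old ACI targets only `*` and leaves `subschemaSubentry` uncovered, while the new `*||+` clause covers it; the same helper can be pointed at any other ACI from a profile to see which operational attributes it reaches.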


Comments
Comment by Chris Ridd [ 28/Feb/19 ]

The change to the ACI will need to be noted in the AM release notes as a pre-upgrade step.

Comment by carole forel [ 06/Mar/19 ]

Lightly verified by checking:

  • Config store: admin can read operational attributes.
  • Identity store: admin can read, write aci, and do proxied operations.

Still needs validation on the AM side.

Generated at Sun Sep 27 20:20:51 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.