[Freeipa-devel] using pyhbac for CA ACLs
Fraser Tweedale
ftweedal at redhat.com
Mon May 25 07:35:59 UTC 2015
Hi everyone,

CA ACLs (the forthcoming `caacl' plugin) will be used to declare
which users/hosts/services can get certificates from which CAs and
profiles. For v4.2, we will enforce the ACLs in the framework; the
plan is to move ACL enforcement to Dogtag in a future release
(https://fedorahosted.org/freeipa/ticket/5011).

I have written most of the caacl plugin and now I must update
cert-request to enforce the ACLs. Using hbacrule as the guide, I
had a look at pyhbac and it seems to be a reasonable fit for
implementing this. In particular:

- "targethost" and "service" correspond nicely to "(sub)CA" and
  "profile-id" for evaluation.

- A certificate request can be for a user, host or service; these
  will be overloaded into the pyhbac "user" concept. But because we
  will always know who the requesting principal is, we will only
  ever need to deal with whatever of {user,host,service} the
  principal actually is, to be able to evaluate access.

- The "srchost" concept will be unused (therefore fixed to
  HBAC_CATEGORY_ALL). Perhaps there could be some future use.

So, please provide feedback if you think this is a great idea or a
terrible idea :)

Thanks,
Fraser
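Added example (not from this mail and not FreeIPA's own code): a plain-Python model of the mapping proposed above, with per-kind ACL members standing in for pyhbac's "user" element, the CA for "targethost", the profile for "service", and "srchost" left at the ALL category. It deliberately does not import the pyhbac extension so it runs stand-alone; every name here (RuleElement, CaAcl, principal_kind, evaluate_caacl) and the sample ACL values are made up.

```python
from dataclasses import dataclass, field

HBAC_CATEGORY_ALL = "all"  # stands in for pyhbac.HBAC_CATEGORY_ALL (not the real module)

@dataclass
class RuleElement:  # models a pyhbac rule element: explicit names, groups, or ALL
    names: frozenset = frozenset()
    groups: frozenset = frozenset()
    category: frozenset = frozenset()

    def matches(self, name, groups=()):
        if HBAC_CATEGORY_ALL in self.category:
            return True
        return name in self.names or bool(self.groups & frozenset(groups))

@dataclass
class CaAcl:  # a CA ACL laid out along the mapping proposed in the mail (made-up names)
    name: str
    # pyhbac "user", kept per principal kind: only the element for the kind
    # the requesting principal actually is takes part in evaluation
    users: RuleElement = field(default_factory=RuleElement)
    hosts: RuleElement = field(default_factory=RuleElement)
    services: RuleElement = field(default_factory=RuleElement)
    cas: RuleElement = field(default_factory=RuleElement)       # pyhbac "targethost"
    profiles: RuleElement = field(default_factory=RuleElement)  # pyhbac "service"
    # pyhbac "srchost" is unused, i.e. fixed to HBAC_CATEGORY_ALL, so it has no field

def principal_kind(principal):
    """Classify a Kerberos principal as ('user'|'host'|'service', name)."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return "user", name
    svc, host = name.split("/", 1)
    return ("host", host) if svc == "host" else ("service", name)

def evaluate_caacl(acls, principal, ca, profile, groups=()):
    """Allow (True) iff some ACL matches the principal, the CA and the profile."""
    kind, name = principal_kind(principal)
    for acl in acls:
        who = {"user": acl.users, "host": acl.hosts, "service": acl.services}[kind]
        if who.matches(name, groups) and acl.cas.matches(ca) and acl.profiles.matches(profile):
            return True
    return False

# Constructed sample: members of group "webadmins" may request profile
# caIPAserviceCert from the CA named "ipa"; nobody else gets anything.
SAMPLE_ACLS = [CaAcl("web-certs", users=RuleElement(groups=frozenset({"webadmins"})),
                     cas=RuleElement(names=frozenset({"ipa"})),
                     profiles=RuleElement(names=frozenset({"caIPAserviceCert"})))]
```

A host principal evaluated against SAMPLE_ACLS is denied even if it is somehow a member of "webadmins", because only the hosts element of the ACL is consulted for it.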