[Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 12 06:45:52 UTC 2016


On Tue, 12 Jul 2016, Fraser Tweedale wrote:
>Attached patch is a doc change, addressing
>https://fedorahosted.org/freeipa/ticket/6002.
>
>Thanks,
>Fraser

>From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
>From: Fraser Tweedale <ftweedal at redhat.com>
>Date: Tue, 12 Jul 2016 15:11:11 +1000
>Subject: [PATCH] caacl: expand plugin documentation
>
>Expand the 'caacl' plugin documentation to explain some common
>confusions including the fact that CA ACLs apply to the target
>subject principal (not necessarily the principal requesting the
>cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
>
>Fixes: https://fedorahosted.org/freeipa/ticket/6002
>---
> ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
> 1 file changed, 28 insertions(+), 6 deletions(-)
>
>diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
>index 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a 100644
>--- a/ipaserver/plugins/caacl.py
>+++ b/ipaserver/plugins/caacl.py
>@@ -23,14 +23,36 @@ if six.PY3:
> __doc__ = _("""
> Manage CA ACL rules.
>
>-This plugin is used to define rules governing which principals are
>-permitted to have certificates issued using a given certificate
>-profile.
>+This plugin is used to define rules governing which CAs and profiles
>+may be used to issue certificates to particular principals or groups
>+of principals.
>
>-PROFILE ID SYNTAX:
>+SUBJECT PRINCIPAL SCOPE:
>
>-A Profile ID is a string without spaces or punctuation starting with a letter
>-and followed by a sequence of letters, digits or underscore ("_").
>+For a certificate request to be allowed, the principal(s) that are
>+the subject of a certificate request (not necessarily the principal
>+actually requesting the certificate) must be included in the scope
>+of a CA ACL that also includes the target CA and profile.
>+
>+Users can be included by name, group or the "all users" category.
>+Hosts can be included by name, hostgroup or the "all hosts"
>+category.  Services can be included by service name or the "all
>+services" category.  CA ACLs may be associated with a single type of
>+principal, or multiple types.
>+
>+CERTIFICATE AUTHORITY SCOPE:
>+
>+A CA ACL can be associated with one or more CAs by name, or by the
>+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
>+association implies an association with the 'ipa' CA (and only this
>+CA).
>+
>+PROFILE SCOPE:
>+
>+A CA ACL can be associated with one or more profiles by Profile ID.
>+The Profile ID is a string without spaces or punctuation starting
>+with a letter and followed by a sequence of letters, digits or
>+underscore ("_").
>
> EXAMPLES:
>
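Review bot: The SUBJECT PRINCIPAL SCOPE paragraph says the ACL is about "the principal(s) that are the subject of a certificate request (not necessarily the principal actually requesting the certificate)" but stops there; since the commit message names this as the confusion being addressed, one more sentence saying what does govern the requesting principal would close the gap, and naming the command that performs the check (the request path the rule is enforced on) would tell readers where the scope rule applies. Minor: "principal(s)" reads as though one request could carry several subjects; if a request has a single subject principal, "the principal that is the subject of the request" is clearer. In CERTIFICATE AUTHORITY SCOPE, "(and only this CA)" would read more plainly as "and no other CA", and it would help to say whether adding a CA to such an ACL removes the implicit 'ipa' association.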
ACK. Reads well.

-- 
/ Alexander Bokovoy
