[Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

Petr Vobornik pvoborni at redhat.com
Wed Jul 13 16:34:42 UTC 2016


On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:
> On Tue, 12 Jul 2016, Fraser Tweedale wrote:
>> Attached patch is a doc change, addressing
>> https://fedorahosted.org/freeipa/ticket/6002.
>>
>> Thanks,
>> Fraser
> 
>> From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale <ftweedal at redhat.com>
>> Date: Tue, 12 Jul 2016 15:11:11 +1000
>> Subject: [PATCH] caacl: expand plugin documentation
>>
>> Expand the 'caacl' plugin documentation to explain some common
>> confusions including the fact that CA ACLs apply to the target
>> subject principal (not necessarily the principal requesting the
>> cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/6002
>> ---
>> ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
>> 1 file changed, 28 insertions(+), 6 deletions(-)
>>
>> diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
>> index
>> 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
>> 100644
>> --- a/ipaserver/plugins/caacl.py
>> +++ b/ipaserver/plugins/caacl.py
>> @@ -23,14 +23,36 @@ if six.PY3:
>> __doc__ = _("""
>> Manage CA ACL rules.
>>
>> -This plugin is used to define rules governing which principals are
>> -permitted to have certificates issued using a given certificate
>> -profile.
>> +This plugin is used to define rules governing which CAs and profiles
>> +may be used to issue certificates to particular principals or groups
>> +of principals.
>>
>> -PROFILE ID SYNTAX:
>> +SUBJECT PRINCIPAL SCOPE:
>>
>> -A Profile ID is a string without spaces or punctuation starting with
>> a letter
>> -and followed by a sequence of letters, digits or underscore ("_").
>> +For a certificate request to be allowed, the principal(s) that are
>> +the subject of a certificate request (not necessarily the principal
>> +actually requesting the certificate) must be included in the scope
>> +of a CA ACL that also includes the target CA and profile.
>> +
>> +Users can be included by name, group or the "all users" category.
>> +Hosts can be included by name, hostgroup or the "all hosts"
>> +category.  Services can be included by service name or the "all
>> +services" category.  CA ACLs may be associated with a single type of
>> +principal, or multiple types.
>> +
>> +CERTIFICATE AUTHORITY SCOPE:
>> +
>> +A CA ACL can be associated with one or more CAs by name, or by the
>> +"all CAs" category.  For compatibility reasons, a CA ACL with no CA
>> +association implies an association with the 'ipa' CA (and only this
>> +CA).
>> +
>> +PROFILE SCOPE:
>> +
>> +A CA ACL can be associated with one or more profiles by Profile ID.
>> +The Profile ID is a string without spaces or punctuation starting
>> +with a letter and followed by a sequence of letters, digits or
>> +underscore ("_").
>>
>> EXAMPLES:
>>
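Review bot: In the CERTIFICATE AUTHORITY SCOPE paragraph, the "no CA association implies an association with the 'ipa' CA" sentence should state plainly that such an ACL is an effective grant for the 'ipa' CA rather than an ACL with an empty CA scope, since an administrator auditing rules with no CA listed could otherwise read them as matching nothing. A short follow-on such as "Such a CA ACL therefore permits issuance from the 'ipa' CA for its principals and profiles; add an explicit CA association to change this" would remove the ambiguity without changing the documented behaviour.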
> ACK. Reads well.
> 

Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d

-- 
Petr Vobornik
