[Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

Martin Basti mbasti at redhat.com
Mon Jul 18 07:55:21 UTC 2016



On 13.07.2016 18:34, Petr Vobornik wrote:
> On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:
>> On Tue, 12 Jul 2016, Fraser Tweedale wrote:
>>> Attached patch is a doc change, addressing
>>> https://fedorahosted.org/freeipa/ticket/6002.
>>>
>>> Thanks,
>>> Fraser
>>>  From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
>>> From: Fraser Tweedale <ftweedal at redhat.com>
>>> Date: Tue, 12 Jul 2016 15:11:11 +1000
>>> Subject: [PATCH] caacl: expand plugin documentation
>>>
>>> Expand the 'caacl' plugin documentation to explain some common
>>> confusions including the fact that CA ACLs apply to the target
>>> subject principal (not necessarily the principal requesting the
>>> cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
>>>
>>> Fixes: https://fedorahosted.org/freeipa/ticket/6002
>>> ---
>>> ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
>>> 1 file changed, 28 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
>>> index
>>> 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
>>> 100644
>>> --- a/ipaserver/plugins/caacl.py
>>> +++ b/ipaserver/plugins/caacl.py
>>> @@ -23,14 +23,36 @@ if six.PY3:
>>> __doc__ = _("""
>>> Manage CA ACL rules.
>>>
>>> -This plugin is used to define rules governing which principals are
>>> -permitted to have certificates issued using a given certificate
>>> -profile.
>>> +This plugin is used to define rules governing which CAs and profiles
>>> +may be used to issue certificates to particular principals or groups
>>> +of principals.
>>>
>>> -PROFILE ID SYNTAX:
>>> +SUBJECT PRINCIPAL SCOPE:
>>>
>>> -A Profile ID is a string without spaces or punctuation starting with
>>> a letter
>>> -and followed by a sequence of letters, digits or underscore ("_").
>>> +For a certificate request to be allowed, the principal(s) that are
>>> +the subject of a certificate request (not necessarily the principal
>>> +actually requesting the certificate) must be included in the scope
>>> +of a CA ACL that also includes the target CA and profile.
>>> +
>>> +Users can be included by name, group or the "all users" category.
>>> +Hosts can be included by name, hostgroup or the "all hosts"
>>> +category.  Services can be included by service name or the "all
>>> +services" category.  CA ACLs may be associated with a single type of
>>> +principal, or multiple types.
>>> +
>>> +CERTIFICATE AUTHORITY SCOPE:
>>> +
>>> +A CA ACL can be associated with one or more CAs by name, or by the
>>> +"all CAs" category.  For compatibility reasons, a CA ACL with no CA
>>> +association implies an association with the 'ipa' CA (and only this
>>> +CA).
>>> +
>>> +PROFILE SCOPE:
>>> +
>>> +A CA ACL can be associated with one or more profiles by Profile ID.
>>> +The Profile ID is a string without spaces or punctuation starting
>>> +with a letter and followed by a sequence of letters, digits or
>>> +underscore ("_").
>>>
>>> EXAMPLES:
>>>
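Review bot: In the new SUBJECT PRINCIPAL SCOPE paragraph, "the principal(s) that are the subject of a certificate request ... must be included in the scope of a CA ACL" does not say how a request with more than one subject principal is evaluated: whether a single CA ACL has to cover every principal together with the target CA and profile, or whether each principal may be matched by a different CA ACL. Since this text is what administrators will rely on when scoping issuance, please state which of the two applies. Separately, the added sections all land inside the one `__doc__ = _("""` string, so any later wording change invalidates the translation of the whole block; consider splitting it into one translatable string per section.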
>> ACK. Reads well.
>>
> Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d
>
Please note for the future that long strings should be split, to make
the life of translators easier

http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings

Martin^2



