[Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

Fraser Tweedale ftweedal at redhat.com
Tue Jul 19 00:49:17 UTC 2016


On Mon, Jul 18, 2016 at 09:55:21AM +0200, Martin Basti wrote:
> 
> 
> On 13.07.2016 18:34, Petr Vobornik wrote:
> > On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:
> > > On Tue, 12 Jul 2016, Fraser Tweedale wrote:
> > > > Attached patch is a doc change, addressing
> > > > https://fedorahosted.org/freeipa/ticket/6002.
> > > > 
> > > > Thanks,
> > > > Fraser
> > > >  From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
> > > > From: Fraser Tweedale <ftweedal at redhat.com>
> > > > Date: Tue, 12 Jul 2016 15:11:11 +1000
> > > > Subject: [PATCH] caacl: expand plugin documentation
> > > > 
> > > > Expand the 'caacl' plugin documentation to explain some common
> > > > confusions including the fact that CA ACLs apply to the target
> > > > subject principal (not necessarily the principal requesting the
> > > > cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
> > > > 
> > > > Fixes: https://fedorahosted.org/freeipa/ticket/6002
> > > > ---
> > > > ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
> > > > 1 file changed, 28 insertions(+), 6 deletions(-)
> > > > 
> > > > diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
> > > > index
> > > > 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
> > > > 100644
> > > > --- a/ipaserver/plugins/caacl.py
> > > > +++ b/ipaserver/plugins/caacl.py
> > > > @@ -23,14 +23,36 @@ if six.PY3:
> > > > __doc__ = _("""
> > > > Manage CA ACL rules.
> > > > 
> > > > -This plugin is used to define rules governing which principals are
> > > > -permitted to have certificates issued using a given certificate
> > > > -profile.
> > > > +This plugin is used to define rules governing which CAs and profiles
> > > > +may be used to issue certificates to particular principals or groups
> > > > +of principals.
> > > > 
> > > > -PROFILE ID SYNTAX:
> > > > +SUBJECT PRINCIPAL SCOPE:
> > > > 
> > > > -A Profile ID is a string without spaces or punctuation starting with
> > > > a letter
> > > > -and followed by a sequence of letters, digits or underscore ("_").
> > > > +For a certificate request to be allowed, the principal(s) that are
> > > > +the subject of a certificate request (not necessarily the principal
> > > > +actually requesting the certificate) must be included in the scope
> > > > +of a CA ACL that also includes the target CA and profile.
> > > > +
> > > > +Users can be included by name, group or the "all users" category.
> > > > +Hosts can be included by name, hostgroup or the "all hosts"
> > > > +category.  Services can be included by service name or the "all
> > > > +services" category.  CA ACLs may be associated with a single type of
> > > > +principal, or multiple types.
> > > > +
> > > > +CERTIFICATE AUTHORITY SCOPE:
> > > > +
> > > > +A CA ACL can be associated with one or more CAs by name, or by the
> > > > +"all CAs" category.  For compatibility reasons, a CA ACL with no CA
> > > > +association implies an association with the 'ipa' CA (and only this
> > > > +CA).
> > > > +
> > > > +PROFILE SCOPE:
> > > > +
> > > > +A CA ACL can be associated with one or more profiles by Profile ID.
> > > > +The Profile ID is a string without spaces or punctuation starting
> > > > +with a letter and followed by a sequence of letters, digits or
> > > > +underscore ("_").
> > > > 
> > > > EXAMPLES:
> > > > 
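Review bot: The new PROFILE SCOPE paragraph says only that profiles are associated by Profile ID. It does not say what a CA ACL with no profile association means, or whether a category form exists as it does for users, hosts, services and CAs. The CERTIFICATE AUTHORITY SCOPE paragraph just above spells out that "a CA ACL with no CA association implies an association with the 'ipa' CA (and only this CA)". Without a matching sentence for profiles, an administrator may assume a similar implicit default applies there and misjudge which requests an ACL permits. Suggest adding one sentence to PROFILE SCOPE stating the behaviour when no profile is associated.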
> > > ACK. Reads well.
> > > 
> > Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d
> > 
> Please note for the future that long strings should be split, to make life
> easier for translators
> 
> http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings
> 
> Martin^2
>
I see; thanks for pointing this out Martin.



