On Wed, 2014-01-22 at 16:05 +0100, Jan Cholasta wrote:
> On 22.1.2014 15:34, Simo Sorce wrote:
> > On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
> >> On 21.1.2014 17:12, Simo Sorce wrote:
> >>> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
> >>>> + request = None
> >>>> + try:
> >>>> + request = pkcs10.load_certificate_request(csr)
> >>>> + subject = pkcs10.get_subject(request)
> >>>> + subjectaltname = pkcs10.get_subjectaltname(request)
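Review bot: the `try:` opened in this hunk has no visible `except`, and `request = None` before it implies `request` is read after the block, so the handler should turn a failing `pkcs10.load_certificate_request(csr)` into an explicit malformed-CSR error rather than leave `request` as None for later code; `pkcs10.get_subjectaltname(request)` yielding no names for a CSR without a SAN must remain a non-error path, as the exchange below confirms.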
> >>> Will this make the request fail if there is no subjectaltname?
> >> No.
> > Good.
> >>> Later in the patch you seem to be changing from needing managedby_host
> >>> to needing write access to an entry, I am not sure I understand why that
> >>> was changed. Not saying it is necessarily wrong, but why is the original
> >>> check not right anymore?
> >> The original check is wrong, see
> >> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
> >> The check in my patch allows SAN only if the requesting host has write
> >> access to all of the SAN services. I'm not entirely sure if this is
> >> right, but even if it is not, I think we should still check for write
> >> access to the SAN services, so that access control can be (partially)
> >> handled by ACIs.
> > Right, I remembered that comment, but it just says to check the right
> > object's managed-by, here instead you changed it to check if you can
> > write the usercertificate.
> > I guess it is the same *if* there is an ACI that gives write permission
> > when the host is in the managed-by attribute, is that the reasoning ?
> Exactly. The ACIs that allow this by default are named "Hosts can manage
> service Certificates and kerberos keys" and "Hosts can manage other host
> Certificates and kerberos keys".
> I think the check can be extended to users as well, so that requesting a
> certificate with a SAN is allowed only to users who have write access to
> the SAN services.
Sounds good to me then, thanks for explaining.
The patches also look good, but I would like someone to give them a try
for a formal ack.
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
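The authorization rule discussed in this thread, as an added example that is not FreeIPA code or any patch from this list: a request carrying subjectAltName entries is allowed only when the requesting principal has write access to the entry of every service named in the SAN, a request without a SAN needs no SAN check, and the same check applies to a user principal as to a host. The directory entries, the managedBy-based write rule and the principal names are constructed sample data; `has_write_access` is a stand-in for the ACI evaluation the directory server would do.

```python
# Added example (not FreeIPA code): model of "SAN allowed only if the requester
# has write access to all SAN services". Every name, entry and ACI here is
# constructed sample data; the real check is done by LDAP ACIs such as
# "Hosts can manage service Certificates and kerberos keys".

from dataclasses import dataclass, field


@dataclass
class Entry:
    """Minimal stand-in for an LDAP service entry."""
    dn: str
    managedby: set = field(default_factory=set)  # principals listed in managedBy


# Constructed directory: service entries keyed by the dNSName a SAN would carry.
DIRECTORY = {
    "web1.example.test": Entry(
        "krbprincipalname=HTTP/web1.example.test,cn=services",
        managedby={"host/web1.example.test"}),
    "web2.example.test": Entry(
        "krbprincipalname=HTTP/web2.example.test,cn=services",
        managedby={"host/web2.example.test", "uid=webadmin"}),
}


def has_write_access(requester: str, entry: Entry) -> bool:
    """Stand-in for the ACI that grants write on userCertificate to principals
    named in the entry's managedBy attribute (host or user alike)."""
    return requester in entry.managedby


def check_san_authorization(requester: str, san_dnsnames: list) -> tuple:
    """Return (allowed, reason).

    Every SAN name must resolve to a known service entry the requester can
    write; one unknown name or one missing right denies the whole request.
    A CSR with no SAN has nothing to authorize here and passes through."""
    if not san_dnsnames:
        return True, "no subjectAltName, nothing to authorize"
    for name in san_dnsnames:
        entry = DIRECTORY.get(name)
        if entry is None:
            return False, f"SAN {name} does not match any known service"
        if not has_write_access(requester, entry):
            return False, f"requester lacks write access to {entry.dn}"
    return True, "requester has write access to all SAN services"


if __name__ == "__main__":
    for requester, names in [
        ("host/web1.example.test", []),
        ("host/web1.example.test", ["web1.example.test"]),
        ("host/web1.example.test", ["web1.example.test", "web2.example.test"]),
        ("uid=webadmin", ["web2.example.test"]),
        ("uid=webadmin", ["nosuch.example.test"]),
    ]:
        allowed, reason = check_san_authorization(requester, names)
        print(f"{requester} SAN={names}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The all-or-nothing loop is the point: a host that manages only one of two services named in the SAN is denied, which is what keeps a host from obtaining a certificate valid for a service it does not manage.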