Hi everyone,

CA ACLs (the forthcoming `caacl' plugin) will be used to declare which users/hosts/services can get certificates from which CAs and profiles. For v4.2, we will enforce the ACLs in the framework; the plan is to move ACL enforcement to Dogtag in a future release (https://fedorahosted.org/freeipa/ticket/5011).

I have written most of the caacl plugin and now I must update cert-request to enforce the ACLs. Using hbacrule as the guide, I had a look at pyhbac and it seems to be a reasonable fit for implementing this. In particular:

- "targethost" and "service" correspond nicely to "(sub)CA" and "profile-id" for evaluation.
- A certificate request can be for a user, host or service; these will be overloaded into the pyhbac "user" concept. But because we will always know who the requesting principal is, we will only ever need to deal with whichever of {user,host,service} the principal actually is, to be able to evaluate access.
- The "srchost" concept will be unused (therefore fixed to HBAC_CATEGORY_ALL). Perhaps there could be some future use.

So, please provide feedback if you think this is a great idea or a terrible idea :)

Thanks,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
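The mapping proposed above, worked through as an added example that is not part of Fraser's post or of FreeIPA's caacl plugin. Rather than importing pyhbac (SSSD's C extension), it re-implements the relevant matching semantics in plain Python with classes shaped like pyhbac's rule elements: the requesting principal is classified as user, host or service and evaluated against the rule's subject element of that same kind (the "overloaded into user" idea), the CA plays the targethost role, the profile plays the service role, and srchost is fixed to the ALL category. The rule, CA, profile and principal names are constructed for the example; `Element`, `CaAclRule`, `principal_kind` and `evaluate` are hypothetical names.

```python
"""Plain-Python model of CA ACL evaluation in the pyhbac style.

Added example; does not import pyhbac and is not FreeIPA's code.
Rule/CA/profile/principal names below are constructed sample data.
"""

HBAC_CATEGORY_ALL = "all"                  # stands in for pyhbac.HBAC_CATEGORY_ALL
HBAC_EVAL_ALLOW, HBAC_EVAL_DENY = "allow", "deny"   # stand in for pyhbac.HBAC_EVAL_*


class Element:
    """A rule element in pyhbac's shape: explicit names, groups, or the ALL category."""

    def __init__(self, names=(), groups=(), category=()):
        self.names, self.groups = set(names), set(groups)
        self.category = set(category)

    def matches(self, name, groups=()):
        # The ALL category short-circuits: any name matches.
        if HBAC_CATEGORY_ALL in self.category:
            return True
        return name in self.names or not self.groups.isdisjoint(groups)


class CaAclRule:
    """One CA ACL.  'subjects' is keyed by principal kind (user/host/service);
    'cas' plays pyhbac's targethost role and 'profiles' its service role."""

    def __init__(self, name, subjects, cas, profiles, enabled=True):
        self.name, self.enabled = name, enabled
        self.subjects, self.cas, self.profiles = subjects, cas, profiles
        # srchost is unused for CA ACLs, so it is fixed to the ALL category.
        self.srchosts = Element(category={HBAC_CATEGORY_ALL})


def principal_kind(principal):
    """Classify a Kerberos principal and return (kind, subject name).

    'alice@REALM'            -> ('user', 'alice')
    'host/fqdn@REALM'        -> ('host', 'fqdn')
    'HTTP/fqdn@REALM'        -> ('service', 'HTTP/fqdn')
    """
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return "user", name
    svc, host = name.split("/", 1)
    if svc == "host":
        return "host", host
    return "service", name


def evaluate(rules, principal, ca, profile, groups=()):
    """Allow if any enabled rule matches subject AND CA AND profile AND srchost.

    Returns (HBAC_EVAL_ALLOW, rule_name) or (HBAC_EVAL_DENY, None), mirroring
    pyhbac's result code plus the matched rule name.
    """
    kind, subject = principal_kind(principal)
    for rule in rules:
        if not rule.enabled:
            continue
        subject_elem = rule.subjects.get(kind)
        if subject_elem is None:
            continue  # rule grants nothing to principals of this kind
        if (subject_elem.matches(subject, groups)
                and rule.cas.matches(ca)
                and rule.profiles.matches(profile)
                and rule.srchosts.matches("")):  # always true: srchost is ALL
            return HBAC_EVAL_ALLOW, rule.name
    return HBAC_EVAL_DENY, None


# Constructed sample ACLs (not from any real deployment).
RULES = [
    # Every enrolled host may request the default host/service profile from the "ipa" CA.
    CaAclRule("hosts_default",
              subjects={"host": Element(category={HBAC_CATEGORY_ALL})},
              cas=Element(names={"ipa"}),
              profiles=Element(names={"caIPAserviceCert"})),
    # Members of 'webadmins', and the web server's own service principal,
    # may additionally request the 'webserverCert' profile.
    CaAclRule("web_admins_tls",
              subjects={"user": Element(groups={"webadmins"}),
                        "service": Element(names={"HTTP/web.example.com"})},
              cas=Element(names={"ipa"}),
              profiles=Element(names={"caIPAserviceCert", "webserverCert"})),
    # A disabled rule must never grant access, however broad it is.
    CaAclRule("disabled_catch_all",
              subjects={"user": Element(category={HBAC_CATEGORY_ALL})},
              cas=Element(category={HBAC_CATEGORY_ALL}),
              profiles=Element(category={HBAC_CATEGORY_ALL}),
              enabled=False),
]


if __name__ == "__main__":
    for principal, profile, groups in [
        ("host/db.example.com@EXAMPLE.COM", "caIPAserviceCert", ()),
        ("host/db.example.com@EXAMPLE.COM", "webserverCert", ()),
        ("alice@EXAMPLE.COM", "webserverCert", {"webadmins"}),
        ("alice@EXAMPLE.COM", "webserverCert", ()),
        ("HTTP/web.example.com@EXAMPLE.COM", "webserverCert", ()),
    ]:
        print(principal, profile, evaluate(RULES, principal, "ipa", profile, groups))
```

Because the request only ever carries the one subject kind the principal actually is, a rule that lists no subjects of that kind simply cannot match, which is the point made in the post about never needing to evaluate all three of {user,host,service} at once.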