On 07/12/2016 08:45 AM, Alexander Bokovoy wrote: > On Tue, 12 Jul 2016, Fraser Tweedale wrote: >> Attached patch is a doc change, addressing >> https://fedorahosted.org/freeipa/ticket/6002. >> >> Thanks, >> Fraser > >> From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001 >> From: Fraser Tweedale <ftwee...@redhat.com> >> Date: Tue, 12 Jul 2016 15:11:11 +1000 >> Subject: [PATCH] caacl: expand plugin documentation >> >> Expand the 'caacl' plugin documentation to explain some common >> confusions including the fact that CA ACLs apply to the target >> subject principal (not necessarily the principal requesting the >> cert), and the fact that CA-less CA ACL implies the 'ipa' CA. >> >> Fixes: https://fedorahosted.org/freeipa/ticket/6002 >> --- >> ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------ >> 1 file changed, 28 insertions(+), 6 deletions(-) >> >> diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py >> index >> 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a >> 100644 >> --- a/ipaserver/plugins/caacl.py >> +++ b/ipaserver/plugins/caacl.py 
>> @@ -23,14 +23,36 @@ if six.PY3: >> __doc__ = _(""" >> Manage CA ACL rules. >> >> -This plugin is used to define rules governing which principals are >> -permitted to have certificates issued using a given certificate >> -profile. >> +This plugin is used to define rules governing which CAs and profiles >> +may be used to issue certificates to particular principals or groups >> +of principals. >> >> -PROFILE ID SYNTAX: >> +SUBJECT PRINCIPAL SCOPE: >> >> -A Profile ID is a string without spaces or punctuation starting with >> a letter >> -and followed by a sequence of letters, digits or underscore ("_"). >> +For a certificate request to be allowed, the principal(s) that are >> +the subject of a certificate request (not necessarily the principal >> +actually requesting the certificate) must be included in the scope >> +of a CA ACL that also includes the target CA and profile. >> + >> +Users can be included by name, group or the "all users" category. >> +Hosts can be included by name, hostgroup or the "all hosts" >> +category. Services can be included by service name or the "all >> +services" category. CA ACLs may be associated with a single type of >> +principal, or multiple types. >> + >> +CERTIFICATE AUTHORITY SCOPE: >> + >> +A CA ACL can be associated with one or more CAs by name, or by the >> +"all CAs" category. For compatibility reasons, a CA ACL with no CA >> +association implies an association with the 'ipa' CA (and only this >> +CA). >> + >> +PROFILE SCOPE: >> + >> +A CA ACL can be associated with one or more profiles by Profile ID. >> +The Profile ID is a string without spaces or punctuation starting >> +with a letter and followed by a sequence of letters, digits or >> +underscore ("_"). >> >> EXAMPLES: >> > ACK. Reads well. >
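Review bot: the new SUBJECT PRINCIPAL SCOPE paragraph states the condition under which a request is allowed but never spells out the outcome when no CA ACL covers the subject principal, CA and profile together; since the stated purpose of this change is to clear up common confusions, add one sentence saying what happens in that case (the request is refused, if that is the behaviour), and one saying that the CA ACL check applies in addition to, not instead of, the requesting principal's own authorization to request a certificate for that subject, which is the distinction the commit message calls out. Minor: "the principal(s) that are the subject of a certificate request" reads more simply as "the principal that is the subject of a certificate request".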
Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d

-- Petr Vobornik

-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code