On 4.7.2016 09:06, Fraser Tweedale wrote:
On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote:
#6002: Default CA can be used without an ACL

Comment (by ftweedal):

 This is expected behaviour; if a CA ACL does not reference any CAs,
 and does not have cacat=all, then it is assumed to refer to the
 default CA.  This is for backwards compatibility with existing
 CA ACLs, which do not reference any CAs but did (and still do)
 allow access to IPA CA.

 Leaving open for discussion about whether to break compatibility
 for a more consistent behaviour.

Didn't get any feedback in the ticket yet so raising on list for
visibility.  If people agree with current behaviour I can add a
clarification to caacl plugin help text and close out this ticket.

(Sorry for the late reply, I was on vacation the last 2 weeks.)

I would very much prefer if this was consistent with (literally) every other member list+category attribute, that is, no member and no category means the rule never matches.

While documenting this as an exception to the above rule is the easy way out, IMHO adhering to the rule is even better - anyone who touched HBAC or sudo in IPA would immediately know their way around CA ACLs without having to read the documentation at all, which is a win, because people don't generally read documentation until something goes wrong. The current behavior might surprise them, even if documented properly (it sure surprised me at first :-).

BTW I think this can be done without breaking compatibility, e.g. by using a new objectclass to distinguish between "old" (CA is always implicitly the top-level CA) and "new" (CAs are specified using the member and category attributes) CA ACLs.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to