On 4.7.2016 09:06, Fraser Tweedale wrote:
On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote:
#6002: Default CA can be used without an ACL
Comment (by ftweedal):
This is expected behaviour; if a CA ACL does not reference any CAs,
and does not have cacat=all, then it is assumed to refer to the
default CA. This is for backwards compatibility with existing
CA ACLs, which do not reference any CAs but did (and still do)
allow access to IPA CA.
Leaving open for discussion about whether to break compatibility
for a more consistent behaviour.
Didn't get any feedback in the ticket yet so raising on list for
visibility. If people agree with current behaviour I can add a
clarification to caacl plugin help text and close out this ticket.
(Sorry for the late reply, I was on vacation the last 2 weeks.)
I would very much prefer if this was consistent with (literally) every
other member list+category attribute, that is, no member and no category
means the rule never matches.
While documenting this as an exception to the above rule is the easy way
out, IMHO adhering to the rule is even better - anyone who touched HBAC
or sudo in IPA would immediately know their way around CA ACLs without
having to read the documentation at all, which is a win, because people
don't generally read documentation until something goes wrong. The
current behavior might surprise them, even if documented properly (it
sure surprised me at first :-).
BTW I think this can be done without breaking compatibility, e.g. by
using a new objectclass to distinguish between "old" (CA is always
implicitly the top-level CA) and "new" (CAs are specified using the
member and category attributes) CA ACLs.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code