Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-18 Thread Fraser Tweedale
On Mon, Jul 18, 2016 at 09:55:21AM +0200, Martin Basti wrote:
> 
> 
> On 13.07.2016 18:34, Petr Vobornik wrote:
> > On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:
> > > On Tue, 12 Jul 2016, Fraser Tweedale wrote:
> > > > Attached patch is a doc change, addressing
> > > > https://fedorahosted.org/freeipa/ticket/6002.
> > > > 
> > > > Thanks,
> > > > Fraser
> > > >  From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
> > > > From: Fraser Tweedale 
> > > > Date: Tue, 12 Jul 2016 15:11:11 +1000
> > > > Subject: [PATCH] caacl: expand plugin documentation
> > > > 
> > > > Expand the 'caacl' plugin documentation to explain some common
> > > > confusions including the fact that CA ACLs apply to the target
> > > > subject principal (not necessarily the principal requesting the
> > > > cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
> > > > 
> > > > Fixes: https://fedorahosted.org/freeipa/ticket/6002
> > > > ---
> > > > ipaserver/plugins/caacl.py | 34 --
> > > > 1 file changed, 28 insertions(+), 6 deletions(-)
> > > > 
> > > > diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
> > > > index
> > > > 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
> > > > 100644
> > > > --- a/ipaserver/plugins/caacl.py
> > > > +++ b/ipaserver/plugins/caacl.py
> > > > @@ -23,14 +23,36 @@ if six.PY3:
> > > > __doc__ = _("""
> > > > Manage CA ACL rules.
> > > > 
> > > > -This plugin is used to define rules governing which principals are
> > > > -permitted to have certificates issued using a given certificate
> > > > -profile.
> > > > +This plugin is used to define rules governing which CAs and profiles
> > > > +may be used to issue certificates to particular principals or groups
> > > > +of principals.
> > > > 
> > > > -PROFILE ID SYNTAX:
> > > > +SUBJECT PRINCIPAL SCOPE:
> > > > 
> > > > -A Profile ID is a string without spaces or punctuation starting with
> > > > a letter
> > > > -and followed by a sequence of letters, digits or underscore ("_").
> > > > +For a certificate request to be allowed, the principal(s) that are
> > > > +the subject of a certificate request (not necessarily the principal
> > > > +actually requesting the certificate) must be included in the scope
> > > > +of a CA ACL that also includes the target CA and profile.
> > > > +
> > > > +Users can be included by name, group or the "all users" category.
> > > > +Hosts can be included by name, hostgroup or the "all hosts"
> > > > +category.  Services can be included by service name or the "all
> > > > +services" category.  CA ACLs may be associated with a single type of
> > > > +principal, or multiple types.
> > > > +
> > > > +CERTIFICATE AUTHORITY SCOPE:
> > > > +
> > > > +A CA ACL can be associated with one or more CAs by name, or by the
> > > > +"all CAs" category.  For compatibility reasons, a CA ACL with no CA
> > > > +association implies an association with the 'ipa' CA (and only this
> > > > +CA).
> > > > +
> > > > +PROFILE SCOPE:
> > > > +
> > > > +A CA ACL can be associated with one or more profiles by Profile ID.
> > > > +The Profile ID is a string without spaces or punctuation starting
> > > > +with a letter and followed by a sequence of letters, digits or
> > > > +underscore ("_").
> > > > 
> > > > EXAMPLES:
> > > > 
> > > ACK. Reads well.
> > > 
> > Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d
> > 
> Please note for the future that long strings should be split, to make life
> easier for translators
> 
> http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings
> 
> Martin^2
>
I see; thanks for pointing this out Martin.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-18 Thread Martin Basti



On 13.07.2016 18:34, Petr Vobornik wrote:

On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:

On Tue, 12 Jul 2016, Fraser Tweedale wrote:

Attached patch is a doc change, addressing
https://fedorahosted.org/freeipa/ticket/6002.

Thanks,
Fraser
 From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation

Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
---
ipaserver/plugins/caacl.py | 34 --
1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index
9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
__doc__ = _("""
Manage CA ACL rules.

-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.

-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:

-A Profile ID is a string without spaces or punctuation starting with
a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").

EXAMPLES:


ACK. Reads well.


Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d

Please note for the future that long strings should be split, to make
life easier for translators


http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings

Martin^2



Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-13 Thread Petr Vobornik
On 07/12/2016 08:45 AM, Alexander Bokovoy wrote:
> On Tue, 12 Jul 2016, Fraser Tweedale wrote:
>> Attached patch is a doc change, addressing
>> https://fedorahosted.org/freeipa/ticket/6002.
>>
>> Thanks,
>> Fraser
> 
>> From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale 
>> Date: Tue, 12 Jul 2016 15:11:11 +1000
>> Subject: [PATCH] caacl: expand plugin documentation
>>
>> Expand the 'caacl' plugin documentation to explain some common
>> confusions including the fact that CA ACLs apply to the target
>> subject principal (not necessarily the principal requesting the
>> cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/6002
>> ---
>> ipaserver/plugins/caacl.py | 34 --
>> 1 file changed, 28 insertions(+), 6 deletions(-)
>>
>> diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
>> index
>> 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
>> 100644
>> --- a/ipaserver/plugins/caacl.py
>> +++ b/ipaserver/plugins/caacl.py
>> @@ -23,14 +23,36 @@ if six.PY3:
>> __doc__ = _("""
>> Manage CA ACL rules.
>>
>> -This plugin is used to define rules governing which principals are
>> -permitted to have certificates issued using a given certificate
>> -profile.
>> +This plugin is used to define rules governing which CAs and profiles
>> +may be used to issue certificates to particular principals or groups
>> +of principals.
>>
>> -PROFILE ID SYNTAX:
>> +SUBJECT PRINCIPAL SCOPE:
>>
>> -A Profile ID is a string without spaces or punctuation starting with
>> a letter
>> -and followed by a sequence of letters, digits or underscore ("_").
>> +For a certificate request to be allowed, the principal(s) that are
>> +the subject of a certificate request (not necessarily the principal
>> +actually requesting the certificate) must be included in the scope
>> +of a CA ACL that also includes the target CA and profile.
>> +
>> +Users can be included by name, group or the "all users" category.
>> +Hosts can be included by name, hostgroup or the "all hosts"
>> +category.  Services can be included by service name or the "all
>> +services" category.  CA ACLs may be associated with a single type of
>> +principal, or multiple types.
>> +
>> +CERTIFICATE AUTHORITY SCOPE:
>> +
>> +A CA ACL can be associated with one or more CAs by name, or by the
>> +"all CAs" category.  For compatibility reasons, a CA ACL with no CA
>> +association implies an association with the 'ipa' CA (and only this
>> +CA).
>> +
>> +PROFILE SCOPE:
>> +
>> +A CA ACL can be associated with one or more profiles by Profile ID.
>> +The Profile ID is a string without spaces or punctuation starting
>> +with a letter and followed by a sequence of letters, digits or
>> +underscore ("_").
>>
>> EXAMPLES:
>>
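Review bot: the second paragraph of SUBJECT PRINCIPAL SCOPE is asymmetric about services. Users can be included by "name, group" and hosts by "name, hostgroup", but services only by "service name" or the "all services" category. If services have no group-based inclusion, say so in that sentence, so the omission does not read as an oversight in the documentation.
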
> ACK. Reads well.
> 

Pushed to master: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-12 Thread Alexander Bokovoy

On Tue, 12 Jul 2016, Fraser Tweedale wrote:

Attached patch is a doc change, addressing
https://fedorahosted.org/freeipa/ticket/6002.

Thanks,
Fraser



From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation

Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
---
ipaserver/plugins/caacl.py | 34 --
1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 
9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
__doc__ = _("""
Manage CA ACL rules.

-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.

-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:

-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").

EXAMPLES:


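Review bot: PROFILE SCOPE does not say what a CA ACL with no profile association matches, while CERTIFICATE AUTHORITY SCOPE spells out both the "all CAs" category and the CA-less default ('ipa' CA and only this CA). Add the corresponding sentence for profiles, covering whether a profile category exists and what an ACL without a profile permits, so readers do not assume the CA default carries over to profiles.
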
ACK. Reads well.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation

2016-07-11 Thread Fraser Tweedale
Attached patch is a doc change, addressing
https://fedorahosted.org/freeipa/ticket/6002.

Thanks,
Fraser
From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation

Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
---
 ipaserver/plugins/caacl.py | 34 --
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 
9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a
 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
 __doc__ = _("""
 Manage CA ACL rules.
 
-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.
 
-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:
 
-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").
 
 EXAMPLES:
 
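Review bot: the first paragraph of SUBJECT PRINCIPAL SCOPE leaves the multi-principal case ambiguous. It says "the principal(s) that are the subject of a certificate request ... must be included in the scope of a CA ACL", which does not tell the reader whether a single CA ACL has to cover every subject principal together with the target CA and profile, or whether each principal may be matched by a different CA ACL. Since the commit message says the text is meant to clear up common confusions, state which of the two applies.
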
-- 
2.5.5
