freeipa

IntenseWebs/freeipa

Fork 0

mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-29 10:21:18 -06:00

Commit Graph

Author	SHA1	Message	Date
Fraser Tweedale	947af1a037	Enforce CA ACLs in cert-request command This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>	2015-06-11 10:50:31 +00:00
Fraser Tweedale	bc0c606885	Add CA ACL plugin Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>	2015-06-11 10:50:31 +00:00

Author

SHA1

Message

Date

Fraser Tweedale

947af1a037

Enforce CA ACLs in cert-request command

This commit adds CA ACL enforcement to the cert-request command and
uses the pyhbac machinery.

It is planned to implement ACL enforcement in Dogtag in a future
release, and remove certificate issuance privileges and CA ACL
enforcement responsibility from the framework.  See
https://fedorahosted.org/freeipa/ticket/5011 for more information.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>

2015-06-11 10:50:31 +00:00

Fraser Tweedale

bc0c606885

Add CA ACL plugin

Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.

Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>

2015-06-11 10:50:31 +00:00

2 Commits