summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/caacl.py
Commit message (Collapse)AuthorAgeFilesLines
* Add profiles and default CA ACL on migrationFraser Tweedale2015-11-241-0/+8
| | | | | | | | | | | | | | | | | | | | Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* caacl: fix incorrect construction of HbacRequest for hostsFraser Tweedale2015-07-081-3/+4
| | | | | | | | The _acl_make_request function is using the 'host/' prefix itself instead of the hostname after it. Use split_any_principal to do the splitting correctly, also taking realm into account. Reviewed-By: David Kupka <dkupka@redhat.com>
* Enforce CA ACLs in cert-request commandFraser Tweedale2015-06-111-0/+76
| | | | | | | | | | | | | | | This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add CA ACL pluginFraser Tweedale2015-06-111-0/+477
Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-31 15:39:57 +0000