From 39fdccd9216c7a58ba48ed2226a5588a4f19da51 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation
403b09
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
403b09
Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
403b09
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7efb9e554abcb8dd2946eea73065c93414..1461c4814727e5774219ac206bab3d078f2daa7d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
 __doc__ = _("""
 Manage CA ACL rules.
 
-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.
 
-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:
 
-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").
 
 EXAMPLES:
 
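Review bot: the new SUBJECT PRINCIPAL SCOPE and CERTIFICATE AUTHORITY SCOPE paragraphs describe the "all users", "all hosts", "all services" and "all CAs" categories in prose only, with no pointer to the command options that set them; consider naming the corresponding caacl options next to each category so a reader can map the text to the CLI. The sentence "not necessarily the principal actually requesting the certificate" is the key point of this change (the ACL is evaluated against the subject, not the requester), and it would help to state in the same paragraph that who may request a certificate on another principal's behalf is controlled separately from CA ACLs, so the reader does not take CA ACLs for a requester-side permission check. The compatibility note "a CA ACL with no CA association implies an association with the 'ipa' CA (and only this CA)" is clear as written.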
-- 
2.4.3