
ca-del: require CA to already be disabled #415

Conversation

frasertweedale
Contributor

Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete. A user with delete permission does not necessarily have
modify permission.

As we move toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation would fail if the user does not have modify
permission. Although it introduces an additional step for
administrators, the process is consistent, required permissions are
clear, and errors are human-friendly.

Part of: https://fedorahosted.org/freeipa/ticket/5011

freeipa-devel discussion: https://www.redhat.com/archives/freeipa-devel/2017-January/msg00435.html
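As an added illustration of the permission split argued for above (not FreeIPA code; the store and user representation are a hypothetical model), the following Python compares the old implicit disable-then-delete with the proposed "must already be disabled" check for a user who holds only the delete permission, including the invalid command order that the tests were asked to cover:

```python
# Added example, not FreeIPA code: a toy model of the permission split the PR argues for.
# A CA is a dict {"enabled": bool}; a user is a set of permission names (hypothetical model).

class PermissionDenied(Exception):
    """Caller lacks the permission the operation requires."""

class CaStillEnabled(Exception):
    """New ca-del refuses to delete a CA that has not been disabled first."""

def _require(user: set, perm: str) -> None:
    if perm not in user:
        raise PermissionDenied(f"missing '{perm}' permission")

def ca_disable(store: dict, user: set, name: str) -> None:
    """ca-disable modifies the entry, so it needs 'modify'."""
    _require(user, "modify")
    store[name]["enabled"] = False

def ca_del_old(store: dict, user: set, name: str) -> None:
    """Pre-PR behaviour: implicitly disable, then delete.
    The implicit disable requires 'modify', so a delete-only user fails."""
    ca_disable(store, user, name)
    _require(user, "delete")
    del store[name]

def ca_del_new(store: dict, user: set, name: str) -> None:
    """Post-PR behaviour: only 'delete' is checked, but the CA must already be disabled."""
    _require(user, "delete")
    if store[name]["enabled"]:
        raise CaStillEnabled(f"CA '{name}' must be disabled before deletion")
    del store[name]

def run_scenario(use_new: bool, disable_first: bool) -> str:
    """Outcome when a delete-only user deletes 'sub-ca', optionally after an admin disabled it."""
    store = {"sub-ca": {"enabled": True}}          # constructed sample data
    admin, deleter = {"modify", "delete"}, {"delete"}
    if disable_first:
        ca_disable(store, admin, "sub-ca")
    try:
        (ca_del_new if use_new else ca_del_old)(store, deleter, "sub-ca")
    except (PermissionDenied, CaStillEnabled) as exc:
        return type(exc).__name__
    return "deleted"
```

With the old behaviour the delete-only user is refused even when an administrator has already disabled the CA; with the new behaviour the same user succeeds after the disable and gets a clear CaStillEnabled error when the commands are run in the wrong order.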

@apophys
Contributor

apophys commented Jan 31, 2017

Could you please extend the tests with the invalid order of the commands on a ca entry?

@apophys apophys self-assigned this Jan 31, 2017
@frasertweedale frasertweedale force-pushed the feature/5011-ca-del-disable-first branch from 8ce4a54 to ebfbdbf on February 1, 2017 01:17
@frasertweedale
Contributor Author

@apophys done; PR updated.

@frasertweedale
Contributor Author

Shelving this PR for now. It might get resurrected later. Discussion:
https://www.redhat.com/archives/freeipa-devel/2017-February/msg00150.html
