[Freeipa-devel] [freeipa PR#299][opened] Remove "Request Certificate with SubjectAltName" permission

frasertweedale freeipa-github-notification at redhat.com
Fri Dec 2 06:48:21 UTC 2016


   URL: https://github.com/freeipa/freeipa/pull/299
Author: frasertweedale
 Title: #299: Remove "Request Certificate with SubjectAltName" permission
Action: opened

PR body:
"""
Fixes: https://fedorahosted.org/freeipa/ticket/6526

*Note: the ticket hasn't been triaged or even agreed to.  But here is the code
^_^*

subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents against
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/299/head:pr299
git checkout pr299
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-299.patch
Type: text/x-diff
Size: 3049 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161202/729f345e/attachment.bin>

