5ab24dd ca-del: require CA to already be disabled

3 files. Authored by ftweedal 3 years ago, committed by rcritten 3 years ago.
    ca-del: require CA to already be disabled
    
    Currently ca-del disables the target CA before deleting it.
    Conceptually, this involves two separate permissions: modify and
    delete.  A user with delete permission does not necessarily have
    modify permission.
    
    As we head toward enforcing IPA permissions in Dogtag, it is
    necessary to decouple disablement from deletion, otherwise the
    disable operation shall fail if the user does not have modify
    permission.  Although it introduces an additional step for
    administrators, the process is consistent, required permissions map
    1:1 to the operations, and the error messages make it clear what
    needs to happen (i.e. disable first).
    
    Part of: https://fedorahosted.org/freeipa/ticket/5011
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+6 -1