I noticed that the virtual operation "cn=request certificate different host,cn=virtual operations,cn=etc" and permission "Request Certificates from a different host" are defined but never used in an access check. Are they relics from old versions or available for future use?
Metadata Update from @pvoborni: - Issue set to the milestone: Future Releases
@ftweedal Could you have a look, please?
AFAIR it was a future-looking feature added eons ago. The idea was a separate virtual op to allow doing cert requests.
Looks like it was added here: 453a19f
So yeah I think it's available.
I think we can / should remove it. There is another ticket for extending CA ACLs to handle operator authorisation, e.g.: users in group webadmin can issue certs to hosts in hostgroups webservers1. It is https://pagure.io/freeipa/issue/6424.
This will subsume the above permission and support more fine-grained policies.
If we have a use case for the above permission, it is probably time to implement ticket 6462 instead.