#8060 CA revocation ACLs
Opened 5 years ago by ftweedal. Modified 5 years ago

Clone of https://bugzilla.redhat.com/show_bug.cgi?id=1730372.

Description of problem:
I'd like the ability to let an ipa usergroup manage certificates in a subdomain they own.  

I'm aware of caacls and profiles.  Best I can tell, that doesn't meet my revocation needs and I'm meeting the issuing needs in other ways.

We are doing things like the following.  It is giving teams the ability to manage their own certs without us having to add extra profiles or sub-cas.  

[dminnich@dminnichlt ~]$ ipa permission-show ARBAC_testgroup_hosts
  Permission name: ARBAC_testgroup_hosts
  Granted rights: all
  Effective attributes: description, fqdn, ipaSshPubKey, ipaallowedtoperform;read_keys, ipaallowedtoperform;write_keys, krbPwdPolicyReference, krbTicketFlags, krbcanonicalname, krbprincipalauthind,
                        krbprincipalname, l, macaddress, managedby, nshardwareplatform, nshostlocation, nsosversion, objectClass, userPassword, usercertificate, userclass
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=ipa,dc=redhat,dc=com
  Extra target filter: (&(objectClass=ipahost)(|(fqdn=*.rbactest1a.example.com)(fqdn=*.rbactest1b.example.com)))
  Permission flags: SYSTEM, V2
  Granted to Privilege: ARBAC_testgroup
  Indirect Member of roles: ARBAC_testgroup


[dminnich@dminnichlt ~]$ ipa permission-show ARBAC_testgroup_dnszone_rbactest1a.example.com
  Permission name: ARBAC_testgroup_dnszone_rbactest1a.example.com
  Granted rights: all
  Effective attributes: a6record, aaaarecord, afsdbrecord, arecord, certrecord, cnamerecord, dNSTTL, dNSdefaultTTL, dlvrecord, dnamerecord, dsrecord, idnsAllowDynUpdate, idnsAllowSyncPTR, idnsUpdatePolicy,
                        idnsallowquery, idnsallowtransfer, idnsforwarders, idnsforwardpolicy, idnssecinlinesigning, idnssoaexpire, idnssoaminimum, idnssoamname, idnssoarefresh, idnssoaretry, idnssoarname,
                        idnssoaserial, idnszoneactive, kxrecord, locrecord, mxrecord, nSEC3PARAMRecord, naptrrecord, nsrecord, ptrrecord, srvrecord, sshfprecord, tlsarecord, txtrecord, urirecord
  Bind rule type: permission
  Subtree: idnsname=rbactest1a.example.com.,cn=dns,dc=ipa,dc=redhat,dc=com
  Extra target filter: (|(objectClass=idnsrecord)(objectClass=idnszone))
  Permission flags: SYSTEM, V2
  Granted to Privilege: ARBAC_testgroup
  Indirect Member of roles: ARBAC_testgroup


Basically, this allows people in ARBAC_testgroup to create a new host in the rbactest1a.example.com subdomain they own.  Then once they enroll the host they can auth using its /etc/krb5.keytab to get a cert for its hostname.  They can also use that /etc/krb5.keytab to revoke a cert for that host.

For ease of automation, and in case the server is deleted from rhev/aws/whatever and not in IPA, it would be nice if a service account in the ARBAC_testgroup could issue and revoke certs for only rbactest1a.example.com directly, instead of having to use the host auth and without having to grant wider-sweeping "Revoke Certificate" permissions to the group.

Note this is similar to the requirement for operator authorisation in CA ACLs (https://pagure.io/freeipa/issue/6424).
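As an added illustration (not FreeIPA's code), this is the scope check a subdomain-limited revocation ACL would have to make: the fqdn wildcards are pulled from the target filter of the ARBAC_testgroup_hosts permission shown above, and the "every name on the cert must be in scope" policy and the function names are assumptions for the example.

```python
import re
from typing import Iterable

# Constructed input: the target filter of the ARBAC_testgroup_hosts permission above.
HOSTS_FILTER = ("(&(objectClass=ipahost)"
                "(|(fqdn=*.rbactest1a.example.com)(fqdn=*.rbactest1b.example.com)))")


def fqdn_patterns_from_filter(ldap_filter: str) -> list:
    """Pull the fqdn=... wildcard values out of a permission's LDAP target filter."""
    return re.findall(r"\(fqdn=([^()]+)\)", ldap_filter)


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """Match one 'fqdn=*.zone' wildcard against a hostname.

    Only the leading '*.' form used in the filter is handled. The comparison is
    case-insensitive, ignores a trailing dot, and requires a label boundary so
    that 'web.rbactest1a.example.com.attacker.test' and the zone apex itself are
    both rejected. As in an LDAP substring match, '*' may span several labels.
    """
    fqdn = fqdn.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        zone = pattern[2:]
        return len(fqdn) > len(zone) + 1 and fqdn.endswith("." + zone)
    return fqdn == pattern


def may_revoke(cert_hostnames: Iterable[str], ldap_filter: str) -> bool:
    """Decide whether a group scoped by ldap_filter may revoke a certificate.

    Assumed policy (hypothetical, not FreeIPA's): every hostname the certificate
    covers must lie in an owned subdomain, so a certificate that also names a
    host outside the scope is not revocable by the group, and a certificate
    with no hostnames is denied by default.
    """
    names = list(cert_hostnames)
    patterns = fqdn_patterns_from_filter(ldap_filter)
    if not names or not patterns:
        return False
    return all(any(fqdn_matches(p, n) for p in patterns) for n in names)


if __name__ == "__main__":
    print(may_revoke(["web01.rbactest1a.example.com"], HOSTS_FILTER))  # True
    print(may_revoke(["web01.ipa.redhat.com"], HOSTS_FILTER))         # False
```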


Metadata Update from @ftweedal:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1730372

5 years ago

Metadata Update from @pcech:
- Issue tagged with: Falcon

5 years ago
