On 9.6.2016 08:31, Fraser Tweedale wrote:
On Thu, Jun 09, 2016 at 07:49:51AM +0200, Jan Cholasta wrote:
On 9.6.2016 06:07, Fraser Tweedale wrote:
Updated patches 0053-6 and 0054-6 attached. Comments inline.
On Wed, Jun 08, 2016 at 10:31:07AM +0200, Jan Cholasta wrote:
The target of the "Dogtag service principals can search Custodia keys" ACI
matches keys in the top-level Custodia container, but not in the Dogtag
container. Is this intentional?
ACI applies to all entries under the 'cn=custodia' tree, not only
the entries directly under it.
You are right:
Mea culpa, I thought the target matching behavior was simpler than this.
Anyway, could the ACI be tightened to allow access only to the Dogtag
Dogtag does need access to the host Custodia keys.
I see, the ACI is OK then.
I'm not sure how
to tighten the ACI to prevent access to "deeper" levels. In any
case they're all public keys and it's read only access, so I don't
think it's an issue.
It seems the `servicename`+`host` and `principal` arguments of set_key() are
carrying the same information, could you remove one of them?
OK, just `principal` now.
1) Please use ipalib.config to read IPA configuration in
from ipalib.config import Env
env = Env(in_server=True)
hostname = env.host
realm = env.realm
I have implemented this; it was necessary to also call
Right. I wrote the above snippet off the top of my head, hence the omission.
2) I'm curious why you changed the key name from "ca/$NAME" to
"ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped?
The payload of the `ca_wrapped` Custodia store is a
PKIArchiveOptions object wrapped by the main CA's private key.
(This payload is then encrypted by Custodia, as all Custodia
See my patch 0056  for implementation details.
Wow, I totally missed patch 0055 and 0056!
No worries; easily done because I sent more emails with fewer,
largely independent patches.
3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would
expect a minimum required version bump in the spec file.
Indeed; I added this in latest patches.
Thanks. ACK if the ACI in patch 52 does not need tightening.
Thanks for reviewing!
Pushed to master: b0d9a4728f0dc78e2bbde344beac17ae50b847a9
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code