Hi Fraser,
I have some rather inane comments. I guess Jan cholasta will do a more
thorough review of your design. See below:
On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
Hi comrades,
I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design. The goal is improve security by
removing an egregious privilege separation violation: the RA Agent
cert.
There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects. The design is at:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
first of all, you link a internal document from publicly available
design page. you should prepare a publicly visible version of the
Dogtag-side design and link that.
It would also be nice to have a high-level graphical representation of
the proposed CSR processing workflow. I think you can re-use the one
that is in the Dogtag part, omit the Dogtag internals and add
IPA-specific parts.
Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).
Is the DL bump really necessary? Are you sure we really can not just
update the profile configuration and let older Dogtag installation
handle it gracefully? IIRC we have done some profile inclusion work in
4.2 development and on and never really bothered about older Dogtag
understanding them.
Anyway I guess we can call `certprofile-import' to load
ExternalProcessConstraint-enabled profile upon setting domain level to
2, we just have to know where on the FS it is located.
Of course, any other general or specific feedback is welcome.
Thanks,
Fraser
So if I understand correctly there will be no change in CA ACL
management interface and only the code which evaluates them will be
factored out into 'ipa-pki-validate-cert-request' command? Also,
wouldn't it simpler if the CA ACL evaluation was delegated to a separate
API command instead? ExternalProcessConstraint would then only ask IPA
JSON api and process the response.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
