ningyougang commented on a change in pull request #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#discussion_r134138730
 
 

 ##########
 File path: ansible/roles/nginx/files/genssl.sh
 ##########
 @@ -56,7 +56,7 @@ else
     openssl req -new \
     -key "$SCRIPTDIR/openwhisk-client-key.pem" \
     -passin pass:$PASSWORD \
-    -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=guest" \
+    -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=whisk.system" \
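 
Review bot: The new `-subj` value hardcodes `CN=whisk.system` on the certificate request made with `openwhisk-client-key.pem`, and nothing in the hunk records why the subject moved away from `guest`. Add a comment above the `openssl req` call stating which identity this certificate is meant for, and consider taking the CN from a variable so that a `guest` certificate can still be generated alongside the `whisk.system` one instead of being replaced by it. While touching this call, note that `-passin pass:$PASSWORD` in the context lines expands unquoted; writing it as `-passin "pass:$PASSWORD"` keeps a password containing spaces or glob characters intact.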
 
 Review comment:
   * Why make this change?
   answer: the `guest` user has no permission to do the action: `$WSK_CLI -i --apihost "$APIHOST" package update $AUTH  --shared no "$NAMESPACE/apimgmt"`, so I should change `guest` to `whisk.system`.
   * Is it to install catalog?
   answer: I added the below configuration to `ansible/group_vars/all`
   ```
   # The catalog_cert_file and catalog_key_file are used to authenticate the openwhisk service when nginx ssl configuration is opened.
   catalog_cert_file: "{{ openwhisk_home }}/ansible/roles/nginx/files/openwhisk-client-cert.pem"
   catalog_key_file: "{{ openwhisk_home }}/ansible/roles/nginx/files/openwhisk-client-key.pem"
   ```
   I just followed the below style in `ansible/group_vars/all`, which will be used in `installRouteMgmt.sh`
   ```
   # The catalog_auth_key is used to determine the secret key to authenticate the openwhisk service.
   # The value for this variable can be set to either the secret key itself or the file, which
   # saves the secret key.
   # By default, we take the key from {{ openwhisk_home }}/ansible/files/auth.whisk.system.
   catalog_auth_key: "{{ openwhisk_home }}/ansible/files/auth.whisk.system"
   ```
   So it is used to install standard actions by passing the client certificate when using a client certificate to auth.
   
   * Do we need to generate two?
   Generating `CN=whisk.system` is enough.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
