Hi Cho,
the "Condition::Approved" module is wiring the input as "AND" so as you
already observed this does not fit your needs. You have to create two
conditions, e.g. "is_approved_by_sa" and "is_approved_by_ra" and then use
the nested "LazyOR" condition to merge them together.
If you need a more sophisticated Multi-Role / Multi-Tenant setup you
might consider getting an EE license, there is a nice set of modules for
such cases :D
Oliver
On 19.08.24 23:22, Cho Chan wrote:
Hello list,
I am trying to create a custom role (like 'SA Operator') to be used
only for signing/revoking/searching certificates.
My steps are:
1. Create a custom role in
'/etc/openxpki/config.d/realm/testca/roles.yaml'
2. Create proper connector, handler and stack for the custom role
3. Create '/etc/openxpki/config.d/realm/testca/uicontrol/SA Operator'
directory with configs for needed menus/actions
4. Add the role to the 'acl' object in the needed workflows in
'/etc/openxpki/config.d/realm/testca/workflow/def'
- certificate_signing_request_v2.yaml
- certificate_revocation_request_v2.yaml
- metadata workflows
- etc.
For now I am able to login with a user mapped to the custom 'SA
Operator' role. I can see all the defined menus, I can search for
certificates, I can see workflows, I can check CSR(s), but I am having
problems when the user has to approve/reject a certificate.
My tests are:
1. A user mapped to 'User' role uploads a CSR -> workflow goes to PENDING
2. A user mapped to 'SA Operator' role goes to My Tasks and sees the
PENDING task/workflow
- when they open the task -> only the recheck status button is visible
After some troubleshooting I found out that I have to add the custom
role in
'/etc/openxpki/config.d/realm/testca/workflow/global/condition/is_operator.yaml'.
After that the user is able to see also the buttons for
approve/reject, edit custom metadata, etc.
- when the user clicks on the Approve button -> nothing happens
In the logs I am seeing:
2024/08/19 15:10:07 openxpki.application.INFO Unsigned approval for workflow 6911 by user XXXXXXXXX, role SA Operator [pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]
2024/08/19 15:10:07 openxpki.audit.approval.INFO operator approval givenHASH(0x55d238cbe028) [pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]
I did a little digging in 'certificate_signing_request_v2.yaml'
workflow and found out
CHECK_APPROVALS:
    autorun: 1
    action:
      - notify_approval > APPROVED ? is_approved
      - global_noop > NOTIFY_CSR_PENDING ? !is_approved
condition:
    # If you want a 4-eyes approval, just add a second "RA Operator"
    # e.g. "role: RA Operator, RA Operator" - you should add also
    # add current approval count to the output in the relevant states
    is_approved:
        class: OpenXPKI::Server::Workflow::Condition::Approved
        param:
            role: RA Operator
When I change the role to be 'SA Operator' -> user is able to approve
the request, but then a user mapped to 'RA Operator' role is not able
to approve the request.
Is there a way I can make it work for users mapped to 'RA
Operator' OR 'SA Operator' roles?
Regards,
Cho
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
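Below is an added example, not code from Oliver's reply or from the OpenXPKI distribution, of how the condition block Cho quoted could be rewritten along the lines Oliver describes: one Approved condition per role, merged with LazyOR. It assumes that LazyOR takes the referenced conditions as parameters named condition1, condition2, ... (the convention of the Workflow LazyAND/LazyOR conditions); check the POD of OpenXPKI::Server::Workflow::Condition::LazyOR before relying on it.

```yaml
# Added example for certificate_signing_request_v2.yaml (not the shipped file).
# The state definition is unchanged; only is_approved is split into two
# per-role conditions and an OR over them.
state:
    CHECK_APPROVALS:
        autorun: 1
        action:
          - notify_approval > APPROVED ? is_approved
          - global_noop > NOTIFY_CSR_PENDING ? !is_approved

condition:
    # Approved ANDs all roles listed in "role", so give each role its own condition.
    is_approved_by_ra:
        class: OpenXPKI::Server::Workflow::Condition::Approved
        param:
            role: RA Operator

    is_approved_by_sa:
        class: OpenXPKI::Server::Workflow::Condition::Approved
        param:
            role: SA Operator

    # True as soon as one of the referenced conditions is true; the remaining
    # conditions are not evaluated. Parameter names condition1/condition2 are
    # assumed from the LazyAND/LazyOR convention, verify against the class POD.
    is_approved:
        class: OpenXPKI::Server::Workflow::Condition::LazyOR
        param:
            condition1: is_approved_by_ra
            condition2: is_approved_by_sa
```

Note that with this OR a single approval from either role is enough to move the request to APPROVED; the 4-eyes variant mentioned in the file's comment would have to be applied inside each per-role branch.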