Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
On 10/09/2009 06:48 AM, Jenny Galipeau wrote: Rob Crittenden wrote: Jenny Galipeau wrote: John Dennis wrote: On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? yes Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. Well, looking at errors.py it looks like it should be an ExecutionError in the 4000-4999 range. How about adding UnableToCompleteCertificateOperation as a generic error for any certificate operation we can't run to completion, It would also be nice to reference the log, as in "Please see mylog.log for details." Well, this is a pretty common, generic problem. We don't want to give too many specifics to a client. The assumption is that they'll go bug their administrator. Ah yes ... forgot it was the client! We could add the "See your system administrator" but that is truly annoying when you're the administrator trying to debug the problem. I myself have shouted any number of time "But I *am* the %...@!@ system administrator" when presented with similar messages on other systems. :-) hehe ... I guess it is most likely that an admin will be running the ipa join command - true? Some places may have lower-level helpdesk folks go around to install and join systems. These helpdesk techs would not have privileged access to the IPA system usually. What we'll have to do is document somewhere that tracebacks can be found in the Apache error log. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
Rob Crittenden wrote: Jenny Galipeau wrote: John Dennis wrote: On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? yes Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. Well, looking at errors.py it looks like it should be an ExecutionError in the 4000-4999 range. How about adding UnableToCompleteCertificateOperation as a generic error for any certificate operation we can't run to completion, It would also be nice to reference the log, as in "Please see mylog.log for details." Well, this is a pretty common, generic problem. We don't want to give too many specifics to a client. The assumption is that they'll go bug their administrator. Ah yes ... forgot it was the client! We could add the "See your system administrator" but that is truly annoying when you're the administrator trying to debug the problem. I myself have shouted any number of time "But I *am* the %...@!@ system administrator" when presented with similar messages on other systems. :-) hehe ... I guess it is most likely that an admin will be running the ipa join command - true? What we'll have to do is document somewhere that tracebacks can be found in the Apache error log. rob -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
Jenny Galipeau wrote: John Dennis wrote: On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? yes Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. Well, looking at errors.py it looks like it should be an ExecutionError in the 4000-4999 range. How about adding UnableToCompleteCertificateOperation as a generic error for any certificate operation we can't run to completion, It would also be nice to reference the log, as in "Please see mylog.log for details." Well, this is a pretty common, generic problem. We don't want to give too many specifics to a client. The assumption is that they'll go bug their administrator. We could add the "See your system administrator" but that is truly annoying when you're the administrator trying to debug the problem. I myself have shouted any number of time "But I *am* the %...@!@ system administrator" when presented with similar messages on other systems. What we'll have to do is document somewhere that tracebacks can be found in the Apache error log. rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
John Dennis wrote: On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? yes Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. Well, looking at errors.py it looks like it should be an ExecutionError in the 4000-4999 range. How about adding UnableToCompleteCertificateOperation as a generic error for any certificate operation we can't run to completion, It would also be nice to reference the log, as in "Please see mylog.log for details." then do a log.error message with the specific failure. The errno associated with UnableToCompleteCertificateOperation can be returned whenever we hit some unexpected error related to certificate operations, it will be generic enough to cover a range of cases without exposing the reason for the fault and the server log file will contain the detail. How does that sound? -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
On 10/08/2009 05:22 PM, Rob Crittenden wrote: John Dennis wrote: Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? yes Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. Well, looking at errors.py it looks like it should be an ExecutionError in the 4000-4999 range. How about adding UnableToCompleteCertificateOperation as a generic error for any certificate operation we can't run to completion, then do a log.error message with the specific failure. The errno associated with UnableToCompleteCertificateOperation can be returned whenever we hit some unexpected error related to certificate operations, it will be generic enough to cover a range of cases without exposing the reason for the fault and the server log file will contain the detail. How does that sound? -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
John Dennis wrote: On 10/08/2009 05:11 PM, Rob Crittenden wrote: I missed this file when I did the last CA patch :-( This sets the cert_t context on some files needed for the selfsign plugin to work. It needs to let httpd write the serial number file and open the NSS database. Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? I'm assuming you mean around the certs.next_serial() call? Not really sure. This is really a "server blew up" sort of error, I'm not sure what the best thing to return to the client is in this case. I think something that says "the server is hosed, you can't fix it from there" sort of error would be nice. AFAIK we don't currently define such a beastie. rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
On 10/08/2009 05:11 PM, Rob Crittenden wrote: I missed this file when I did the last CA patch :-( This sets the cert_t context on some files needed for the selfsign plugin to work. It needs to let httpd write the serial number file and open the NSS database. Thanks Rob. BTW, I was going to add a try/except block around that code in selfsign and return a non-zero status if it fails. Do we have predefined status codes I should be using? -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel