Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-09 Thread Nathan Kinder

On 10/09/2009 06:48 AM, Jenny Galipeau wrote:

Rob Crittenden wrote:

Jenny Galipeau wrote:

John Dennis wrote:

On 10/08/2009 05:22 PM, Rob Crittenden wrote:

John Dennis wrote:

Thanks Rob. BTW, I was going to add a try/except block around that
code in selfsign and return a non-zero status if it fails. Do we 
have

predefined status codes I should be using?



I'm assuming you mean around the certs.next_serial() call?


yes


Not really sure. This is really a "server blew up" sort of error, I'm
not sure what the best thing to return to the client is in this 
case. I

think something that says "the server is hosed, you can't fix it from
there" sort of error would be nice. AFAIK we don't currently 
define such

a beastie.


Well, looking at errors.py it looks like it should be an 
ExecutionError in the 4000-4999 range. How about adding 
UnableToCompleteCertificateOperation as a generic error for any 
certificate operation we can't run to completion,
It would also be nice to reference the log, as in "Please see 
mylog.log for details."


Well, this is a pretty common, generic problem. We don't want to give 
too many specifics to a client. The assumption is that they'll go bug 
their administrator.

Ah yes ... forgot it was the client!


We could add the "See your system administrator" but that is truly 
annoying when you're the administrator trying to debug the problem. I 
myself have shouted any number of time "But I *am* the %...@!@ system 
administrator" when presented with similar messages on other systems.
:-) hehe ... I guess it is most likely that an admin will be running 
the ipa join command - true?
Some places may have lower-level helpdesk folks go around to install and 
join systems.  These helpdesk techs would not have privileged access to 
the IPA system usually.


What we'll have to do is document somewhere that tracebacks can be 
found in the Apache error log.


rob





___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-09 Thread Jenny Galipeau

Rob Crittenden wrote:

Jenny Galipeau wrote:

John Dennis wrote:

On 10/08/2009 05:22 PM, Rob Crittenden wrote:

John Dennis wrote:

Thanks Rob. BTW, I was going to add a try/except block around that
code in selfsign and return a non-zero status if it fails. Do we have
predefined status codes I should be using?



I'm assuming you mean around the certs.next_serial() call?


yes


Not really sure. This is really a "server blew up" sort of error, I'm
not sure what the best thing to return to the client is in this 
case. I

think something that says "the server is hosed, you can't fix it from
there" sort of error would be nice. AFAIK we don't currently define 
such

a beastie.


Well, looking at errors.py it looks like it should be an 
ExecutionError in the 4000-4999 range. How about adding 
UnableToCompleteCertificateOperation as a generic error for any 
certificate operation we can't run to completion,
It would also be nice to reference the log, as in "Please see 
mylog.log for details."


Well, this is a pretty common, generic problem. We don't want to give 
too many specifics to a client. The assumption is that they'll go bug 
their administrator.

Ah yes ... forgot it was the client!


We could add the "See your system administrator" but that is truly 
annoying when you're the administrator trying to debug the problem. 
I myself have shouted any number of time "But I *am* the %...@!@ system 
administrator" when presented with similar messages on other systems.
:-) hehe ... I guess it is most likely that an admin will be running the 
ipa join command - true?


What we'll have to do is document somewhere that tracebacks can be 
found in the Apache error log.


rob



--
Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-09 Thread Rob Crittenden

Jenny Galipeau wrote:

John Dennis wrote:

On 10/08/2009 05:22 PM, Rob Crittenden wrote:

John Dennis wrote:

Thanks Rob. BTW, I was going to add a try/except block around that
code in selfsign and return a non-zero status if it fails. Do we have
predefined status codes I should be using?



I'm assuming you mean around the certs.next_serial() call?


yes


Not really sure. This is really a "server blew up" sort of error, I'm
not sure what the best thing to return to the client is in this case. I
think something that says "the server is hosed, you can't fix it from
there" sort of error would be nice. AFAIK we don't currently define such
a beastie.


Well, looking at errors.py it looks like it should be an 
ExecutionError in the 4000-4999 range. How about adding 
UnableToCompleteCertificateOperation as a generic error for any 
certificate operation we can't run to completion,
It would also be nice to reference the log, as in "Please see mylog.log 
for details."


Well, this is a pretty common, generic problem. We don't want to give 
too many specifics to a client. The assumption is that they'll go bug 
their administrator.


We could add the "See your system administrator" but that is truly 
annoying when you're the administrator trying to debug the problem. I 
myself have shouted any number of time "But I *am* the %...@!@ system 
administrator" when presented with similar messages on other systems.


What we'll have to do is document somewhere that tracebacks can be found 
in the Apache error log.


rob


smime.p7s
Description: S/MIME Cryptographic Signature
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-09 Thread Jenny Galipeau

John Dennis wrote:

On 10/08/2009 05:22 PM, Rob Crittenden wrote:

John Dennis wrote:

Thanks Rob. BTW, I was going to add a try/except block around that
code in selfsign and return a non-zero status if it fails. Do we have
predefined status codes I should be using?



I'm assuming you mean around the certs.next_serial() call?


yes


Not really sure. This is really a "server blew up" sort of error, I'm
not sure what the best thing to return to the client is in this case. I
think something that says "the server is hosed, you can't fix it from
there" sort of error would be nice. AFAIK we don't currently define such
a beastie.


Well, looking at errors.py it looks like it should be an 
ExecutionError in the 4000-4999 range. How about adding 
UnableToCompleteCertificateOperation as a generic error for any 
certificate operation we can't run to completion,
It would also be nice to reference the log, as in "Please see mylog.log 
for details."
then do a log.error message with the specific failure. The errno 
associated with UnableToCompleteCertificateOperation can be returned 
whenever we hit some unexpected error related to certificate 
operations, it will be generic enough to cover a range of cases 
without exposing the reason for the fault and the server log file will 
contain the detail. How does that sound?



--
Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-08 Thread John Dennis

On 10/08/2009 05:22 PM, Rob Crittenden wrote:

John Dennis wrote:

Thanks Rob. BTW, I was going to add a try/except block around that
code in selfsign and return a non-zero status if it fails. Do we have
predefined status codes I should be using?



I'm assuming you mean around the certs.next_serial() call?


yes


Not really sure. This is really a "server blew up" sort of error, I'm
not sure what the best thing to return to the client is in this case. I
think something that says "the server is hosed, you can't fix it from
there" sort of error would be nice. AFAIK we don't currently define such
a beastie.


Well, looking at errors.py it looks like it should be an ExecutionError 
in the 4000-4999 range. How about adding 
UnableToCompleteCertificateOperation as a generic error for any 
certificate operation we can't run to completion, then do a log.error 
message with the specific failure. The errno associated with 
UnableToCompleteCertificateOperation can be returned whenever we hit 
some unexpected error related to certificate operations, it will be 
generic enough to cover a range of cases without exposing the reason for 
the fault and the server log file will contain the detail. How does that 
sound?

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-08 Thread Rob Crittenden

John Dennis wrote:

On 10/08/2009 05:11 PM, Rob Crittenden wrote:

I missed this file when I did the last CA patch :-(

This sets the cert_t context on some files needed for the selfsign
plugin to work. It needs to let httpd write the serial number file and
open the NSS database.


Thanks Rob. BTW, I was going to add a try/except block around that code 
in selfsign and return a non-zero status if it fails. Do we have 
predefined status codes I should be using?




I'm assuming you mean around the certs.next_serial() call?

Not really sure. This is really a "server blew up" sort of error, I'm 
not sure what the best thing to return to the client is in this case. I 
think something that says "the server is hosed, you can't fix it from 
there" sort of error would be nice. AFAIK we don't currently define such 
a beastie.


rob


smime.p7s
Description: S/MIME Cryptographic Signature
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin

2009-10-08 Thread John Dennis

On 10/08/2009 05:11 PM, Rob Crittenden wrote:

I missed this file when I did the last CA patch :-(

This sets the cert_t context on some files needed for the selfsign
plugin to work. It needs to let httpd write the serial number file and
open the NSS database.


Thanks Rob. BTW, I was going to add a try/except block around that code 
in selfsign and return a non-zero status if it fails. Do we have 
predefined status codes I should be using?


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel