URL: https://github.com/SSSD/sssd/pull/198
Author: pbrezina
Title: #198: secrets: support https in proxy provider
Action: edited

Changed field: body
Original value:
"""
I had to switch to libcurl as a client in order to communicate properly over the HTTPS protocol.
I added several new options that are necessary to initialize SSL (which certificates should be used and whether to check the hostname in the server's certificate or not).

* Example SSSD configuration:
```
[secrets]
debug_level = 0x3ff0

[secrets/users/10001]
provider = proxy
proxy_url = https://custodia.pb:10443/secrets
auth_type = header
auth_header_name = REMOTE_USER
auth_header_value = mysecretkey
cacert = /home/pbrezina/Downloads/cer/custodia-ca.pem
cert = /home/pbrezina/Downloads/cer/custodia-client.pem
key = /home/pbrezina/Downloads/cer/custodia-client.key
verify_host = false
```

* Example custodia configuration (just modify the default configuration, keeping the rest of the options intact):
```
[global]
server_version = "Secret/0.0.7"
debug = True
server_url = https://0.0.0.0:10443
tls_certfile = tests/ca/custodia-server.pem
tls_keyfile = tests/ca/custodia-server.key
tls_cafile = tests/ca/custodia-ca.pem
tls_verify_client = true
umask = 027

[auth:header]
handler = SimpleHeaderAuth
header = REMOTE_USER
value = mysecretkey

[authz:paths]
handler = SimplePathAuthz
paths = /.
```

* Download the certificates and key to your client and you can use it like this:
```shell
curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" \
    --unix-socket /var/run/secrets.socket -X POST \
    http://localhost/secrets/mysecretkey/

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" \
    --unix-socket /var/run/secrets.socket -X PUT \
    http://localhost/secrets/mysecretkey/foo \
    -d '{"type":"simple","value":"foosecret"}'

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" \
    --unix-socket /var/run/secrets.socket -X POST \
    http://localhost/secrets/mysecretkey/foo

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" \
    --unix-socket /var/run/secrets.socket -X DELETE \
    http://localhost/secrets/mysecretkey/foo

curl -v -H "Content-Type: application/json" -H "REMOTE_USER: mysecretkey" \
    --unix-socket /var/run/secrets.socket -X DELETE \
    http://localhost/secrets/mysecretkey/
```
"""

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org