[Freeipa-devel] [PATCH] 290 set cert_t context on some files for selfsign plugin
Nathan Kinder
nkinder at redhat.com
Fri Oct 9 14:26:51 UTC 2009
On 10/09/2009 06:48 AM, Jenny Galipeau wrote:
> Rob Crittenden wrote:
>> Jenny Galipeau wrote:
>>> John Dennis wrote:
>>>> On 10/08/2009 05:22 PM, Rob Crittenden wrote:
>>>>> John Dennis wrote:
>>>>>> Thanks Rob. BTW, I was going to add a try/except block around that
>>>>>> code in selfsign and return a non-zero status if it fails. Do we have
>>>>>> predefined status codes I should be using?
>>>>>>
>>>>>
>>>>> I'm assuming you mean around the certs.next_serial() call?
>>>>
>>>> yes
>>>>
>>>>> Not really sure. This is really a "server blew up" sort of error, I'm
>>>>> not sure what the best thing to return to the client is in this case. I
>>>>> think something that says "the server is hosed, you can't fix it from
>>>>> there" sort of error would be nice. AFAIK we don't currently define such
>>>>> a beastie.
>>>>
>>>> Well, looking at errors.py it looks like it should be an
>>>> ExecutionError in the 4000-4999 range. How about adding
>>>> UnableToCompleteCertificateOperation as a generic error for any
>>>> certificate operation we can't run to completion,
>>> It would also be nice to reference the log, as in "Please see
>>> mylog.log for details."
>>
>> Well, this is a pretty common, generic problem. We don't want to give
>> too many specifics to a client. The assumption is that they'll go bug
>> their administrator.
> Ah yes ... forgot it was the client!
>>
>> We could add the "See your system administrator" but that is truly
>> annoying when you're the administrator trying to debug the problem. I
>> myself have shouted any number of times "But I *am* the %#$@!@ system
>> administrator" when presented with similar messages on other systems.
> :-) hehe ... I guess it is most likely that an admin will be running
> the ipa join command - true?
Some places may have lower-level helpdesk folks go around to install and
join systems. These helpdesk techs would not have privileged access to
the IPA system usually.
>>
>> What we'll have to do is document somewhere that tracebacks can be
>> found in the Apache error log.
>>
>> rob
>
>