[Freeipa-devel] design review: Certificate Profiles

Jan Cholasta jcholast at redhat.com
Fri Apr 17 08:03:45 UTC 2015


Dne 17.4.2015 v 09:45 Fraser Tweedale napsal(a):
> On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote:
>> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
>>> Hi everyone,
>>>
>>> Please review my Certificate Profiles design proposal:
>>> http://www.freeipa.org/page/V4/Certificate_Profiles
>>>
>>> Let me know what is unclear, what needs expansion, and what is plain
>>> wrong :)
>>>
>>> The schema for storing multiple certificates for a principal is
>>> still being discussed but I expect it will be agreed soon, and I
>>> will add it to the document.
>>>
>>> I am revising the sub-CAs design proposal and it will soon be
>>> published for review as well.
>>>
>>> Cheers,
>>> Fraser
>>>
>> Hi Fraser,
>> I've read the design page, and even though I know only a little about Dogtag,
>> it makes sense to me.
>>
>> Just a few notes:
>>
>> 3.4 Retrieve profile - There was XML format twice (probably
>> copy-paste-forget to modify :-). I changed it; feel free to revert the change
>> if it was intentional.
>>
>> 3.5 Delete profile - IMO the profile should be deleted when the user requests
>> that. If the profile must be disabled before being deleted, do it as part of
>> the deletion.
>>
>> 3.6 Enable/disable profile - When a user requests enabling/disabling of an already
>> enabled/disabled profile, there is no need to return an error. The user wants it
>> to be enabled/disabled and it is; job done.

Actually not; we raise AlreadyActive/AlreadyInactive in this case (see 
e.g. selinuxusermap-enable).

>>
>> 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay
>> consistent with the rest of the FreeIPA commands.
>>
> David, thanks for your input.  'certprofile-import' was chosen after
> discussion with Honza, based on the fact that the profile already exists
> (as a file) and is being imported into the system.  Jan, do you
> still agree with '-import'?  What do other people think?

Yes, it should be -import. -add is reserved for the case when the 
properties of the profile are specified directly in command arguments, 
but in -import they are read from the supplied file.

>
> Cheers,
> Fraser
>


-- 
Jan Cholasta
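To make the three points debated above concrete (import reads the profile's identity from a file rather than from command arguments; enable/disable on a profile already in that state raises AlreadyActive/AlreadyInactive rather than silently succeeding; delete disables first as part of the deletion), here is an added Python example. It is not FreeIPA or Dogtag code and was not posted by anyone in the thread. `ProfileStore`, `parse_raw_profile`, the locally defined exception classes, and the sample profile text are all constructed for this illustration; treating the raw profile as flat `key=value` lines with `profileId` and `enable` keys is an assumption about the Dogtag format.

```python
"""Toy model of the certificate-profile command semantics discussed in the thread.

Constructed example; not FreeIPA or Dogtag code. The exception names mirror the
ones FreeIPA raises, but are defined here so the module runs stand-alone.
"""


class AlreadyActive(Exception):
    """Raised when enabling a profile that is already enabled."""


class AlreadyInactive(Exception):
    """Raised when disabling a profile that is already disabled."""


class NotFound(Exception):
    """Raised when the named profile does not exist."""


# Constructed sample input, modelled loosely on a Dogtag raw profile file.
SAMPLE_PROFILE = """\
# constructed sample profile
profileId=exampleServiceCert
enable=true
desc=Example service certificate profile
"""


def parse_raw_profile(text):
    """Parse a 'key=value' profile file into a dict.

    Assumption: the raw profile is a flat list of key=value lines with '#'
    comments. Real Dogtag profiles carry more structure than this.
    """
    config = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, line))
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


class ProfileStore:
    """In-memory stand-in for the directory container that would hold profiles."""

    def __init__(self):
        self._profiles = {}

    def import_profile(self, text):
        """'-import' semantics: the profile already exists as a file, so its
        name comes from the file's profileId, not from a command argument."""
        config = parse_raw_profile(text)
        if "profileId" not in config:
            raise ValueError("profile file has no profileId")
        name = config["profileId"]
        if name in self._profiles:
            raise ValueError("profile %r already exists" % name)
        enabled = config.get("enable", "true").lower() == "true"
        self._profiles[name] = {"config": config, "enabled": enabled}
        return name

    def _get(self, name):
        try:
            return self._profiles[name]
        except KeyError:
            raise NotFound(name)

    def enable(self, name):
        """Strict *-enable semantics: a no-op is reported as AlreadyActive
        rather than silently succeeding."""
        entry = self._get(name)
        if entry["enabled"]:
            raise AlreadyActive(name)
        entry["enabled"] = True

    def disable(self, name):
        """Strict *-disable semantics: a no-op is reported as AlreadyInactive."""
        entry = self._get(name)
        if not entry["enabled"]:
            raise AlreadyInactive(name)
        entry["enabled"] = False

    def delete(self, name):
        """Deletion disables the profile first when it is still enabled, so the
        caller never has to run a separate disable step before deleting."""
        entry = self._get(name)
        if entry["enabled"]:
            self.disable(name)
        del self._profiles[name]

    def is_enabled(self, name):
        return self._get(name)["enabled"]

    def names(self):
        return sorted(self._profiles)
```

The strict variant is what the reply above describes for FreeIPA's existing enable/disable commands; a caller that wants the idempotent behaviour David suggested can catch AlreadyActive/AlreadyInactive and treat them as success, which keeps the server's answer honest about whether anything actually changed.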



