[Freeipa-devel] [PATCH] Password vault
Endi Sukma Dewata
edewata at redhat.com
Thu May 14 03:01:41 UTC 2015
On 5/13/2015 4:09 AM, Jan Cholasta wrote:
> Dne 12.5.2015 v 12:52 Endi Sukma Dewata napsal(a):
>> Please take a look at the attached patch (#353-9). It obsoletes all
>> previous patches. See comments below.
>>
>> On 4/20/2015 1:12 AM, Jan Cholasta wrote:
>>>> I'm planning to merge the vault and vault container object and use the
>>>> vault type attribute to distinguish between the two. See more
>>>> discussion
>>>> about that below.
>>>
>>> OK.
>>
>> The vault container plugin has been removed instead of merged (see
>> explanation below). Internally the vaults are still stored in built-in
>> containers in the DS, but there won't be an interface to manage them.
>> The following containers are available for use: private, shared, and
>> services, but they are flat, not hierarchical.
>
> To speed up the review, I have amended your patch with code and coding
> style fixes (attached), please review my changes.
>
> Question: Services in IPA are identified by Kerberos principal. Why are
> service vaults identified by hostname alone?
The service vaults are actually identified by the hostname and service
name assuming the principal is in this format: <name>/<host>@<realm>.
The vault is stored in cn=<name>, cn=<host>, cn=services, cn=vaults,
<suffix>. When accessing a vault service you are supposed to specify the
name and the host (except for vault-find which will return all services
in the same host):
$ ipa vault-find --host <host>
$ ipa vault-add <name> --host <host>
Are there other service principal formats that we need to support? Do we
need to support services of different realms?
Some comments about your changes:
1. The following code in get_dn() is causing problems for vault-find.
dn = super(vault, self).get_dn(*keys, **options)
rdn = dn[0]
container_dn = DN(*dn[1:])
The super.get_dn() will return cn=vaults, <suffix>, so the rdn will
become cn=vaults and container_dn will become <suffix>. When combined
with the subcontainer (private/shared/service) it will produce an
invalid DN.
2. Not sure if it'related to #1, the vault-find is failing.
$ ipa vault-find
ipa: ERROR: an internal error has occurred
The error_log shows TypeError: 'NoneType' object is not iterable
3. The --shared option in vault-find is now requiring an argument even
though it's a Flag.
$ ipa vault-find --shared
Usage: ipa [global-options] vault-find [CRITERIA] [options]
ipa: error: --shared option requires an argument
4. The following code in get_dn() is incorrect:
principal = getattr(context, 'principal')
(name, realm) = split_principal(principal)
name = name.split('/')
if len(name) == 1:
container_dn = DN(('cn', 'users'), container_dn)
else:
container_dn = DN(('cn', 'services'), container_dn)
container_dn = DN(('cn', name[-1]), container_dn)
A service does not have a private container like users (cn=<username>,
cn=users, cn=vaults). The entry cn=<name>, cn=<host>, cn=services,
cn=vaults is a service vault, not a container. The service vault is used
by the admin to provide a secret for a service.
I'm not sure what the behavior should be if a service is executing a
vault command that uses a private container such as:
$ ipa vault-add test
Maybe it should just generate an error.
5. In create_container() why do you need to reconstruct the container_dn
on each invocation even though the value is fixed?
container_dn = DN(self.container_dn, self.api.env.basedn)
6. The loop in create_container() is incorrect. Suppose we're creating a
container cn=A, cn=B, <suffix> and the parent container cn=B, <suffix>
doesn't exist yet. The first add_entry() invocation will fail as
expected, but instead of adding the parent entry the whole method will fail.
while dn.endswith(container_dn):
entry = self.backend.make_entry(
dn,
objectclass=['nsContainer'],
cn=[dn[0]['cn']],
)
try:
self.backend.add_entry(entry)
except errors.DuplicateEntry:
break
dn = DN(*dn[1:])
7. The host and shared parameters are no longer available in vault-show
and vault-del commands. The unit tests are failing because of that. Why
do these commands not automatically inherit all parameters from the class?
--
Endi S. Dewata
More information about the Freeipa-devel
mailing list