[Freeipa-devel] [PATCH] Add DRM to IPA

Ade Lee alee at redhat.com
Mon Apr 14 14:42:12 UTC 2014 

Attached a new patch to address some of the concerns below, specifically
I created a new base class DogtagInstance, in which much of the common
CA/KRA code is placed.  I'm sure we could go further in reducing
duplication, and I'm open to further suggestions and refinements.

I did not tackle the packaging and spec file dependencies, because I'd
like some clearer direction on how we want to proceed here.  In any
case, I think the splitting of the ipa packages into ca and possibly kra
packages should be a separate patch.

As before, with this patch you can:
- install a ca and drm using ipa-server-install
- install a ca and drm replica using
   ipa-replica-prepare <hostname>
   ipa-replica-install --setup-ca --setup-drm <replia file> 

You need to use a PKI build from the 10.2 (master) branch).  One such
build is given below:
http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo

Thanks,
Ade

On Tue, 2014-04-08 at 09:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 04/07/2014 10:40 PM, Rob Crittenden wrote:
> >> Ade Lee wrote:
> >>>       This patch adds the capability of installing a Dogtag DRM
> >>>       to an IPA instance.  With this patch, when ipa-server-install
> >>>       is run, a Dogtag CA and a Dogtag DRM are created.  The DRM
> >>>       shares the same tomcat instance and DS instance as the Dogtag CA.
> >>>       Moreover, the same admin user/agent (and agent cert) can be used
> >>>       for both subsystems.  Certmonger is also confgured to monitor the
> >>>       new subsystem certificates.
> >>>
> >>>       It is also possible to clone the DRM.  When the IPA instance is
> >>>       cloned, if --enable-ca and --enable-drm are specified, the DRM
> >>>       is cloned as well.
> >>>
> >>>       Installing a DRM requires the user to have a Dogtag CA instance.
> >>>       We can look into possibly relaxing that requirement in a later patch.
> >>>
> >>>       I am still working on patches for a ipa-drm-install script, which
> >>>       would be used to add a DRM to an existing master (that includes
> >>>       a dogtag CA), or an existing clone.
> >>>
> >>>      Please review,
> >>>
> >>>      Thanks,
> >>>      Ade
> >>
> >> Yikes, I wonder if the changes to ipaserver/install/cainstance.py should be
> >> pushed ASAP.
> >
> > Oops, looks like a change that should go to IPA 3.3.x. What is the implication?
> >
> >> freeipa-spec.in needs a dependency on pki-kra.
> >
> > Let us stop here. Please see a following RFE I filed:
> > https://fedorahosted.org/freeipa/ticket/4058
> >
> > I would prefer it KRA files and specifics would be in a new subpackage like
> > freeipa-server-kra. Otherwise we will need to rework it again when we would be
> > splitting CA to freeipa-server-pki in 4.1.
> 
> Yes, that is a question I didn't ask: Is the DRM going to be configured 
> by default on all new installs?
> 
> > I would prefer to start the right modularization now as I do not think that
> > every FreeIPA server needs to run CA/KRA, i.e. it  does not need to have the
> > bits installed either.
> 
> I think the decision on a separate sub-package will be dependent upon 
> whether it is default or not, otherwise we can get away with 
> freeipa-server-ca and just lump everything in there.
> 
> > I am also quite worried about the duplication that the new drminstance.py
> > introduces. There is a lot of functions which do more or less the same thing
> > and have most of the handling code the same with only a very small and
> > predictable pki/kra change. For example __http_proxy function seems to be
> > exactly the same.
> >
> > It would be great to avoid this duplication and rather have some common ground
> > utilized by both PKI and KRA. Otherwise it will be very difficult to maintain
> > the new code.
> 
> I touched on some of that too, but some of this is just inevitable I 
> think which is why I didn't pound on it too hard. An abstraction would 
> be nice, but I'm not sure abstracting for two things, and only in the 
> installer, is worth the effort. I could be wrong.
> 
> rob
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 73390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140414/aca36bf6/attachment.bin>

More information about the Freeipa-devel mailing list