[Freeipa-devel] [PATCH] - Add DRM to IPA
Rob Crittenden
rcritten at redhat.com
Wed Aug 20 19:35:33 UTC 2014
Ade Lee wrote:
> On Thu, 2014-08-14 at 14:29 +0200, Petr Viktorin wrote:
>> On 08/14/2014 10:53 AM, Martin Kosek wrote:
>>> On 08/13/2014 09:54 PM, Ade Lee wrote:
>>>> In Dogtag, we have decided to revert the name of the DRM to the old name KRA.
>>>> DRM was really only used in docs/marketing, whereas KRA is all over the code.
>>>> Soon, the code and the marketing/docs will match.
>>>>
>>>> The following patch changes all references to the DRM to KRA.
>>>> so for example, you need to run ipa-kra-install etc.
>>>>
>>>> Please apply this on top of the previous patch. I'll go ahead and squash them
>>>> before commit.
>>>>
>>>> Thanks,
>>>> Ade
>>>
>>> Ah, thanks for unifying that one. I changed DRM component in FreeIPA Trac to
>>> KRA and assigned respective tickets to that. Let us use the KRA term for the
>>> Vault then.
>>>
>>> Martin
>>>
>>
>> ipa_drm_install.py: No newline at end of file
>> ipa_drm_install.DRMInstaller.FAIL_MESSAGE: the command is
>> ipa-drm-install (with hyphens)
>>
> fixed
>>
>> The error I got previously was when running ipa-kra-install on a replica
>> that didn't have CA yet. It would be nice to provide a better message
>> for this case.
>>
> agreed. the problem here was that the check to see whether a ca was
> already installed locally was not working as expected.
>
> I have since added a new check - which should fail if a CA is not
> installed locally.
>
>>
>> On a replica with KRA, I get:
>> $ sudo ipa-kra-install --uninstall
>> Usage: ipa-kra-install [options] [replica_file]
>>
>> ipa-kra-install: error: Cannot uninstall. There is no KRA
>> installed on this system.
>>
>
> Not sure what happened there. With the latest code, that does not
> appear to happen for me. Let me know if it recurs.
>
>> I tested the kra plugin with this Python script:
>>
>> from ipalib import api
>> api.bootstrap(context='server', kra_host='localhost')
>> api.finalize()
>> api.Backend.kra.store_secret('test', 'tkey')
>>
>> which gives me:
>>
>> Traceback (most recent call last):
>> File "<stdin>", line 1, in <module>
>> File "ipaserver/plugins/dogtag.py", line 2012, in store_secret
>> self._setup()
>> File "ipaserver/plugins/dogtag.py", line 1965, in _setup
>> connection = PKIConnection('https', self.kra_host,
>> self.kra_port, 'kra')
>> File "/usr/lib/python2.7/site-packages/pki/client.py", line 36,
>> in __init__
>> self.hostname + ':' + self.port + '/' + \
>> TypeError: coercing to Unicode: need string or buffer, int found
>>
>>
>> Apparently, PKIConnection requires the port to be a string, but we pass
>> an int. I'd consider this an issue in pki.
>>
> Agreed. I will open a ticket to fix it in pki. For now though, I have
> cast to str().
>
>>
>> The kra_host='localhost' option to api.bootstrap is necessary because
>> kra_host is not added to default.conf on install. How is this planned to
>> work when the plugin is done?
>>
> I followed what was done for ca_host, but did not set the required
> default in constants.py. Thats fixed, so this should work now.
>
> After discussion with Endi, I also removed some functions in dogtag.py
> (the plugin) which basically just wrapped calls to the keyclient. There
> is no need to do this wrapping and it is much more flexible for IPA code
> to call the keyclient directly. Accordingly, I have added a method to
> get the keyclient. Your test code would look like this now:
>
> from ipalib import api
> from pki.key import KeyClient
> api.bootstrap(context='server')
> api.finalize()
> keyclient = api.Backend.kra.get_keyclient()
> keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
>
> I added a couple of directives in the proxy file to allow it to progress
> further and it now fails in trying to do the archive_key due to
> authentication issues.
>
> It was never the intention of this patch to get the plugin completely
> working though. That was the goal of a follow on patch being written by
> Endi. This patch is already pretty long and touches a lot of code. I
> propose we let Endi fix the above issue.
>
> I have squashed the drm-> kra changes and created just a single patch,
> which is attached. This is the only patch needed.
>
> I'm also starting a new COPR build, just to be sure we all have the most
> up-to-date dogtag build.
It doesn't look like the --no-host-dns option is used anywhere.
I'm kinda with Petr, I don't know that an uninstall option is needed.
On a single master install I successfully did a kra install, uninstall,
re-install, so maybe the issue that Petr saw was related to cloning.
There is no man page for ipa-kra-install
Functionally the KRA itself seems to be working ok.
rob
More information about the Freeipa-devel
mailing list