[Freeipa-devel] [PATCH] Password vault

Jan Cholasta jcholast at redhat.com
Wed Jun 3 13:36:11 UTC 2015


On 3.6.2015 at 15:20 Simo Sorce wrote:
> On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote:
>> On 06/02/2015 08:34 PM, Simo Sorce wrote:
>>> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
>>>> On 2.6.2015 at 02:02 Endi Sukma Dewata wrote:
>>>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>>>>>> On a related note, since KRA is optional, can we move the vaults
>>>>>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>>>>>> optional components (DNS and recently CA).
>>>>>>
>>>>>> I mean cn=vaults,cn=kra of course.
>>>>>
>>>>> If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
>>>>> the IPA framework will work with it.
>>>>>
>>>>> If you are talking about adding a new cn=kra,<IPA suffix> entry on top
>>>>> of cn=vaults, what is the purpose of this entry? Is the entry going to
>>>>> be created/deleted automatically when the KRA is installed/removed? Is
>>>>> it going to be used for something else other than vaults?
>>>>
>>>> I'm talking about cn=kra,<IPA suffix>. It should be created only when
>>>> KRA is installed, although I think this can be done later after the
>>>> release, moving vaults to cn=kra should be good enough for now. It's
>>>> going to be used for everything KRA-specific.
>>>>
>>>>>
>>>>> There are a lot of questions that need to be answered before we can make
>>>>> this change.
>>>>
>>>> This is about sticking to a convention, which everyone should do, and
>>>> everyone except KRA already does.
>>>>
>>>> I'm sorry I didn't realize this earlier, but the change must be done now.
>>>>
>>>>> We probably should revisit this issue after the core vault
>>>>> functionality is added.
>>>>>
>>>>
>>>> We can't revisit it later because after release we are stuck with
>>>> whatever is there forever.
>>>>
>>>> See attachment for a patch which implements the change.
>>>>
>>>
>>> Shouldn't we s/kra/vault/ ?
>>> After all the feature is called Vault, not KRA.
>>
>> I thought we were naming it by the name of the optional subsystem, not the
>> feature itself. If for example, another feature from KRA is used, it would
>> still live in cn=kra, no?
>
> For services so far we have CA, not dogtag, and LDAP, not 389ds, also
> KDC not krb5kdc and kpasswd not kadmind, etc... we normally named
> everything after the function. Now kra is probably a somewhat generic
> term, but I have not been able to find what it means exactly in 5
> minutes, and it is quite obscure as a name. OTOH cn=Vault would make it
> really clear what's in it. I do not have a very strong opinion but a
> generic and clear name is important for the DIT.

There is also ipa-kra-install and I guess 
cn=KRA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc. If we rename it, it should be 
renamed everywhere, and I'm not sure if that's worth it.

Also "vault" is too generic, it should be "password vault", but that's 
too long, so IMO "KRA" is better, as it's short and descriptive.

Are vaults the only feature KRA provides? If there are more possible 
features provided by KRA, it's another reason to keep it "KRA".

-- 
Jan Cholasta
