[Freeipa-devel] [PATCHES] (and RFC) Introduce ipa-custodia

Simo Sorce simo at redhat.com
Mon Jun 8 18:35:19 UTC 2015


These patches use git submodule to temporarily drag in the custodia and
jwcrypto python projects needed as a foundation to build the
ipa-custodia service.
This service is used for key distribution between freeipa masters. 
The keys that can be transferred are hardwired in the ipakeys module and
currently only the CA key can be transferred.
This patchset implements the last part of [1] (keys service) but a full
client is not provided with this code as radical changes to the replica
installer are needed in order to be able to use this service.

The ipa-custodia service is made automatically available upon install
and upgrade. Access to the service is mediated via Apache using a
proxy-pass directive that can be reached only after successful GSSAPI
authentication. The ipa-custodia service itself can be accessed
exclusively by the Apache user and requires that the GSS_NAME Header is
set for key recovery purposes. Setting the header in and of itself does
not grant any access to the keys. Access is granted only if
corresponding keys for the requesting principal are found in
cn=custodia,cn=ipa,cn=etc subtree and the signature on the request (a
JWT object) can be verified.

Once the first patch is applied developers will have to start dealing
with submodules. However unless you are developing on the submodule part
of the tree all you really need to do is to run git submodule update
--remote when a submodule is updated via a patch in master (rarely).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-525-1-Temporarily-add-Custodia-and-Jwcrypto-submodules.patch
Type: text/x-patch
Size: 2748 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150608/f40f9312/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-526-1-IPA-Custodia-Daemon.patch
Type: text/x-patch
Size: 20453 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150608/f40f9312/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-527-1-Install-ipa-custodia-with-the-rest-of-ipa.patch
Type: text/x-patch
Size: 14113 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150608/f40f9312/attachment-0002.bin>
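An added illustration (not code from these patches, nor from the custodia or jwcrypto projects) of the access rule the post describes: the GSS_NAME header set by Apache only identifies the caller, and a key request is honoured only when keys for that principal exist in the store and the JWT signature verifies against them. It assumes a plain dict in place of the LDAP subtree and an HS256/HMAC secret in place of the asymmetric keys the real service verifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the cn=custodia,cn=ipa,cn=etc subtree: principal ->
# verification key. The real service stores public keys and checks asymmetric
# JWS signatures with jwcrypto; an HMAC secret is substituted here (assumption).
KEY_STORE = {
    "host/replica1.example.test@EXAMPLE.TEST": b"constructed-secret-replica1",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request(principal: str, claims: dict, key: bytes) -> str:
    """Client side: compact JWS (HS256) over the key-request claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": principal, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authorize(headers: dict, token: str):
    """Service side: return the verified claims, or None to deny access."""
    principal = headers.get("GSS_NAME")  # set by Apache after GSSAPI auth
    key = KEY_STORE.get(principal)       # None if header absent or unknown
    if key is None:
        return None                      # the header alone grants nothing
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None                  # never honour a caller-chosen alg
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None                  # signature not made with stored key
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("sub") != principal:
        return None                      # token must be bound to the caller
    return claims
```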