[Freeipa-devel] [PATCHES 0001-0005] Profile management commands
Fraser Tweedale
ftweedal at redhat.com
Wed May 13 09:41:53 UTC 2015
Hi Jan, thanks for review. Comments inline.
On Wed, May 13, 2015 at 10:06:04AM +0200, Jan Cholasta wrote:
> Hi,
>
> Dne 5.5.2015 v 10:38 Martin Basti napsal(a):
> >On 05/05/15 08:29, Fraser Tweedale wrote:
> >>On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote:
> >>>On 04/05/15 15:36, Fraser Tweedale wrote:
> >>>>Hello,
> >>>>
> >>>>Please review the first cut of the 'certprofile' command and other
> >>>>changes associated with the Certificate Profiles feature[1].
> >>>>
> >>>>Custom profiles can't be used yet because 'cert-request' has not
> >>>>been updated, but you can manage the profiles (find, show, import,
> >>>>modify, delete). There's a bit more work to do on profile
> >>>>management and a lot more to do for using profiles and sub-CAs. I
> >>>>am tracking my progress on etherpad[2] so if you are reviewing check
> >>>>there for the TODO list and some commentary.
> >>>>
> >>>>If you want to test: for f21, please use Dogtag from my copr[2].
> >>>>For f22 the required version is in updates-testing (or my copr).
> >>>>
> >>>>In summary: this is not the whole feature, just the first functional
> >>>>part. Since it is my first experience developing in the IPA
> >>>>framework I want to get patches out so you can point out all the
> >>>>things I did wrong or overlooked, and I can fix them. Don't hold
> >>>>back :)
> >>>>
> >>>>[1] http://www.freeipa.org/page/V4/Certificate_Profiles
> >>>>[2] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >>>>[3] http://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> >>>>
> >>>>
> >>>Thank you for patches, I have no idea what kind of dogtag magic is
> >>>happening
> >>>there, but I have a few comments related to IPA:
> >>>
> >>Thanks for reviewing, Martin. Comments inline.
> >You are welcome, comments inline.
> >Martin^2
> >>
> >>>Upgrade:
> >>>
> >>>1)
> >>>
> >>>+ config.set("CA", "pki_profiles_in_ldap", "True")
> >>>
> >>>IMO this will work only for new installations. For upgrade you may
> >>>need to
> >>>add this to ipa-upgradeconfig
> >>>
> >>OK.
> >>
> >>>2)
> >>>+dn: cn=certprofiles,cn=etc,$SUFFIX
> >>>+changetype: add
> >>>+objectClass: nsContainer
> >>>+objectClass: top
> >>>+cn: certprofiles
> >>>
> >>>IMO this will work only for new installations. For upgrade you may
> >>>need to
> >>>add it into update file as well, with the 'default' keyword
> >>>
> >>I don't understand about the 'default' keyword - can you expain this
> >>some more?
> >In an upgrade file:
> >
> >dn: cn=certprofiles,cn=etc,$SUFFIX
> >default:objectClass: nsContainer
> >default:objectClass: top
> >default:cn: certprofiles
>
> Maybe we should do what DNS does and have a container for CA specific stuff
> in the suffix: cn=ca,$SUFFIX.
>
> The container would be created only if CA is installed.
>
> Certificate profile container would then be cn=certprofiles,cn=ca,$SUFFIX.
>
> >>>3)
> >>>Your patch 0004 will work on new installations only. You may need to add
> >>>that new step into ipa-upgradeconfig.
> >>>
> >>>Must be that step there during installation?
> >>>If not you can create just one update file, which will be applied at
> >>>the end
> >>>of installation and during upgrade.
> >>>
> >>This change must be made to the Dogtag directory (not IPA) - can an
> >>update file be used to do that? If not, is ipa-upgradeconfig the
> >>best place to make this change?
> >If it is change in LDAP, you can use updatefile:
> >
> >dn: cn=aclResources,$SUFFIX
> >add:resourceACLS: certServer.profile.configuration:read,modify:allow
> >(read,modify) group="Certificate Manager Agents":Certificate Manager
> >agents may modify (create/update/delete) and read profiles
> >
> >Please temporarily use my patch freeipa-mbasti-231-4, (which will be
> >pushed soon) to avoid issues with CSV
>
> Note that this update should be done only if CA is installed.
>
> >>>Other issues:
> >>>1)
> >>>I do not see modifications in API.txt file
> >>>
> >>>2)
> >>>We use new shorter license header
> >>>#
> >>># Copyright (C) 2015 FreeIPA Contributors see COPYING for license
> >>>#
> >>>
> >>>3)
> >>>+from ipalib.plugins.baseldap import \
> >>>+ LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate,
> >>>LDAPRetrieve
> >>>
> >>>please use 'import ( modules, .. )' instead of '\'
> >>>
> >>>4)
> >>>+ if method == 'POST' \
> >>>+ and 'content-type' not in (str(k).lower() for k in
> >>>headers.viewkeys()):
> >>>
> >>>again, please use if ( ... ): instead \
> >>>
> >>>5)
> >>>+import ipalib.errors as errors
> >>>in dogtag.py
> >>>
> >>>Can you use from ipalib import errors, instead?
> >>>
> >>>6)
> >>>+ def __exit__(self, exc_type, exc_value, traceback):
> >>>+ """Log out of the REST API"""
> >>>+ # TODO logout
> >>>+ self.cookie = None
> >>>
> >>>This is forgotten, or will be this fixed later?
> >>>
> >>>7)
> >>>+ if not explanation: print resp_body # NOCOMMIT
> >>>
> >>These are all fixed for the next patchset.
> >>
> >>Thanks!
> >>Fraser
> >>
>
> 8) You can do:
>
> Str('cn',
> primary_key=True,
> cli_name='id',
> label=_('Profile ID'),
> doc=_('Profile ID for referring to this profile'),
> pattern='^[a-zA-Z]\w*$',
> pattern_errmsg=_('invalid Profile ID'),
> ),
>
That is nice, I did not see this!
> instead of:
>
> profile_id_pattern = re.compile('^[a-zA-Z]\w*$')
>
> def validate_profile_id(ugettext, value):
> """Ensure profile ID matches form required by CA."""
> if profile_id_pattern.match(value) is None:
> return _('invalid Profile ID')
> else:
> return None
>
> ...
>
> Str('cn', validate_profile_id,
> primary_key=True,
> cli_name='id',
> label=_('Profile ID'),
> doc=_('Profile ID for referring to this profile'),
> ),
>
> 9) Please don't invent new attributes (ipaCertProfileSummary) when you can
> use existing ones (description).
>
OK.
>
> 10) All the commands should call ipalib.plugins.cert.ca_enabled_check().
>
OK.
>
> 11) I think the File parameter of certprofile_import should be called just
> 'file'.
>
OK.
>
> 12) IMO the profile backend should be merged in to the ra backend. I don't
> see a need to have these two separate.
>
I wasn't sure, so I wrote them separately. I don't mind to make it
part of ra, but because the code is working and having it separate
makes it slightly easier to work on while developing these features,
I will do this refactor later.
Thanks,
Fraser
>
> Honza
>
> --
> Jan Cholasta
More information about the Freeipa-devel
mailing list