[Pki-devel] [PATCH] 93, 94 - changes for a common admin user

Ade Lee alee at redhat.com
Mon Dec 3 14:13:39 UTC 2012


Changes made as discussed.  Pushed to master.

On Fri, 2012-11-30 at 17:01 -0500, Ade Lee wrote:
> On Fri, 2012-11-30 at 09:56 -0600, Endi Sukma Dewata wrote:
> > Some issues:
> > 
> > 1. The pki_use_common_admin_user is set to true in [Common] but 
> > overwritten to false in [CA]:
> > 
> >    [Common]
> >    pki_use_common_admin_user=true
> > 
> >    [CA]
> >    pki_use_common_admin_user=false
> > 
> > If I understood correctly it's done this way to make sure that if we use 
> > a common admin user, only CA will generate the certificate file, but not 
> > the other subsystems:
> > 
> >    if not config.str2bool(master['pki_clone']) and \
> >        not config.str2bool(master['pki_use_common_admin_user']):
> > 
> >        ... create cert file ...
> > 
> > Having conflicting pki_use_common_admin_users in the same config file is 
> > confusing to users because we are actually using a common admin user for 
> > all subsystems including CA so the value should be "true". I think it 
> > would be better to check for CA explicitly in the code:
> > 
> >    [Common]
> >    pki_use_common_admin_user=true
> > 
> >    if not config.str2bool(master['pki_clone']):
> >        if not config.str2bool(master['pki_use_common_admin_user']) or
> >            master['pki_subsystem'] == 'CA':
> > 
> >            ... create cert file ...
> > 
> 
> The thing is - someone might install a subordinate CA and want to use
> this mechanism to import an admin cert.  So we don't really want to
> exclude this simply because it's a CA.  Maybe we can change the name of
> the directive to import_admin_cert = true/false ?  This makes it clearer
> what we are doing.  Sound reasonable?
> 
> > 2. The location of the admin cert was changed from pki_client_dir to 
> > pki_database_path. I think we should keep it in pki_client_dir because 
> > the certificate belongs to the admin, not the instance, so it should be 
> > in the admin's home directory. As long as the other subsystems are 
> > created by the same admin the code should be able to read the cert from 
> > the admin's home directory.
> > 
> > So the following parameters should point to the admin's home directory:
> > - pki_client_admin_cert_p12
> > - pki_admin_cert_file
> > 
> I agree with you that the cert belongs to the admin and not the
> instance.  The problem is that we purge the client database by default.
> And we should purge it once we have generated the p12 file, because it
> includes the nss database and password files and so on. I suppose we
> could be a little smarter about exactly what it is that we purge.
> 
> > 3. The default pki_admin_nickname is too long:
> > 
> >    PKI Administrator's example.com Security Domain ID
> > 
> > It can be simplified without losing information:
> > 
> >    PKI Administrator of example.com
> 
> OK - will change.
> > 
> > 4. The common cert files are called ca_admin.*. I think we should remove 
> > the "ca_" to reflect that the cert works on all subsystems.
> > 
> Well along the lines of my response to above, if we change the name of
> the directive to import_admin_cert - then it's clearer that we are
> importing a cert that was generated during the CA install for the admin
> user on all subsystems.
> 
> In that case, using ca_admin is probably OK.
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
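To make the design question in the quoted thread concrete, here is an added example (not code from the pki project or from either author) that models how a pkispawn-style config resolves [Common] against the subsystem section and compares the three ways of deciding whether a subsystem generates the admin cert file: the original condition, the explicit-CA check, and an import directive. The directive name pki_import_admin_cert and the config contents are assumptions constructed for the example.

```python
import configparser
# Constructed pkispawn-style deployment configs (sample input, not the project's files).
# As in the thread, keys in [Common] are overridden by the subsystem's own section.
ORIGINAL_LAYOUT = """[Common]
pki_clone=false
pki_use_common_admin_user=true
[CA]
pki_use_common_admin_user=false
"""
# A subordinate CA that should import the existing admin cert rather than generate one.
# 'pki_import_admin_cert' is an assumed name for the directive proposed in the thread.
SUBCA_LAYOUT = """[Common]
pki_clone=false
pki_use_common_admin_user=true
pki_import_admin_cert=true
"""

def str2bool(value):
    # Stand-in for config.str2bool from the thread: accept the usual truthy spellings.
    return str(value).strip().lower() in ("true", "yes", "1", "on")

def resolve(config_text, subsystem):
    """Merge [Common] with the subsystem's own section; the subsystem's keys win."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(config_text)
    master = dict(parser["Common"])
    if parser.has_section(subsystem):
        master.update(parser[subsystem])
    master["pki_subsystem"] = subsystem
    return master

def generates_admin_cert_original(master):
    """Condition quoted in the thread: depends on the [CA] 'false' override."""
    return (not str2bool(master["pki_clone"])
            and not str2bool(master["pki_use_common_admin_user"]))

def generates_admin_cert_explicit_ca(master):
    """Endi's proposal: one 'true' in [Common] plus an explicit check for CA."""
    if str2bool(master["pki_clone"]):
        return False
    return (not str2bool(master["pki_use_common_admin_user"])
            or master["pki_subsystem"] == "CA")

def generates_admin_cert_import_flag(master):
    """Ade's proposal: any subsystem, sub-CA included, generates unless told to import."""
    if str2bool(master["pki_clone"]):
        return False
    return not str2bool(master.get("pki_import_admin_cert", "false"))
```

Running the sub-CA layout through the explicit-CA check still generates a cert, while the import directive lets that sub-CA import instead; that is the case Ade raises in point 1.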