[Pki-devel] [PATCH] 93, 94 - changes for a common admin user

Endi Sukma Dewata edewata at redhat.com
Fri Nov 30 15:56:17 UTC 2012


Some issues:

1. The pki_use_common_admin_user is set to true in [Common] but 
overwritten to false in [CA]:

   [Common]
   pki_use_common_admin_user=true

   [CA]
   pki_use_common_admin_user=false

If I understood correctly it's done this way to make sure that if we use 
a common admin user, only CA will generate the certificate file, but not 
the other subsystems:

   if not config.str2bool(master['pki_clone']) and \
       not config.str2bool(master['pki_use_common_admin_user']):

       ... create cert file ...

Having conflicting pki_use_common_admin_user values in the same config file is 
confusing to users because we are actually using a common admin user for 
all subsystems including CA so the value should be "true". I think it 
would be better to check for CA explicitly in the code:

   [Common]
   pki_use_common_admin_user=true

   if not config.str2bool(master['pki_clone']):
       if (not config.str2bool(master['pki_use_common_admin_user']) or
               master['pki_subsystem'] == 'CA'):

           ... create cert file ...

2. The location of the admin cert was changed from pki_client_dir to 
pki_database_path. I think we should keep it in pki_client_dir because 
the certificate belongs to the admin, not the instance, so it should be 
in the admin's home directory. As long as the other subsystems are 
created by the same admin the code should be able to read the cert from 
the admin's home directory.

So the following parameters should point to the admin's home directory:
- pki_client_admin_cert_p12
- pki_admin_cert_file

3. The default pki_admin_nickname is too long:

   PKI Administrator's example.com Security Domain ID

It can be simplified without losing information:

   PKI Administrator of example.com

4. The common cert files are called ca_admin.*. I think we should remove 
the "ca_" to reflect that the cert works on all subsystems.

-- 
Endi S. Dewata


On 11/29/2012 4:09 PM, Ade Lee wrote:
> Please review.
>
> Ade
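The two variants of the check discussed in point 1, as an added example that is not code from the reviewed patch or from pkispawn: the [Common]/[CA] layering, the `str2bool` helper and the `master` dictionary are constructed stand-ins for the behaviour the mail describes, so that the patch's flag-override approach and the proposed explicit `pki_subsystem == 'CA'` test can be compared side by side.

```python
import configparser

# Constructed deployment configs mirroring the two layouts discussed in the mail.
ORIGINAL_CFG = """
[Common]
pki_use_common_admin_user=true
[CA]
pki_use_common_admin_user=false
"""
PROPOSED_CFG = """
[Common]
pki_use_common_admin_user=true
"""


def str2bool(value):
    """Stand-in for config.str2bool (assumption, not pkispawn's own code)."""
    return value.strip().lower() in ("true", "yes", "1")


def build_master(cfg_text, subsystem, clone=False):
    """Build the 'master' dict: [Common] first, then the subsystem section
    overrides it (assumed layering, as the mail describes it)."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    master = dict(parser["Common"])
    if parser.has_section(subsystem):
        master.update(parser[subsystem])
    master["pki_subsystem"] = subsystem
    master["pki_clone"] = "true" if clone else "false"
    return master


def creates_cert_file_original(master):
    """Check as in the patch: relies on [CA] flipping the flag to false."""
    return (not str2bool(master["pki_clone"])
            and not str2bool(master["pki_use_common_admin_user"]))


def creates_cert_file_proposed(master):
    """Reviewer's proposal: one consistent flag, CA tested explicitly."""
    if str2bool(master["pki_clone"]):
        return False
    return (not str2bool(master["pki_use_common_admin_user"])
            or master["pki_subsystem"] == "CA")


def compare(subsystems=("CA", "KRA", "OCSP")):
    """Return {subsystem: (original, proposed)}; both variants must agree that
    only the CA writes the cert file when a common admin user is in use."""
    return {s: (creates_cert_file_original(build_master(ORIGINAL_CFG, s)),
                creates_cert_file_proposed(build_master(PROPOSED_CFG, s)))
            for s in subsystems}
```

With the proposed layout, `master['pki_use_common_admin_user']` reads `true` for the CA as well, which is what the config is actually expressing; the decision of which instance writes the file moves into the code.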
