[Pki-devel] replication of new/modified profiles
Dmitri Pal
dpal at redhat.com
Mon Jun 30 20:30:02 UTC 2014
On 06/30/2014 03:28 PM, Endi Sukma Dewata wrote:
> Hi, I have some comments about the design:
> http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage
>
> I think all system/default profiles should remain file-based and all
> custom profiles should be LDAP-based. It will make a clean separation:
> system profiles are owned by us (Dogtag developers), custom profiles
> are owned by the admin.
>
> The system profiles will be read-only. This way we will be able to
> update the system profiles without writing any upgrade scripts because
> the files will be updated automatically by RPM. Just one requirement,
> all server instances must be upgraded to the same version.
>
> If the admin wants to change a system profile, they can clone it into
> a custom profile and make the changes there. The custom profiles
> cannot have the same names as the system profiles, so there's won't be
> any conflict/confusion, and no need to support a "restore" command. In
> general we won't need to write upgrade scripts for custom profiles
> except if we change the LDAP schema.
>
> About the schema itself, I suppose we want to have something that
> resembles the actual Profile data structure (see ProfileData Java
> class). There should be an LDAP attribute for each single-valued Java
> attribute (e.g. name, description, enabled, visible). This way the
> profile is more manageable and can be queried based on these
> attributes. For collection attributes (e.g. inputs, outputs,
> policySets) we can use child LDAP entries to represent them.
>
> About the names, right now we use "profile" to refer to both cert
> profile in CA and token profile in TPS. We probably should use
> separate terms to distinguish them (e.g. CertProfile and
> TokenProfile). This applies to Java/Python class names, REST
> interface, CLI, LDAP schema, etc.
>
> So the LDAP entries for a profile may look like this:
>
> dn: cn=MyUserCert,ou=Profiles,ou=CA,{suffix}
> objectClass: certProfile
> cn: MyUserCert
> displayName: Manual User Dual-Use Certificate Enrollment
> description: This certificate profile is for enrolling user certificates.
> visible: true
> enabled: true
> enabledBy: admin
>
> dn: ou=Inputs,cn=MyUserCert,ou=Profiles,ou=CA,{suffix}
> objectClass: organizationalUnit
> ou: Inputs
>
> dn: cn=i1,ou=Inputs,cn=MyUserCert,ou=Profiles,ou=CA,o=pki-tomcat
> objectClass: pkiCertProfileInput
> cn: i1
> classId: keyGenInputImpl
>
> About the REST interface & CLI, since this will be the primary way to
> edit profiles, we might want to have more granular commands to modify
> parts of the profile. Right now with ca-profile-mod command you need
> to send the entire profile in a file. It would be nice to be able to
> specify some parameters to change certain attributes only, or use
> separate commands to manage the inputs/outputs.
>
> We'll also need an interface to find existing cert records that use a
> certain profile and bulk modify them to use a different profile. This
> will be useful when you create a clone to change the system profile.
>
> I'm not sure if we should support 10.2 -> 10.3 cloning. When we
> release 10.3 the 10.2 will still be fairly new so it might be
> reasonable to require all clones to be upgraded. It will reduce the
> amount of testing requirement too.
>
Makes sense.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
More information about the Pki-devel
mailing list