[Pki-devel] replication of new/modified profiles

Christina Fu cfu at redhat.com
Wed Jun 25 21:51:08 UTC 2014


Yes this has been on our wish list.

I only want to comment on the Access Control Considerations for 
profiles.  Please make sure the current security control in place is 
preserved, i.e. a profile addition or update by an administrator 
requires an agent's approval:
* update of an existing profile - agent disables the profile, admin then 
is allowed to update, agent reviews the profile and enables it.
* adding a new profile - admin creates the profile, agent approves it

Christina

On 06/24/2014 12:07 AM, Fraser Tweedale wrote:
> On Fri, Jun 20, 2014 at 06:00:25PM +1000, Fraser Tweedale wrote:
>> On Thu, Jun 19, 2014 at 03:12:05AM +0800, Ade Lee wrote:
>>> This is something that has been on the wishlist for awhile.
>>> There is no mechanism at this point to replicate profiles.
>>>
>>> I agree that we should start this design.
>>>
>>> Ade
>>>
>> LDAP Profile Storage Design proposal (work in progress) is up on the
>> wiki: http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage
>>
>> Input and feedback greatly appreciated, especially if anyone could
>> give guidance on the LDAP schema - I have no prior experience with
>> developing LDAP schemata.
>>
>> Have a nice weekend, all.
>>
>> Fraser
>>
> I've fleshed out the design proposal some more; getting close to
> ready now, modulo feedback and general approval.
>
> Particular sections for which I would appreciate feedback are:
>
> - http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Relationship_to_file-based_profile_storage
>    - whether deletion of file-based profiles should be prohibited
>    - whether a *restore profile* method is needed
>
> - http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#LDAP_schema
>    - Need feedback from people who understand LDAP schema better than
>      I :)
>
> - http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Cloning
>    - Need feedback from people who know more than me about the
>      cloning process.
>
> Cheers,
>
> Fraser
>
>>> On Wed, 2014-06-18 at 17:44 +1000, Fraser Tweedale wrote:
>>>> Hi all,
>>>>
>>>> A requirement from the FreeIPA side is the ability to add and
>>>> customise CA profiles.  Dogtag's current profile creation behaviour
>>>> writes the new profile to the filesystem beside the standard
>>>> profiles (as well as making the appropriate update to the registry,
>>>> etc.)
>>>>
>>>> There does not seem to be a mechanism to distribute new/modified
>>>> profiles to replicas - though perhaps I have missed something.
>>>>
>>>> Because this behaviour is required, unless I have overlooked
>>>> something or there is a better way (in which case please shout out),
>>>> I think it makes sense to begin a design proposal for an LDAP-based
>>>> profile store.
>>>>
>>>> Finally, a brief mention of some tickets related to profile storage
>>>> that could be good to tackle simultaneously should the proposed
>>>> change go ahead:
>>>>
>>>> - https://fedorahosted.org/pki/ticket/778
>>>> - https://fedorahosted.org/freeipa/ticket/4002
>>>>
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
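The two-role control Christina describes above (admin edits, agent disables/reviews/enables) can be made an enforced state machine rather than a convention, so that a replicated profile store rejects any edit that bypasses agent review. The following is an added example written for this thread, not Dogtag or FreeIPA code; the class and method names, the three profile states and the sample profile id `caUserCert-custom` are all assumptions chosen for illustration.

```python
"""Separation-of-duties workflow for CA profile changes (illustrative model).

Added example, not Dogtag code. Encodes the control from the thread:
  - new profile: admin creates -> PENDING -> agent enables
  - existing profile: agent disables -> admin updates -> PENDING -> agent enables
Any operation by the wrong role, or in the wrong state, raises PolicyError,
and every accepted operation is appended to the profile's audit trail.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    AGENT = "agent"


class State(Enum):
    PENDING = "pending"    # created or edited, awaiting agent review
    ENABLED = "enabled"    # approved and usable for enrollment
    DISABLED = "disabled"  # agent took it out of service so admin may edit


class PolicyError(Exception):
    """Raised when an operation violates the two-role approval policy."""


@dataclass
class Profile:
    profile_id: str
    config: dict
    state: State
    audit: list = field(default_factory=list)  # (actor, role, event, state)


class ProfileStore:
    """In-memory stand-in for the (hypothetical) replicated profile store."""

    def __init__(self):
        self._profiles = {}

    def _record(self, p, actor, role, event):
        p.audit.append((actor, role.value, event, p.state.value))

    @staticmethod
    def _require_role(role, expected, op):
        if role is not expected:
            raise PolicyError(f"{op} requires {expected.value}, got {role.value}")

    def create(self, actor, role, profile_id, config):
        """Admin creates a profile; it is not usable until an agent enables it."""
        self._require_role(role, Role.ADMIN, "create")
        if profile_id in self._profiles:
            raise PolicyError(f"profile {profile_id} already exists")
        p = Profile(profile_id, dict(config), State.PENDING)
        self._record(p, actor, role, "create")
        self._profiles[profile_id] = p
        return p

    def disable(self, actor, role, profile_id):
        """Agent takes an enabled profile out of service before it is edited."""
        self._require_role(role, Role.AGENT, "disable")
        p = self._profiles[profile_id]
        if p.state is not State.ENABLED:
            raise PolicyError(f"cannot disable profile in state {p.state.value}")
        p.state = State.DISABLED
        self._record(p, actor, role, "disable")

    def update(self, actor, role, profile_id, config):
        """Admin edits a profile; refused while it is live, and always re-queues review."""
        self._require_role(role, Role.ADMIN, "update")
        p = self._profiles[profile_id]
        if p.state is State.ENABLED:
            raise PolicyError("profile must be disabled by an agent before update")
        p.config = dict(config)
        p.state = State.PENDING
        self._record(p, actor, role, "update")

    def enable(self, actor, role, profile_id):
        """Agent reviews a pending profile and puts it into service."""
        self._require_role(role, Role.AGENT, "enable")
        p = self._profiles[profile_id]
        if p.state is not State.PENDING:
            raise PolicyError(f"cannot enable profile in state {p.state.value}")
        p.state = State.ENABLED
        self._record(p, actor, role, "enable")

    def state_of(self, profile_id):
        return self._profiles[profile_id].state

    def audit_of(self, profile_id):
        return list(self._profiles[profile_id].audit)


def demo():
    """Runs both workflows from the thread and returns the audit events."""
    store = ProfileStore()
    # constructed sample profile, not a real Dogtag profile
    store.create("admin1", Role.ADMIN, "caUserCert-custom", {"keyUsage": "digitalSignature"})
    store.enable("agent1", Role.AGENT, "caUserCert-custom")
    store.disable("agent1", Role.AGENT, "caUserCert-custom")
    store.update("admin1", Role.ADMIN, "caUserCert-custom", {"keyUsage": "nonRepudiation"})
    store.enable("agent1", Role.AGENT, "caUserCert-custom")
    return [event for (_, _, event, _) in store.audit_of("caUserCert-custom")]


if __name__ == "__main__":
    print(demo())
```

The design point is that the enforcement lives in the store, not in the UI: whichever replica receives the write applies the same role and state checks, so replication cannot become a path around agent review.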