[Pki-devel] replication of new/modified profiles

Fraser Tweedale ftweedal at redhat.com
Thu Jun 26 00:51:42 UTC 2014


On Wed, Jun 25, 2014 at 02:51:08PM -0700, Christina Fu wrote:
> Yes this has been on our wish list.
> 
> I only want to comment on the Access Control Considerations for profiles.
> Please make sure the current security control in place is preserved, i.e. a
> profile addition or update by an administrator requires an agent's approval
> --
> * update of an existing profile - agent disables the profile, admin then is
> allowed to update, agent reviews the profile and enables it.
> * adding a new profile - admin creates the profile, agent approves it
> 
> Christina
> 

Thanks Christina; the current security controls will be preserved.

Fraser

> On 06/24/2014 12:07 AM, Fraser Tweedale wrote:
> >On Fri, Jun 20, 2014 at 06:00:25PM +1000, Fraser Tweedale wrote:
> >>On Thu, Jun 19, 2014 at 03:12:05AM +0800, Ade Lee wrote:
> >>>This is something that has been on the wishlist for a while.
> >>>There is no mechanism at this point to replicate profiles.
> >>>
> >>>I agree that we should start this design.
> >>>
> >>>Ade
> >>>
> >>LDAP Profile Storage Design proposal (work in progress) is up on the
> >>wiki: http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage
> >>
> >>Input and feedback greatly appreciated, especially if anyone could
> >>give guidance on the LDAP schema - I have no prior experience with
> >>developing LDAP schemata.
> >>
> >>Have a nice weekend, all.
> >>
> >>Fraser
> >>
> >I've fleshed out the design proposal some more; getting close to
> >ready now, modulo feedback and general approval.
> >
> >Particular sections for which I would appreciate feedback are:
> >
> >- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Relationship_to_file-based_profile_storage
> >   - whether deletion of file-based profiles should be prohibited
> >   - whether a *restore profile* method is needed
> >
> >- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#LDAP_schema
> >   - Need feedback from people who understand LDAP schema better than
> >     I :)
> >
> >- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Cloning
> >   - Need feedback from people who know more than me about the
> >     cloning process.
> >
> >Cheers,
> >
> >Fraser
> >
> >>>On Wed, 2014-06-18 at 17:44 +1000, Fraser Tweedale wrote:
> >>>>Hi all,
> >>>>
> >>>>A requirement from the FreeIPA side is the ability to add and
> >>>>customise CA profiles.  Dogtag's current profile creation behaviour
> >>>>writes the new profile to the filesystem beside the standard
> >>>>profiles (as well as making the appropriate update to the registry,
> >>>>etc.)
> >>>>
> >>>>There does not seem to be a mechanism to distribute new/modified
> >>>>profiles to replicas - though perhaps I have missed something.
> >>>>
> >>>>Because this behaviour is required, unless I have overlooked
> >>>>something or there is a better way (in which case please shout out),
> >>>>I think it makes sense to begin a design proposal for an LDAP-based
> >>>>profile store.
> >>>>
> >>>>Finally, a brief mention of some tickets related to profile storage
> >>>>that could be good to tackle simultaneously should the proposed
> >>>>change go ahead:
> >>>>
> >>>>- https://fedorahosted.org/pki/ticket/778
> >>>>- https://fedorahosted.org/freeipa/ticket/4002
> >>>>
> >>>>_______________________________________________
> >>>>Pki-devel mailing list
> >>>>Pki-devel at redhat.com
> >>>>https://www.redhat.com/mailman/listinfo/pki-devel
> >>>
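The agent-approval control Christina asks to preserve (admin creates or edits profile content, an agent must disable before an edit and approve before the profile is usable) is a small two-role state machine. The block below is an added illustration written for this thread; it is not Dogtag or FreeIPA code and does not reflect the LDAP profile store design. The role and state names, the `ProfileStore` methods, the SHA-256 "approved digest" check and the profile name `exampleProfile` are all constructed assumptions for the model.

```python
"""Toy model of the agent-approval control for CA profile changes.

Added illustration for this thread; NOT Dogtag/PKI code. Roles, states and
method names are assumptions chosen to model the workflow in the message:
  * new profile: admin creates it, agent approves (enables) it;
  * existing profile: agent disables it, admin updates it, agent reviews
    and re-enables it.
Until an agent enables the current content, the profile is not usable.
"""
import hashlib
import json
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Role(Enum):
    ADMIN = "admin"   # may create and edit profile content
    AGENT = "agent"   # may enable/disable (i.e. approve) profiles


class State(Enum):
    PENDING = "pending"    # created, never approved
    ENABLED = "enabled"    # approved by an agent, in service
    DISABLED = "disabled"  # taken out of service by an agent


class AccessDenied(Exception):
    pass


class InvalidTransition(Exception):
    pass


@dataclass
class Profile:
    name: str
    config: dict
    state: State = State.PENDING
    approved_digest: Optional[str] = None  # digest of the config an agent last reviewed


def _digest(config: dict) -> str:
    # canonical JSON so key order does not change the digest
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


class ProfileStore:
    def __init__(self) -> None:
        self._profiles: dict = {}
        self.audit: list = []

    @staticmethod
    def _require(actor: Role, needed: Role, action: str) -> None:
        if actor is not needed:
            raise AccessDenied(f"{action} requires {needed.value}, got {actor.value}")

    def add(self, actor: Role, name: str, config: dict) -> Profile:
        self._require(actor, Role.ADMIN, "add")
        if name in self._profiles:
            raise InvalidTransition(f"profile {name} already exists")
        p = Profile(name, dict(config))  # starts PENDING: not usable yet
        self._profiles[name] = p
        self.audit.append(f"admin added {name} (pending approval)")
        return p

    def disable(self, actor: Role, name: str) -> None:
        self._require(actor, Role.AGENT, "disable")
        p = self._profiles[name]
        if p.state is not State.ENABLED:
            raise InvalidTransition(f"{name} is {p.state.value}, cannot disable")
        p.state = State.DISABLED
        self.audit.append(f"agent disabled {name}")

    def update(self, actor: Role, name: str, config: dict) -> None:
        self._require(actor, Role.ADMIN, "update")
        p = self._profiles[name]
        # A live profile must be taken out of service by an agent first.
        if p.state is State.ENABLED:
            raise InvalidTransition(f"{name} is enabled; an agent must disable it first")
        p.config = dict(config)
        self.audit.append(f"admin updated {name} (awaiting agent review)")

    def enable(self, actor: Role, name: str) -> None:
        self._require(actor, Role.AGENT, "enable")
        p = self._profiles[name]
        if p.state is State.ENABLED:
            raise InvalidTransition(f"{name} already enabled")
        # The agent approves exactly the content stored right now.
        p.approved_digest = _digest(p.config)
        p.state = State.ENABLED
        self.audit.append(f"agent enabled {name} ({p.approved_digest[:12]})")

    def usable(self, name: str) -> bool:
        """True only if enabled AND the current content is what an agent approved."""
        p = self._profiles[name]
        return p.state is State.ENABLED and p.approved_digest == _digest(p.config)


def rejects(action: Callable, *args) -> Optional[str]:
    """Return the name of the exception `action(*args)` raises, or None."""
    try:
        action(*args)
    except (AccessDenied, InvalidTransition) as e:
        return type(e).__name__
    return None


def run_workflow() -> ProfileStore:
    """Walk the constructed profile through both paths from the message."""
    s = ProfileStore()
    s.add(Role.ADMIN, "exampleProfile", {"validity_days": 365})  # not usable yet
    s.enable(Role.AGENT, "exampleProfile")       # agent approves the new profile
    s.disable(Role.AGENT, "exampleProfile")      # agent takes it out of service
    s.update(Role.ADMIN, "exampleProfile", {"validity_days": 730})
    s.enable(Role.AGENT, "exampleProfile")       # agent reviews and re-enables
    return s


if __name__ == "__main__":
    for line in run_workflow().audit:
        print(line)
```

The digest check in `usable()` is the part worth carrying into any real store: approval is tied to the exact content reviewed, so a profile whose stored content changes after approval (whether by an admin edit or by a replication glitch) stops being usable until an agent re-enables it.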