[Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
John Magne
jmagne at redhat.com
Thu Nov 10 23:40:02 UTC 2016
Looked over all these and it looks good. Post checkin ACK :)
Just a couple of questions:
1. Code like this:
if (!synchronous) {
+ // Has to be in this state or it won't go anywhere.
+ request.setRequestStatus(RequestStatus.BEGIN);
+ queue.processRequest(request);
+ } else {
+ kra.processSynchronousRequest(request);
+ }
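Review bot: the comment "Has to be in this state or it won't go anywhere" above `request.setRequestStatus(RequestStatus.BEGIN)` names neither the state nor the reason; spell it out (e.g. "the queue only dispatches requests whose status is BEGIN") so the next reader does not have to trace `queue.processRequest`. Note also that the status is only set on the asynchronous branch: the `else` branch hands `request` to `kra.processSynchronousRequest` with whatever status it already had, so either that method should set the status it needs or a comment should say it does not depend on it. Minor style point: writing the branch as `if (synchronous) { ... } else { ... }` avoids the negated condition and puts the new path first.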
I know we are handling the synchronous request with a processor and such, but the standard async request is being
handled with the same queue method. Would it look nicer to have a layer for the standard case, like processAsynchRequest?
No big deal.
2. Did we do a sanity sweep of the various scenarios to make sure that the refactor is good with respect to legacy code paths?
I'm sure we have but was just asking.
3. Also, I realize that the "realm" param is not yet supported but is a hook for future code; if we have to touch anything again, it might help to give a comment
in the key methods as to why it is not yet being used.
thanks,
jack
----- Original Message -----
> From: "Ade Lee" <alee at redhat.com>
> To: pki-devel at redhat.com
> Sent: Friday, November 4, 2016 1:11:03 PM
> Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
>
> Hi all,
>
> This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
>
> This is a preliminary set of patches - just so you can see what I'm doing
> in case I need to change anything.
>
> Note: With the changes, you can archive a secret like this:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_1"
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_2" --express
>
> The first invocation will archive a secret and create an archival
> request in LDAP. The second will create one only in memory - and will
> not store it in LDAP.
>
> You can, of course, see the requests created using -
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-request-find
>
> For retrieving the secret, you can do either:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
>
> The first will retrieve the secret while creating a retrieval request.
> The second will create a retrieval request only in memory, and will not
> write it to LDAP.
>
> In both cases, there should be audit logs both for retrieval and
> archival.
>
> Thanks,
> Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
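The message above makes two testable claims about the new --express mode: an express archival or retrieval creates no request record in LDAP, yet both modes still produce audit events. The following script is an added example, not code from the pki project, that checks both claims against the output of a test run. The inputs are constructed for this example: the audit lines imitate the bracketed [Name=Value] layout of the CS audit log, and the request listing imitates the output of `pki key-request-find`; the event names, field names and request type strings are assumptions and should be adjusted to whatever the server actually emits.

```python
"""Verify that express (in-memory) KRA requests still leave an audit trail
while only non-express requests are persisted as request records.

Added example, not pki project code.  Event names, field names and request
type strings below are assumptions for the example, not verified values.
"""
import re
from collections import Counter

# Assumed audit event names for the two operations in the test plan.
EXPECTED_EVENT = {
    "archive": "SECURITY_DATA_ARCHIVAL_REQUEST",
    "retrieve": "SECURITY_DATA_RECOVERY",
}
# Assumed "Type:" values shown by key-request-find for persisted requests.
REQUEST_TYPE = {"archive": "enrollment", "retrieve": "recovery"}
# Assumed audit field that carries the identifier for each operation.
ID_FIELD = {"archive": "ClientKeyID", "retrieve": "KeyID"}

# The four commands from the mail: (operation, identifier, express?)
PLAN = [
    ("archive", "test_1", False),
    ("archive", "test_2", True),
    ("retrieve", "0x5", False),
    ("retrieve", "0x5", True),
]

# Constructed audit log: one Success event per command, express or not.
AUDIT_OK = """\
0.http-bio-8443-exec-3 - [10/Nov/2016:18:40:02 UTC] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=PKI Administrator for laptop][Outcome=Success][ClientKeyID=test_1]
0.http-bio-8443-exec-4 - [10/Nov/2016:18:40:05 UTC] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=PKI Administrator for laptop][Outcome=Success][ClientKeyID=test_2]
0.http-bio-8443-exec-5 - [10/Nov/2016:18:41:10 UTC] [AuditEvent=SECURITY_DATA_RECOVERY][SubjectID=PKI Administrator for laptop][Outcome=Success][KeyID=0x5]
0.http-bio-8443-exec-6 - [10/Nov/2016:18:41:12 UTC] [AuditEvent=SECURITY_DATA_RECOVERY][SubjectID=PKI Administrator for laptop][Outcome=Success][KeyID=0x5]
"""
# Same log with the express archival's event missing: an unaudited path.
AUDIT_MISSING_EXPRESS = "\n".join(
    l for l in AUDIT_OK.splitlines() if "test_2" not in l) + "\n"

# Constructed key-request-find listing: only the two non-express requests.
REQUESTS_OK = """\
-----------------
2 entries matched
-----------------
  Request ID: 0x5
  Type: enrollment
  Status: complete
  Key ID: 0x5

  Request ID: 0x7
  Type: recovery
  Status: complete
  Key ID: 0x5
"""
# Listing in which the express archival was (wrongly) written to LDAP too.
REQUESTS_LEAKED = REQUESTS_OK + """
  Request ID: 0x8
  Type: enrollment
  Status: complete
  Key ID: 0x6
"""

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_audit(text):
    """Return one dict of [Name=Value] fields per line that has an AuditEvent."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "AuditEvent" in fields:
            events.append(fields)
    return events


def parse_request_find(text):
    """Parse 'Name: Value' blocks separated by blank lines into dicts."""
    requests, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                requests.append(cur)
                cur = {}
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    if cur:
        requests.append(cur)
    return requests


def verify(plan, audit_text, request_text):
    """Return a list of failures; an empty list means every expectation held."""
    failures = []
    events = [e for e in parse_audit(audit_text) if e.get("Outcome") == "Success"]
    audit_counts = Counter(e["AuditEvent"] for e in events)
    want_audit = Counter(EXPECTED_EVENT[op] for op, _, _ in plan)
    for name, n in want_audit.items():
        if audit_counts[name] != n:
            failures.append(f"audit: expected {n} {name} events, saw {audit_counts[name]}")
    # Every audited identifier must belong to an operation we actually ran.
    known_ids = {(EXPECTED_EVENT[op], ident) for op, ident, _ in plan}
    for e in events:
        ident = e.get("ClientKeyID") or e.get("KeyID")
        if (e["AuditEvent"], ident) not in known_ids:
            failures.append(f"audit: unexpected event {e['AuditEvent']} for {ident}")
    persisted = Counter(r.get("Type") for r in parse_request_find(request_text))
    want_persisted = Counter(REQUEST_TYPE[op] for op, _, express in plan if not express)
    for rtype in REQUEST_TYPE.values():
        if persisted[rtype] != want_persisted[rtype]:
            failures.append(f"ldap: expected {want_persisted[rtype]} persisted "
                            f"{rtype} requests, saw {persisted[rtype]}")
    return failures


if __name__ == "__main__":
    for label, audit, reqs in [("ok", AUDIT_OK, REQUESTS_OK),
                               ("missing audit", AUDIT_MISSING_EXPRESS, REQUESTS_OK),
                               ("leaked to ldap", AUDIT_OK, REQUESTS_LEAKED)]:
        print(label, "->", verify(PLAN, audit, reqs) or "all expectations held")
```

Run it against the real audit log and the real `key-request-find` output after executing the four commands from the mail; the count-based check is deliberately independent of request IDs, which the in-memory express requests may not expose, and the identifier check catches audit events for operations that were never part of the plan.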