Yes this has been on our wish list.
I only want to comment on the Access Control Considerations for profiles.
Please make sure the current security control in place is preserved, i.e. a
profile addition or update by an administrator requires an agent's approval:
* update of an existing profile - agent disables the profile, admin then is
allowed to update, agent reviews the profile and enables it.
* adding a new profile - admin creates the profile, agent approves it
Christina
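The two-step control Christina describes (an administrator may create or edit a profile, but only an agent may enable it, and an enabled profile must be disabled by an agent before an administrator may edit it) is a separation-of-duties rule. The following is an added illustration, not Dogtag code: the `ProfileStore`, `Profile` and `Role` names, the actor identifiers and the profile contents are assumptions made for this example; Dogtag's own profile registry and ACLs are not modelled here.

```python
"""Added example, not part of the original thread or of Dogtag.

Models the approval rule from the message above: a profile created or
modified by an administrator stays disabled until an agent enables it,
and an enabled profile cannot be modified until an agent disables it.
All class and role names are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    ADMIN = "admin"   # may create/update profile content
    AGENT = "agent"   # may enable/disable (i.e. approve) profiles


class AccessDenied(Exception):
    pass


@dataclass
class Profile:
    profile_id: str
    config: Dict[str, str]
    enabled: bool = False            # new profiles start disabled
    approved_by: Optional[str] = None


@dataclass
class ProfileStore:
    profiles: Dict[str, Profile] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _require(self, role: Role, wanted: Role, action: str) -> None:
        if role is not wanted:
            raise AccessDenied(f"{action} requires role {wanted.value}, got {role.value}")

    def create(self, actor: str, role: Role, profile_id: str, config: Dict[str, str]) -> None:
        self._require(role, Role.ADMIN, "create")
        if profile_id in self.profiles:
            raise ValueError(f"profile {profile_id} already exists")
        # Created disabled: it cannot be used to issue certificates until an agent approves it.
        self.profiles[profile_id] = Profile(profile_id, dict(config))
        self.audit.append(f"{actor} created {profile_id} (disabled, awaiting approval)")

    def update(self, actor: str, role: Role, profile_id: str, config: Dict[str, str]) -> None:
        self._require(role, Role.ADMIN, "update")
        profile = self.profiles[profile_id]
        if profile.enabled:
            # The agent must disable the profile first; this is the control to preserve.
            raise AccessDenied(f"{profile_id} is enabled; an agent must disable it before it can be updated")
        profile.config = dict(config)
        self.audit.append(f"{actor} updated {profile_id} (disabled, awaiting approval)")

    def disable(self, actor: str, role: Role, profile_id: str) -> None:
        self._require(role, Role.AGENT, "disable")
        profile = self.profiles[profile_id]
        profile.enabled = False
        profile.approved_by = None
        self.audit.append(f"{actor} disabled {profile_id}")

    def enable(self, actor: str, role: Role, profile_id: str) -> None:
        self._require(role, Role.AGENT, "enable")
        profile = self.profiles[profile_id]
        profile.enabled = True
        profile.approved_by = actor   # records which agent reviewed and approved the content
        self.audit.append(f"{actor} enabled {profile_id}")

    def is_enabled(self, profile_id: str) -> bool:
        return self.profiles[profile_id].enabled


def walkthrough() -> ProfileStore:
    """Runs the add-then-update workflow from the message; returns the store for inspection."""
    store = ProfileStore()
    # Adding a new profile: admin creates it, agent approves it.
    store.create("admin1", Role.ADMIN, "caExampleCert", {"validity": "365"})
    store.enable("agent1", Role.AGENT, "caExampleCert")
    # Updating an existing profile: admin must not be able to edit while it is enabled ...
    try:
        store.update("admin1", Role.ADMIN, "caExampleCert", {"validity": "730"})
    except AccessDenied as exc:
        store.audit.append(f"blocked: {exc}")
    # ... agent disables, admin updates, agent reviews and re-enables.
    store.disable("agent1", Role.AGENT, "caExampleCert")
    store.update("admin1", Role.ADMIN, "caExampleCert", {"validity": "730"})
    store.enable("agent2", Role.AGENT, "caExampleCert")
    return store


if __name__ == "__main__":
    for line in walkthrough().audit:
        print(line)
```

Whatever storage backend the profiles end up in (filesystem or LDAP), the point of the model is that the `enabled` state and the role check on `update` travel with the profile, so a replica that receives a profile must receive its approval state as well rather than treating every replicated profile as enabled.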
On 06/24/2014 12:07 AM, Fraser Tweedale wrote:
>On Fri, Jun 20, 2014 at 06:00:25PM +1000, Fraser Tweedale wrote:
>>On Thu, Jun 19, 2014 at 03:12:05AM +0800, Ade Lee wrote:
>>>This is something that has been on the wishlist for awhile.
>>>There is no mechanism at this point to replicate profiles.
>>>
>>>I agree that we should start this design.
>>>
>>>Ade
>>>
>>LDAP Profile Storage Design proposal (work in progress) is up on the
>>wiki:
>>http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage
>>
>>Input and feedback greatly appreciated, especially if anyone could
>>give guidance on the LDAP schema - I have no prior experience with
>>developing LDAP schemata.
>>
>>Have a nice weekend, all.
>>
>>Fraser
>>
>I've fleshed out the design proposal some more; getting close to
>ready now, modulo feedback and general approval.
>
>Particular sections for which I would appreciate feedback are:
>
>- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Relationship_to_fi...
> - whether deletion of file-based profiles should be prohibited
> - whether a *restore profile* method is needed
>
>- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#LDAP_schema
> - Need feedback from people who understand LDAP schema better than
> I :)
>
>- http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Cloning
> - Need feedback from people who know more than me about the
> cloning process.
>
>Cheers,
>
>Fraser
>
>>>On Wed, 2014-06-18 at 17:44 +1000, Fraser Tweedale wrote:
>>>>Hi all,
>>>>
>>>>A requirement from the FreeIPA side is the ability to add and
>>>>customise CA profiles. Dogtag's current profile creation behaviour
>>>>writes the new profile to the filesystem beside the standard
>>>>profiles (as well as making the appropriate update to the registry,
>>>>etc.)
>>>>
>>>>There does not seem to be a mechanism to distribute new/modified
>>>>profiles to replicas - though perhaps I have missed something.
>>>>
>>>>Because this behaviour is required, unless I have overlooked
>>>>something or there is a better way (in which case please shout out),
>>>>I think it makes sense to begin a design proposal for an LDAP-based
>>>>profile store.
>>>>
>>>>Finally, a brief mention of some tickets related to profile storage
>>>>that could be good to tackle simultaneously should the proposed
>>>>change go ahead:
>>>>
>>>>- https://fedorahosted.org/pki/ticket/778
>>>>- https://fedorahosted.org/freeipa/ticket/4002
>>>>
>>>>_______________________________________________
>>>>Pki-devel mailing list
>>>>Pki-devel(a)redhat.com
>>>>https://www.redhat.com/mailman/listinfo/pki-devel
>>>