Re: [Pki-devel] [PATCH] 93, 94 - changes for a common admin user
On Fri, 2012-11-30 at 09:56 -0600, Endi Sukma Dewata wrote:
Some issues:
1. The pki_use_common_admin_user is set to true in [Common] but
overwritten to false in [CA]:
[Common]
pki_use_common_admin_user=true
[CA]
pki_use_common_admin_user=false
If I understood correctly it's done this way to make sure that if we use
a common admin user, only CA will generate the certificate file, but not
the other subsystems:
if not config.str2bool(master['pki_clone']) and \
not config.str2bool(master['pki_use_common_admin_user']):
... create cert file ...
Having conflicting pki_use_common_admin_users in the same config file is
confusing to users because we are actually using a common admin user for
all subsystems including CA so the value should be "true". I think it
would be better to check for CA explicitly in the code:
[Common]
pki_use_common_admin_user=true
if not config.str2bool(master['pki_clone']):
if not config.str2bool(master['pki_use_common_admin_user']) or
master['pki_subsystem'] == 'CA':
... create cert file ...
The thing is - someone might install a subordinate CA and want to use
this mechanism to import an admin cert. So we dont really want to
exclude this simply because its a CA. Maybe we can change the name of
the directive to import_admin_cert = true/false ? This makes it clearer
what we are doing. Sound reasonable?
2. The location of the admin cert was changed from pki_client_dir to
pki_database_path. I think we should keep it in pki_client_dir because
the certificate belongs to the admin, not the instance, so it should be
in the admin's home directory. As long as the other subsystems are
created by the same admin the code should be able to read the cert from
the admin's home directory.
So the following parameters should point to the admin's home directory:
- pki_client_admin_cert_p12
- pki_admin_cert_file
I agree with you that the cert belongs to the admin and not the
instance. The problem is that we purge the client database by default.
And we should purge it once we have generated the p12 file, because it
includes the nss database and password files and so on. I suppose we
could be a little smarter about exactly what it is that we purge.
3. The default pki_admin_nickname is too long:
PKI Administrator's example.com Security Domain ID
It can be simplified without losing information:
PKI Administrator of example.com
OK - will change.
4. The common cert files are called ca_admin.*. I think we should remove
the "ca_" to reflect that the cert works on all subsystems.
Well along the lines of my response to above, if we change the name of
the directive to import_admin_cert - then its clearer that we are
importing a cert that was generated during the CA install for the admin
user on all subsystems.
In that case, using ca_admin is probably OK.