Re: [Pki-devel] replication of new/modified profiles

On 7/2/2014 12:17 PM, Ade Lee wrote: Just to clarify, so there are 3 proposals: 1. Stacked profiles (Fraser's proposal) 2. Pure LDAP profiles (Ade's proposal) 3. Separate file/LDAP profiles (my proposal) As discussed over IRC, proposal #3 will be supplemented with a mechanism to allow creating aliases for backward compatibility. I'm trying to generalize the mechanism to become "profile inheritance". Basically each LDAP profile will have an optional parent. The parent can be the file-based system/default profile, or another LDAP profile. A sub-profile will inherit all attributes, except when it's explicitly declared in the sub-profile. This mechanism allows us to create just a proxy/alias, a full clone, or anything in between. For example, a proxy profile might only have a few attributes: dn: cn=caAdminCert,ou=Profiles,ou=CA,{suffix} objectClass: certProfile cn: caAdminCert parent: defaultAdminCert visible: true Let's say in the old system we have an unchanged caAdminCert and a customized caUserCert. With proposal #1 we'll have: 1. caAdminCert (file) 2. caUserCert (LDAP) 3. caUserCert (file, inaccessible via REST due to the LDAP entry) With proposal #2 we'll have: 1. caAdminCert (LDAP) 2. caUserCert (LDAP) 3. caAdminCert (file, for initial installation only) 4. caUserCert (file, for initial installation only) With proposal #3 we'll have: 1. caAdminCert -> defaultAdminCert (proxy) 2. caUserCert (LDAP) 3. defaultAdminCert (file) 4. defaultUserCert (file) The benefits of proposal #3 are: 1. The system/default profiles will be stored in /usr/share/pki. People will be naturally discouraged to change them since it will be overwritten during RPM upgrade. On the other hand, an LDAP profile, although we can flag it as system profile or make it read-only, is more tempting to change. 2. The original/unchanged system profiles will be accessible via REST as well so people can use it directly and rely on auto update. 3. Backward compatibility can be maintained with proxy profiles. These profiles will be updated automatically during RPM upgrade since it's pointing to the file-based system profiles. No need to write upgrade scripts. 4. The proxy profiles can be used to hide certain system profiles without creating a full clone. With stacking, to hide caAdminCert we probably would have to create a full clone then change the visibility, and lose the auto update ability. 5. The mechanism can be used to extend/change the behavior of the default profiles without having to create the full custom profile. For example we want to create IPA-specific caUserCert with different inputs. In this case we'll be able to just create a sub-profile with the new inputs. No need to clone the entire profile. As discussed, we're separating database changes into: 1. structural changes (e.g. schema change, adding/removing attributes) 2. behavioral changes (e.g. changing SHA1 to SHA512, default validity) The structural changes will be semi-automatic. The admin decides when to run them, but it's not necessary to review them one-by-one. The behavioral changes should be reviewed by a security expert to make sure that it won't affect their particular system negatively. With proposal #3 the admin can decide whether to (a) trust us (developers) to make the behavioral changes automatically by using the default profiles directly or using proxy profiles, or (b) maintain a full control of all behavioral changes using custom profiles. If all profiles are in LDAP they might be limited to option (b) because the upgrade script won't be able to tell whether the current value is a default value that we can change, or it was intentionally set by the admin. -- Endi S. Dewata