On 9/24/2015 9:20 AM, Fraser Tweedale wrote:
> Latest patches attached. Relative to previous patchset this one:
> - fixes a compile error in CATest.java
> - fixes a ton of warnings and some poorly ordered imports
> - adds ACLs and ACL enforcement for privileged operations on AuthorityResource
>
> Here's an ldif snippet for adding the ACLs to an existing database:
>
> dn: cn=aclResources,o=ipaca
> changetype: modify
> add: resourceACLS
> resourceACLS: certServer.ca.authorities:list,read:allow (list,read) user="anybody":Anybody may list and read lightweight authorities
> resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
>
> Cheers,
> Fraser
Some comments:
1. Right now the create & modify operations over a non-secure URL will fail:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-authority-create o=test --parent 85a2c5c2-869d-467c-9adf-dcc34367e836
ForbiddenException: No user principal provided.
It works with the secure URL:
$ pki -U https://$HOSTNAME:8443 -d ~/.dogtag/pki-tomcat/ca/alias -u caadmin -w Secret123 ca-authority-create o=test --parent 85a2c5c2-869d-467c-9adf-dcc34367e836
Authority DN: O=test
ID: 14004c0f-3531-49c2-ae7a-99f715af7cc4
Parent DN: 85a2c5c2-869d-467c-9adf-dcc34367e836
Enabled: true
This can be fixed by adding <security-constraint> into the web.xml and
registering it in auth-method.properties.
2. The "Parent DN" field in the output above should show the DN of the
parent authority instead of the ID. We probably should show both Parent
DN and Parent ID.
3. Per discussion with alee, we need a way to find the host/main CA
using something like:
$ pki ca-authority-show --host-authority
4. I think we also need a way to translate a DN into ID:
$ pki ca-authority-show --dn <DN>
5. Also per discussion with alee, the authority DN should be unique only
among active CAs. So you should be able to create a CA, disable it, then
create another one with the same DN. If you try to enable the old CA it
should fail. This can be implemented later.
6. In AuthorityData.java the @XmlRootElement probably should be changed
to "authority" for consistency. Also the following fields can be renamed
because the "a" is redundant:
* aid -> id
* parentAID -> parentID
I think the XML output will look better that way.
7. The method description in ISigningUnit.java doesn't match the method
name (public vs. private).
I think these are not difficult to fix, and once fixed it should be
sufficient to push as initial implementation, so consider this a
conditional ACK (unless alee has other comments). Item #5 (or #4 too)
can be implemented later.
I also created this page to document the CLI:
http://pki.fedoraproject.org/wiki/PKI_CA_Authority_CLI
Feel free to expand it further.
--
Endi S. Dewata
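As an added illustration (not code from the patch, from Dogtag, or from either author), here is a small Python parser and evaluator for resourceACLS values of the shape shown in the ldif snippet above. It takes the two ACL entries from the snippet as constructed input and answers "may this user, with these groups, perform this operation on this resource?". The default-deny and deny-overrides-allow behaviour, and the handling of `||` between predicates, are the toy's own assumptions rather than a description of how Dogtag's evaluator works.

```python
"""Toy parser/evaluator for Dogtag-style resourceACLS values.

Added illustration, not Dogtag's own ACL code. It handles the two
predicate forms seen in the thread's ldif (user="..." and group="..."),
optionally joined with "||", and nothing more.
"""
import re
from dataclasses import dataclass

# The two resourceACLS values from the ldif snippet in the thread
# (constructed sample input for this illustration).
SAMPLE_ACLS = [
    'certServer.ca.authorities:list,read:allow (list,read) '
    'user="anybody":Anybody may list and read lightweight authorities',
    'certServer.ca.authorities:create,modify:allow (create,modify) '
    'group="Administrators":Administrators may create and modify '
    'lightweight authorities',
]

# Layout assumed here: resource:ops:effect (ops) expression:description
ACL_RE = re.compile(
    r'^(?P<resource>[^:]+):(?P<declared_ops>[^:]+):'
    r'(?P<effect>allow|deny)\s*\((?P<ops>[^)]*)\)\s*'
    r'(?P<expr>[^:]+):(?P<desc>.*)$'
)

PREDICATE_RE = re.compile(r'^(user|group)="([^"]*)"$')


@dataclass(frozen=True)
class AclRule:
    resource: str
    ops: frozenset      # operations this rule covers
    effect: str         # "allow" or "deny"
    expression: str     # e.g. user="anybody" or group="Administrators"
    description: str


def parse_acl(value: str) -> AclRule:
    """Parse one resourceACLS attribute value into an AclRule."""
    m = ACL_RE.match(value.strip())
    if m is None:
        raise ValueError(f"unparseable resourceACLS value: {value!r}")
    return AclRule(
        resource=m.group("resource").strip(),
        ops=frozenset(op.strip() for op in m.group("ops").split(",") if op.strip()),
        effect=m.group("effect"),
        expression=m.group("expr").strip(),
        description=m.group("desc").strip(),
    )


def expression_matches(expression: str, user: str, groups) -> bool:
    """True if any "||"-separated predicate matches the caller.

    user="anybody" matches every caller. An unrecognised predicate form
    raises instead of silently matching, so the evaluator fails closed.
    """
    groups = set(groups)
    for term in expression.split("||"):
        m = PREDICATE_RE.match(term.strip())
        if m is None:
            raise ValueError(f"unsupported ACL predicate: {term.strip()!r}")
        kind, value = m.groups()
        if kind == "user" and value in ("anybody", user):
            return True
        if kind == "group" and value in groups:
            return True
    return False


def is_authorized(rules, resource: str, op: str, user: str, groups=()) -> bool:
    """Default deny: only an explicit matching allow grants the operation.

    A matching deny rule wins over any allow. That precedence is this
    toy's own policy (an assumption), not a statement about Dogtag.
    """
    allowed = False
    for rule in rules:
        if rule.resource != resource or op not in rule.ops:
            continue
        if not expression_matches(rule.expression, user, groups):
            continue
        if rule.effect == "deny":
            return False
        allowed = True
    return allowed


RULES = [parse_acl(v) for v in SAMPLE_ACLS]

if __name__ == "__main__":
    res = "certServer.ca.authorities"
    for who, grp, op in [("alice", [], "list"), ("alice", [], "create"),
                         ("caadmin", ["Administrators"], "create")]:
        print(f"{who} {op}: {is_authorized(RULES, res, op, who, grp)}")
```

Run as a script it prints one decision per line; the useful property to notice is that an unauthenticated-looking caller with no groups can list and read but cannot create, which is exactly the split the two ACL entries express.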