Issue #3685: KCM: Default to a new back end that would write to the secrets database directly - sssd

SSSD / sssd

#3685 KCM: Default to a new back end that would write to the secrets database directly

Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.

At the moment, KCM uses the sssd-secrets REST API to communicate with the SSSD secrets database. This has the advantage of using a clean public API and the advantage that the secret can be forwarded to a Custodia server and potentially shared, but at the same time the disadvantage that there are two daemons to synchronize, two set of debug logs to correlate. Also, we are /bound/ to the sssd-secrets REST API, which might prevent us from doing things like quota reporting easily.

Therefore, this ticket proposes adding a new sssd-secrets back end that would write directly to the secrets database.

We should probably define some API that would be only private to SSSD to write to the secrets database. We should also expose the option that allows to choose the KCM back end. Since we have integration tests, we can just run them the same with just the back new back end changed, like we already do for the memory back end.

Metadata Update from @jhrozek:
- Issue tagged with: KCM

6 years ago

simo commented 6 years ago

Ideally you use the same code sssd-secrets uses for KCM, sharing it completely.
KCM would basically just shortcircuit the kcm->secrets communication over sockets.
If you do that the API is common and no divergence will happen.

Metadata Update from @jhrozek:
- Issue priority set to: blocker (was: minor)
- Issue set to the milestone: SSSD 2.0

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: RFE

6 years ago

jhrozek commented 6 years ago

Another side-effect of this change might be that we might split the secrets responder into a lib and the responder itself to avoid the dependency on http-parser and libjansson. Considering that Fedora ships KCM in its default installation, reducing dependencies is something we should do.

jhrozek commented 5 years ago

master:
fcbedf4
f74feb0
7dd1991
f91adcc
24ba212
0b9001e
e0bf64a
fdfa36a
24b151e
ca73eed
80811f9
0294bcf
aafaacd
4d7f078

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

pbrezina commented 4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4704

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

blocker

Milestone

SSSD 2.0

type

None

component

None

version

None

selected

None

testsupdated

None

patch

None

rhbz

None

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3685 KCM: Default to a new back end that would write to the secrets database directly Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.

Metadata

KCM RFE

#3685 KCM: Default to a new back end that would write to the secrets database directly

Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.