dogtagpki

Clone
Source Code
GIT

#438 RFE: REST interface for profile management
Closed: Fixed None Opened 11 years ago by nkinder.

Closed: Fixed
Reopen Issue

We should add REST interfaces for managing certificate profiles.

Initial Checkin:

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
dbf97df..9eb2c35 master -> master

The following still needs to be fixed:

  1. It looks like the current clientAuth setting is fine, but the SSL
    authenticator needs to be configured to use session. See the
    alwaysUseSession parameter in this page:
    http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html. I posted
    patch #278 to add this parameter.

Then the security constraint can be configured without <auth-constraint>
to allow anonymous access:

<security-constraint>
         <web-resource-collection>
             <web-resource-name>Profiles</web-resource-name>
             <url-pattern>/rest/profiles/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

I've tested this with profile-find, it will return different number of
results depending on the authentication. This way we won't need to use
separate agent/admin interface.

  1. For the profile-find output, I think it would be useful to show some
    basic info such as profile name and description in addition to the ID
    and URL.

  2. The profile-show command stores the entire profile into an output
    file, it doesn't show anything to the screen. I think it would be useful
    and more consistent to show the profile summary such as id, name,
    description, input and output attribute names, URL. Then people can
    optionally specify --output download the entire file.

  3. Does the profile subsystem support renaming a profile? The
    profile-mod may need to take 2 parameters: the old profile name and an
    input file containing the new profile name and the new attributes.

  4. Some methods in ProfileService would catch and swallow the exception.
    It might be better for now to throw a generic exception or just don't
    catch at all. This way the client will know if there's an error. In the
    future we can revisit the code to throw more specific errors.

  5. Audit logging needs to be added.

Metadata Update from @nkinder:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.1 - 08/13 (August)
7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1009

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
critical
None
None
None
enhancement
None
None
None
None
Profile Management REST Interfaces
IPA
None
None
None
None
None
None
CA
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.