Currently, if you are on a subsystem that is not a security domain master, pkiremove/ pkidestroy will call updateDomainXML to remove the subsystem from the security domain. This servlet does a few things:
There are some problems with this.
CA's which are clones of security domain CA's automatically become masters themselves. This means that when the clone is removed, updateDomainXML is not updated and the clone entry remains in the security domain. This is also true for a security domain master.
the user that uses the subsystem cert is created in the SubsystemGroupUpdater when the subsystem certificate is issued on the security domain. This means that there is only one such user for all clones. In general then, when clones (of a KRA for instance) are removed, they will try to remove a non-existent user. And if you remove the master instead, then there will be no subsystem user left for the clones to use!
Proposed solution A (keeping only one user in security domain): 1. Change the current setting of "Clone" in the security domain to be the name of the master, rather than "True" -- or more specifically the prototypical master. That is, if A->B and B-> C , then the prototypical master is A. 2. All subsystems will call updateDomainXML to remove themselves from the domain. 3. updateDomainXML will only remove the user and remove user from group if no clones exist with the same prototypical master. 4. In the case that the prototypical master is removed, clones will be updated to make another clone the prototypical master.
Proposed Change B: 1. When a clone is created, also create a user for this system in the security domain master, and populate with subsystem cert. 2. All subsystems will call updateDomainXML to remove their user and entry.
This may not be as bad after all. It seems like the subsystem group is only used for updateDomainXML - basically in removing the server. But we already plan to change this servlet to require a enterprise level admin login instead. Maybe its just time to retire the subsystem group instead?
Metadata Update from @vakwetu: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1075
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.