|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
edewata commented 8 years ago | ||
vakwetu commented 8 years ago will do. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
edewata commented 8 years ago Can we call this "permission"? "Tag" is too generic and what it really does is granting permissions. | ||
cfu commented 8 years ago I actually think "Tag" is more appropriate between the two. If "Tag" means some other things that could confuse anyone, words like "Label", "World", "scope" etc. to differentiate the realm or scope of the relevance could be used. | ||
vakwetu commented 8 years ago I think "tag" is more appropriate too. We could use "Label" if that is less confusing. We are labeling or tagging a secret to be of a specific type, so that we know how to apply permissions rules to it. tag != permission What other use of "tag" are we trying to disambiguate against? | ||
edewata commented 8 years ago The concern is if there's no well-defined usage people might use tags for things other than permission. When that happens it could interfere with how the permission works, and it would be harder to separate permission tags and non-permission tags later. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago If this is going to be a field that requires external management, then perhaps the "owner" field should be outside of the CS system. And perhaps change this field to be "creator" instead, a single value field that is populated when the record was first created. | ||
vakwetu commented 8 years ago I'm ok with this suggestion. If IPA or another app wants to have multiple "owners", then they can -- and in fact do -- keep track of it. Endi? | ||
edewata commented 8 years ago Since we won't be using GSSAPI between PKI and DS, there is actually no need to have an owner/creator field in the DS since all secrets will only be accessed by pkidbuser. If we plan to have users other than pkidbuser to access the secrets, then it would make sense to have owner(s)/creator field with an ACL that grants certain permission. | ||
edewata commented 8 years ago Also, since we won't be using GSSAPI between PKI and DS, there is no need to store tags in the DS either. The PKI server can utilize an authorization plugin to check with IPA if the user has access to certain secrets (which can be determined by IPA vault ownership/membership). | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago I actually prefer this one instead of special casing in the other method. | ||
vakwetu commented 8 years ago It does make things cleaner, although there are migration considerations here. We don't want to disable existing customer's access to their secrets if a migration script failed to run. Most likely, what we'll end up doing is having a migration script that adds the special tag, and then, on completion, sets a config flag that disables the special casing. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago It is probably fine to have metadata put in the key record at the time of creation, as long as no further management needed after the creation. | ||
vakwetu commented 8 years ago Because the metadata is user-defined, I don't think we can enforce that it will not change. IPA, for example, will store the vault_secret_id here, and while that does not currently change, it seems unreasonable for us to require them to create a brand new secret and remove the old one in order to change it. This is just defining a user-defined metadata field -- why does it have to be immutable? | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago I don't think non-CS role users should go into the KRA database. The day-to-day management of non-CS users should be kept out of the core CS. | ||
vakwetu commented 8 years ago Eventually, barbican users will be defined in an IPA database and the barbican-dogtag-plugin will use kerberos/GSSAPI to talk with Dogtag. There is a lot of work needed to get there though. In the interim and because it is possible to deploy the KRA with Barbican outside of IPA -- the simplest possible scenario to promote adoption -- we need to add the user to the KRA DB. Note that we now need to consider CS as just another (albeit important) application that is using the KRA. If we have CS users, why not barbican users? | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago yes | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago I was hoping that tags are static. Again, I'm hoping to keep day-to-day management of these out of the CS authorities.. | ||
vakwetu commented 8 years ago Consider that several applications need to use the KRA to store secrets. Right now we have three -- CS, IPA Vault and Barbican. Each application needs to contact the KRA administrator to: This must be done in co-ordination with the KRA administrator to ensure that the apps do not use the same tag. This is just adding an interface that can be used by KRA admins to do this task, rather than having to go to the console (which we are trying to deprecate, remember?). It also allows apps to be added post-install possibly without server restart. | ||
vakwetu commented 8 years ago We don't expect this to be a daily occurrence. We do expect though, that this should be made easy for the admin to do. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
cfu commented 8 years ago yes. Overall, I believe that any application specific components, e.g. authentication and authorization are best to be implemented with plugin framework; | ||
vakwetu commented 8 years ago Exactly. But tags are the way we associate authz plugins with specific keys. We need to manage those just as we need to manage which authz plugins are registered. You could say that adding and mapping a tag is part of registering an authz plugin. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Need to clarify that GSSAPI will only be used between IPA and PKI, but not between PKI and DS, although IPA is already using GSSAPI to communicate to DS directly.