Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TC-516] Deleting a DS thru the TO API should also delete all SSL keys (if applicable) #882

Closed
limited opened this issue Aug 29, 2017 · 6 comments · Fixed by #3333
Closed

[TC-516] Deleting a DS thru the TO API should also delete all SSL keys (if applicable) #882

limited opened this issue Aug 29, 2017 · 6 comments · Fixed by #3333
Labels
bug something isn't working as intended high impact impacts the basic function, deployment, or operation of a CDN Traffic Ops related to Traffic Ops
Milestone
2.3

Comments

@limited
Copy link
Contributor

limited commented Aug 29, 2017

There are currently 4 protocols for a DS:

0 - HTTP
1 - HTTPS
2 - HTTP AND HTTPS
3 - HTTP TO HTTPS

Currently, if you delete a DS thru the API, SSL keys are not deleted. This should occur if ds.protocol > 0.

Author: Jeremy Mitchell
JIRA Link: https://issues.apache.org/jira/browse/TC-516
Found Version: 2.1.0
@limited limited added this to the 2.1.0 milestone Aug 29, 2017
@limited limited added bug something isn't working as intended Traffic Ops API high impact impacts the basic function, deployment, or operation of a CDN labels Aug 29, 2017
@dneuman64 dneuman64 modified the milestones: 2.2.0, 2.1.0 Aug 31, 2017
@dneuman64
Copy link
Contributor

I don't believe this will be backported to 2.1. Moving to 2.2

@mitchell852 mitchell852 added the Traffic Ops related to Traffic Ops label Aug 31, 2017
@smalenfant
Copy link
Contributor

During some of my testing, I've had a few issues with the API call related to getting certificate for a CDN. I have a few questions here.

  • The API GET /api/1.2/cdns/name/:name/sslkeys brings up all certificates from Riak for a CDN no matter if the delivery service is configured or not in Traffic Ops. I believe this impacts both ORT and Traffic Router and can lead to some issues hard to resolve. If this is implemented, this might help with this situation.

  • On delete, should we keep the version of certificates around and only remove -latest? This way there is a recovery path, but what would happen if we recreate the delivery service?

  • Is the wanted behavior to delete certs for both API and UI? (This issue is only for API).

@mitchell852
Copy link
Member

mitchell852 commented Sep 6, 2017
edited

"On delete, should we keep the version of certificates around and only remove -latest? This way there is a recovery path, but what would happen if we recreate the delivery service?"

IMO, on DS delete thru the API all related SSL keys in riak should just go away. No recovery path. Too messy to think about recovery paths. I like to keep it simple if possible. If you end up recreating the DS, you're going to have to regenerate or enter the keys. Thoughts?

@mitchell852
Copy link
Member

mitchell852 commented Sep 6, 2017
edited

"Is the wanted behavior to delete certs for both API and UI? (This issue is only for API)."

in the old UI, this bug has been around for quite sometime i guess so IMO it stays there.

Our time is better served IMO tightening up the future (the API) but if you disagree @smalenfant maybe another issue would make sense for the "UI side".

after thinking about this more, you're probably right...if you delete thru api or UI then riak ssl keys should be deleted...

@mitchell852
Copy link
Member

"The API GET /api/1.2/cdns/name/:name/sslkeys brings up all certificates from Riak for a CDN no matter if the delivery service is configured or not in Traffic Ops. I believe this impacts both ORT and Traffic Router and can lead to some issues hard to resolve. If this is implemented, this might help with this situation."

maybe that warrents a different issue @smalenfant. if you agree, you want to create one? I kinda feel like this issue should just stick to deleting riak ssl keys when a ds is deleted...

@mitchell852 mitchell852 changed the title [TC-516] Deleting a DS thru the API should also delete all SSL keys (if applicable) [TC-516] Deleting a DS thru the TO API or TO UI should also delete all SSL keys (if applicable) Sep 6, 2017
@mitchell852 mitchell852 changed the title [TC-516] Deleting a DS thru the TO API or TO UI should also delete all SSL keys (if applicable) [TC-516] Deleting a DS thru the TO API should also delete all SSL keys (if applicable) Oct 13, 2017
@mitchell852 mitchell852 removed the Traffic Ops related to Traffic Ops label Oct 13, 2017
@mitchell852 mitchell852 removed this from the 2.2.0 milestone Oct 17, 2017
@mitchell852 mitchell852 removed their assignment Nov 10, 2017
@rob05c rob05c added this to the 2.3 milestone Jan 25, 2018
@mitchell852 mitchell852 added Traffic Ops related to Traffic Ops and removed Traffic Ops related to Traffic Ops Traffic Ops API labels Oct 17, 2018
@rob05c
Copy link
Member

rob05c commented Feb 14, 2019

This should happen on the CRConfig Snapshot, rather than the DS deletion. Because it's valid for an operator to delete a DS still receiving traffic, and not expect the "live" change to apply, and at some point the future to Snapshot the CRConfig to actually deploy the deletion.

@rob05c rob05c mentioned this issue Feb 18, 2019
Merged
17 tasks
@rob05c rob05c mentioned this issue Mar 25, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug something isn't working as intended high impact impacts the basic function, deployment, or operation of a CDN Traffic Ops related to Traffic Ops
Projects
None yet
Milestone
2.3
Development

Successfully merging a pull request may close this issue.

Add TO deleting old DS certs on snapshot rob05c/trafficcontrol
5 participants
@mitchell852 @limited @smalenfant @dneuman64 @rob05c