Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

updating security domain for clones on subsystem removal has problems #1075

Open
pki-bot opened this issue Oct 2, 2020 · 2 comments
Open

updating security domain for clones on subsystem removal has problems #1075

pki-bot opened this issue Oct 2, 2020 · 2 comments
Milestone
UNTRIAGED

Comments

@pki-bot
Copy link

pki-bot commented Oct 2, 2020

This issue was migrated from Pagure Issue #505. Originally filed by vakwetu (@vakwetu) on 2013-02-08 18:05:10:

  • Assigned to nobody

Currently, if you are on a subsystem that is not a security domain master, pkiremove/ pkidestroy will call updateDomainXML to remove the subsystem from the security domain. This servlet does a few things:

  1. removes the entry from the list of subsystems in the security domain.
  2. removes a user corresponing to uid= <subsystem_type>--
  3. removes that user from the subsystem group.

There are some problems with this.

  1. CA's which are clones of security domain CA's automatically become masters themselves. This means that when the clone is removed, updateDomainXML is not updated and the clone entry remains in the security domain. This is also true for a security domain master.

  2. the user that uses the subsystem cert is created in the SubsystemGroupUpdater when the subsystem certificate is issued on the security domain. This means that there is only one such user for all clones. In general then, when clones (of a KRA for instance) are removed, they will try to remove a non-existent user. And if you remove the master instead, then there will be no subsystem user left for the clones to use!

Proposed solution A (keeping only one user in security domain):

  1. Change the current setting of "Clone" in the security domain to be the name of the master, rather than "True" -- or more specifically the prototypical master. That is, if A->B and B-> C , then the prototypical master is A.
  2. All subsystems will call updateDomainXML to remove themselves from the domain.
  3. updateDomainXML will only remove the user and remove user from group if no clones exist with the same prototypical master.
  4. In the case that the prototypical master is removed, clones will be updated to make another clone the prototypical master.

Proposed Change B:

  1. When a clone is created, also create a user for this system in the security domain master, and populate with subsystem cert.
  2. All subsystems will call updateDomainXML to remove their user and entry.
@pki-bot pki-bot added this to the UNTRIAGED milestone Oct 2, 2020
@pki-bot
Copy link
Author

pki-bot commented Oct 2, 2020

Comment from vakwetu (@vakwetu) at 2013-02-08 18:19:10

This may not be as bad after all. It seems like the subsystem group is only used for updateDomainXML - basically in removing the server. But we already plan to change this servlet to require a enterprise level admin login instead. Maybe its just time to retire the subsystem group instead?

@pki-bot
Copy link
Author

pki-bot commented Oct 2, 2020

Comment from vakwetu (@vakwetu) at 2017-02-27 14:08:16

Metadata Update from @vakwetu:

  • Issue set to the milestone: UNTRIAGED

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
UNTRIAGED
Development

No branches or pull requests
1 participant
@pki-bot