-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adapt cert-find performance workaround for users #2990
Conversation
This LGTM. |
# no ra_options are set and exactly one service, host, or user is | ||
# supplied. | ||
# IPA enforces that subject CN is either a hostname or a username. | ||
# The complete flag is left to False to catch overrides. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code (including the existing workaround) makes some assumptions that I'm not 100% sure about - in particular that the hostname/username is used as the CN in the issued cert (a custom profile may violate this assumption). I need to work through it in more detail, and have run out of week, so I'll resume early next week.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confident that the restriction
freeipa/ipaserver/plugins/cert.py
Lines 747 to 753 in 3509545
elif principal_type == USER: | |
# check user name | |
if cn != principal.username: | |
raise errors.ValidationError( | |
name='csr', | |
error=_("DN commonName does not match user's login") | |
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I had the same concerns as @frasertweedale but after looking at the code I don't see a way for an IPA-issued cert to not have cn=uid in the subject.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tiran @rcritten it is actually pretty easy - you just import a profile configuration with parameter like:
policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.cn$, O=EXMAPLE.COM
...and update or relax the corresponding constraint component.
The CSR comes in with CN=alice
, and comes out with UID=alice
(but of course how you configure the subject DN to look is arbitrary).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@frasertweedale Oh no :/
We can either decide to ignore this edge case or somebody has to redesign and rewrite the entire cert_find
API. The current implementation doesn't scale at all. Several common cases download all certificates from Dogtag, which puts a lot of stress on 389-DS, Dogtag, and the Python API. The BZ mentions > 100k certs.
I have an idea how to optimize the most critical cases for cert revocation. We can use the fact that host certs, service certs, and user certs are always stored on the host, service, or user LDAP entry. For simple host, service, and user cert search, perform _ldap_search
before _ca_search
. In _ca_search
only retrieve certificates with subject CNs or serial numbers of certs as returned by _ldap_search
.
There is one catch: It looks like Dogtag does not support list of serial numbers. :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can add support on the Dogtag side for that. I'm inclined to ACK this, given the problem only occurs on an edge case, and file tickets to rework the whole thing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... once you fix the 'users'
/ 'user'
issue that is :)
ipaserver/plugins/cert.py
Outdated
if not ra_options: | ||
services = options.get('service', ()) | ||
hosts = options.get('host', ()) | ||
if len(services) == 1 and not hosts: | ||
principal = kerberos.Principal(options['service'][0]) | ||
users = options.get('users', ()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be options.get('user', ())
(the key in options
is 'user'
).
But even with this correction, this PR regresses in the subject DN corner case I mentioned above.
So... I am considering NAKing this. We might need to go back to the drawing board on cert-find
.
OTOH the scenario that breaks this code is a corner case. It's not the end of the world if we ship this patch as-is. cert-find
has a lot of limitations as it is, and this patch may help in the common case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the view and good catch! I have updated the patch.
Do we already have a ticket to track the comments? GH has a tendency to eat comments on rebased PRs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tiran I filed https://pagure.io/freeipa/issue/7904 to capture the comments and discuss re-working cert-find and friends.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One definite bug. And a bug in the Subject DN corner case (see inline discussion).
ipa cert-find --users=NAME was slow on system with lots of certificates. User certificates have CN=$username, therefore the performance tweak from ticket 7835 also works for user certificates. Related: https://pagure.io/freeipa/issue/7835 Fixes: https://pagure.io/freeipa/issue/7901 Signed-off-by: Christian Heimes <cheimes@redhat.com>
8214f7f
to
0ce63ee
Compare
I'm gonna ACK this and we can address the corner case later. |
master:
|
experimental patch
ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.
Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes cheimes@redhat.com