latchset / custodia.ipa
FreeIPA vault plugin for Custodia
License: GNU General Public License v3.0
The cert request and caching code is subject to a potential race condition. There is no locking in place that prevents issuing of multiple certs for the same service. In case a replication controller schedules multiple instances of a pod on multiple nodes at the same time, IPACertRequest may request multiple certificates in parallel.
KRA needs to be configured with ipa-kra-install. I'm not sure if KRA needs to be available on all CA replicas or if FreeIPA finds any available KRA in the cluster by itself.
It looks like GSSAPI does not auto-refresh a TGT with client keytab when the TGT is expired:
2017-04-13 13:38:12 - custodia - Custodia debug logger enabled
2017-04-13 13:38:12 - custodia - Custodia audit log: /tmp/audit.log
2017-04-13 13:38:12 - custodia - Config file <closed file 'custodia.conf', mode 'r' at 0x7f025fc29660> loaded
2017-04-13 13:38:13 - IPAInterface-[auth:ipa] - Unable to get principal from GSSAPI. Are you missing a TGT or valid Kerberos keytab?
Traceback (most recent call last):
File "/tmp/venv/bin/custodia", line 11, in <module>
sys.exit(main())
File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 211, in main
_load_plugins(config, cfgparser)
File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 191, in _load_plugins
raise RuntimeError(menu, name, e)
RuntimeError: ('authenticators', 'ipa', CCacheError(u'Major (720896): The referenced credential has expired, Minor (100001): Success',))
$ klist
Ticket cache: FILE:/tmp/ccache
Default principal: custodia/[email protected]
Valid starting Expires Service principal
2017-04-12 13:07:18 2017-04-13 13:07:18 krbtgt/[email protected]
2017-04-12 13:07:39 2017-04-13 13:07:18 HTTP/[email protected]
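A pre-flight check for the failure shown above, added here as an example (not code from custodia.ipa): it parses klist output and reports whether the TGT is missing or about to expire, so a deployment can renew from the keytab before starting the service instead of hitting CCacheError at plugin load. The sample output is constructed from the listing above with placeholder principal names, and the parser assumes klist's default ISO-like timestamp layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the klist output above; principal names are placeholders.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/ccache
Default principal: custodia/host.example@REALM.EXAMPLE

Valid starting       Expires              Service principal
2017-04-12 13:07:18  2017-04-13 13:07:18  krbtgt/REALM.EXAMPLE@REALM.EXAMPLE
2017-04-12 13:07:39  2017-04-13 13:07:18  HTTP/server.example@REALM.EXAMPLE
"""

# Assumes klist's default "YYYY-MM-DD HH:MM:SS" timestamps; other locales print differently.
_TS_FMT = "%Y-%m-%d %H:%M:%S"
_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
_ROW = re.compile(r"^\s*" + _TS + r"\s+" + _TS + r"\s+(\S+)\s*$")


def _to_dt(value):
    """Accept either a datetime or a timestamp string in klist's format."""
    return value if isinstance(value, datetime) else datetime.strptime(value, _TS_FMT)


def parse_tickets(klist_text):
    """Return a list of (service_principal, valid_from, expires) tuples."""
    tickets = []
    for line in klist_text.splitlines():
        m = _ROW.match(line)
        if m:
            tickets.append((m.group(3), _to_dt(m.group(1)), _to_dt(m.group(2))))
    return tickets


def tgt_needs_renewal(klist_text, now, margin_seconds=300):
    """True when the cache holds no TGT, or the TGT expires within margin_seconds."""
    now = _to_dt(now)
    for service, _valid_from, expires in parse_tickets(klist_text):
        if service.startswith("krbtgt/"):
            return expires - now < timedelta(seconds=margin_seconds)
    return True  # no TGT at all: treat as needing a fresh kinit from the keytab


if __name__ == "__main__":
    # At the time custodia failed above (13:38:13) the TGT had already expired.
    print(tgt_needs_renewal(SAMPLE_KLIST, "2017-04-13 13:38:13"))
```

Feed it the real output of klist (for example via subprocess) in an init container or a systemd ExecStartPre; a True result means the keytab-based renewal has to happen before the custodia process is started.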
IPACertRequest.get does not validate if a cached cert is still valid. It should perform at least two tests:
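The following is an added example (not custodia.ipa's own code) covering both the race condition noted above and the missing validity check on cached certs: a cert cache that takes an exclusive file lock and re-reads the cache after acquiring it, so that several instances starting at once issue a single certificate, and that treats a cached entry as valid only if it is for the requested principal and has not reached a renewal margin. The lock file layout, the JSON cache format, the RENEW_MARGIN policy and the request_fn stand-in for the real IPA cert request are all assumptions made for the example.

```python
import fcntl
import json
import os
import time
from contextlib import contextmanager

# Assumed policy: renew a cached cert one day before its notAfter.
RENEW_MARGIN = 24 * 3600


@contextmanager
def _locked(path):
    """Hold an exclusive advisory lock on <path>.lock for the duration of the block."""
    fd = os.open(path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def _read(path):
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def cached_cert_is_valid(entry, principal, now):
    """Two checks on a cache entry (assumed policy): it belongs to the requested
    principal, and its notAfter is still beyond the renewal margin."""
    if entry is None or entry.get("principal") != principal:
        return False
    return entry["not_after"] - RENEW_MARGIN > now


def get_or_request_cert(cache_dir, principal, request_fn, now=None):
    """Return the cert for principal, calling request_fn only when the cache
    entry is missing or invalid. The re-read after taking the lock is what
    stops a second concurrent caller from issuing a duplicate."""
    now = time.time() if now is None else now
    safe_name = "".join(c if c.isalnum() else "_" for c in principal)
    path = os.path.join(cache_dir, safe_name + ".json")
    entry = _read(path)
    if cached_cert_is_valid(entry, principal, now):
        return entry
    with _locked(path):
        entry = _read(path)  # another process may have finished while we waited
        if cached_cert_is_valid(entry, principal, now):
            return entry
        entry = request_fn(principal)
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(entry, f)
        os.replace(tmp, path)  # atomic publish: readers never see a half-written file
        return entry


def demo_concurrent_starts(workers=4):
    """Simulate several pod instances starting at once against one shared cache.
    Returns how many certs were issued and whether every caller got the same one."""
    import tempfile
    from concurrent.futures import ThreadPoolExecutor

    cache_dir = tempfile.mkdtemp()
    issued = []

    def issue(principal):  # constructed stand-in for the real IPA cert request
        issued.append(principal)
        time.sleep(0.05)  # widen the window in which a duplicate request could sneak in
        return {"principal": principal, "not_after": int(time.time()) + 30 * 86400,
                "pem": "-----BEGIN CERTIFICATE----- (constructed placeholder)"}

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(
            lambda _: get_or_request_cert(cache_dir, "custodia/host.example", issue),
            range(workers)))
    return {"issued": len(issued), "consistent": all(r == results[0] for r in results)}


if __name__ == "__main__":
    print(demo_concurrent_starts())  # expect one issuance, all callers consistent
```

Threads stand in for pods here because flock() on separately opened descriptors contends the same way across processes; on a shared volume the lock file is what serializes nodes that start at the same moment. Without the second _read inside the lock, every waiter would still issue its own cert once the lock was released.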
The list() operation simply grabs a list of all available vaults from the server. That doesn't scale well. Find a way to optimize it.
By default, ipalib creates a file handler and writes all log messages to ~/.ipa/log/default.log (or whatever the context is). The log file is not auto-rotated or shrunk. File logging can be disabled with bootstrap(log=None).
When the principal has no permission to set or get an entry, FreeIPA fails with an exception like
ACIError: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=keys__secrets__test10,cn=custodia/[email protected],cn=services,cn=vaults,cn=kra,dc=ipa,dc=example'
custodia.ipa should map the exception to HTTP 404 error.
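An added example of the mapping suggested above (not the project's code): a decorator that turns an IPA access-control failure into a bare 404, keeping the DN and the privilege detail in the server log only, so an unprivileged caller learns neither the entry's location nor whether it exists. ACIError and HTTPError are stand-ins constructed for the example (the real ones live in ipalib.errors and Custodia's plugin API), and vault_get and the backend callables are hypothetical.

```python
import functools
import logging

log = logging.getLogger("custodia.ipa.example")  # assumed logger name


class ACIError(Exception):
    """Stand-in for ipalib.errors.ACIError (constructed for this example)."""


class HTTPError(Exception):
    """Stand-in for Custodia's HTTP error type (constructed for this example)."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.message = message


def map_ipa_errors(func):
    """Translate an ACI denial into HTTP 404 with a generic message; the full
    IPA error text (including the DN) is written to the server log only."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except ACIError as e:
            log.warning("%s denied by ACI: %s", func.__name__, e)
            raise HTTPError(404, "Not Found") from None
    return wrapper


@map_ipa_errors
def vault_get(principal, name, backend):
    """Hypothetical store read; backend(principal, name) does the IPA vault call."""
    return backend(principal, name)


# Constructed backends: one denied by ACI (message taken from the issue above), one allowed.
def denied_backend(principal, name):
    raise ACIError("Insufficient access: Insufficient 'add' privilege to add the entry "
                   "'cn=keys__secrets__test10,cn=custodia/host.example,cn=services,"
                   "cn=vaults,cn=kra,dc=ipa,dc=example'")


def allowed_backend(principal, name):
    return b"constructed secret"


def status_for(backend, principal, name):
    """Run vault_get and report (http_code, body) the client would see."""
    try:
        return 200, vault_get(principal, name, backend)
    except HTTPError as e:
        return e.code, e.message


if __name__ == "__main__":
    print(status_for(denied_backend, "custodia/host.example", "test10"))
    print(status_for(allowed_backend, "custodia/host.example", "test10"))
```

The `from None` drops the exception chain so a traceback rendered by an outer handler cannot resurface the DN; the audit trail still has it via the log line.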
With https://pagure.io/freeipa/issue/6652 and https://pagure.io/freeipa/issue/6787 FreeIPA 4.6 and 4.5 + patch will be able to properly cache the KRA transport cert. custodia.ipa should retrieve the KRA transport cert in the master process by calling the vaultconfig_show command. The command always overrides the KRA transport cert on disk.
Path to cache is currently hard-coded.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables
It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error. This environment variable controls Softoken's response to that error.
If set to "1" or unset, Softoken will trigger an assertion failure in debug builds, and will report an error in non-DEBUG builds.
If set to "DISABLED", Softoken will ignore forks, and behave as it did in older versions.
If set to any other non-empty value, Softoken will report an error in both DEBUG and non-DEBUG builds.
Perhaps python-nss has a way to init the crypto module again?
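The variable the quoted text refers to is NSS_STRICT_NOFORK. Independently of how python-nss exposes re-initialization, the pattern below is an added example (not custodia.ipa's or python-nss's code) of how a process that forks workers can guarantee the crypto module is initialized once per pid: an at-fork hook forgets the parent's initialization in the child, and a pid check catches the case where the hook did not run. init_fn and shutdown_fn are stand-ins for the module's real init and shutdown calls.

```python
import os


class ForkAwareModule:
    """Wrapper around a PKCS#11-style module that must be initialized in every
    process that uses it. init_fn/shutdown_fn are assumed stand-ins for the
    module's real calls (python-nss's API is not used here)."""

    def __init__(self, init_fn, shutdown_fn):
        self._init_fn = init_fn
        self._shutdown_fn = shutdown_fn
        self._owner_pid = None  # pid whose initialization is currently valid
        self.init_count = 0
        # Python 3.7+: run in the child immediately after fork(), before any crypto use.
        os.register_at_fork(after_in_child=self.mark_forked)

    def mark_forked(self):
        """Forget the parent's initialization; the child must redo it."""
        self._owner_pid = None

    def ensure_initialized(self):
        """Initialize for the current pid if not yet done. Returns True when init ran.
        The pid comparison is a second line of defence if the at-fork hook was bypassed."""
        pid = os.getpid()
        if self._owner_pid == pid:
            return False
        if self._owner_pid is not None:
            self._shutdown_fn()  # drop handles inherited from another process
        self._init_fn()
        self._owner_pid = pid
        self.init_count += 1
        return True


def demo_fork():
    """Fork a child and report (parent_init_count, child_reinitialized)."""
    events = []
    mod = ForkAwareModule(lambda: events.append("init"), lambda: events.append("shutdown"))
    mod.ensure_initialized()
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: must re-init; tell the parent whether it did
        os.close(r)
        os.write(w, b"1" if mod.ensure_initialized() else b"0")
        os._exit(0)
    os.close(w)
    child_said = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    return mod.init_count, child_said == b"1"


if __name__ == "__main__":
    print(demo_fork())  # expect (1, True): parent initialized once, child re-initialized
```

Call ensure_initialized() at the top of every code path that touches the module rather than once at import time; that is what makes the check hold for worker processes spawned later by a pre-forking server.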