-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relocate SSNv2 range objects for new CA instances #4885
Conversation
@fmarco76 For SSNv2 we could use it like this: edewata@4a85681 |
request_dn = self.mdict.get('pki_request_number_range_dn') | ||
if request_dn: | ||
subsystem.set_config('dbs.requestRangeDN', request_dn) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The dbs.requestRangeDN
is assigned twice, here and on line 1188. Could we merge with something like:
request_dn = self.mdict.setdefault('pki_request_number_range_dn', 'ou=requests,ou=ranges')
subsystem.set_config('dbs.requestRangeDN', request_dn)
and remove the one in line 1188 so it is assigned only once.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I decided not to add the pkispawn
param for now due to complexity, so the subtree is always ou=ranges
for SSNv1 and ou=ranges_v2
for SSNv2.
serial_dn = self.mdict.get('pki_serial_number_range_dn') | ||
if serial_dn: | ||
subsystem.set_config('dbs.serialRangeDN', serial_dn) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above. (I think we could use the same for the other configuration here)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see above.
@@ -105,6 +109,21 @@ public void execute(CommandLine cmd) throws Exception { | |||
|
|||
if (!cmd.hasOption("skip-containers")) { | |||
ldapConfigurator.createContainers(subsystem); | |||
|
|||
String requestRangeRDN = dbConfig.getRequestRangeDN(); | |||
if (!StringUtils.isEmpty(requestRangeRDN)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the id generator is legacy or legacy2 should we throw an exception if this is not configured?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the updated PR the param is guaranteed to exist in CA and KRA so it won't fail. The param will not exist in other subsystems so the code won't create the subtree.
} | ||
|
||
String serialRangeRDN = dbConfig.getSerialRangeDN(); | ||
if (!StringUtils.isEmpty(serialRangeRDN)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above
Since the DS was configurable from the start it is OK to add the possibility to configure. To move the |
With the new commit PR #4887 the current ranges tree is not modified so it is alwais possible to get the
The option |
As mentioned in PR #4887 we are still modifying the same |
There should be no problem to move from ssnv1 to ssnv2 and going back. Certificates are serial and there is no overlap issue so the problem is to find the right values to avoid conflicts. In the worst case it is possible to read last serial released and start new range from that point. You could have a big gap but not issues. To move the nextRange in a different location additional configuration parameters could be needed. It is weird that looking at the repository object the nextRange is not used and maintain a wrong value while the new repository for nextRange actually it is not a repository. Therefore, I am also looking at the possibility to store the nextRange in a different place (e.g. the description field is not used, could it be used?) |
Yes, it might work just fine, but since we do not have a test for this, we don't really know whether there's any unforeseen issues. It's better to minimize the risk as much as possible, especially since we will not be able to assist directly during the actual migration of production environment.
In edewata@4a85681 I was actually trying to use |
@fmarco76 Sorry for the delay. Please see the updated PR. I've changed the code to create SSNv2 range objects in |
pkispawn has been modified to create ou=ranges subtree for SSNv1 and optionally ou=ranges_v2 subtree for SSNv2 if it's enabled for new CA instances. The pki-server <subsystem>-db-init and <subsystem>-range-update commands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in the create.ldif have been removed. Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet.
The test scripts have been updated to use ou=ranges_v2 subtree for SSNv2 range objects.
Quality Gate passedIssues Measures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@fmarco76 Thanks! |
pkispawn
has been modified to createou=ranges
subtree for SSNv1 and optionallyou=ranges_v2
subtree for SSNv2 if it's enabled for new CA instances. Thepki-server <subsystem>-db-init
and<subsystem>-range-update
commands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in thecreate.ldif
have been removed.Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet.
The test scripts have been updated to use
ou=ranges_v2
subtree for SSNv2 range objects.