Discussion:
[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install
martbab
2017-04-05 15:27:44 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, the following things are lacking in this PR; I will either
push them on top of this one or create a new PR:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
-[ ] upgrade and transitions between PKINIT configurations
-[ ] reporting PKINIT state in LDAP
-[ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""
MartinBasti
2017-04-05 18:52:42 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

MartinBasti commented:
"""
`upgrade and transitions between PKINIT configurations` does this cover:

- CA-less to CA-full upgrade?
- installed 4.4.4 --- upgraded ---> 4.5.0 --- upgraded ----> 4.5.1
- installed 4.5.0 --- upgraded ---> 4.5.1

?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-291960041
martbab
2017-04-06 07:48:31 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@MartinBasti I haven't thought about CA-less -> CA-full, but in this case you would have local PKINIT and should configure full PKINIT manually.

All the other scenarios should be covered by the incoming code.

Regarding your comment on the certmonger helper/special CA, we (me and @HonzaCholasta ) decided to remove it and use a self-sign CA instead.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292096092
martbab
2017-04-06 17:47:27 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
martbab
2017-04-06 17:47:37 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, the following things are lacking in this PR; I will either
push them on top of this one or create a new PR:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""
martbab
2017-04-06 17:47:41 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, the following things are lacking in this PR; I will either
push them on top of this one or create a new PR:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""
martbab
2017-04-06 17:47:45 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, the following things are lacking in this PR; I will either
push them on top of this one or create a new PR:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [x] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""
martbab
2017-04-06 17:49:35 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have re-worked the PR and implemented most of the missing steps (except for API for querying PKINIT status in topology). I have also removed the PKINIT-specific CA and helper. The installer will now call either `IPA` or self-sign CA depending on configuration and passed-in options. The PKINIT state recording was also changed to depend on the KDC certificate tracking status and CA that tracks it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292254190
MartinBasti
2017-04-06 19:58:11 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

MartinBasti commented:
"""
Should the anon keytab be removed by upgrade? Are there any leftovers in LDAP to be removed during upgrade?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292297598
martbab
2017-04-07 08:38:03 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@MartinBasti I can add some removal logic to upgrader if required.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-292477063
martbab
2017-04-18 14:47:59 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
martbab
2017-04-18 14:49:24 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have added comments to the "hidden" PKINIT setup steps. I would also like @simo5 and @abbra to answer further comments regarding this PR. It was on ice for nearly two weeks and we should really have it merged soon.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-294869009
abbra
2017-04-20 07:43:58 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
I read through the code and I believe it addresses all use cases we have been discussing. LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295613748
abbra
2017-04-20 07:44:44 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +ack
martbab
2017-04-20 11:21:38 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@abbra I received an interactive review from @HonzaCholasta today and he is not very keen on the idea of having a ternary (absent/local/external/full) PKINIT configuration. He suggests only having it absent/off (local implementation)/on and thus dropping the differentiation between PKINIT configured with IPA CA issued or 3rd party certificates. The main concern here is that the 'local' PKINIT configuration is actually an implementation detail we should not leak to clients; they should only be able to tell if it is configured for them or not.

If you look into the design page, the two states (full/external) behave the same during replica installation and upgrade so the differentiation does not bring much new information to the users. So a simple on/off switch (something like pkinitStatus: off/on) could be enough and it could simplify the transition and UX. What do you think?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295692167
abbra
2017-04-20 11:34:10 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
I agree that it is an internal detail whether we use local pkinit or not. However, we need to know that it exists, as opposed to not existing at all, for older systems where we are going to perform upgrades. However, as you can derive this information from the presence or lack of the actual KDC certificate file in the file system during upgrade, this can be reduced, indeed.

One more detail: we already have a pkinit plugin (`ipaserver/plugins/pkinit.py`) which has an `ipa pkinit-anonymous enable/disable` command. This command cannot now be used because even for the 'local' case we require anonymous PKINIT to be usable, and this means we cannot disable the principal.

Perhaps you can remove this command and instead add an `ipa pkinit-status` command to show the status? It would show a list of KDCs and their status.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295696911
martbab
2017-04-20 12:54:30 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
We can determine that PKINIT was not configured at all by a) checking the presence of the KDC keypair, b) checking sysupgrade (no presence of the pkinit flag implies no configuration is present), and c) querying LDAP (no presence of ipaConfigString), so we have multiple redundant ways to determine that PKINIT is not configured at all.

As for the removal of pkinit status, I intend to replace the existing command by `ipa pkinit-status` as a follow-up PR once this one is merged.

I will then update the design page to reflect this discussion and update the implementation in this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295727092
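The two ideas above, the per-KDC listing an `ipa pkinit-status` command would show and the three redundant local signals for "PKINIT never configured", sketched as an added Python example; this is not FreeIPA code, and the `pkinitEnabled` marker value, the hostnames and the LDIF below are constructed for illustration.

```python
"""Added example: PKINIT state model from the PR#694 discussion.
Assumption: each master publishes its KDC state as ipaConfigString values
on its cn=KDC service entry; the marker value below is constructed."""
import re

PKINIT_MARKER = "pkinitEnabled"   # assumed ipaConfigString value, not from the PR

# Constructed LDIF: ipa1 has full PKINIT, ipa2 has local-only PKINIT
# (no marker), ipa3 is an older master with no PKINIT state at all.
SAMPLE_LDIF = """\
dn: cn=KDC,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService
ipaConfigString: pkinitEnabled

dn: cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
ipaConfigString: enabledService

dn: cn=KDC,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: KDC
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; no folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def pkinit_status(entries):
    """Per-master on/off view: 'on' only when the KDC entry carries the marker."""
    status = {}
    for dn, attrs in entries.items():
        m = re.match(r"cn=KDC,cn=([^,]+),cn=masters,", dn)
        if m:
            marked = PKINIT_MARKER in attrs.get("ipaConfigString", [])
            status[m.group(1)] = "on" if marked else "off"
    return status


def local_pkinit_state(kdc_cert_present, sysupgrade_flag, ldap_marker):
    """Combine the three redundant local signals: KDC keypair on disk,
    sysupgrade pkinit flag, ipaConfigString marker in LDAP. No signal at
    all means PKINIT was never configured (older master); otherwise the
    LDAP marker decides between full ('on') and local-only ('off')."""
    if not (kdc_cert_present or sysupgrade_flag or ldap_marker):
        return "absent"
    return "on" if ldap_marker else "off"
```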
abbra
2017-04-20 13:08:03 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
Yep. Then this PR can be merged once you have removed the external/full distinction.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295731813
martbab
2017-04-24 10:27:19 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
martbab
2017-04-24 10:37:27 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have rewritten the PKINIT state reporting code as agreed with @abbra and also re-factored the installation/upgrade logic. @HonzaCholasta also requested to remove the local PKINIT check completely and have a test suite for that. On the one hand I tend to agree, on the other I would keep the check there for now until the password authentication test is implemented. Then remove the checks once we have coverage for it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296613316
HonzaCholasta
2017-04-25 05:39:18 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
@martbab, this sounds like a typical instance of a "we will do it later = we will do it never" situation. IMO we should remove the superfluous check right away, as that would give us more incentive to actually implement the test.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296916627
martbab
2017-04-25 11:24:05 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@HonzaCholasta Then the best course of action is to remove the PKINIT check and raise the priority of the issue for the test case.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296999874
martbab
2017-04-26 10:52:40 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
martbab
2017-04-26 15:00:47 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
martbab
2017-04-27 07:56:23 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
HonzaCholasta
2017-04-27 08:14:40 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297645225
martbab
2017-04-27 10:33:24 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
Any volunteer to do a functional review?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297677004
pvoborni
2017-04-28 07:53:57 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +blocker
HonzaCholasta
2017-04-28 08:33:44 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
Works for me, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885
HonzaCholasta
2017-04-28 08:38:17 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +ack
HonzaCholasta
2017-04-28 08:39:05 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +pushed
HonzaCholasta
2017-04-28 08:39:11 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
master:

* b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry
* fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC
* 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP
* 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache
* 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and purge all references of it
* 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests
* a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status
* 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade
ipa-4-5:

* 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry
* b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC
* a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP
* fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache
* 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it
* 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests
* 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status
* d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297941980
HonzaCholasta
2017-04-28 08:39:13 UTC
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694