Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 30.7.2014 at 16:39, Nalin Dahyabhai wrote:
> On Wed, Jul 30, 2014 at 04:28:50PM +0200, Jan Cholasta wrote:
>> These two functions are used to force local hostname in certmonger. IMO the right thing to do here would be to drop these two functions and fix ipa-submit so that it reads the required configuration from /etc/ipa/default.conf.
>
> Can you elaborate on that? Either here or in a trac ticket or in bugzilla? The only hostname I see in the default.conf(5) man page is the name of the server, which it should already be using when there's no xmlrpc_uri set.
>
> Nalin

If you mean host, yes, the man page says it's the server's hostname, but I don't think that's entirely true - it is currently set during server install, but it defaults to the local hostname even on clients. IMO we could set it in ipa-client-install as well (at least when --hostname is used) and then ipa-submit could use it to construct the principal name.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Thu, Jul 31, 2014 at 09:19:28AM +0200, Jan Cholasta wrote:
> If you mean host, yes, the man page says it's the server's hostname, but I don't think that's entirely true - it is currently set during server install, but it defaults to the local hostname even on clients. IMO we could set it in ipa-client-install as well (at least when --hostname is used) and then ipa-submit could use it to construct the principal name.

Sounds workable to me (though, yikes, that means it's unsuitable for use as a fallback when xmlrpc_uri isn't set, so that'll probably have to get changed at the same time). If there's a ticket for the client-install change in IPA that I should follow and/or one for certmonger for the rest of it, I can try to land it around the same time.

Thanks,

Nalin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 03:45 PM, Nalin Dahyabhai wrote:
> On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote:
>> Certmonger API looked complete enough to pull this off:
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>> If I am wrong, please tell me.
>
> No, it's meant to be complete -- the getcert command only uses the APIs to talk to the daemon, so they provide at least what it needs. Two words of caution:
>
> * That file's manually maintained, so it might not completely reflect what's available. The introspection data's generated at runtime, so if you poke the service with an introspection request, or using d-feet, which does so under the covers, you might spot discrepancies. It probably goes without saying, but please report any that you find.
>
> * The majority of properties are currently marked read-only, and you currently have to use the 'modify' API request to change them. Mostly this is a result of 'getcert' not having needed anything more than that, and properties having been added after the initial versions, so it's not set in stone.
>
> HTH,
>
> Nalin

In fact it is almost complete enough for us. The only operation I can't find is 'write ca_external_helper'. add_principal_to_cas and remove_principal_from_cas are modifying this entry in the ca file. Certmonger provides a 'get_location' DBus method that returns the value of this entry, but I can't find any 'set_location' method, writable property or other way to modify it over DBus.

Am I searching wrong? If not, I looked in the certmonger code and think that I will be able to add the missing functionality. But I'm unsure what the preferred way is; I can think of two:

1. set_location method
2. read-write location/ca_external_helper property

--
David Kupka
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 30.7.2014 at 15:51, David Kupka wrote:
> On 07/23/2014 03:45 PM, Nalin Dahyabhai wrote:
>> On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote:
>>> Certmonger API looked complete enough to pull this off:
>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>> If I am wrong, please tell me.
>>
>> No, it's meant to be complete -- the getcert command only uses the APIs to talk to the daemon, so they provide at least what it needs. Two words of caution:
>>
>> * That file's manually maintained, so it might not completely reflect what's available. The introspection data's generated at runtime, so if you poke the service with an introspection request, or using d-feet, which does so under the covers, you might spot discrepancies. It probably goes without saying, but please report any that you find.
>>
>> * The majority of properties are currently marked read-only, and you currently have to use the 'modify' API request to change them. Mostly this is a result of 'getcert' not having needed anything more than that, and properties having been added after the initial versions, so it's not set in stone.
>>
>> HTH,
>>
>> Nalin
>
> In fact it is almost complete enough for us. The only operation I can't find is 'write ca_external_helper'. add_principal_to_cas and remove_principal_from_cas are modifying this entry in the ca file. Certmonger provides a 'get_location' DBus method that returns the value of this entry, but I can't find any 'set_location' method, writable property or other way to modify it over DBus.
>
> Am I searching wrong? If not, I looked in the certmonger code and think that I will be able to add the missing functionality. But I'm unsure what the preferred way is; I can think of two:
>
> 1. set_location method
> 2. read-write location/ca_external_helper property

These two functions are used to force local hostname in certmonger. IMO the right thing to do here would be to drop these two functions and fix ipa-submit so that it reads the required configuration from /etc/ipa/default.conf.

--
Jan Cholasta
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 30, 2014 at 04:28:50PM +0200, Jan Cholasta wrote:
> These two functions are used to force local hostname in certmonger. IMO the right thing to do here would be to drop these two functions and fix ipa-submit so that it reads the required configuration from /etc/ipa/default.conf.

Can you elaborate on that? Either here or in a trac ticket or in bugzilla? The only hostname I see in the default.conf(5) man page is the name of the server, which it should already be using when there's no xmlrpc_uri set.

Nalin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 30, 2014 at 03:51:08PM +0200, David Kupka wrote:
> In fact it is almost complete enough for us. The only operation I can't find is 'write ca_external_helper'. add_principal_to_cas and remove_principal_from_cas are modifying this entry in the ca file. Certmonger provides a 'get_location' DBus method that returns the value of this entry, but I can't find any 'set_location' method, writable property or other way to modify it over DBus.

Yeah, it wasn't originally expected that those'd need to be edited after they were added.

> Am I searching wrong? If not, I looked in the certmonger code and think that I will be able to add the missing functionality. But I'm unsure what the preferred way is; I can think of two:
>
> 1. set_location method
> 2. read-write location/ca_external_helper property

Probably the latter, since it's slightly less code and I think more in keeping with the way D-Bus clients generally expect to be doing things. That's assuming you don't need to kill any in-progress attempts to contact a CA and restart them with the new value.

Cheers,

Nalin
[Freeipa-devel] Reasons for not using certmonger DBus API
While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?

--
David Kupka
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 09:56 AM, David Kupka wrote:
> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?

+1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.

Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
If I am wrong, please tell me.

Thanks,
Martin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 10:12, Martin Kosek wrote:
> On 07/23/2014 09:56 AM, David Kupka wrote:
>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>
> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.

I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).

> Certmonger API looked complete enough to pull this off:
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
> If I am wrong, please tell me.

IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.

> Thanks,
> Martin

--
Jan Cholasta
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, 23 Jul 2014, Martin Kosek wrote:
> On 07/23/2014 09:56 AM, David Kupka wrote:
>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>
> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>
> Certmonger API looked complete enough to pull this off:
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
> If I am wrong, please tell me.

Were there DBus Python bindings available in RHEL 5/6 at the time when the code was written? Anyway, it looks like a good target to rewrite this code to use DBus these days.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 10:33 AM, Jan Cholasta wrote:
> On 23.7.2014 10:12, Martin Kosek wrote:
>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>>
>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>
> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).

Yup, this is the place where the inspiration came from :-)

>> Certmonger API looked complete enough to pull this off:
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>> If I am wrong, please tell me.
>
> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.

I did a couple of tests and it seems that getting properties works fine:

import dbus
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
reqs = iface.get_requests()
req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
iface_request.get_nickname()
dbus.String(u'20140723081859')
iface_request.get_status()
(dbus.String(u'MONITORING'), dbus.Boolean(False))
iface_request.get_key_storage_info()
(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
iface_request.get_cert_data()
dbus.String(u'-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n\n')

Martin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 10:38, Martin Kosek wrote:
> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>> On 23.7.2014 10:12, Martin Kosek wrote:
>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>>>
>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>
>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>
> Yup, this is the place where the inspiration came from :-)
>
>>> Certmonger API looked complete enough to pull this off:
>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>> If I am wrong, please tell me.
>>
>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>
> I did a couple of tests and it seems that getting properties works fine:
>
> import dbus
> bus = dbus.SystemBus()
> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
> reqs = iface.get_requests()
> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
> iface_request.get_nickname()
> dbus.String(u'20140723081859')
> iface_request.get_status()
> (dbus.String(u'MONITORING'), dbus.Boolean(False))
> iface_request.get_key_storage_info()
> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
> iface_request.get_cert_data()
> dbus.String(u'-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n\n')
>
> Martin

When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.

--
Jan Cholasta
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 07/23/2014 10:49 AM, Jan Cholasta wrote:
> On 23.7.2014 10:38, Martin Kosek wrote:
>> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>>> On 23.7.2014 10:12, Martin Kosek wrote:
>>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>>>>
>>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>>
>>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>>
>> Yup, this is the place where the inspiration came from :-)
>>
>>>> Certmonger API looked complete enough to pull this off:
>>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>> If I am wrong, please tell me.
>>>
>>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>>
>> I did a couple of tests and it seems that getting properties works fine:
>>
>> import dbus
>> bus = dbus.SystemBus()
>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>> reqs = iface.get_requests()
>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>> iface_request.get_nickname()
>> dbus.String(u'20140723081859')
>> iface_request.get_status()
>> (dbus.String(u'MONITORING'), dbus.Boolean(False))
>> iface_request.get_key_storage_info()
>> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>> iface_request.get_cert_data()
>> dbus.String(u'-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n\n')
>>
>> Martin
>
> When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.

Ah, ok. Then I think this snippet will help:

properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca')

Martin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On 23.7.2014 12:23, Martin Kosek wrote:
> On 07/23/2014 10:49 AM, Jan Cholasta wrote:
>> On 23.7.2014 10:38, Martin Kosek wrote:
>>> On 07/23/2014 10:33 AM, Jan Cholasta wrote:
>>>> On 23.7.2014 10:12, Martin Kosek wrote:
>>>>> On 07/23/2014 09:56 AM, David Kupka wrote:
>>>>>> While solving ticket #4280 I noticed that we are messing with certmonger's files right under its hands. That can lead to some unpleasant race condition issues. Is there any reason not to call certmonger via DBus and ask it to stop tracking the requests?
>>>>>
>>>>> +1 for using the dbus API. When I saw the hacky way of parsing certmonger internal configuration files in ipapython/certmonger.py, I suggested the dbus way as IMO it would not be difficult to implement, it would make us more future proof and it would remove intermittent problems like #4280.
>>>>
>>>> I have already started using the API, e.g. for adding/removing of the CA helper in cainstance. Word of warning, the API apparently is not exercised much and there might be bugs (I found one causing certmonger to segfault which Nalin promptly fixed).
>>>
>>> Yup, this is the place where the inspiration came from :-)
>>>
>>>>> Certmonger API looked complete enough to pull this off:
>>>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>>> If I am wrong, please tell me.
>>>>
>>>> IIRC some of the properties in requests might not be accessible using the API. But I'm not sure if this is true or if it affects us.
>>>
>>> I did a couple of tests and it seems that getting properties works fine:
>>>
>>> import dbus
>>> bus = dbus.SystemBus()
>>> obj = bus.get_object('org.fedorahosted.certmonger','/org/fedorahosted/certmonger')
>>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>> reqs = iface.get_requests()
>>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>> iface_request.get_nickname()
>>> dbus.String(u'20140723081859')
>>> iface_request.get_status()
>>> (dbus.String(u'MONITORING'), dbus.Boolean(False))
>>> iface_request.get_key_storage_info()
>>> (dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>> iface_request.get_cert_data()
>>> dbus.String(u'-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----\n\n')
>>>
>>> Martin
>>
>> When I said some of the properties, I certainly did not mean the absolute basics, but rather stuff like cert-presave-command.
>
> Ah, ok. Then I think this snippet will help:
>
> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
> dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
> dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert auditSigningCert cert-pki-ca')
>
> Martin

Nice, I think we are good to go then.

--
Jan Cholasta
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 23, 2014 at 11:32:52AM +0300, Alexander Bokovoy wrote:
> Were there DBus Python bindings available in RHEL 5/6 at the time when the code was written?

Yes, but the API itself wasn't all there, and large parts of the internals needed to be rewritten around its 0.53 release. Before then, it didn't expose _anything_ as properties. The methods that return data were all that it provided.

HTH,

Nalin
Re: [Freeipa-devel] Reasons for not using certmonger DBus API
On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote:
> Certmonger API looked complete enough to pull this off:
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
> If I am wrong, please tell me.

No, it's meant to be complete -- the getcert command only uses the APIs to talk to the daemon, so they provide at least what it needs. Two words of caution:

* That file's manually maintained, so it might not completely reflect what's available. The introspection data's generated at runtime, so if you poke the service with an introspection request, or using d-feet, which does so under the covers, you might spot discrepancies. It probably goes without saying, but please report any that you find.

* The majority of properties are currently marked read-only, and you currently have to use the 'modify' API request to change them. Mostly this is a result of 'getcert' not having needed anything more than that, and properties having been added after the initial versions, so it's not set in stone.

HTH,

Nalin