Bug 753115

Summary: aviary-root-cert-dir [RFE]
Product: Red Hat Enterprise MRG
Reporter: Stanislav Graf <sgraf>
Component: cumin
Assignee: grid-maint-list <grid-maint-list>
Status: CLOSED WONTFIX
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: unspecified
Docs Contact:
Priority: low
Version: 2.1
CC: matt, tmckay
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-26 20:23:32 UTC
Type: ---

Description Stanislav Graf 2011-11-11 11:43:47 UTC
Description of problem:
Cumin doesn't allow setting a CA_DIR for multiple CA cert files for SSL connections with multiple condor-aviary hosts (e.g. different job server and query server).

- condor-aviary has similar options:
SCHEDD.AVIARY_SSL_CA_DIR = 
QUERY_SERVER.AVIARY_SSL_CA_DIR = 

- cumin.conf has:
aviary-root-cert: 
- in addition I propose:
aviary-root-cert-dir:


Version-Release number of selected component (if applicable):
cumin-0.1.5098-2

How reproducible:
100%

Steps to Reproduce:
1. Look into condor aviary config
2. Look into cumin config
  
Actual results:
option aviary-root-cert-dir not available

Expected results:
option aviary-root-cert-dir available

Additional info:

Comment 2 Trevor McKay 2011-11-11 14:09:07 UTC
Hmmm,

  I'll have to investigate.  Off the top of my head, this might require some cert file naming convention (or another config line) to associate certs with particular servers.  I don't believe the APIs we're using for ssl under the hood allow a CA directory to be passed, only a single file (but I could be wrong, maybe they have a mechanism for a dir or multiple files to search).  If multiples work, we don't need an association.  If not, we do.

Comment 3 Trevor McKay 2011-11-23 14:06:21 UTC
Note,

  There is a simple workaround for this (tested on my VM).  Copy a ca-bundle.crt to /etc/cumin/somefile, or even start with a completely blank file, and append all of the server certificates cumin should recognize to this file.  Then set aviary-root-cert to point to /etc/cumin/somefile.

  This will let cumin recognize multiple self-signed server certificates (just like a dir would) without contaminating the /etc/pki/tls/certs/ca-bundle.crt or having an aviary-root-cert-dir option.

  Essentially, cumin can look at a certificate chain file anywhere, and you can construct your own as you choose.
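
The workaround in comment 3, sketched as a shell function that builds the single file aviary-root-cert points at from a directory of per-server certificates. This is an added example, not part of the bug report or of cumin; the source directory name is hypothetical, and the checks are structural only (PEM markers), not cryptographic validation.

```shell
#!/bin/sh
# Added example. Paths in the usage line below: /etc/cumin/somefile is the
# file name used in comment 3; /etc/cumin/aviary-certs is a hypothetical
# directory holding one PEM file per aviary server.
#   build_bundle /etc/cumin/aviary-certs /etc/cumin/somefile

build_bundle() {
    src_dir=$1
    out=$2
    count=0
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    for f in "$src_dir"/*.pem "$src_dir"/*.crt; do
        [ -f "$f" ] || continue

        # A trust file must never carry key material.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "skip $f: contains a private key" >&2
            continue
        fi

        # Require at least one certificate and balanced BEGIN/END markers,
        # so a truncated copy does not corrupt the bundle.
        begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f") || true
        ends=$(grep -c '^-----END CERTIFICATE-----' "$f") || true
        if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
            echo "skip $f: not a well-formed PEM certificate" >&2
            continue
        fi

        # Copy only the certificate blocks; awk ends every line with a
        # newline, so files lacking a final newline do not fuse together.
        awk '/^-----BEGIN CERTIFICATE-----/ {p = 1}
             p {print}
             /^-----END CERTIFICATE-----/ {p = 0}' "$f" >> "$tmp"
        count=$((count + 1))
    done

    # Do not install an empty trust file.
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi

    # Certificates are public; keep the file world-readable but not writable.
    chmod 644 "$tmp"
    mv "$tmp" "$out"
}
```

The bundle is written to a temporary file and renamed into place, so a reader of the target path never sees a half-built file.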

Comment 4 Anne-Louise Tangring 2016-05-26 20:23:32 UTC
MRG-Grid is in maintenance and only customer escalations will be considered. This issue can be reopened if a customer escalation associated with it occurs.