Bug 1165403 - Deprecate the cacert and cakey settings in server.conf
Summary: Deprecate the cacert and cakey settings in server.conf
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Pulp
Classification: Retired
Component: API/integration
Version: 2.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.0.0
Assignee: pulp-bugs
QA Contact: pulp-qe-list
URL:
Whiteboard:
Depends On:
Blocks: 1165405
TreeView+ depends on / blocked
 
Reported: 2014-11-18 21:22 UTC by Randy Barlow
Modified: 2015-02-28 22:44 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-28 22:44:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Pulp Redmine 621 None None None Never

Description Randy Barlow 2014-11-18 21:22:57 UTC
Description of problem:
The cacert and cakey settings in server.conf are currently used to configure Pulp to use a CA for signing client certificates generated by Pulp. These settings often confuse our users, as they tend to think it should be the CA that signed the httpd SSL certificates.

In addition, it is far from ideal that our /login/ API call generates the secret key, certificate, and signature and sends those to the client. This violates the principle that the key should never be transmitted.

We have two viable options:

1) Rename these settings to be more descriptive so that they don't confuse users. Something like client_auth_ca{cert,key} might make sense. If we do this, the client should generate the secret key and a CSR, and send that CSR with their credentials to the /login/ call. Then the server signs the CSR and sends back the certificate.

2) Get out of the business of signing certificates entirely, and change /login/ to return a session key or something along those lines. Of course, continue to support client certificates that are generated by users on both ends (through Apache and pulp-admin).

Either way, we need to put a deprecation on these two settings so that people know they are going away ahead of time.

This bug is not about changing the /login/ behavior, it is about depreacating these two settings.


Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time.

Steps to Reproduce:
1. Does Pulp have these settings in server.conf?

Actual results:
Yes.

Expected results:
No.

Comment 1 Jeff Ortel 2014-11-24 17:11:19 UTC
Deprecate.

Comment 2 Sayli Karmarkar 2015-01-12 22:52:13 UTC
Deprecates in https://github.com/pulp/pulp/pull/1512, but not moving to POST, since this will be moved to target release 3.0 after review and merge of the above PR.

Comment 3 Sayli Karmarkar 2015-01-13 20:10:43 UTC
Merged above PR. Moving to 3.0.

Comment 4 Brian Bouterse 2015-02-28 22:44:49 UTC
Moved to https://pulp.plan.io/issues/621


Note You need to log in before you can comment on or make changes to this bug.