Story #859
closed
Deprecate rsa_key, rsa_pub, id_cert_dir, and id_cert_filename from consumer.conf
0%
Description
Motivation:
/etc/pki/pulp is designed to be shared in multi-node clustered Pulp deployments. Currently some consumer things that are meant to be exclusive to a registered consumer machine itself are registered here. These locations are configurable via consumer.conf, but the rsa_key, rsa_pub, id_cert_dir, and id_cert_filename fields default to a location inside of /etc/pki/pulp. This causes unexpected behavior such as registering two pulp nodes in clustered Pulp installation will fail because the second node things its already registered due to the shared nature of /etc/pki/pulp.
Outlined solution:
We will deprecate the rsa_key, rsa_pub, id_cert_dir, and id_cert_filename fields, and introduce a fallback behavior for backwards compatibility. The new locations will be as follows:
rsa_key = /var/lib/pulp-consumer/rsa.key
rsa_pub = /var/lib/pulp-consumer/rsa_pub.key
cert = /var/lib/pulp-consumer/consumer-cert.pem
When looking for any of these files, code will first check the new CONSTANT based locations, and if the rsa_key, rsa_pub, or cert cannot be found will use the conf file locations (for backwards compatibility). Unregistration will delete the credentials in either place depending on where they live.
rsa_key and rsa_pub are in [authentication]. The cert currently is made by concatenating id_cert_dir and id_cert_filename in [filesystem].
Deliverables:
- Add the deprecation note to consumer.conf
- Add a release note about the deprecation
- Add the new 3 locations as CONSTANTS
- Introduce a method/function that abstracts the finding of these files with the fallback behavior.
- Have all create/read/write/delete code gets its path from the abstraction above instead of directly from the conf file.
- Remove the note/warning on the scaling page that Pulp clustered nodes cannot be registered as consumers.
- Add test code for new code introduced.
Related issues
Updated by bmbouter about 9 years ago
This is likely reverse incompatible, but I can think of one way it could not be. If we deprecate these four settings altogether and make them constants we could have the gofer package move the files as part of the upgrade in the pulp-consumer spec file. Or is it the gofer spec file? Is it valuable to have the user able to set the location of these?
Updated by bmbouter about 9 years ago
The new location could be a folder that pulp-consumer manages in /etc/pki like /etc/pki/pulp-consumer/. It could also be one that adheres to Table 3-2 in this doc.
Updated by jortel@redhat.com about 9 years ago
It's important to note that pulp-consumer actually writes to these locations. Not goferd.
Updated by bmbouter about 9 years ago
- Description updated (diff)
Good point; pulp-consumer does the writing. I updated the story description.
Updated by mhrivnak about 9 years ago
I suggest putting this data in /var/lib/pulp-consumer/. For backward-compatibility, we can continue to look in the location designated by the config file as a fallback.
Updated by bmbouter about 9 years ago
- Tracker changed from Task to Story
- Subject changed from Move all consumer files out of /etc/pki/pulp/ to Deprecate rsa_key, rsa_pub, id_cert_dir, and id_cert_filename from consumer.conf
- Description updated (diff)
Updating the story with everything from the notes discussion.
Updated by bmbouter about 9 years ago
- Related to Story #872: Remove rsa_key, rsa_pub, id_cert_dir, and id_cert_filename from consumer.conf added
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter about 5 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.
.