From 0cc453bcfb8fc4b5cf7378fa8d6496f7d6f6efc3 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 1 Nov 2013 17:11:13 -0700 Subject: Flesh out TODO with lots more work Change-Id: I8f63cfd9692039f37ecfd46ab6072aa2f71c344d Reviewed-on: https://gerrit.stanford.edu/1328 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- TODO | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) (limited to 'TODO') diff --git a/TODO b/TODO index cd95736..061d764 100644 --- a/TODO +++ b/TODO @@ -27,6 +27,9 @@ Client: stored on the server is different than what's on disk. This will require server support as well for returning the checksum of a file. + * WALLET-80: Incorporate the wallet-rekey-periodic script into the + package and teach it how to ignore foreign credentials. + Server Interface: * WALLET-13: Provide a way to get history for deleted objects and ACLs. @@ -67,6 +70,21 @@ Server Interface: keytab (maybe). Or, alternately, maybe we allow get of any keytab? Requires more thought. + * WALLET-69: "owner" should print the name as well as the number of the + ACL. Also check "getacl". + + * WALLET-70: Add command to list available types and schemes. + + * WALLET-72: Add a mechanism to automate owner updates based on + default_owner. + + * WALLET-79: Partially merge create and autocreate. create and autocreate + should do the same thing provided there is an autocreation configuration + available. If not, autocreate should fail and create should fall back on + checking for ADMIN privileges. + + * WALLET-83: Support file object renaming. + ACLs: * WALLET-23: Error messages from ACL operations should refer to the ACLs @@ -93,6 +111,17 @@ ACLs: * WALLET-29: Investigate how best to support client authentication using anonymous PKINIT for things like initial system keying. + * WALLET-68: Generalize the current NetDB ACL type to allow a generic + remctl query for whether a particular user is authorized to create + host-based objects for a particular host. + + * WALLET-71: Add ldap-group ACL scheme. + + * WALLET-75: Provide a root-instance version of the ldap-attr (and + possibly the ldap-group) ACL schemes. + + * WALLET-81: Add a comment field to ACLs. + Database: * WALLET-30: Fix case-insensitivity bug in unique keys with MySQL for @@ -101,6 +130,8 @@ Database: * WALLET-31: On upgrades, support adding new object types and ACL verifiers to the class tables. + * WALLET-76: Fix wallet-admin destroy with MySQL. + Objects: * WALLET-32: Check whether we can just drop the realm restriction on @@ -131,7 +162,8 @@ Objects: * WALLET-36: Implement an X.509 CA so that you can get certificate objects without storing them first. Need to resolve naming conventions if you want to run multiple CAs on the same wallet server (but why?). - Should this be a different type than stored certificates? + Should this be a different type than stored certificates? Consider + using hxtool as the underlying CA mechanism. * WALLET-37: Support returning the checksum of a file object stored in wallet so that one can determine whether the version stored on disk is @@ -145,6 +177,9 @@ Objects: for a particular host, allowing cleanup of all of those host's objects after retiring the host. + * WALLET-76: Support setting the disallow-svr flag on created principals. + In general, support setting arbitrary principal flags. + Reports: * WALLET-38: Add audit for references to unknown ACLs, possibly @@ -216,7 +251,8 @@ Code Style and Cleanup: * WALLET-52: Consider using Class::Accessor to get rid of the scaffolding code to access object data, and a Wallet::Base class to handle things - like the error() method common to many classes. + like the error() method common to many classes. Alternately, consider + using Moose. Test Suite: -- cgit v1.2.3 From 2d1e12169c416b8ba84f38bfd53b3c81cadc9dbc Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 15 Jul 2014 21:51:09 -0700 Subject: Update TODO for more Commerzbank contributions, other changes Change-Id: I478ed7812a4d25641ee85846e4092e17536e5a1d Reviewed-on: https://gerrit.stanford.edu/1557 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- TODO | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) (limited to 'TODO') diff --git a/TODO b/TODO index 061d764..da526c6 100644 --- a/TODO +++ b/TODO @@ -27,8 +27,9 @@ Client: stored on the server is different than what's on disk. This will require server support as well for returning the checksum of a file. - * WALLET-80: Incorporate the wallet-rekey-periodic script into the - package and teach it how to ignore foreign credentials. + * WALLET-80: Incorporate the wallet-rekey-periodic script (currently in + contrib) into the package and teach it how to ignore foreign + credentials. Server Interface: @@ -85,6 +86,18 @@ Server Interface: * WALLET-83: Support file object renaming. + * Rewrite server backends to use Net::Remctl::Backend. + + * Merge the Wallet::Logger support written by Commerzbank AG: create a + new class that handles logging, probably based on Log::Log4perl, and + add logging points to all of the core classes. + + * Support an authorization hook to determine whether or not to permit + autocreate. One requested example feature is to limit autocreate of + keytab objects to certain hosts involved in deployment. It should be + possible to write a hook that takes the information about what object + is being autocreated and can accept or decline. + ACLs: * WALLET-23: Error messages from ACL operations should refer to the ACLs @@ -138,10 +151,6 @@ Objects: keytabs and allow the name to contain the realm if the Kerberos type is Heimdal. - * WALLET-4: Write a WebAuth keyring object store. It should support - attributes saying how long to keep old keys and how far in advance to - create new keys and update the keyring as needed on object download. - * WALLET-33: Use the Perl Authen::Krb5::Admin module instead of rolling our own kadmin code with Expect now that MIT Kerberos has made the kadmin API public. @@ -204,6 +213,9 @@ Reports: possibly use the notification service, although a version that sends mail directly would be useful external to Stanford. + * Merge the Commerzbank AG work to dump all the object history, applying + various search criteria to it, or clear parts of the object history. + Administrative Interface: * WALLET-42: Add a function to wallet-admin to purge expired entries. @@ -231,6 +243,8 @@ Documentation: * WALLET-46: Document all diagnostics for all wallet APIs. + * Document configuration with an Oracle database. + Code Style and Cleanup: * WALLET-47: There is a lot of duplicate code in wallet-backend. Convert @@ -250,9 +264,10 @@ Code Style and Cleanup: better internal API to reference the variables in it. * WALLET-52: Consider using Class::Accessor to get rid of the scaffolding - code to access object data, and a Wallet::Base class to handle things - like the error() method common to many classes. Alternately, consider - using Moose. + code to access object data. Alternately, consider using Moose. + + * Rewrite the error handling to use exceptions instead of the C-style + return value and separate error call. Test Suite: @@ -269,7 +284,8 @@ Test Suite: use of shared code so that it can be broken into function components. * WALLET-57: Refactor the test suite for the wallet backend to try to - reduce the duplicated code. + reduce the duplicated code. Using a real mock infrastructure should + make this test suite much easier to write. * WALLET-58: Pull common test suite code into a Perl library that can be reused. -- cgit v1.2.3 From ee79913831be70fc51c193ea4118a15abb038a67 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 15 Jul 2014 22:07:48 -0700 Subject: Fix ordering of table drops on wallet-admin destroy Fix the ordering of table drops during a wallet-admin destroy action to remove tables with foreign key references before the tables they are referencing. Should fix destroy in MySQL and other database engines that enforce referential integrity. Change-Id: I9b37c516f67acdf1d9e25222f067df6749e8c769 Reviewed-on: https://gerrit.stanford.edu/1558 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- NEWS | 5 +++++ TODO | 2 -- perl/lib/Wallet/Admin.pm | 6 +++--- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'TODO') diff --git a/NEWS b/NEWS index 4cf12b0..40efd3a 100644 --- a/NEWS +++ b/NEWS @@ -59,6 +59,11 @@ wallet 1.1 (unreleased) would just ignore the time. Now wallet-backend correctly requires the date and time be passed as a single argument. + Fix the ordering of table drops during a wallet-admin destroy action + to remove tables with foreign key references before the tables they + are referencing. Should fix destroy in MySQL and other database + engines that enforce referential integrity. + The initial creation and membership of the ADMIN ACL during database initialization or reinitialization is no longer recorded in the acl_history table. (This is fallout from making a specific type of diff --git a/TODO b/TODO index da526c6..a8d0aef 100644 --- a/TODO +++ b/TODO @@ -143,8 +143,6 @@ Database: * WALLET-31: On upgrades, support adding new object types and ACL verifiers to the class tables. - * WALLET-76: Fix wallet-admin destroy with MySQL. - Objects: * WALLET-32: Check whether we can just drop the realm restriction on diff --git a/perl/lib/Wallet/Admin.pm b/perl/lib/Wallet/Admin.pm index b07c7d1..8481979 100644 --- a/perl/lib/Wallet/Admin.pm +++ b/perl/lib/Wallet/Admin.pm @@ -170,9 +170,9 @@ sub destroy { # Get an actual DBI handle and use it to delete all tables. my $dbh = $self->dbh; - my @tables = qw/acls acl_entries acl_history acl_schemes duo enctypes - flags keytab_enctypes keytab_sync objects object_history - sync_targets types dbix_class_schema_versions/; + my @tables = qw/acl_entries object_history objects acls acl_history + acl_schemes enctypes flags keytab_enctypes keytab_sync sync_targets + duo types dbix_class_schema_versions/; for my $table (@tables) { my $sql = "DROP TABLE IF EXISTS $table"; $dbh->do ($sql); -- cgit v1.2.3