freeipa/ipaserver/secrets
Christian Heimes beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP, handlers no longer run as root but as handler-specific
users with reduced privileges. The Dogtag-related handlers run as
pkiuser, which also helps with HSM support.

The export and import handlers are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
handlers Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
__init__.py ipapython: move dnssec, p11helper and secrets to ipaserver 2016-11-29 14:50:51 +01:00
client.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
common.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
kem.py Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
service.py secrets: disable relative-imports for custodia 2017-09-08 15:42:07 +02:00
store.py Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00