The default token location is confusing #100
Comments
I was wondering if it made sense to create a default config file in /etc/kryoptic/kryoptic.conf, but allow a $XDG_CONFIG_DIR one to override it if present. What do you think?
and change KRYOPTIC_CONF to point to a config file rather than directly to a database file ...
Yes, that makes sense.
It would be nice if the configuration file and its directives were documented in README.md
Yep, I'll open an issue for improving docs |
The default token file location is determined in this order:
I'd suggest moving 4 to before 2.
The problem with relying on the environment variable is that it has to be set or inherited by every user who will interact with the token. I think this would be cumbersome to do for IPA development (we don't recommend users use software HSMs in production). It is very difficult to troubleshoot exactly which file is being opened. I had to resort to strace and sift through the output.
This is likely to cause issues with any secondary tooling like certmonger, which runs as a daemon. We'd have to, only for this one provider, set an environment variable in the systemd scripts.
Similarly, we'd have to add it to .bashrc to ensure that the token will be visible to tools like certutil.
An alternative, which might bring new issues, would be to define a configuration file that describes the location. I think the problem with my location suggestion and with a configuration file is that it could preclude users from having a nice default of their own if there is a system-level token, because it is an existence check. If the file exists then it is used.
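To make the trade-offs in this thread concrete, here is an added example (not kryoptic's own code, and not the project's actual lookup order, which is not shown on this page) of a configuration-file resolver implementing the scheme proposed above: an explicit KRYOPTIC_CONF pointing at a config file, then a per-user file under $XDG_CONFIG_HOME (the page says $XDG_CONFIG_DIR; the XDG basedir spec name is assumed here), then /etc/kryoptic/kryoptic.conf. Two design choices address the troubleshooting and existence-check complaints: the user file is checked before the system file so a system-wide token does not shadow a user's own default, and an explicitly set variable that names a missing file is treated as an error rather than silently falling through to some other token. The result also records which candidates were skipped, so the reason a given file was opened is visible without strace. The filesystem check is injected so the example runs offline against a constructed set of existing paths.

```rust
use std::path::{Path, PathBuf};

/// System-wide default from the proposal in this thread.
pub const SYSTEM_CONF: &str = "/etc/kryoptic/kryoptic.conf";

/// Outcome of a lookup: the chosen file plus every candidate that was
/// tried first and skipped, so "which file is actually being opened?"
/// can be answered from a log line instead of an strace session.
#[derive(Debug, PartialEq)]
pub struct Resolved {
    pub path: PathBuf,
    pub skipped: Vec<PathBuf>,
}

/// Implicit candidates in precedence order: per-user first, then system.
/// Putting the user file first is what lets a user keep their own default
/// even when a system-level token exists (the existence-check concern).
pub fn candidates(xdg_config_home: Option<&str>) -> Vec<PathBuf> {
    let mut out = Vec::new();
    if let Some(x) = xdg_config_home {
        out.push(Path::new(x).join("kryoptic").join("kryoptic.conf"));
    }
    out.push(PathBuf::from(SYSTEM_CONF));
    out
}

/// Resolve the configuration file. `exists` is injected (assumption for
/// this example) so the logic can be exercised without a real filesystem.
pub fn resolve(
    env_conf: Option<&str>,
    xdg_config_home: Option<&str>,
    exists: &dyn Fn(&Path) -> bool,
) -> Result<Resolved, String> {
    // An explicitly set KRYOPTIC_CONF is an instruction, not a hint:
    // if the named file is missing, fail loudly rather than silently
    // opening a different token than the one the operator asked for.
    if let Some(p) = env_conf {
        let p = PathBuf::from(p);
        return if exists(&p) {
            Ok(Resolved { path: p, skipped: Vec::new() })
        } else {
            Err(format!("KRYOPTIC_CONF={} does not exist", p.display()))
        };
    }
    let mut skipped = Vec::new();
    for c in candidates(xdg_config_home) {
        if exists(&c) {
            return Ok(Resolved { path: c, skipped });
        }
        skipped.push(c);
    }
    Err("no kryoptic configuration file found".to_string())
}

fn main() {
    // Constructed fake filesystem: only the system-wide file exists.
    let only_system = |p: &Path| p == Path::new(SYSTEM_CONF);
    println!("{:?}", resolve(None, Some("/home/alice/.config"), &only_system));

    // Constructed: the user has created their own file, which now wins
    // even though the system file is still present.
    let both = |p: &Path| {
        p == Path::new(SYSTEM_CONF)
            || p == Path::new("/home/alice/.config/kryoptic/kryoptic.conf")
    };
    println!("{:?}", resolve(None, Some("/home/alice/.config"), &both));

    // Explicit variable pointing at a missing file: an error, not a fallback.
    println!("{:?}", resolve(Some("/tmp/missing.conf"), Some("/home/alice/.config"), &both));
}
```

The daemon case (certmonger under systemd) and the interactive case (certutil from a shell) are the same code path here: neither needs the environment variable set, because the user and system files are found implicitly, and the variable is only consulted when someone deliberately sets it.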