Hi Oliver,
Thanks for the suggestion, it solved the problem!
For anyone interested, here are the changes in
certificate_signing_request_v2.yaml workflow (have to be set also in the
certificate_revocation_request_v2.yaml workflow):
condition:
is_approved:
class: Workflow::Condition::LazyOR
param:
condition1: is_approved_by_ra
condition2: is_approved_by_sa
is_approved_by_ra:
class: OpenXPKI::Server::Workflow::Condition::Approved
param:
role: RA Operator
is_approved_by_sa:
class: OpenXPKI::Server::Workflow::Condition::Approved
param:
role: SA Operator
Regards,
Cho
On Tue, Aug 20, 2024 at 7:46 AM Oliver Welter <[email protected]> wrote:
> Hi Cho,
>
> the "Conditon::Aproved" module is wiring the input as "AND" so as you
> already observed this does not fit your needs. You have to create two
> conditons, e.g. "is_approved_by_sa" and "is_approved_by_ra" and then use
> the nested "LazyOR" condition to merge them together.
>
> If you need a more sophistiacted Mult-Role / Multi-Tenant setup you might
> consider getting an EE license, there is a nice set of modules for such
> cases :D
>
> Oliver
> On 19.08.24 23:22, Cho Chan wrote:
>
> Hello list,
>
> I am trying to create a custom role (like 'SA Operator') to be used only
> for signing/revoking/searching certificates.
>
> My steps are:
> 1. Create a custom role in '/etc/openxpki/config.d/realm/testca/roles.yaml'
> 2. Create proper connector, handler and stack for the custom role
> 3. Create '/etc/openxpki/config.d/realm/testca/uicontrol/SA Operator'
> directory with configs for needed menus/actions
> 4. Add the role to the 'acl' object in the needed workflows in
> '/etc/openxpki/config.d/realm/testca/workflow/def'
> - certificate_signing_request_v2.yaml
> - certificate_revocation_request_v2.yaml
> - metadata workflows
> - etc.
>
> For now I am able to login with a user mapped to the custom 'SA Operator'
> role. I can see all the defined menus, I can search for certificates, I can
> see workflows, I can check CSR(s), but I am having problems when the user
> has to approve/reject a certificate.
>
> My tests are:
> 1. A user mapped to 'User' role uploads a CSR -> workflow goes to PENDING
> 2. A user mapped to 'SA Operator' role goes to My Tasks and see the
> PENDING task/workflow
> - when it opens the task -> only the recheck status button is visible
>
> After some troubleshooting I found out that I have to add the custom role
> in
> '/etc/openxpki/config.d/realm/testca/workflow/global/condition/is_operator.yaml'.
> After that the user is able to see also the buttons for approve/reject,
> edit custom metadata, etc.
>
> - when the user click on the Approve button -> nothing happens
>
> in the logs I am seeing:
>
> 2024/08/19 15:10:07 openxpki.application.INFO Unsigned approval for
> workflow 6911 by user XXXXXXXXX, role SA Operator
> [pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]
> 2024/08/19 15:10:07 openxpki.audit.approval.INFO operator approval
> givenHASH(0x55d238cbe028)
> [pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]
>
> I did a little digging in 'certificate_signing_request_v2.yaml' workflow
> and found out
>
> CHECK_APPROVALS:
> autorun: 1
> action:
> - notify_approval > APPROVED ? is_approved
> - global_noop > NOTIFY_CSR_PENDING ? !is_approved
>
> condition:
> # If you want a 4-eyes approval, just add a second "RA Operator"
> # e.g. "role: RA Operator, RA Operator" - you should add also
> # add current approval count to the output in the relevant states
> is_approved:
> class: OpenXPKI::Server::Workflow::Condition::Approved
> param:
> role: RA Operator
>
> When I change the role to be 'SA Operator' -> user is able to approve the
> request, but then a user mapped to 'RA Operator' role is not able to
> approve the request.
>
> Is there a way how I can make it work for users mapped to 'RA Operator' OR
> 'SA Operator' roles?
>
> Regards,
> Cho
>
>
> _______________________________________________
> OpenXPKI-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
