[Freeipa-devel] session authentication URI issues

John Dennis jdennis at redhat.com
Wed Dec 28 18:02:50 UTC 2011


On 12/22/2011 03:25 PM, Simo Sorce wrote:
> The WebUI uses /ipa/ui and /ipa/json. The CLI uses only /ipa/xmlrpc.
>
> In your whole discussion below you should rethink /ipa/rpc as
> /ipa/json because it looks to me you are only considering the WebUI
> client (that's just fine). Only because you conflated /ipa/json and
> /ipa/xmlrpc, treat them as separate things and it will be easier.

> Why can't we just keep /ipa/xmlrpc ? Why do you mix /ipa/json and
> /ipa/xmlrpc and call them the same and then propose to split them
> when they are separate from the start ?

Sometimes you get too close to what you're working on and can't see the
forest for the trees. Thank you for pointing out how /ipa/json and
/ipa/xml are used exclusively and independently by the web UI and the
command line tools respectively. How did I get confused? Those two URIs
are treated identically in the existing code base; entry into the system
via /ipa/json and /ipa/xml traverses the exact same code paths, and hence
I incorrectly conflated them. Sometimes it takes a second pair of eyes
to see the obvious, thus this discussion was useful, thank you.

I have recoded the logic in ipaserver/rpcserver.py to separate the two
cases. I also had to refactor some of the logic surrounding when and
where backend connections with their credentials are managed.

The good news is both the web UI and the command line clients seem to be
working fine with the new session-based authentication.

I have some clean-up work to do on the code before I prepare a patch for
review. In particular I would like to do a better job of storing and
setting the Kerberos credentials than what I'm currently doing
(currently more proof-of-concept than deployable robust code).

> We can have different URIs once we change the CLI, to maintain
> compatibility with old tools. But it would be the other way around.
> /ipa/xmlrpc would be krb protected by default and then we add
> /ipa/session/xmlrpc which is instead the session-based one.

Yes, once we implement session support in the command line clients we'll
need a new URI (e.g. /ipa/session/xmlrpc). I don't see any way around
that, but given the functionality is new that won't be an issue,
everything remains backwards compatible.



-- 
John Dennis <jdennis at redhat.com>
