[Freeipa-devel] session authentication URI issues

Simo Sorce simo at redhat.com
Thu Dec 29 03:14:30 UTC 2011


On Wed, 2011-12-28 at 13:02 -0500, John Dennis wrote:
> On 12/22/2011 03:25 PM, Simo Sorce wrote:
> > The WebUI uses /ipa/ui and /ipa/json. The CLI uses only /ipa/xmlrpc.
> >
> > In your whole discussion below you should rethink /ipa/rpc as
> > /ipa/json because it looks to me you are only considering the WebUI
> > client (that's just fine). Only because you conflated /ipa/json and
> > /ipa/xmlrpc, treat them as separate things and it will be easier.
> 
> > Why can't we just keep /ipa/xmlrpc ? Why do you mix /ipa/json and
> > /ipa/xmlrpc and call them the same and then propose to split them
> > when they are separate from the start ?
> 
> Sometimes you get too close to what you're working on and can't see the
> forest for the trees. Thank you for pointing out how /ipa/json and
> /ipa/xml are used exclusively and independently by the web UI and the
> command line tools respectively. How did I get confused? Those two URIs
> are treated identically in the existing code base, entry into the system
> via /ipa/json and /ipa/xml traverse the exact same code paths and hence
> I incorrectly conflated them. Sometimes it takes a second pair of eyes
> to see the obvious, thus this discussion was useful, thank you.
> 
> I have recoded the logic in ipaserver/rpcserver.py to separate the two
> cases. I also had to refactor some of the logic surrounding when and
> where backend connections with their credentials are managed.
> 
> The good news is both the web UI and the command line clients seem to be 
> working fine with the new session based authentication.
> 
> I have some clean-up work to do on the code before I prepare a patch for
> review. In particular I would like to do a better job of storing and 
> setting the Kerberos credentials than what I'm currently doing
> (currently more proof-of-concept than deployable robust code).

Great news! Glad it was just a misunderstanding and not a hard-to-manage
issue.

> > We can have different URIs once we change the CLI, to maintain
> > compatibility with old tools. But it would be the other way around.
> > /ipa/xmlrpc would be krb protected by default and then we add
> > /ipa/session/xmlrpc which is instead the session based one.
> 
> Yes, once we implement session support in the command line clients we'll
> need a new URI (e.g. /ipa/session/xmlrpc). I don't see any way around
> that, but given the functionality is new that won't be an issue,
> everything remains backwards compatible.

Yup, everything sounds nice and workable,
thank you John.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



