[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Petr Viktorin pviktori at redhat.com
Fri Feb 14 11:02:41 UTC 2014


On 02/14/2014 12:07 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/28/2014 09:35 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 01/23/2014 02:17 PM, Petr Viktorin wrote:
>> ...
>>>> The URL endpoint /ipa/rest suggests that if we implement a complete
>>>> REST
>>>> API for IPA it would live here. Is the API supposed to be
>>>> future-compatible? (The API itself seems to be a good subset of a
>>>> complete REST API, but can we easily add a frontend with
>>>> authentication, i18n, etc. here later, and keep the limitations for
>>>> unauthenticated access?)
>>>> Perhaps /ipa/smartproxy would be a better choice?
>>>
>>> It was future-proofing. I'm fine with changing the URI, it is
>>> probably a good
>>> thing to save that name.
>>
>> +1 for moving to /ipa/smartproxy/rest, we will want a complete REST
>> interface
>> in ipa/rest/ in the future. I rather opened a ticket to track that:
>>
>> https://fedorahosted.org/freeipa/ticket/4168
>>
>> Martin
>>
>
> I think I've addressed most of Petr's suggestions with the exception of
> the global ipa handle and I stuck with *args, **options as this is
> pretty much standard in IPA calls.

Well, I can't have everything :)
Here's some quick feedback.

> The gssproxy.conf.snippet just makes it easier to copy/paste. I can drop
> it if you want, I suppose it is duplication.

Please do. It's not discoverable at all. Anyone can copy it from the man 
page and keep it around.

> Note that I ran this past the Foreman design again and as a result added
> another interface, /realm. It was my understanding that this Foreman
> design wasn't set into stone but a patch is working its way through
> their system that followed the spec so I went ahead and added it. It
> isn't a big deal, the Host() class handles it out of the box.
>
> I also updated the design page a bit to reflect some of the changes made.
>
> Right now there are no plans to backport python-kerberos to F20.

Not even in a COPR?
So if this goes in, all developers would need to switch to Rawhide. I'm 
not sure we're prepared for that yet.

> rob

Currently we return this for errors in JSON:

{
     "error": {
         "code": 4002,
         "message": "user with name \\"admin\\" already exists",
         "name": "DuplicateEntry"
     },
     "id": 0,
     "principal": "admin@IDM.LAB.ENG.BRQ.REDHAT.COM",
     "result": null,
     "version": "3.3.90GIT8e26acb"
}

It would be more consistent if we used the same "error" dict also for REST.


The default port, 8090, is still not documented.

-- 
Petr³



