[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Rob Crittenden rcritten at redhat.com
Fri Feb 14 23:39:37 UTC 2014


Petr Viktorin wrote:
> On 02/14/2014 12:07 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/28/2014 09:35 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 01/23/2014 02:17 PM, Petr Viktorin wrote:
>>> ...
>>>>> The URL endpoint /ipa/rest suggests that if we implement a complete
>>>>> REST
>>>>> API for IPA it would live here. Is the API supposed to be
>>>>> future-compatible? (The API itself seems to be a good subset of a
>>>>> complete REST API, but can we easily add a frontend with
>>>>> authentication, i18n, etc. here later, and keep the limitations for
>>>>> unauthenticated access?)
>>>>> Perhaps /ipa/smartproxy would be a better choice?
>>>>
>>>> It was future-proofing. I'm fine with changing the URI, it is
>>>> probably a good
>>>> thing to save that name.
>>>
>>> +1 for moving to /ipa/smartproxy/rest, we will want a complete REST
>>> interface
>>> in ipa/rest/ in the future. I rather opened a ticket to track that:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4168
>>>
>>> Martin
>>>
>>
>> I think I've addressed most of Petr's suggestions with the exception of
>> the global ipa handle and I stuck with *args, **options as this is
>> pretty much standard in IPA calls.
>
> Well, I can't have everything :)
> Here's some quick feedback.
>
>> The gssproxy.conf.snippet just makes it easier to copy/paste. I can drop
>> it if you want, I suppose it is duplication.
>
> Please do. It's not discoverable at all. Anyone can copy it from the man
> page and keep it around.
>
>> Note that I ran this past the Foreman design again and as a result added
>> another interface, /realm. It was my understanding that this Foreman
>> design wasn't set into stone but a patch is working its way through
>> their system that followed the spec so I went ahead and added it. It
>> isn't a big deal, the Host() class handles it out of the box.
>>
>> I also updated the design page a bit to reflect some of the changes made.
>>
>> Right now there are no plans to backport python-kerberos to F20.
>
> Not even in a COPR?
> So if this goes in, all developers would need to switch to Rawhide. I'm
> not sure we're prepared for that yet.
>
>> rob
>
> Currently we return this for errors in JSON:
>
> {
>      "error": {
>          "code": 4002,
>          "message": "user with name \"admin\" already exists",
>          "name": "DuplicateEntry"
>      },
>      "id": 0,
>      "principal": "admin at IDM.LAB.ENG.BRQ.REDHAT.COM",
>      "result": null,
>      "version": "3.3.90GIT8e26acb"
> }
>
> It would be more consistent if we used the same "error" dict also for REST.
>
>
> The default port, 8090, is still not documented.
>

Done some renaming. Still arguing about what to call this thing later in 
the thread, but that's code-independent.

I fixed up the man pages a bit, re-tested everything, improved the spec 
slightly and probably some other minor things I'm forgetting.

I raise a single, server-specific exception which is why I do all the 
basestring/Exception handwringing in the IPAError class. I'm open to 
suggestions. I'd rather not declare an error in the IPA Namespace for 
this. This sort of brings us back to a previous discussion on where 
errors.py should live...

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1106-4-rest.patch
Type: text/x-patch
Size: 45622 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140214/6145dcc3/attachment.bin>
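
The error-shape point discussed in this message, as an added example that is not code from the attached patch: one server-side exception that accepts either a string or another exception and is rendered into the same "error" dict as the JSON quoted above. The names `ProxyError`, `render_error` and the stand-in `DuplicateEntry` class are hypothetical, and leaving out the "id" and "principal" keys is an assumption.

```python
import json


class DuplicateEntry(Exception):
    """Constructed stand-in for an IPA error; 4002 is the code quoted above."""
    errno = 4002


class ProxyError(Exception):
    """Hypothetical single server-side exception for the proxy.

    `detail` may be a plain message or another exception, so handlers raise
    one type and the response layer renders one shape.
    """

    def __init__(self, status, detail):
        self.status = status  # HTTP status chosen by the handler
        if isinstance(detail, Exception):
            # Wrapped error: keep its numeric code and class name.
            self.code = getattr(detail, "errno", None)
            self.name = type(detail).__name__
        else:
            # Bare string: no numeric code, name is this class.
            self.code = None
            self.name = type(self).__name__
        self.message = str(detail)
        super().__init__(self.message)


def render_error(exc, version):
    """Return (status, JSON body) using the same "error" dict as JSON-RPC."""
    body = {
        "error": {"code": exc.code, "message": exc.message, "name": exc.name},
        "result": None,
        "version": version,
    }
    return exc.status, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample inputs.
    dup = DuplicateEntry('user with name "admin" already exists')
    print(render_error(ProxyError(400, dup), "0.0-example"))
    print(render_error(ProxyError(404, "host not found"), "0.0-example"))
```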

