[Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token

Nathaniel McCallum npmccallum at redhat.com
Wed May 7 14:06:09 UTC 2014


On Wed, 2014-05-07 at 15:54 +0200, Petr Vobornik wrote:
> On 6.5.2014 17:07, Nathaniel McCallum wrote:
> > On Tue, 2014-05-06 at 16:11 +0200, Jan Cholasta wrote:
> >> On 6.5.2014 15:16, Nathaniel McCallum wrote:
> >>> On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote:
> >>>> Hi,
> >>>>
> >>>> On 5.5.2014 18:40, Nathaniel McCallum wrote:
> >>>>> Creating tokens for yourself is the most common operation. Making this
> >>>>> the default optimizes for the common case.
> >>>>
> >>>> The user-find call should be inside the if statement.
> >>>
> >>> This is actually for a reason. See my patch 0049 for further context.
> >>
> >> IMO something like this would be better:
> >>
> >>       if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
> >>           result = self.api.Command.user_find(whoami=True)['result']
> >>           if result:
> >>               cur_uid = result[0]['uid'][0]
> >>               prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
> >>               if cur_uid != prev_uid:
> >>                   entry_attrs.setdefault('ipatokenprotected', True)
> >
> > Fixed (see also my new revision of patch 0049).
> >
> > Nathaniel
> >
> 
> I assume that this won't allow creating a token without an owner. Do we 
> want to have this restriction?
> 
> Use case: import a batch of hw tokens

This case is currently very much on my radar (I'm finishing the import
script now). To set no owner, just use --owner="". We are testing for
key presence here, not the value of the key. So if the key is present
with an empty value, no owner will be set.

FYI, the import format (RFC 6030) also permits a mechanism for declaring
ownership in DN format.

Nathaniel
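The owner-defaulting rule from the snippet quoted above, written out as a stand-alone Python function so the cases discussed in this thread (no owner given, owner given as another user, `--owner=""` for an ownerless hardware token) can be checked offline. This is an added illustration, not FreeIPA's code: the real logic sits in the otptoken plugin and calls `self.api.Command.user_find(whoami=True)`; here that lookup is replaced by a `current_uid` parameter, and the attribute names `ipatokenowner` and `ipatokenprotected` are taken from the quoted snippet.

```python
"""Constructed illustration of the token-owner defaulting rule discussed in
the thread. Not FreeIPA code: the whoami lookup is a plain parameter so the
function runs offline."""


def default_token_owner(entry_attrs, current_uid):
    """Apply the defaulting rule from the quoted snippet to entry_attrs in place.

    entry_attrs -- dict of LDAP attributes for the token being added
    current_uid -- uid of the bound user (what user_find(whoami=True) would
                   return), or None when no user entry was found
    Returns entry_attrs so callers can chain or inspect it.
    """
    # The caller identity is only consulted when at least one of the two
    # keys is absent; a fully specified request is left untouched.
    if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
        if current_uid is not None:
            # setdefault tests key presence, not value: an explicitly empty
            # owner (--owner="") stays empty, so no owner is set.
            prev_uid = entry_attrs.setdefault('ipatokenowner', current_uid)
            if current_uid != prev_uid:
                # Owner differs from the caller (another user, or no owner at
                # all): default the token to protected unless the caller
                # already chose a value.
                entry_attrs.setdefault('ipatokenprotected', True)
    return entry_attrs


def run_cases():
    """Exercise the rule on constructed inputs and return the outcomes."""
    caller = 'alice'  # constructed uid of the bound user
    return {
        # Common case: creating a token for yourself, nothing specified.
        'self': default_token_owner({}, caller),
        # Admin creating a token for another user.
        'other': default_token_owner({'ipatokenowner': 'bob'}, caller),
        # Bulk hardware-token import with --owner="" (key present, empty).
        'ownerless': default_token_owner({'ipatokenowner': ''}, caller),
        # Caller specified both attributes; nothing is changed.
        'explicit': default_token_owner(
            {'ipatokenowner': 'bob', 'ipatokenprotected': False}, caller),
        # No matching user entry for the caller: no defaults applied.
        'unknown_caller': default_token_owner({}, None),
    }


if __name__ == '__main__':
    for name, attrs in run_cases().items():
        print(f'{name:15} -> {attrs}')
```

Note that under the quoted rule an ownerless token still differs from the caller, so `ipatokenprotected` defaults to `True` for the import case unless the import script sets it explicitly.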
