[Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token

Alexander Bokovoy abokovoy at redhat.com
Fri May 23 08:53:34 UTC 2014


On Fri, 23 May 2014, Jan Cholasta wrote:
>On 22.5.2014 16:21, Nathaniel McCallum wrote:
>>I still need a review on this.
>>
>>On Wed, 2014-05-07 at 10:06 -0400, Nathaniel McCallum wrote:
>>>On Wed, 2014-05-07 at 15:54 +0200, Petr Vobornik wrote:
>>>>On 6.5.2014 17:07, Nathaniel McCallum wrote:
>>>>>On Tue, 2014-05-06 at 16:11 +0200, Jan Cholasta wrote:
>>>>>>On 6.5.2014 15:16, Nathaniel McCallum wrote:
>>>>>>>On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote:
>>>>>>>>Hi,
>>>>>>>>
>>>>>>>>On 5.5.2014 18:40, Nathaniel McCallum wrote:
>>>>>>>>>Creating tokens for yourself is the most common operation. Making this
>>>>>>>>>the default optimizes for the common case.
>>>>>>>>
>>>>>>>>The user-find call should be inside the if statement.
>>>>>>>
>>>>>>>This is actually for a reason. See my patch 0049 for further context.
>>>>>>
>>>>>>IMO something like this would be better:
>>>>>>
>>>>>>       if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
>>>>>>           result = self.api.Command.user_find(whoami=True)['result']
>>>>>>           if result:
>>>>>>               cur_uid = result[0]['uid'][0]
>>>>>>               prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
>>>>>>               if cur_uid != prev_uid:
>>>>>>                   entry_attrs.setdefault('ipatokenprotected', True)
>>>>>
>>>>>Fixed (see also my new revision of patch 0049).
>>>>>
>>>>>Nathaniel
>>>>>
>>>>
>>>>I assume that this won't allow creating a token without an owner. Do we
>>>>want to have this restriction?
>>>>
>>>>Use case: import a batch of hw tokens
>>>
>>>This case is currently very much on my radar (I'm finishing the import
>>>script now). To set no owner, just use --owner="". We are testing for
>>>key presence here, not the value of the key. So if the key is present
>>>with an empty value, no owner will be set.
>>>
>>>FYI, the import format (RFC 6030) also permits a mechanism for declaring
>>>ownership in DN format.
>>>
>>>Nathaniel
>>>
>>>_______________________________________________
>>>Freeipa-devel mailing list
>>>Freeipa-devel at redhat.com
>>>https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>>
>
>ACK.
>
Pushed to master
* db7d0219bac72daa270ee28d5db5c18ea41fb8b1 Default the token owner to the person adding the token


-- 
/ Alexander Bokovoy
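
Added example, not part of the original message or of the FreeIPA patch: the key-presence test discussed in the thread, next to a value-based test that would overwrite an explicit --owner="". The function names, the `whoami_uid` argument (standing in for the uid from user_find(whoami=True)) and the representation of an empty owner as a present key holding None are assumptions.

```python
# Added illustration, not FreeIPA code. `whoami_uid` stands in for the uid
# returned by user_find(whoami=True); all function names are hypothetical.

def default_by_presence(entry_attrs, whoami_uid):
    """Defaulting as suggested in the thread: test whether the key exists."""
    attrs = dict(entry_attrs)
    if 'ipatokenowner' not in attrs or 'ipatokenprotected' not in attrs:
        if whoami_uid:
            prev_uid = attrs.setdefault('ipatokenowner', whoami_uid)
            if whoami_uid != prev_uid:
                attrs.setdefault('ipatokenprotected', True)
    return attrs


def default_by_value(entry_attrs, whoami_uid):
    """Contrast case: test the value, so an explicit empty owner is overwritten."""
    attrs = dict(entry_attrs)
    if whoami_uid and not attrs.get('ipatokenowner'):
        attrs['ipatokenowner'] = whoami_uid
    return attrs


def owner_of(attrs):
    """Return the effective owner, or None when the token is ownerless."""
    return attrs.get('ipatokenowner') or None


# Constructed inputs. Assumption: --owner="" reaches the hook as a present
# key holding an empty value (None here).
CASES = {
    'no --owner': {},
    '--owner=""': {'ipatokenowner': None},
    '--owner=bob': {'ipatokenowner': 'bob'},
}

if __name__ == '__main__':
    for label, attrs in CASES.items():
        p = default_by_presence(attrs, 'alice')
        v = default_by_value(attrs, 'alice')
        print(f'{label:12} presence: owner={owner_of(p)!r} '
              f'protected={p.get("ipatokenprotected")!r} | '
              f'value test: owner={owner_of(v)!r}')
```

With the presence test, a batch import that passes an empty owner keeps its tokens ownerless; the value test would assign every imported token to the administrator running the import.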



