[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Jan Cholasta
jcholast at redhat.com
Mon Mar 16 12:35:22 UTC 2015
Dne 16.3.2015 v 13:30 Martin Babinsky napsal(a):
> On 03/16/2015 12:15 PM, Martin Kosek wrote:
>> On 03/13/2015 05:37 PM, Martin Babinsky wrote:
>>> Attaching the next iteration of patches.
>>>
>>> I have tried my best to reword the ipa-client-install man page bit
>>> about the
>>> new option. Any suggestions to further improve it are welcome.
>>>
>>> I have also slightly modified the 'kinit_keytab' function so that in
>>> Kerberos
>>> errors are reported for each attempt and the text of the last error
>>> is retained
>>> when finally raising exception.
>>
>> The approach looks very good. I think that my only concern with this
>> patch is
>> this part:
>>
>> + ccache.init_creds_keytab(keytab=ktab, principal=princ)
>> ...
>> + except krbV.Krb5Error as e:
>> + last_exc = str(e)
>> + root_logger.debug("Attempt %d/%d: failed: %s"
>> + % (attempt, attempts, last_exc))
>> + time.sleep(1)
>> +
>> + root_logger.debug("Maximum number of attempts (%d) reached"
>> + % attempts)
>> + raise StandardError("Error initializing principal %s: %s"
>> + % (principal, last_exc))
>>
>> The problem here is that this function will raise the super-generic
>> StandardError instead of the proper with all the context and
>> information about
>> the error that the caller can then process.
>>
>> I think that
>>
>> except krbV.Krb5Error as e:
>> if attempt == max_attempts:
>> log something
>> raise
>>
>> would be better.
>>
>
> Yes that seems reasonable. I'm just thinking whether we should re-raise
> Krb5Error or raise ipalib.errors.KerberosError? the latter options makes
> more sense to me as we would not have to additionally import Krb5Error
> everywhere and it would also make the resulting errors more consistent.
>
> I am thinking about someting like this:
>
> except krbV.Krb5Error as e:
> if attempt == attempts:
> # log that we have reaches maximum number of attempts
> raise KerberosError(minor=str(e))
>
> What do you think?
>
NACK, don't use ipalib from ipapython in new code, we are trying to get
rid of this circular dependency. Krb5Error is OK in this case.
--
Jan Cholasta
More information about the Freeipa-devel
mailing list