[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

Rob Crittenden rcritten at redhat.com
Wed Nov 25 14:02:03 UTC 2015


Jan Cholasta wrote:
> On 24.11.2015 22:17, Simo Sorce wrote:
>> On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote:
>>> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
>>>> Since some time we use the getkeytab operation to fetch keytabs on
>>>> newer
>>>> clients. According to bug #232 setkeytab can be used to circumvent
>>>> password quality controls so it needs to be slowly retired.
>>>>
>>>> The attached patches implement #5485 in 2 parts.
>>>>
>>>> The first introduces the option DisableSetKeytab which globally
>>>> disables
>>>> the setkeytab extended operation. This is set to false by default for
>>>> backwards compatibility.
>>>>
>>>> The second introduces an option called DisableUserSetKeytab, which is
>>>> active by default in new installs (but not in upgraded ones), and only
>>>> disables the use of setkeytab for ipa users, but not for
>>>> hosts/services.
>>>> This is because users are the ones that may abuse the interface to
>>>> escape password policies and users also normally do not acquire
>>>> keytabs,
>>>> so it is a safe bet to disable just them by default in new installs.
>>>>
>>>> (Testing in progress)
>>>
>>> Tested and working as expected.
>>
>> I realized that adding options to ipaConfig requires adding them in the
>> UI as well; attached patches add options in API.txt and config.py.
>> Make now complains that I should change API Major or Minor, but it is not
>> clear to me why, given these are additional values and no real change or
>> new function is introduced. What's the recommendation?
> 
> When does make complain? It is supposed to complain only when API.txt
> does not match code.
> 
> Anyway, we usually bump minor version even for backward compatible
> changes, see e.g. commit 9549a59.
> 

The point of API.txt (and the heavy client) was to save a round-trip.
Being able to pass in an invalid option would void that rule hence
having to update the API when new values are added.

rob
