[Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

Nathaniel McCallum npmccallum at redhat.com
Fri May 27 15:55:03 UTC 2016


On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Nathaniel McCallum wrote:
> > All core functionality for authentication indicators has already been
> > merged. All that is left is the CLI and UI patches. Attached is the CLI
> > patch.
> > 
> > One outstanding question that I have is how to future-proof this patch.
> > Right now, we want to only permit two possible values: otp and radius.
> > So we are using an StrEnum. However, in the future (probably after
> > krb5-spake) we may want to have per-token custom indicators. That means
> > that this value will need to become a Str.
> PKINIT already has support for AI, so it would be good to add a pkinit
> indicator as well. The problem here is that the pkinit indicator is not
> fixed and can be defined in the krb5.conf.

Okay. You've convinced me that we should just make it a string now and
be done with it since administrators can already set custom AIs. New
patch attached. I think this is ready for merge.

> > How do I code this so that we can later do a StrEnum => Str transition
> > without breaking API?
> Maybe just go to Str* right now and make a validation function that
> performs the actual check? Once you upgrade, the validation code would
> change but the method signature wouldn't.

Since admins can already set custom AIs, there is no reason for a
validator. Let's just accept everything.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0093-Enable-service-authentication-indicator-management.patch
Type: text/x-patch
Size: 4929 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160527/f66227de/attachment.bin>

