[Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

Nathaniel McCallum npmccallum at redhat.com
Fri May 27 16:00:30 UTC 2016


Pavel, since we made the change here from a StrEnum to a Str, we need
to update the UI patch accordingly.

On Fri, 2016-05-27 at 11:55 -0400, Nathaniel McCallum wrote:
> On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
> > On Fri, 27 May 2016, Nathaniel McCallum wrote:
> > > All core functionality for authentication indicators has already
> > > been merged. All that is left is the CLI and UI patches. Attached
> > > is the CLI patch.
> > > 
> > > One outstanding question that I have is how to future-proof this
> > > patch. Right now, we want to only permit two possible values: otp
> > > and radius. So we are using an StrEnum. However, in the future
> > > (probably after krb5-spake) we may want to have per-token custom
> > > indicators. That means that this value will need to become a Str.
> > PKINIT already has support for AI, so it would be good to add a
> > pkinit indicator as well. The problem here is that the pkinit
> > indicator is not fixed and can be defined in the krb5.conf.
> 
> Okay. You've convinced me that we should just make it a string now
> and be done with it since administrators can already set custom AIs.
> New patch attached. I think this is ready for merge.
> 
> > > How do I code this so that we can later do a StrEnum => Str
> > > transition without breaking API?
> > Maybe just go to Str* right now and make a validation function that
> > performs the actual check? Once you upgrade, the validation code
> > would change but the method signature wouldn't.
> 
> Since admins can already set custom AIs, there is no reason for a
> validator. Let's just accept everything.



