[Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token

Nathaniel McCallum npmccallum at redhat.com
Thu May 22 14:21:17 UTC 2014


I still need a review on this.

On Wed, 2014-05-07 at 10:06 -0400, Nathaniel McCallum wrote:
> On Wed, 2014-05-07 at 15:54 +0200, Petr Vobornik wrote:
> > On 6.5.2014 17:07, Nathaniel McCallum wrote:
> > > On Tue, 2014-05-06 at 16:11 +0200, Jan Cholasta wrote:
> > >> On 6.5.2014 15:16, Nathaniel McCallum wrote:
> > >>> On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote:
> > >>>> Hi,
> > >>>>
> > >>>> On 5.5.2014 18:40, Nathaniel McCallum wrote:
> > >>>>> Creating tokens for yourself is the most common operation. Making this
> > >>>>> the default optimizes for the common case.
> > >>>>
> > >>>> The user-find call should be inside the if statement.
> > >>>
> > >>> This is actually for a reason. See my patch 0049 for further context.
> > >>
> > >> IMO something like this would be better:
> > >>
> > >>       if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
> > >>           result = self.api.Command.user_find(whoami=True)['result']
> > >>           if result:
> > >>               cur_uid = result[0]['uid'][0]
> > >>               prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
> > >>               if cur_uid != prev_uid:
> > >>                   entry_attrs.setdefault('ipatokenprotected', True)
> > >
> > > Fixed (see also my new revision of patch 0049).
> > >
> > > Nathaniel
> > >
> > 
> > I assume that this won't allow to create a token without an owner. Do we 
> > want to have this restriction?
> > 
> > Usecase: import a batch of hw tokens
> 
> This case is currently very much on my radar (I'm finishing the import
> script now). To set no owner, just use --owner="". We are testing for
> key presence here, not the value of the key. So if the key is present
> with an empty value, no owner will be set.
> 
> FYI, the import format (RFC 6030) also permits a mechanism for declaring
> ownership in DN format.
> 
> Nathaniel
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
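As an added example (not code from the patch, from FreeIPA, or from anyone on the thread), the owner-defaulting logic from Jan's snippet above as a stand-alone function. The `user_find(whoami=True)` lookup is replaced by a plain `current_uid` argument, `entry_attrs` is an ordinary dict of scalar values rather than an IPA entry, and the `--owner=""` case is modelled as the key being present with an empty string; those are assumptions of the model, not details confirmed by the thread. It shows the key-presence rule Nathaniel describes: an explicit empty owner is kept as "no owner", and, because the empty owner differs from the caller, the snippet's logic also marks such a token protected unless the caller set that flag explicitly.

```python
"""Model of the token-owner defaulting logic from the thread (added example).

Assumptions: the whoami lookup is a parameter, attribute values are plain
strings, and an explicit --owner="" arrives as 'ipatokenowner': ''.
"""


def default_token_owner(entry_attrs, current_uid):
    """Apply owner/protected defaults to a new token entry, in place.

    entry_attrs: dict of attribute name -> value for the token being added.
    current_uid: uid of the user issuing the command (the whoami result),
                 or None if that lookup returned no result.
    Returns entry_attrs so callers can chain or inspect it.
    """
    # Only act when at least one of the two attributes was not supplied.
    # A caller that set both gets exactly what it asked for.
    if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
        if current_uid:
            # Key presence, not value, decides the default: an explicit
            # --owner="" leaves the key present with an empty value, so
            # setdefault() keeps it and no owner is assigned.
            prev_uid = entry_attrs.setdefault('ipatokenowner', current_uid)
            # A token owned by someone other than its creator (or by no one)
            # is marked protected unless the caller said otherwise.
            if current_uid != prev_uid:
                entry_attrs.setdefault('ipatokenprotected', True)
    return entry_attrs


def demo():
    """Run the constructed cases from the discussion and return them."""
    cases = {
        'self':        ({}, 'admin'),                        # common case
        'other_user':  ({'ipatokenowner': 'bob'}, 'admin'),  # token for someone else
        'no_owner':    ({'ipatokenowner': ''}, 'admin'),     # --owner="" (hw token import)
        'explicit':    ({'ipatokenowner': 'bob',
                         'ipatokenprotected': False}, 'admin'),
        'no_whoami':   ({}, None),                           # lookup returned nothing
    }
    return {name: default_token_owner(dict(attrs), uid)
            for name, (attrs, uid) in cases.items()}


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name:>10}: {result}')
```

Usage: run the file directly to print each constructed case, or import `default_token_owner` and pass it the attribute dict from your own code path. The `dict(attrs)` copy in `demo()` matters only because the function mutates its argument, exactly as the snippet mutates `entry_attrs` in the pre-callback.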