[Freeipa-devel] [PATCH 0048] Default the token owner to the person adding the token

Jan Cholasta jcholast at redhat.com
Fri May 23 05:45:17 UTC 2014


On 22.5.2014 16:21, Nathaniel McCallum wrote:
> I still need a review on this.
>
> On Wed, 2014-05-07 at 10:06 -0400, Nathaniel McCallum wrote:
>> On Wed, 2014-05-07 at 15:54 +0200, Petr Vobornik wrote:
>>> On 6.5.2014 17:07, Nathaniel McCallum wrote:
>>>> On Tue, 2014-05-06 at 16:11 +0200, Jan Cholasta wrote:
>>>>> On 6.5.2014 15:16, Nathaniel McCallum wrote:
>>>>>> On Tue, 2014-05-06 at 13:46 +0200, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 5.5.2014 18:40, Nathaniel McCallum wrote:
>>>>>>>> Creating tokens for yourself is the most common operation. Making this
>>>>>>>> the default optimizes for the common case.
>>>>>>>
>>>>>>> The user-find call should be inside the if statement.
>>>>>>
>>>>>> This is actually for a reason. See my patch 0049 for further context.
>>>>>
>>>>> IMO something like this would be better:
>>>>>
>>>>>        if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
>>>>>            result = self.api.Command.user_find(whoami=True)['result']
>>>>>            if result:
>>>>>                cur_uid = result[0]['uid'][0]
>>>>>                prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
>>>>>                if cur_uid != prev_uid:
>>>>>                    entry_attrs.setdefault('ipatokenprotected', True)
>>>>
>>>> Fixed (see also my new revision of patch 0049).
>>>>
>>>> Nathaniel
>>>>
>>>
>>> I assume that this won't allow creating a token without an owner. Do we
>>> want to have this restriction?
>>>
>>> Usecase: import a batch of hw tokens
>>
>> This case is currently very much on my radar (I'm finishing the import
>> script now). To set no owner, just use --owner="". We are testing for
>> key presence here, not the value of the key. So if the key is present
>> with an empty value, no owner will be set.
>>
>> FYI, the import format (RFC 6030) also permits a mechanism for declaring
>> ownership in DN format.
>>
>> Nathaniel
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

ACK.

-- 
Jan Cholasta
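The exchange above turns on two details of the proposed pre_callback logic: the check tests whether the `ipatokenowner` and `ipatokenprotected` keys are *present*, not what they hold (so `--owner=""` keeps a hardware token ownerless), and `setdefault` means a value the caller supplied is never overwritten. The block below is an added, stand-alone model of that logic written for this page; it is not FreeIPA's otptoken plugin. `lookup_whoami` stands in for `api.Command.user_find(whoami=True)` and returns the caller's uid or `None`, the uids `alice` and `bob` are constructed, and how the real framework normalizes an empty `--owner` value before pre_callback is not shown on the page, so the model simply treats a present key with an empty value as "no owner".

```python
"""Model of the token owner / protection defaulting discussed in the thread.

Added illustration only; not FreeIPA's own code.  `entry_attrs` stands in
for the LDAP entry being assembled in pre_callback, and `lookup_whoami`
for api.Command.user_find(whoami=True), returning the caller's uid or None
when the lookup yields nothing.
"""

from typing import Callable, Dict, Optional


def default_owner_and_protection(
    entry_attrs: Dict[str, object],
    lookup_whoami: Callable[[], Optional[str]],
) -> Dict[str, object]:
    """Default the owner to the caller and protect tokens owned by someone else.

    Key *presence* is what is tested, so a caller who passes the owner key
    with an empty value (the `--owner=""` hardware-import case) keeps an
    ownerless token instead of being made its owner.  `setdefault` never
    overwrites a value the caller supplied.
    """
    if 'ipatokenowner' not in entry_attrs or 'ipatokenprotected' not in entry_attrs:
        cur_uid = lookup_whoami()
        if cur_uid is not None:  # mirrors the `if result:` guard on user_find
            prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
            if cur_uid != prev_uid:
                # Token is for somebody else (or nobody): protect it by default.
                entry_attrs.setdefault('ipatokenprotected', True)
    return entry_attrs


def current_user() -> Optional[str]:
    """Constructed stand-in for the whoami lookup: 'alice' is the caller."""
    return 'alice'


def demo_cases() -> Dict[str, Dict[str, object]]:
    """Run the defaulting over constructed inputs covering the thread's cases."""
    return {
        # Plain token-add for yourself: owner defaults to the caller, unprotected.
        'self': default_owner_and_protection({}, current_user),
        # Adding a token for another user: owner kept, protection defaulted on.
        'other': default_owner_and_protection({'ipatokenowner': 'bob'}, current_user),
        # Hardware-token import with an explicit empty owner: the key is present,
        # so the caller is NOT substituted as owner; the token is still protected,
        # because the empty owner differs from the caller.
        'no_owner': default_owner_and_protection({'ipatokenowner': ''}, current_user),
        # Caller decided protection explicitly: setdefault leaves it alone.
        'explicit': default_owner_and_protection(
            {'ipatokenowner': 'bob', 'ipatokenprotected': False}, current_user),
        # whoami lookup returns nothing: no defaults are applied at all.
        'unknown': default_owner_and_protection({}, lambda: None),
    }


if __name__ == '__main__':
    for name, attrs in demo_cases().items():
        print(f'{name:9s} -> {attrs}')
```

Tracing the `no_owner` case shows a consequence worth keeping in mind when reviewing the import script: because the comparison is against the (empty) owner rather than against "was an owner given", an ownerless imported token comes out with `ipatokenprotected` defaulted to True under this logic, which is the conservative choice for a batch added by an administrator.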
