[Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

Petr Vobornik pvoborni at redhat.com
Mon May 30 15:44:11 UTC 2016


On 05/27/2016 06:00 PM, Nathaniel McCallum wrote:
> Pavel, since we made the change here from a StrEnum to a Str, we need
> to update the UI patch accordingly.

How should an admin know what to write there intuitively?

Shouldn't the Web UI or CLI advertise the indicators supported by IPA? E.g.
the CLI in its doc string. The Web UI might even combine checkboxes (otp,
radius) with a textbox.

> 
> On Fri, 2016-05-27 at 11:55 -0400, Nathaniel McCallum wrote:
>> On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
>>> On Fri, 27 May 2016, Nathaniel McCallum wrote:
>>>> All core functionality for authentication indicators has already been
>>>> merged. All that is left is the CLI and UI patches. Attached is the CLI
>>>> patch.
>>>>
>>>> One outstanding question that I have is how to future-proof this patch.
>>>> Right now, we want to only permit two possible values: otp and radius.
>>>> So we are using an StrEnum. However, in the future (probably after
>>>> krb5-spake) we may want to have per-token custom indicators. That means
>>>> that this value will need to become a Str.
>>> PKINIT already has support for AI, so it would be good to add a pkinit
>>> indicator as well. The problem here is that the pkinit indicator is not
>>> fixed and can be defined in the krb5.conf.
>>
>> Okay. You've convinced me that we should just make it a string now and
>> be done with it since administrators can already set custom AIs. New
>> patch attached. I think this is ready for merge.
>>
>>>> How do I code this so that we can later do a StrEnum => Str transition
>>>> without breaking API?
>>> Maybe just go to Str* right now and make a validation function that
>>> performs the actual check? Once you'd upgrade, the validation code would
>>> change but the method signature wouldn't.
>>
>> Since admins can already set custom AIs, there is no reason for a
>> validator. Let's just accept everything.
> 


-- 
Petr Vobornik
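
The design discussed in this thread (a free-form string parameter whose policy lives in a validation function, with the built-in indicators still advertised to the admin), as an added example that is not part of the original messages or of FreeIPA's code. `IndicatorParam`, both validators and the whitespace rule are hypothetical; `pkinit` and `otpp` are constructed sample values.

```python
KNOWN_INDICATORS = ("otp", "radius")  # the two values named in the thread


def strict_validator(value):
    """Closed policy: same accepted set as the original StrEnum."""
    if value not in KNOWN_INDICATORS:
        return "must be one of: " + ", ".join(KNOWN_INDICATORS)
    return None


def open_validator(value):
    """Open policy: any single token (syntax rule assumed for this sketch)."""
    if not value or any(ch.isspace() for ch in value):
        return "must be a non-empty token without whitespace"
    return None


class IndicatorParam:
    """Hypothetical stand-in for a free-form, multi-valued string parameter."""

    def __init__(self, validator):
        self.validator = validator
        # Advertise the built-in values even though the type is free-form.
        self.doc = ("Authentication indicator. Built-in values: "
                    + ", ".join(KNOWN_INDICATORS)
                    + ". Other values are site-defined.")

    def check(self, values):
        """Return (accepted, errors, unadvertised) for a list of indicators."""
        accepted, errors, unadvertised = [], {}, []
        for value in values:
            error = self.validator(value)
            if error:
                errors[value] = error
                continue
            accepted.append(value)
            if value not in KNOWN_INDICATORS:
                unadvertised.append(value)  # candidate for a typo warning
        return accepted, errors, unadvertised


def demo():
    # Constructed input: "pkinit" is a site-defined value, "otpp" a typo.
    requested = ["otp", "pkinit", "otpp", "bad value"]
    return (IndicatorParam(strict_validator).check(requested),
            IndicatorParam(open_validator).check(requested))
```

Swapping `strict_validator` for `open_validator` changes which values are accepted without changing the parameter's type or the signature of `check`; the `unadvertised` list is where a CLI or Web UI could surface a "not a built-in indicator" hint.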



