[Pki-devel] [PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

Christina Fu cfu at redhat.com
Wed May 13 16:13:33 UTC 2015


Thanks, Endi!!
pushed to master:
commit ccf2eb507471a9f19a1768befadeff404c96635e

Christina

On 05/12/2015 01:42 PM, Endi Sukma Dewata wrote:
> On 5/12/2015 1:01 PM, Christina Fu wrote:
>> Attached please find the update.
>> Two things to note:
>> 1. for comment #2, as discussed over irc, I put the auth manager id in
>> the authToken instead.  Turns out the session context has the whole
>> authToken in it, so there is no need to put it in separately in the
>> session context.
>> 2. for comment #3, the difference between the password based and cert
>> based auth is that by the time it gets here, cert based auth already
>> passed the ssl auth, so we know exactly who the subject is, and what
>> remains is just a matter of mapping it to the right user in the
>> internaldb.  Unlike cert based auth, the password based auth could be
>> anyone attempting to be the uid provided in the auth, so the "attempted"
>> is more useful in capturing the attempt.
>> I changed it so that cert based auth now has "attemptedUID" to be
>> the same as that of the subjectid, and I added a comment to explain that.
>> The two auth methods are going to be different, and for a good reason.
>>
>> I addressed the rest of the comments as requested.
>>
>> thanks,
>> Christina
>
> There is one more mSignedAuditLogger in PKIRealm. Other than that it's 
> ACKed.
>
