Re: [Pki-devel] [PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

Thanks, Endi!!
pushed to master:
commit ccf2eb507471a9f19a1768befadeff404c96635e


On 05/12/2015 01:42 PM, Endi Sukma Dewata wrote:
On 5/12/2015 1:01 PM, Christina Fu wrote:
Attached please find the update.
Two things to note:
1. for comment #2, as discussed over irc, I put the auth manager id in
the authToken instead.  Turns out the session context has the whole
authToken in it, so there is no need to put it in separately in the
session context.
2. for comment #3, the difference between the password based and cert
based auth is that by the time it gets here, cert based auth already
passed the ssl auth, so we know exactly who the subject is, and what
remains is just a matter of mapping it to the right user in the
internaldb.  Unlike cert based auth, the password based auth could be
anyone attempting to be the uid provided in the auth, so the "attempted"
is more useful in capturing the attempt.
I changed it so that cert based auth now has "attemptedUID" to be
the same as that of the subjectid, and I added a comment to explain that.
The two auth methods are going to be different, and for a good reason.

I addressed the rest of the comments as requested.


There is one more mSignedAuditLogger in PKIRealm. Other than that it's ACKed.

