On Wed, 2011-12-28 at 13:02 -0500, John Dennis wrote: > On 12/22/2011 03:25 PM, Simo Sorce wrote: > > The WebUI uses /ipa/ui and /ipa/json The CLI uses only /ipa/xmlrpc > > > > In your whole discussion below you should rethink /ipa/rpc as > > /ipa/json because it looks to me you are only considering the WebUI > > client (that's just fine). Only because you conflated /ipa/json and > > /ipa/xmlrpc, treat them as separate things and it will be easier. > > > Why can't we just keep /ipa/xmlrpc ? Why do you mix /ipa/json and > > /ipa/xmlrpc and call them the same and then propose to split them > > when they are separate from the start ? > > Sometimes you get too close to what you're working on and can't see the > forest for the trees. Thank you for pointing out how /ipa/json and > /ipa/xml are used exclusively and independently by the web UI and the > command line tools respectively. How did I get confused? Those two URI's > are treated identically in the existing code base, entry into the system > via /ipa/json and /ipa/xml traverse the exact same code paths and hence > I incorrectly conflated them. Sometimes it takes a second pair of eyes > to see the obvious, thus this discussion was useful, thank you. > > I have recoded the logic in ipaserver/rpcserver.py to separate the two > cases. I also had to refactor some of the logic surrounding when and > where backend connections with their credentials are managed. > > The good news is both the web UI and the command line clients seem to be > working fine with the new session based authentication. > > I have some clean-up work to do on the code before I prepare a patch for > review. In particular I would like to do a better job of storing and > setting the kerberos credentials than what I'm currently doing > (currently more proof-of-concept than deployable robust code).
Great news! Glad it was just a misunderstanding and not a hard to manage issue. > > We can have different URIs once we change the CLI, to maintain > > compatibility with old tools. But it would be the other way around. > > /ipa/xmlrpc would be krb protected by default and then we add > > /ipa/session/xmlrpc which is instead the session base one. > > Yes, once we implement session support in the command line clients we'll > need a new URI (e.g /ipa/session/xmlrpc). I don't see anyway around > that, but given the functionality is new that won't be an issue, > everything remains backwards compatible. Yup, everything sounds nice and workable, thank you John. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel