On Fri, 2016-05-27 at 18:35 +0300, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Nathaniel McCallum wrote:
> > All core functionality for authentication indicators has already
> > been
> > merged. All that is left is the CLI and UI patches. Attached is the
> > CLI
> > patch.
> > 
> > One outstanding question that I have is how to future-proof this
> > patch.
> > Right now, we want to only permit two possible values: otp and
> > radius.
> > So we are using an StrEnum. However, in the future (probably after
> > krb5-spake) we may want to have per-token custom indicators. That
> > means
> > that this value will need to become a Str.
> PKINIT has already support for AI, so it would be good to add pkinit
> indicator as well. The problem here is that pkinit indicator is not
> fixed and can be defined in the krb5.conf.

Okay. You've convinced me that we should just make it a string now and
be done with it since administrators can already set custom AIs. New
patch attached. I think this is ready for merge.

> > How do I code this so that we can later do a StrEnum => Str
> > transition
> > without breaking API?
> Maybe just go to Str* right now and make a validation function that
> performs the actual check? Once you'd upgrade the validation code
> would
> change but method signature wouldn't.

Since admins can already set custom AIs, there is no reason for a
validator. Let's just accept everything.
From 6edda3ea40a4ab1bc3a45c1415b8a2ee9150af34 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Wed, 4 May 2016 17:08:45 -0400
Subject: [PATCH] Enable service authentication indicator management

https://fedorahosted.org/freeipa/ticket/433
---
 API.txt                   | 9 ++++++---
 VERSION                   | 4 ++--
 ipalib/plugins/service.py | 9 ++++++++-
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index dbc6f1adc614607fab106ab0de7163961e7ecedc..16c286d85fb1c94b9c438bb908d735cc716ce728 100644
--- a/API.txt
+++ b/API.txt
@@ -3901,7 +3901,7 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add
-args: 1,11,3
+args: 1,12,3
 arg: Str('krbprincipalname', cli_name='principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -3909,6 +3909,7 @@ option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
+option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
@@ -4011,10 +4012,11 @@ output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
 command: service_find
-args: 1,11,4
+args: 1,12,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('krbprincipalname?', autofill=False, cli_name='principal')
 option: Str('man_by_host*', cli_name='man_by_hosts')
 option: Flag('no_members', autofill=True, default=False)
@@ -4029,7 +4031,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: service_mod
-args: 1,12,3
+args: 1,13,3
 arg: Str('krbprincipalname', cli_name='principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4037,6 +4039,7 @@ option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Flag('rights', autofill=True, default=False)
diff --git a/VERSION b/VERSION
index eb7957eb1c5ae2487975a2fae4485a43f613cb64..bdf408e2ed108dbf7503970559c39b998fa2689e 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=169
-# Last change: vault: copy arguments of client commands from server counterparts
+IPA_API_VERSION_MINOR=170
+# Last change: npmccallum - enable setting authinds on services
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 4f03bd35f80805c7f821cac8a3f0e85c547a6219..1cdfce759a516a80f18097beefed41f64bd7e7e6 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -411,7 +411,7 @@ class service(LDAPObject):
     permission_filter_objectclasses = ['ipaservice']
     search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
     default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
-        'ipakrbauthzdata', 'memberof', 'ipaallowedtoperform']
+        'ipakrbauthzdata', 'memberof', 'ipaallowedtoperform', 'krbprincipalauthind']
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'managedby': ['host'],
@@ -505,6 +505,13 @@ class service(LDAPObject):
                   " e.g. this might be necessary for NFS services."),
             values=(u'MS-PAC', u'PAD', u'NONE'),
         ),
+        Str('krbprincipalauthind',
+            cli_name='auth_ind',
+            label=_('Authentication Indicators'),
+            doc=_('Authentication Indicator whitelist'),
+            multivalue=True,
+            required=False,
+        ),
     ) + ticket_flags_params
 
     def validate_ipakrbauthzdata(self, entry):
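Review bot: The new `krbprincipalauthind` parameter at the top of the hunk is a free-form `Str` with no validation, and its doc `_('Authentication Indicator whitelist')` does not tell an administrator what the values must match or that nothing is checked. The cover letter makes the open set deliberate (otp, radius, and pkinit indicators named in krb5.conf), so the contract belongs in the help text rather than in a validator, e.g. `doc=_('Authentication Indicator whitelist (values are not validated; use the indicator names the KDC is configured to issue, e.g. otp, radius, or a pkinit indicator from krb5.conf)')`. If the KDC enforces this attribute as a whitelist, a misspelled value would presumably reject every ticket for the service rather than fall open; a short mention of that fail-closed behaviour in the doc would help operators recognise the symptom. The parameter tuple this entry belongs to opens outside the hunk.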
-- 
2.8.3
