On Wed, 2013-02-13 at 12:40 -0500, John Dennis wrote:

> I appreciate Simo's concern for authorization and audit in this process,
> we must solve that problem. If I understand the proposal correctly it's
> akin to recording a macro that can be replayed. The framework executes
> as normal but instead of issuing the LDAP modify commands we record
> them. Then after the entire command completes we send the recorded
> operations back to 389DS in some form. Did I understand this correctly?
> If so I'm very much against the idea of sending JSON back to 389DS to
> execute the totality of the operation. Why? It either breaks or has the
> potential to break our entire processing model, pre and post operations,
> validity checks (e.g. querying the current state), user supplied plugins,
> etc. I could see this working in some limited cases which might give you
> the illusion it would work. But the only robust general solution I think
> we can sign up for supporting is to use the API commands we designed,
> period. Anything else just seems like a nightmare scenario of corner cases.
>
> Therefore I think the proposal of watching something (yet to be
> determined), calling our API commands, and then cleaning up the watched
> entity afterwards is the best approach. Figuring out how to
> authenticate/authorize/audit this is the primary challenge, a challenge
> far more manageable than trying to subvert the framework with every
> known and unknown risk that introduces. It's hard enough as it is
> assuring our documented API works correctly. Our API is the only thing I
> think we can realistically commit to supporting.
See my reply to Petr, it can be done the way you ask (i.e. the framework does the actual LDAP add); the only concern I have is looping and deadlocks. If we can solve the looping and potential deadlocking concerns I think we can avoid the JSON reply and let the framework do the actual final LDAP add.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel