Re: [PATCH] Add auth_param request_format, request_realm to proxy authentication schemes

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 16 Nov 2013 19:49:39 +1300

On 16/11/2013 6:38 p.m., Alex Rousskov wrote:
> On 11/15/2013 08:56 PM, Amos Jeffries wrote:
>> On 16/11/2013 6:13 a.m., Alex Rousskov wrote:
>>> On 11/15/2013 08:11 AM, Amos Jeffries wrote:
>>>> On 30/10/2013 5:13 a.m., Tsantilas Christos wrote:
>>>>> The attached patch adds the "auth_param request_format" and "auth_param
>>>>> request_realm" to proxy authentication schemes.
>>>>>
>>>>> The request_format value is used to define the format of the helper request
>>>>> line. It is a "quoted string" with logformat %macro support. A new
>>>>> %credentials macro can be used to supply user password and other
>>>>> scheme-dependent information to the helper.
>>>>>
>>>>> The request_realm is an authenticated users cache key format, needed
>>>>> when request_format feature is used to authenticate different users with
>>>>> identical user names (e.g., when user authentication depends on http_port).
>>>
>>>
>>>> I don't think the idea made it out of the IRC planning discussion properly.
>>>
>>> There was a detailed RFC posted after the informal IRC discussion. The
>>> RFC email date is October 10, 2013. It is rather unfortunate that your
>>> objections come so late. The primary purpose of RFCs is to prevent the
>>> waste of resources and confusion related to changing the primary
>>> functionality of the developed, tested, and often deployed features!
>>>
>>
>> Which did not look much different to what we discussed on IRC.
>> You discussed there that the request_realm parameter as alternative to
>> request_format,
>
> No, I did not discuss request_realm parameter as an alternative to
> request_format. I proposed it as a solution to use cases where the admin
> wants to change not just the request format, but the cache key as well.
> I even provided a list of reasons for allowing an admin to configure the
> two aspects separately.
>
>
>>>> We need only _one_ format called realm_format.
>>>
>>> In other words, you want to restrict the proposed request_realm to its
>>> proposed default value, eliminating the need for an explicit
>>> request_realm configuration option, right?
>>
>> No. Other way around. realm_format is nicely being appended to the
>> existing cache key. It needs likewise to be an append on the existing
>> helper lookup line instead of a full replacement of that line (which is
>> what request_format does here).
>
> OK.
>
> Now about the name: "realm_format" is a bad choice IMO because some
> folks will think that it controls the format of the authentication realm
> string displayed to the user (for schemes where we can specify that
> user-visible string). I suggest calling the new option "request_extras".
> The configured extras will be appended to the helper request and to the
> cache key. Any better naming ideas?
>

Hmm. We could call it "notes" or "annotations" and document it as part
of the custom annotations and other details being sent to the helper.

Amos
Received on Sat Nov 16 2013 - 06:49:48 MST
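
Why the thread wants the configured extras appended to both the helper request and the cache key, shown as an added example that is not part of the original thread and is not Squid's code. It is a simplified C++ model in which `AuthCache`, `helperLookup`, `crossPortAccepted` and the accounts and passwords are all constructed assumptions; a cache keyed on user name alone lets a result validated for one http_port answer a lookup for another.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for an external auth helper (not a real Squid helper):
// "alice" is a different account, with a different password, on each port.
static bool helperLookup(const std::string &requestLine) {
    static const std::map<std::string, bool> accounts = {
        {"alice pw-3128 3128", true}, {"alice pw-8080 8080", true}};
    return accounts.count(requestLine) > 0;
}

// Hypothetical model of an authenticated-users cache.
class AuthCache {
public:
    explicit AuthCache(bool keyIncludesExtras) : keyIncludesExtras_(keyIncludesExtras) {}

    // extras models the configured extras (here: the listening port).
    bool authenticate(const std::string &user, const std::string &pass,
                      const std::string &extras) {
        // The extras always reach the helper; the flag controls the cache key.
        const std::string key = keyIncludesExtras_ ? user + " " + extras : user;
        const auto hit = cache_.find(key);
        if (hit != cache_.end() && hit->second == pass)
            return true; // served from cache, helper not consulted
        if (!helperLookup(user + " " + pass + " " + extras))
            return false;
        cache_[key] = pass;
        return true;
    }

private:
    bool keyIncludesExtras_;
    std::map<std::string, std::string> cache_;
};

// Port 3128's alice logs in, then the same password is presented on port 8080.
bool crossPortAccepted(bool keyIncludesExtras) {
    AuthCache cache(keyIncludesExtras);
    cache.authenticate("alice", "pw-3128", "3128");
    return cache.authenticate("alice", "pw-3128", "8080");
}

int main() {
    std::cout << "user-only key:   " << crossPortAccepted(false) << "\n";
    std::cout << "user+extras key: " << crossPortAccepted(true) << "\n";
}
```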