devpi / devpi-ldap

Plugin for devpi-server which provides LDAP authentication.

Should a user index automatically be created when a user logs in via LDAP? #15

Open msabramo opened 9 years ago

msabramo commented 9 years ago

If I log in via LDAP:

$ devpi login ${USER}
password for user marca:
logged in 'marca', credentials valid for 10.00 hours

No index gets automatically created for me:

$ devpi index -c foo
PUT http://devpi.corp.surveymonkey.com/marca/foo
404 Not Found: no user u'marca'

I have to manually create the user in devpi:

$ devpi user -c ${USER}
new password for user marca:
repeat new password for user marca:
user created: marca

and then it works:

$ devpi index -c foo
http://devpi.corp.surveymonkey.com/marca/foo:
  type=stage
  bases=root/pypi
  volatile=True
  uploadtrigger_jenkins=None
  acl_upload=marca
  pypi_whitelist=

Should devpi-ldap automatically create this index for the user?

Cc: @sudarkoff

fschulze commented 9 years ago

It's a conscious design decision not to create user objects and indices for external users. Would be great if you could add that to the readme. Thanks for your other PRs so far!

msabramo commented 9 years ago

Out of curiosity and maybe for the readme, what's the reasoning behind that design decision? E.g.: is it assumed that external users wouldn't need those things? Or is it because it's easy enough for users to do it with the devpi command-line tool, so that's good enough?

fschulze commented 9 years ago

There are a lot of use cases, where users get access via groups and don't need their own indices. Instead of adding an option to enable or disable index creation we decided that the user either needs the right to create the index himself, or an admin creates the index for the user.

hpk42 commented 9 years ago

On Wed, Feb 04, 2015 at 00:17 -0800, Florian Schulze wrote:

> There are a lot of use cases, where users get access via groups and don't need their own indices. Instead of adding an option to enable or disable index creation we decided that the user either needs the right to create the index himself, or an admin creates the index for the user.

Marc raises a good UI experience question, though. By default, we might allow the creation of an index (and an implicit user object) if the user is externally validated via LDAP. By default you can explicitly create a user object yourself so it's not giving a user more power.

If a devpi-server operator does not want this to happen it should use --restrict-modify.

If we went for this change of defaults it's not clear where/how to implement it wrt to devpi-ldap and devpi-server core itself. But usability first! :)

thoughts? holger


Reply to this email directly or view it on GitHub: https://github.com/devpi/devpi-ldap/issues/15#issuecomment-72807653

fschulze commented 9 years ago

We can create the user object on index creation if the user has permission to do so. Then we don't get lots of unused user objects and the experience is the same as without plugins. That change would be completely in devpi-server, so if that sounds good, please create an issue there and assign to me.

hpk42 commented 9 years ago

On Wed, Feb 04, 2015 at 03:18 -0800, Florian Schulze wrote:

> We can create the user object on index creation if the user has permission to do so. Then we don't get lots of unused user objects and the experience is the same as without plugins. That change would be completely in devpi-server, so if that sounds good, please create an issue there and assign to me.

Not sure I 100% understand. Without LDAP you need a user to be logged in (and thus a user object) before you can create an index, no?

If a user is logged in as "X" it should be able to create "Y/dev", auto-creating a Y user.

So the "auto-create-devpiuser-on-index-creation" behaviour is really for the case where an externally authenticated user wants to create an own index.

best, holger



hpk42 commented 9 years ago

On Wed, Feb 04, 2015 at 11:25 +0000, holger krekel wrote:

> On Wed, Feb 04, 2015 at 03:18 -0800, Florian Schulze wrote:
>
> > We can create the user object on index creation if the user has permission to do so. Then we don't get lots of unused user objects and the experience is the same as without plugins. That change would be completely in devpi-server, so if that sounds good, please create an issue there and assign to me.
>
> Not sure I 100% understand. Without LDAP you need a user to be logged in (and thus a user object) before you can create an index, no?
>
> If a user is logged in as "X" it should be able to create "Y/dev", auto-creating a Y user.

sorry, I meant: "it should NOT be able ..."

> So the "auto-create-devpiuser-on-index-creation" behaviour is really for the case where an externally authenticated user wants to create an own index.

best, holger



fschulze commented 9 years ago

The user object would only be created if the username matches the currently logged in user.

hpk42 commented 9 years ago

On Wed, Feb 04, 2015 at 03:28 -0800, Florian Schulze wrote:

> The user object would only be created if the username matches the currently logged in user.

Which amounts to the use case I described (external auth users get their user object auto-created if necessary).

Marc, do you care for opening an issue so Florian can tackle it?

holger



msabramo commented 9 years ago

Of course the least I can do is open an issue!

https://bitbucket.org/hpk42/devpi/issue/210/automatically-create-index-and-user-object

Thank you both!
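
Added example, not part of the thread and not devpi-server's code: a small Python model of the rule the discussion settles on, where a user object is auto-created on index creation only when the target username matches the already-authenticated caller, and an operator restriction (modelled on `--restrict-modify`) overrides that. `Server`, `create_index`, `may_modify` and `Forbidden` are hypothetical names, and the restriction is simplified to a set of user names.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


class Forbidden(Exception):
    """Request rejected; a real server would answer 403."""


@dataclass
class Server:
    # Hypothetical in-memory model, not devpi-server's own classes.
    users: Set[str] = field(default_factory=set)
    indexes: Set[str] = field(default_factory=set)
    # None models the default policy; a set models an operator who started
    # the server with --restrict-modify (simplified here to user names only).
    restrict_modify: Optional[Set[str]] = None

    def may_modify(self, auth_user: str, target_user: str) -> bool:
        if self.restrict_modify is not None:
            return auth_user in self.restrict_modify
        return auth_user == target_user

    def create_index(self, auth_user: str, path: str) -> bool:
        """Create 'user/index'; return True if a user object was auto-created.

        auth_user is assumed to be already authenticated (e.g. via LDAP).
        """
        target_user, sep, name = path.partition("/")
        if not (target_user and sep and name) or "/" in name:
            raise ValueError(f"expected 'user/index', got {path!r}")
        if not self.may_modify(auth_user, target_user):
            raise Forbidden(f"{auth_user!r} may not create {path!r}")
        created_user = False
        if target_user not in self.users:
            # Auto-create only the caller's own user object, never someone else's.
            if target_user != auth_user:
                raise LookupError(f"no user {target_user!r}")
            self.users.add(target_user)
            created_user = True
        self.indexes.add(path)
        return created_user
```
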