www-infrastructure-dev mailing list archives

From Alan Cabrera <...@toolazydogs.com>
Subject Re: Canonical sources for information
Date Wed, 29 May 2013 05:39:02 GMT

On May 28, 2013, at 3:48 PM, Sam Ruby <rubys@intertwingly.net> wrote:

> On Tue, May 28, 2013 at 6:19 PM, sebb <sebbaz@gmail.com> wrote:
>> On 28 May 2013 23:11, Sam Ruby <rubys@intertwingly.net> wrote:
>>> On Tue, May 28, 2013 at 5:55 PM, Tony Stevenson <tony@pc-tony.com> wrote:
>>>> 
>>>> On 28 May 2013, at 21:50, Alan Cabrera <adc@toolazydogs.com> wrote:
>>>>>> 
>>>>>> This requires an LDAP login, which means the code probably cannot be
>>>>>> safely automated to run on a shared host, as the password would need
>>>>>> to be stored somewhere.
>>>>>> 
>>>>>> Would it be possible to provide access to the public information
>>>>>> without requiring a login?
>>>>> 
>>>>> How about returning just public information when credentials are not
>>>>> supplied and returning full information if credentials are supplied?
>>>> 
>>>> The issue here is that your credentials are used to bind to LDAP to collect
>>>> this data, AIUI.
>>> 
>>> Actually, I don't believe so.
>> 
>> Aren't the credentials used to restrict which data is returned?
>> i.e. members get more info than committers?
> 
> Yes, the authenticated user name is used in determining what filters
> to apply to the results; but the point still stands that the
> credentials aren't used to bind to LDAP.
> 
>>> Anybody with shell access to certain
>>> machines can obtain this data (read only).  This includes role
>>> accounts, including the one used by the web server.
>> 
>> I think that's a separate feature.
> 
> Indeed.
> 
>> AFAIK it's how the people.a.o cron job works.
> 
> Almost certainly.
> 
>>> Given the way HTTP authentication works, it probably would be best if
>>> we want to provide an unauthenticated service that we do so with a
>>> separate URI.
>> 
>> Or (as I already wrote) update the people cron job to generate
>> additional output file formats.
> 
> That works too.
> 
> I'll note that the json output option on whimsy was created long
> before this request was made.
> 
> And I will also note that python has excellent libraries for dealing
> directly with LDAP, should Alan make the choice to run his scripts on
> ASF Infrastructure.
> 
> I'll finally note that LDAP isn't the only authoritative source,
> though in many cases it is the only one that matters.  Many of our
> other authoritative sources contain contradictory information, as you
> can see here:
> 
>  https://whimsy.apache.org/roster/committee/


So, the tooling for now will always provide the username/password. I will code it against


https://whimsy.apache.org/roster/committer/<username>


Regards,
Alan

