www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Canonical sources for information
Date Tue, 28 May 2013 22:48:30 GMT
On Tue, May 28, 2013 at 6:19 PM, sebb <sebbaz@gmail.com> wrote:
> On 28 May 2013 23:11, Sam Ruby <rubys@intertwingly.net> wrote:
>> On Tue, May 28, 2013 at 5:55 PM, Tony Stevenson <tony@pc-tony.com> wrote:
>>>
>>> On 28 May 2013, at 21:50, Alan Cabrera <adc@toolazydogs.com> wrote:
>>>>>
>>>>> This requires an LDAP login, which means the code probably cannot be
>>>>> safely automated to run on a shared host, as the password would need
>>>>> to be stored somewhere.
>>>>>
>>>>> Would it be possible to provide access to the public information
>>>>> without requiring a login?
>>>>
>>>> How about returning just public information when credentials are not supplied
>>>> and returning full information if credentials are supplied?
>>>
>>> The issue here is that your credentials are used to bind to LDAP to collect this
>>> data, AIUI.
>>
>> Actually, I don't believe so.
>
> Aren't the credentials used to restrict which data is returned?
> i.e. members get more info than committers?

Yes, the authenticated user name is used in determining what filters
to apply to the results; but the point still stands that the
credentials aren't used to bind to LDAP.

>> Anybody with shell access to certain
>> machines can obtain this data (read only).  This includes role
>> accounts, including the one used by the web server.
>
> I think that's a separate feature.

Indeed.

> AFAIK it's how the people.a.o cron job works.

Almost certainly.

>> Given the way HTTP authentication works, it probably would be best if
>> we want to provide an unauthenticated service that we do so with a
>> separate URI.
>
> Or (as I already wrote) update the people cron job to generate
> additional output file formats.

That works too.

I'll note that the json output option on whimsy was created long
before this request was made.

And I will also note that python has excellent libraries for dealing
directly with LDAP, should Alan make the choice to run his scripts on
ASF Infrastructure.

I'll finally note that LDAP isn't the only authoritative source,
though in many cases it is the only one that matters.  Many of our
other authoritative sources contain contradictory information, as you
can see here:

  https://whimsy.apache.org/roster/committee/

- Sam Ruby
