Hi,
On Tuesday, 16 September 2008, Jan Kupec wrote:
Michael Calmer wrote:
Hi,
On Monday, 8 September 2008, Jan Kupec wrote:
Hi,
Current solution uses simple text files containing one URL per line, _containing_ also 'username:password@'. These URLs are then fed to the zypp::Url constructor which parses them into an object from which you can get the username and password, as well as compare with other URLs using different zypp::url::ViewOption, etc...
I would like to see an enhancement to this. It should be possible to write a pointer to a file into the URL. With this we have the possibility to use the same credentials for more than one repo/service.
Proposal:
https://hostname.domain.top/path/?credentials=/etc/credentials.d/mycredential
OK, I like this as a third way to store/get credentials. So to sum it up, the media backend would look at:
1) global, world readable:
Having credentials world readable is bad. I would suggest to have them 600 root root in etc/[zypp]/credentials.d/ . A normal user cannot use them. A normal user should use 2).
/etc/zypp/credentials.d/* files (in case of INI format) OR /etc/zypp/credentials file (in case of one URL/line format)
(which one do you like more? Note that the files in the credentials.d dir would have to have random names in case the name is not supplied in ?credentials=filename (without path))
I would suggest "?credentials=filename" in the service or repos file means: If user is "root": look into /etc/zypp/credentials.d/<filename> . If user is not root: look into ~/.zypp/credentials.d/<filename>
2) user readable
~/.zypp/credentials.d/* or ~/.zypp/credentials
3) user specified file (world/user readable?)
look at the file provided as ?credentials=/absolute/path/credfile
- the URL has to be saved with this parameter - Q: isn't revealing of the location of the credentials file a security issue?
The credential file has the format:
username=... password=...
(or something similar if curl supports credentials from file)
plus a URL, in case the location is not part of the URL as the 'credentials' parameter. The URL could be the INI section name: [URL].
No. The URL in a service or repo defines which credential file to use. Not the other way. This is the only way to use one credential file for more than one service or repo.
As suggested above, this would require to save each credentials in a separate file. Or we still could put all the credentials in one file (except for those user-specified) and separate them by the [URL] sections.
I do not like the idea of INI. One file per credential is easy. In case somebody has to replace a credential it is much easier to remove the file and create a new one with the new credentials under the same name.
The current implementation can stay. So http://username:password@hostname.domain.to/path is an alternative.
I guess one format should be enough :O) So I'll wait a bit for some votes choosing one of them.
--
Kind regards,
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0 F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
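The lookup rules proposed in this thread, sketched as an added example that is not part of the original mail and is not libzypp code: a bare `?credentials=` name resolves to the root or per-user directory, an absolute path is used as given, and the file is refused unless it is a regular file with no group/other access. The function names, the one `key=value` per line layout and the owner check (root or the calling user) are assumptions of this example.

```python
import os
import stat
from urllib.parse import parse_qs, urlsplit

# Directories named in the thread; function and parameter names are this example's own.
SYSTEM_DIR = "/etc/zypp/credentials.d"
USER_DIR = os.path.expanduser("~/.zypp/credentials.d")


def resolve_credentials_path(url, is_root, system_dir=SYSTEM_DIR, user_dir=USER_DIR):
    """Map a repo URL's ?credentials= value to a file path (None if absent)."""
    values = parse_qs(urlsplit(url).query).get("credentials")
    if not values:
        return None
    name = values[0]
    if os.path.isabs(name):  # user-specified absolute path, used as given
        return os.path.normpath(name)
    # A bare name must stay inside the credentials directory.
    if "/" in name or name in (".", ".."):
        raise ValueError(f"credentials value must be a plain file name: {name!r}")
    return os.path.join(system_dir if is_root else user_dir, name)


def load_credentials(path):
    """Parse username=/password= lines; refuse files others could read."""
    # O_NOFOLLOW: do not follow a symlink planted as the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, encoding="utf-8") as fh:
        st = os.fstat(fd)  # check the opened file itself, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: group/other access set, expected mode 600")
        if st.st_uid not in (0, os.geteuid()):  # assumption: root or caller must own it
            raise PermissionError(f"{path}: owned by another user")
        creds = {}
        for line in fh:
            key, sep, value = line.rstrip("\r\n").partition("=")
            if sep and key in ("username", "password"):
                creds[key] = value
    if set(creds) != {"username", "password"}:
        raise ValueError(f"{path}: needs both username= and password=")
    return creds


if __name__ == "__main__":
    url = "https://hostname.domain.top/path/?credentials=mycredential"
    print(resolve_credentials_path(url, os.geteuid() == 0))
```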