Mailinglist Archive: zypp-devel (149 mails)

[Michael Calmer <mc@xxxxxxx>]

Hi,

Am Dienstag, 16. September 2008 schrieb Jan Kupec:
> Michael Calmer wrote:
> > Hi,
> >
> > Am Montag, 8. September 2008 schrieb Jan Kupec:
> > > Hi,
> > >
> > > Current solution uses simple text files containing one URL per line,
> > > _containing_ also 'username:password@'. These URLs are then fed to the
> > > zypp::Url constructor which parses them into an object from which you
> > > can get the username and password, as well as compare with other URLs
> > > using different zypp::url::ViewOption, etc...
> >
> > I would like to see an enhancement to this. It should be possible to
> > write a pointer to a file into the url. With this we have the possibility
> > to use the same credentials for more then one repo/service.
> >
> > Proposal:
> >
> > https://hostname.domain.top/path/?credentials=/etc/credentials.d/mycreden
> > tial
>
> OK, i like this as a third way to store/get credentials. So to sum it
> up, the media backend would look at:
>
> 1) global, world readable:

having credentials world readable is bad. I would suggest to have them 
600 root root in etc/[zypp]/credentials.d/ . A normal user cannot use them. A 
normal user should use 2).

>     /etc/zypp/credentials.d/* files (in case of INI format)
>     OR
>     /etc/zypp/credentials file (in case of one URL/line format)
>
>     (which one do you like more? Note that the files in the
>      credentials.d dir would have to have random names in case the name
>      is not supplied in ?credentials=filename (without path))

I would suggest "?credetials=filename" in the service or repos file mean:

If user is "root": look into /etc/zypp/credentials.d/<filename> . 
If user is not root: look into ~/.zypp/credentials.d/<filename>


> 2) user readable
>
>     ~/.zypp/credentials.d/* or ~/.zypp/credentials
>
> 3) user specified file (world/user readable?)
>
>     look at the file provided as ?credentials=/absolute/path/credfile
>
>     - the URL has to be saved with this parameter
>     - Q: isn't revealing of the location of the credentials file
>       a security issue?
>
> > The credential file has the format:
> >
> > username=...
> > password=...
> >
> > (of soemthing similar if curl supports credentials from file)
>
> plus a URL, in case the location is not part of the URL as the
> 'credentials' parameter. The URL could be the INI section name: [URL].

No. The URL in a service or repo defines which credetial file to use. Not the 
other way. This is the only way to use one credential file for more then one 
service or repo. 


> As suggested above, this would require to save each credentials in a
> separate file. Or we still could put all the credentials in one file
> (except for those user-specified) and separate them by the [URL] sections.

I do not like the idea of INI. One file per credential is easy. In case 
somebody has to replace a credentail it is much easier to remove the file and 
create a new with the new credentails under the same name. 

> > The current inplementation can stay. So
> > http://username:password@xxxxxxxxxxxxxxxxxx/path is an alternative.
>
> I guess one format should be enough :O) So i'll wait a bit for some
> votes choosing one of them.


-- 
MFG

        Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: Michael.Calmer@xxxxxxxx
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)