BIND 10 #2641: Disable default account, require authentication setup during initialization
BIND 10 Development
do-not-reply at isc.org
Wed Feb 27 18:36:44 UTC 2013
#2641: Disable default account, require authentication setup during initialization
-------------------------------------+-------------------------------------
Reporter: shane | Owner:
Type: enhancement | jinmei
Priority: very high | Status:
Component: bind-ctl | reviewing
Keywords: | Milestone:
Sensitive: 0 | Sprint-20130305
Sub-Project: Core | Resolution:
Estimated Difficulty: 4 | CVSS Scoring:
Total Hours: 0 | Defect Severity: N/A
| Feature Depending on Ticket:
| Add Hours to Ticket: 0
| Internal?: 0
-------------------------------------+-------------------------------------
Comment (by jinmei):
Replying to [comment:20 muks]:
> I have removed the newly introduced cmdctl API endpoint and also the
call from bindctl to it (to check whether users exist or not). So the
major thing that this branch does is add missing tests for previously
existing code.
>
> From reading the code and also running bindctl -> cmdctl, there doesn't
seem to be any difference between how it treats a lack of users vs. a
password mismatch during authentication. For both cases, it returns
exactly the same error back to bindctl.
Looks like so, but I now wonder why the socket or SSL error doesn't
happen when, e.g., the account file exists but lacks permission.
Related, I wonder whether we still need these messages:
{{{#!python
except ssl.SSLError as err:
self._print("SSL error while sending login information: ",
err)
if err.errno == ssl.SSL_ERROR_EOF:
self.__print_check_ssl_msg()
except socket.error as err:
self._print("Socket error while sending login information: ",
err)
# An SSL setup error can also bubble up as a plain
CONNRESET...
# (on some systems it usually does)
if err.errno == errno.ECONNRESET:
self.__print_check_ssl_msg()
pass
}}}
I'd also note that this message isn't shown once the local password
cache (~/.bind10) is created. I'm not sure that was your intent, but
in any case I think the behavior makes sense.
There's one remaining open points: in cmdctl.py.in, I'd still like to
avoid hardconding 'tests/testdata':
{{{#!python
sysconf_path = os.environ["B10_FROM_SOURCE"] +
"/src/bin/cmdctl/"
accountsfile = sysconf_path + "tests/testdata/cmdctl-
accounts.csv"
}}}
one way is to keep it under
`os.environ["B10_FROM_SOURCE"] + "/src/bin/cmdctl/"` as before,
although you may not like it as this file is now also used in unit
tests. In that case, an alternative would be to copy
tests/testdata/cmdctl-accounts.csv to {top_builddir}/src/bin/cmdctl
(or even directly on top_builddir) and refer to it from cmdctl.py.in
when B10_FROM_BUILD is defined.
--
Ticket URL: <http://bind10.isc.org/ticket/2641#comment:21>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list