BIND 10 #2641: Disable default account, require authentication setup during initialization
BIND 10 Development
do-not-reply at isc.org
Mon Mar 4 18:11:35 UTC 2013
#2641: Disable default account, require authentication setup during initialization
-------------------------------------+-------------------------------------
Reporter: shane | Owner:
Type: enhancement | jinmei
Priority: very high | Status:
Component: bind-ctl | reviewing
Keywords: | Milestone:
Sensitive: 0 | Sprint-20130305
Sub-Project: Core | Resolution:
Estimated Difficulty: 4 | CVSS Scoring:
Total Hours: 0 | Defect Severity: N/A
| Feature Depending on Ticket:
| Add Hours to Ticket: 0
| Internal?: 0
-------------------------------------+-------------------------------------
Comment (by jinmei):
Replying to [comment:29 muks]:
> > > If such exceptions are raised (due to any environmental reasons),
> > > they'll go unhandled. So maybe there's no harm in leaving them
there.
> >
> > Could you also explain this?
>
> The method's description has been updated for it.
Maybe I wasn't clear enough...first off, I didn't understand whether
or not SSL or socket error can still happen in the scenario described
in #2595. If it can still happen, we should still also prevent that
in the sense we discussed in this (#2641) ticket. If it can't, at
least it doesn't make sense any more to be this specific in bindcmd.py:
{{{#!python
except ssl.SSLError as err:
self._print("SSL error while sending login information: ",
err)
if err.errno == ssl.SSL_ERROR_EOF:
self.__print_check_ssl_msg()
except socket.error as err:
self._print("Socket error while sending login information: ",
err)
# An SSL setup error can also bubble up as a plain
CONNRESET...
# (on some systems it usually does)
if err.errno == errno.ECONNRESET:
self.__print_check_ssl_msg()
pass
}}}
At least it doesn't make sense to catch specific errno's like
SSL_ERROR_EOF or ECONNRESET. `__print_check_ssl_msg` would also not
be needed any more either. And, since ssl.SSLError is derived from
socket.error (but maybe Python 3.3 has changed that; don't remember
it), it also does not even make sense to catch SSLError separately.
And, further, if socket.error is sufficiently unusual (again, it's
just an 'if'; I didn't check how often it can happen in the latest
code), explicitly catching socket.error may also not even make sense.
What I wanted is to clarify these things and make the code as simple
(while still providing necessary logs/outputs) as possible based on
that clarification.
BTW, bindctl unit tests now fail. I suspect it was because of the
latest changes.
(and I couldn't confirm whether distcheck now passes).
As for the change to b10-certgen_test, (although maybe not directly
related to this ticket) I wonder why we have this 'if-else':
{{{#!python
if ('CMDCTL_TESTDATA_PATH' in os.environ):
path = os.environ['CMDCTL_TESTDATA_PATH'] + "/tests/testdata/"
else:
path = "testdata/"
}}}
Also, setting CMDCTL_TESTDATA_PATH' to the srcdir seems to be awkward
(why it's named "TESTDATA_PATH" then?). Some clarification and
cleanup seem to be needed here.
--
Ticket URL: <http://bind10.isc.org/ticket/2641#comment:30>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list