Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE

From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
	"Markus Frank" <m.frank@proxmox.com>,
	pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE
Date: Fri, 21 Feb 2025 17:45:47 +0100	[thread overview]
Message-ID: <8e3bbcc0-442b-4af7-88ae-bf817482ace7@proxmox.com> (raw)
In-Reply-To: <613520840.10274.1740145968755@webmail.proxmox.com>

Am 21.02.25 um 14:52 schrieb Fabian Grünbichler:
>> Markus Frank <m.frank@proxmox.com> hat am 21.02.2025 14:44 CET geschrieben:
>> We use /access/domain in PVE/PBS and already allow /access/domains in PMG/HTTPServer.pm:
>> ```
>>       # explicitly allow some calls without auth
>>       if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
>>          ($rel_uri eq '/quarantine/sendlink' && ($method eq 'GET' || $method eq 'POST')) ||
>>   	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
>> ```
>>
>> Before renaming it to Realm, I was using Authdomain as the
>> file/module name.
>> If we want to stick to one name, we either use Authdomains (or

Whatever we end up with, let's please ensure to use CamelCase for the
module name though.

>> something similar) again, or we change everything to realm and use a
>> different api path than PVE/PBS.
>> I think I would prefer using Authdomains and /access/domain.
>>
>> Any opinions?
> 
> I think we have three options:
> - use domains just for the api path, rename it to realm across the
>   board otherwise in PMG (this is a bit what the v5 of the patch does,
>   but it doesn't do it 100% ;))

meh, but something I'd be OK to accept if it helps bringin this over the
line faster, but changing this just for PMG should not be _that_ much
work.

> - use realm everywhere in PMG (might require adaptations in pwt and
>   other common code to allow this, and probably requires API clients
>   to adapt to that as well if shared across PMG/PBS/PVE?), and migrate
>   PVE and PBS to that terminology as well at some point

Would also favour that, but IMO it could be indeed fine to switch to
something very close to authentication-realm or probably better, as it
would be shorter but still as telling, auth-realm to make it even
clearer what realm means in this conetxt. I.e., get a tiny bit more
benefits out of changing this, especially if we want to align our other
projects in the future.

That said, I do not have _that_ strong feelings about the "auth" part
being included, so just reaml is fine too.

> - use domains and realm interchangeably like in PVE (requires to name
>   at least the perl module differently in PMG, and might be
>   confusing?)

yeah that would be worse in PMG than it already is in PVE/PBS due to
frequent use of the domain term for FQDNs.

_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel