Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE

From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE
Date: Fri, 21 Feb 2025 15:38:53 +0100	[thread overview]
Message-ID: <20250221153853.2522e0bc@rosa.proxmox.com> (raw)
In-Reply-To: <613520840.10274.1740145968755@webmail.proxmox.com>

On Fri, 21 Feb 2025 14:52:48 +0100 (CET)
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:

> > Markus Frank <m.frank@proxmox.com> hat am 21.02.2025 14:44 CET geschrieben:
> > 
> >  
> > Thank you for reviewing this patch series.
> > 
> > On  2025-02-21 13:41, Fabian Grünbichler wrote:  
> > >   
> > >> Markus Frank <m.frank@proxmox.com> hat am 18.02.2025 17:19 CET geschrieben:
> > >>
> > >>   
> > >> The name Realm.pm was chosen because a Domain.pm already exists.  
> > > 
> > > but the API path is still domains, and the naming inside the code/descriptions/.. is also rather inconsistent. should we settle on one or the other?  
> > 
> > We use /access/domain in PVE/PBS and already allow /access/domains in PMG/HTTPServer.pm:
> > ```
> >       # explicitly allow some calls without auth
> >       if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
> >          ($rel_uri eq '/quarantine/sendlink' && ($method eq 'GET' || $method eq 'POST')) ||
> >   	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
> > ```
> > 
> > Before renaming it to Realm, I was using Authdomain as the file/module name.
> > If we want to stick to one name, we either use Authdomains (or something similar) again, or we change everything to realm and use a different api path than PVE/PBS.
> > I think I would prefer using Authdomains and /access/domain.
> > 
> > Any opinions?  
> 
> I think we have three options:
> - use domains just for the api path, rename it to realm across the board otherwise in PMG (this is a bit what the v5 of the patch does, but it doesn't do it 100% ;))
> - use realm everywhere in PMG (might require adaptations in pwt and other common code to allow this, and probably requires API clients to adapt to that as well if shared across PMG/PBS/PVE?), and migrate PVE and PBS to that terminology as well at some point
> - use domains and realm interchangeably like in PVE (requires to name at least the perl module differently in PMG, and might be confusing?)
> 
> this is a bit of a historic issue, and not the fault of this patch series - I'd just like to avoid making it worse by calling the same thing "realm", "domain", "authdomain", "authentication domain" while also having other "domain"s in PMG if we can avoid it ;) for that reason alone the third option is the least attractive to me.
I prefer the second option - and if we pick it it would be a good time to
consider if 'realm' might be used in a different context (now or later on)
as well?
I've only heard the term in context of authentication(/authorization) -
and a quick search online did not show too much other uses - but before we
have to rename API-paths again in the future - I thought I'd ask now (if
there's other uses 'authrealm', 'authentication realm' should be unique
enough I hope)


> 
> 
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel