RFE: finer grained auth with providers #52
Comments
|
hm... .netrc basically maps a hostname to a password. This is a documented, well established behaviour and it's probably a Bad Idea to add something to the hostname -- this will break the file when used in other contexts. Ergo: no reasonable solution as long as using .netrc. Likewise, the idea to invent some other file for this purpose is, well... let's not do that. Which basically leaves the option to have this actual while handling #23. There is now code supporting multiple configuration file sections (#25), this is a step forward also when thinking about this. |
|
More thinking. The hostname of the API server might not be unique when there are several accounts on the same API server, However, the hostname we configure, something like myhost.someservice.net, has to be unique, right? That is, if we use this as key rather than the API hostname we should be fine. Since netrc supports an account token it should be possible to implement this on current netrc solution, decoupling it from #23. @g2p: Thoughts? |
|
... which actually boils down to that the current system fundamentally should work out of the box if writing a plugin for, say, Google domains. The only thing required by the plugin is to use instead of which should work just fine. However, ddupdate-config would not make the right things here so it would require manual editing of ~/.netrc. @g2p : Let me know what you think. If you plan to make a plugin for google domains, I might look into ddupdate-config (which is EDIT: If you need also the account we could modify For ddupdate-config we would need to mark the plugin as using configured hostname rather than API hostname, probably just an attribute like |
|
I've looked at how curl handles netrc and have an idea that should work with the configuration system. I'm pleased that it now handles multiple sections by the way. Have |
|
hm... I don't really follow you here.
OK, something like
Here, I'm lost... |
becomes Whereas just becomes |
|
With a netrc file like this:
|
|
ok, the 'configuration sections' wording fooled me The drawback here is that netrc will contain multiple lines with the same machine. This is not really how things are intended to work, and the standard python bindings just not support it [1] For that reason, the approach to use the configured hostname as key has an advantage -- the configured host is a DNS name which by definition is unique. Can you see any drawbacks with this? |
|
Ah, I looked at the stdlib module, there's no issue with the parsing, just with the way it stuffs everything into a hosts[machine] dictionary. It wouldn't be too hard to add an accounts[(machine, login)] dictionary as well, using the stdlib code as a starting point. Your idea works as well, but as far as drawbacks, the configured host might have its own netrc entry for unrelated reasons, maybe for curl or ftp. |
Sure, but forking standard libraries is seldom a good idea.
True. So this is about forking a system library vs collisions when using netrc for a configured host for other purposes. As I see it, using the configured host is overall a more simple solution. It also maintains the netrc semantics as described in the manpage -- if we have two lines with the same machine the use of .netrc becomes more or less undefined when running for example ftp. The "collision" drawback exists. Perhaps we could handle it by adding a fake TLD to the configured host entries. That is, a host like Thoughts? |
|
ping? |
|
My preferred way is still the way curl does it, which uses the login. My next preferred way might be to alias hosts under a .ddupdate tld, but it requires care if you still want to handle netrc entries that predate the change. |
|
Seems that we still disagree. OTOH, in the end I am the maintainer here, and we need to make a decision. So, in other words: can you live with the "aliased hosts" solution? |
|
Sure, I can. Thank you. |
|
I'll add a parameter to With that change you should be fine to develop and test a google-domains plugin. You would need to edit the .netrc manually. OK? |
|
I'm willing to send a PR that does both (update get_netrc_auth and the domains plugin) if we go with the tld as described here: #52 (comment) |
Some dynamic dns providers (like Google domains) support updating
multiple hosts, each with their own API credentials.
To specify credentials that are specific to a target domain
at a provider, put the following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
Closes leamas#52.
Some dynamic dns providers (like Google domains) support updating
multiple hosts, each with their own API credentials.
To specify credentials that are specific to a target domain
at a provider, put the following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
With machine of the form:
targetdomain.providerdomain.ddupdate
Closes leamas#52.
Google domains dynamic dns API credentials are scoped to update a single
hostname.
To update multiple hosts, we update the way credentials are found in netrc.
To specify credentials that are specific to a target host, put the
following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
With machine of the form:
targethost.providerhost.ddupdate
Existing netrc entries like:
domains.google.com login AAA password BBB
are still recognized but with lower priority than a per-host match.
Closes leamas#52 (in the Google Domains case).
Google domains dynamic dns API credentials are scoped to update a single
hostname.
To update multiple hosts, we update the way credentials are found in netrc.
To specify credentials that are specific to a target host, put the
following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
With machine of the form:
targethost.providerhost.ddupdate
Existing netrc entries like:
domains.google.com login AAA password BBB
are still recognized but with lower priority than a per-host match.
Addresses leamas#52 (only in the Google Domains case).
Google domains dynamic dns API credentials are scoped to update a single
hostname.
To update multiple hosts, we update the way credentials are found in netrc.
To specify credentials that are specific to a target host, put the
following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
With machine of the form:
targethost.providerhost.ddupdate
Existing netrc entries like:
domains.google.com login AAA password BBB
are still recognized but with lower priority than a per-host match.
Addresses #52 (only in the Google Domains case).
Google domains dynamic dns API credentials are scoped to update a single
hostname.
To update multiple hosts, we update the way credentials are found in netrc.
To specify credentials that are specific to a target host, put the
following in ~/.netrc:
machine mydomain.tld.domains.google.com.ddupdate login AAA password BBB
machine mydomain2.tld.domains.google.com.ddupdate login CCC password DDD
With machine of the form:
targethost.providerhost.ddupdate
This is arguably a hack, to work with the fact that the Python netrc
parser disambiguates by hostname only (unlike curl which distinguishes by
username as well).
Existing netrc entries like:
domains.google.com login AAA password BBB
are still recognized but with lower priority than a per-host match.
Addresses leamas#52 (only in the Google Domains case).
Currently the netrc-based system picks passwords based on just the hostname of the API server. We need a way to discriminate multiple accounts at the same provider when selecting login and password. In particular, with Google Domains, multiple records appear as separate accounts, so this is needed to support updating multiple records.
Might be solved with #23 or possibly separately.
The text was updated successfully, but these errors were encountered: