docs: permit user/group services that do not support enumeration

sssd people don't like enumeration and for some other cases it's not
nice to support either, in particular when synthesizing records for
container/userns UID/GID ranges.

Hence, let's make enumeration optional.
Lennart Poettering 2020-07-07 11:55:21 +02:00
parent 16a4a2f8cc
commit 56870d324b
2 changed files with 10 additions and 0 deletions

@ -185,6 +185,7 @@ error NoRecordFound()
error BadService()
error ServiceNotAvailable()
error ConflictingRecordFound()
error EnumerationNotSupported()
```
The `GetUserRecord` method looks up or enumerates a user record. If the `uid`
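Review bot: `error EnumerationNotSupported()` is added to the error list with nothing saying which method can return it, while the `GetUserRecord` description directly below still reads "looks up or enumerates a user record" as if enumeration always succeeds. Suggest adding a sentence to that method description stating that the enumeration case may fail with `EnumerationNotSupported`, so someone reading the method reference sees the failure mode without having to find the later paragraph this commit adds.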
@ -264,4 +265,11 @@ services. Result of this is that it can be one service that defines a user A,
and another service that defines a group B, and a third service that declares
that A is a member of B.
Looking up explicit users/groups by their name or UID/GID, or querying
user/group memberships must be supported by all services implementing these
interfaces. However, supporting enumeration (i.e. user/group lookups that may
result in more than one reply, because neither UID/GID nor name is specified)
is optional. Services which are asked for enumeration may return the
`EnumerationNotSupported` error in this case.
And that's really all there is to it.
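Review bot: the added paragraph says what a service may do but not what a client is expected to do on `EnumerationNotSupported`, which matters because the preceding context describes several services jointly defining users, groups and memberships. Suggest stating that a client enumerating across services should skip a service that returns this error and continue with the others, and that an enumeration result is therefore not guaranteed to list every user or group that can be resolved by name or UID/GID. Tools that enumerate accounts for auditing need that caveat spelled out. The closing "in this case" would also read more clearly as "when neither UID/GID nor name is specified".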

@ -156,6 +156,8 @@ static int userdb_on_query_reply(
r = -ESRCH;
else if (streq(error_id, "io.systemd.UserDatabase.ServiceNotAvailable"))
r = -EHOSTDOWN;
else if (streq(error_id, "io.systemd.UserDatabase.EnumerationNotSupported"))
r = -EOPNOTSUPP;
else if (streq(error_id, VARLINK_ERROR_TIMEOUT))
r = -ETIMEDOUT;
else
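Review bot: the new `io.systemd.UserDatabase.EnumerationNotSupported` branch sets `r = -EOPNOTSUPP` for any reply carrying that error id, whether or not the query that was sent was an enumeration. The documentation change in this same commit says lookups by name or UID/GID must be supported by all services, so a service answering a keyed lookup with this error is outside the documented interface; consider accepting the error only when the request had neither key set, and logging or treating it as a protocol error otherwise. It is also worth confirming how callers that iterate over several services handle `-EOPNOTSUPP`, since nothing in this hunk shows whether one service declining enumeration is skipped or ends the whole iteration.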