On Fri, 2014-02-28 at 10:01 -0500, Rob Crittenden wrote: > Petr Spacek wrote: > > On 28.2.2014 15:25, Nathaniel McCallum wrote: > >> On Fri, 2014-02-28 at 10:47 +0100, Petr Vobornik wrote: > >>> On 28.2.2014 04:02, Rob Crittenden wrote: > >>>> Alexander Bokovoy wrote: > >>>>> On Thu, 27 Feb 2014, Nathaniel McCallum wrote: > >>>>>> So the recent discussion on importing tokens led me to write a > >>>>>> script to > >>>>>> parse RFC 6030 xml files into IPA token data. This all works well. > >>>>>> But > >>>>>> now I need to integrate it into the IPA framework. > >>>>>> > >>>>>> This command will parse one or more xml files, creating a set of > >>>>>> tokens > >>>>>> to be added. Given that we already have otptoken-add on the > >>>>>> server-side, > >>>>>> it seems to me that all work needs to be done on the client-side. > >>>>>> How do > >>>>>> I create a new client-side command that calls existing server-side > >>>>>> API? > >>>>> subclass from frontend.Local, override run() or forward() method and > >>>>> perform batch > >>>>> operation of otptoken_add from there. > >>>>> > >>>>> See cli.help, for example. > >>>> > >>>> If you do an override, do forward() for cli-specific work. > >>>> > >>>> But you should do as little as possible for reasons you already stated: > >>>> the UI. Anything you do in forward Petr will need to implement in > >>>> the UI. > >>>> > >>>> Unfortunately we don't yet have a nice way to handle files. We have > >>>> tickets open at https://fedorahosted.org/freeipa/ticket/1225 and > >>>> https://fedorahosted.org/freeipa/ticket/2933 > >>>> > >>>> If this file is something that would be pasted into a big text field > >>>> then you can probably handle it in a similarly clumsy way that we do > >>>> CSRs in the cert plugin. > >>>> > >>>> rob > >>> > >>> +1 for parsing it on server. Otherwise every client, not just CLI or Web > >>> UI, would have to reimplement the same logic - having it on server will > >>> support better integration with third party products. > >>> > >>> Parsing on client would be understandable if there was some middle step > >>> which would require some action from user, i.e, pick only some tokens to > >>> import. > >> > >> If we parse on the server side, how do we handle the long-running > >> operation? Think of the case of importing hundreds or thousands of > >> tokens... > > > > My experience is that operation on server side can run for (at least) > > few minutes without a problem. I haven't try longer periods but we can > > check that. > > It can run for hours. Migration performance in IPA used to be rather > pitiful and migrating several thousand users could easily take 5+ hours. > IIRC sometimes the client would time out but the server side would still > complete, you just got no feedback.
In this case, feedback is pretty crucial. We will validate all the tokens before writing any of them, so this feedback could be pretty quick. However, if an error occurs during writing, we need to continue adding all the tokens and give an error report at the end of all the tokens that weren't added. Ideally, this report should be in the same import xml format that was provided. Nathaniel _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
