On 08/18/2015 04:13 PM, thierry bordaz wrote:
On 08/18/2015 04:04 PM, Martin Basti wrote:
On 08/18/2015 03:49 PM, thierry bordaz wrote:
On 08/18/2015 03:06 PM, Martin Basti wrote:
On 08/18/2015 11:32 AM, thierry bordaz wrote:
On 08/18/2015 10:02 AM, Martin Basti wrote:
On 08/18/2015 09:59 AM, thierry bordaz wrote:
On 08/18/2015 09:55 AM, Martin Basti wrote:
On 08/18/2015 09:50 AM, thierry bordaz wrote:
On 08/17/2015 08:33 PM, Martin Basti wrote:
Hello,
the 'user-stage' command replaces 'stageuser-add
--from-delete' command.
https://fedorahosted.org/freeipa/ticket/5041
Thierry, can you check if I didn't break everything? It works
for me, but one never knows.
Honza, can you please check the framework side? I use
self.api.Object.stageuser.add.* in the user command, I'm not sure
if this is the right way, but it works.
Patch attached. I created it in a hurry, I'm expecting NACK :D
Just a question at the end: should I implement a way Active user
-> stageuser? IMHO it would be implemented internally by
calling 'user-del --preserve' inside 'user-stage'.
Hi Martin,
There is a small failure with VERSION (edewata pushed his
patch first ;-) )
git apply -v
/tmp/freeipa-mbasti-0297-Add-user-stage-command.patch
Checking patch API.txt...
Checking patch VERSION...
error: while searching for:
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=148
# Last change: ftweedal - add --out option to user-show
error: patch failed: VERSION:90
error: VERSION: patch does not apply
Checking patch ipalib/plugins/stageuser.py...
Checking patch ipalib/plugins/user.py...
There are many pending patches that may change the VERSION number; I
will change it to the right one before push.
Does the code look good to you?
Hi Martin,
Just a question, there is no additional permission. Did you test
being 'admin'?
thanks
thierry
No, I didn't.
I preserved all permissions, the original permissions should work.
Martin
Hi Martin,
Running a test script, I have an issue with
ipa stageuser-add --first=t --last=b tb1
ipa: ERROR: an internal error has occurred
[Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486]
ipa: INFO: [jsonserver_kerb]
[email protected]: stageuser_add(u'tb1',
givenname=u't', sn=u'b', cn=u't b', displayname=u't b',
initials=u'tb', gecos=u't b',
krbprincipalname=u'[email protected]',
random=False, all=False, raw=False, version=u'2.149',
no_members=False): AttributeError
[Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485]
ipa: ERROR: non-public: AttributeError: 'DN' object has no
attribute 'setdefault'
[Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485]
Traceback (most recent call last):
[Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485]
File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
line 347, in wsgi_execute
[Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485]
result = self.Command[name](*args, **options)
[Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485]
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
line 443, in __call__
[Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485]
ret = self.run(*args, **options)
[Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485]
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
line 760, in run
[Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485]
return self.execute(*args, **options)
[Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485]
File
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
line 1227, in execute
[Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485]
*keys, **options)
[Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485]
File
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py", line
373, in pre_callback
[Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485]
attrs_list, *keys, **options)
[Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 10485]
File
"/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py", line
277, in set_default_values_pre_callback
[Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485]
entry_attrs.setdefault('description', [])
[Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485]
AttributeError: 'DN' object has no attribute 'setdefault'
[Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485]
ipa: INFO: [jsonserver_session]
[email protected]: stageuser_add(u'tb1',
givenname=u't', sn=u'b', cn=u't b', displayname=u't b',
initials=u'tb', gecos=u't b',
krbprincipalname=u'[email protected]',
random=False, all=False, raw=False, version=u'2.149',
no_members=False): AttributeError
The new set_default_values_pre_callback cannot use the
setdefault function. It is not clear why. entry_attrs is one of
the pre_callback parameters.
Should set_default_values_pre_callback be a subfunction of
pre_callback?
thanks
thierry
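The traceback above shows the helper's `entry_attrs` parameter bound to a `DN` object rather than the entry. As an added illustration (not FreeIPA code, and not the actual fix Martin applied), the block below reproduces one way that happens: a positional-argument shift when a plain function is called as if it were a method. `DN`, `FakeLDAP`, `StageUserAddStandIn` and both callbacks are hypothetical stand-ins that only mirror the names in the traceback; the real ipalib signatures are not reproduced.

```python
"""Added example, not FreeIPA code: a positional-argument shift that yields
"'DN' object has no attribute 'setdefault'", and the corrected call."""


class DN(object):
    """Stand-in for ipapython.dn.DN: a distinguished name, deliberately not dict-like."""

    def __init__(self, text):
        self.text = text


class FakeLDAP(object):
    """Stand-in for the LDAP connection object handed to callbacks."""


def set_default_values_pre_callback(ldap, dn, entry_attrs, attrs_list, *keys, **options):
    """Plain helper: expects entry_attrs to be the dict-like entry."""
    entry_attrs.setdefault("description", [])
    return entry_attrs


class StageUserAddStandIn(object):
    """Hypothetical command object whose pre_callback delegates to the helper."""

    def buggy_pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        # Assumed cause: the helper is called as if it were a method, with `self`
        # as an extra leading argument. Every parameter shifts right by one, so
        # the helper's `entry_attrs` receives the DN and `.setdefault` fails.
        return set_default_values_pre_callback(
            self, ldap, dn, entry_attrs, attrs_list, *keys, **options)

    def fixed_pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        # Fix: forward exactly the helper's parameters, nothing extra.
        return set_default_values_pre_callback(
            ldap, dn, entry_attrs, attrs_list, *keys, **options)


def run(callback_name):
    """Run one callback on a constructed stageuser_add entry (values mirror the
    'tb1' call in the log); return the error text on failure, else the entry."""
    cmd = StageUserAddStandIn()
    entry = {"uid": ["tb1"], "givenname": ["t"], "sn": ["b"]}
    dn = DN("uid=tb1,cn=staged users,cn=accounts,cn=provisioning,dc=example")
    try:
        return getattr(cmd, callback_name)(FakeLDAP(), dn, entry, ["uid"], "tb1")
    except AttributeError as err:
        return str(err)


if __name__ == "__main__":
    print(run("buggy_pre_callback"))
    print(run("fixed_pre_callback"))
```

Running it prints the same AttributeError text as the server log for the buggy variant and the entry with an empty `description` list for the fixed one; the lesson is that a miscounted positional argument fails far from the call site, so checking the helper's signature against the call is the first thing to do with such a traceback.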
Thank you,
updated patch attached.
So far, tests are ok.
Just one comment, the 'user-stage' command description is wrong, as
it moves an active user into the staged area:
user-stage    Move deleted user into staged area
No, it's not doing that.
user-stage is a replacement for stageuser-add --from-delete, it doesn't
work for active users.
The support to move an active user to the staged area is an RFE, I have not
implemented it yet, and I don't know if this will fit the IPA 4.2 timeframe.
Ok. thanks.
Sure, user-stage (active->stage) will not fit into the IPA 4.2 timeframe.
Running the tests being admin, there is no problem.
I have a permission issue when running as 'Stage administrator'. The
'delete' entry being moved to the 'stage' container, we need a special
permission for it.
Hello,
I tested this new permission to grant 'Stage user administrator' the ability to do
a 'user-stage'.
Is it ok to add it to your patch?
thanks
thierry
[root@vm-141 ~]# ipa user-del ttest1 --preserve
---------------------
Deleted user "ttest1"
---------------------
[root@vm-141 ~]# ipa user-stage ttest1
ipa: ERROR: Insufficient access: Insufficient 'moddn' privilege to move an entry to 'cn=staged users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
[root@vm-141 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_hw3P667
Default principal: [email protected]
Valid starting Expires Service principal
08/18/2015 15:45:43 08/19/2015 15:45:42
ldap/vm-141.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.brq.redhat.com
08/18/2015 15:45:42 08/19/2015 15:45:42
krbtgt/[email protected]
[root@vm-141 ~]# kinit admin
Password for [email protected]:
[root@vm-141 ~]# ipa user-stage ttest1
----------------------------
Staged user account "ttest1"
----------------------------
[root@vm-141 ~]# ipa stageuser-find ttest1
--------------
1 user matched
--------------
User login: ttest1
First name: t
Last name: test1
Home directory: /home/ttest1
Login shell: /bin/sh
Email address: [email protected]
UID: 1814000011
GID: 1814000011
Password: False
Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
From 924c879dcf875055d6bd021b4bde9222b9e0ce41 Mon Sep 17 00:00:00 2001
From: root <[email protected]>
Date: Tue, 18 Aug 2015 16:35:33 +0200
Subject: [PATCH] Add permission for user-stage
---
ACI.txt | 2 ++
ipalib/plugins/stageuser.py | 11 +++++++++++
2 files changed, 13 insertions(+)
diff --git a/ACI.txt b/ACI.txt
index 9909927..914d044 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -269,6 +269,8 @@ aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=
dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Stage preserved User";allow (moddn) groupdn = "ldap:///cn=System: Stage preserved User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
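Review bot: ACI.txt is generated from the plugins' managed permissions (makeaci regenerates it and the build compares the two), so this hunk should be the regenerated output rather than a hand edit; if it was regenerated, the placement of the new `System: Stage preserved User` entry before `System: Undelete User` under `dn: dc=ipa,dc=example` is what the tool produces and is fine. The grant itself is appropriately narrow: moddn is allowed only with `target_from` the deleted-users container and `target_to` the staged-users container, mirroring the existing Undelete User ACI, so holders of the permission cannot move entries anywhere else. One naming nit: the sibling permission capitalises `Preserved` (`System: Reset Preserved User password`), so `System: Stage Preserved User` would be consistent.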
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index d9d99bb..8ffab73 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -250,6 +250,17 @@ class stageuser(baseuser):
'ipapermright': {'moddn'},
'default_privileges': {'Stage User Administrators'},
},
+ # Allow to move preserved user to stage container (user-stage)
+ # Note: targetfilter is the target parent container
+ 'System: Stage preserved User': {
+ 'ipapermlocation': DN(api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtargetfrom': DN(baseuser.delete_container_dn, api.env.basedn),
+ 'ipapermtargetto': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=nsContainer)'},
+ 'ipapermright': {'moddn'},
+ 'default_privileges': {'Stage User Administrators'},
+ },
}
@register()
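Review bot: a new managed permission reaches already-installed servers only through the upgrade/update run, so the commit message should note that a Stage User Administrator on an existing server keeps hitting the `Insufficient 'moddn' privilege` error from the thread until that has run. The definition mirrors the moddn entry directly above it, with `ipapermtargetfrom`/`ipapermtargetto` bounding the move to deleted-users -> staged-users and `default_privileges` handing it to `Stage User Administrators`, which matches the manual test in the thread. Minor: `# Allow to move preserved user to stage container (user-stage)` reads better as `# Allow moving a preserved user into the stage container (user-stage)`, and the commit is authored as `root`; set a real author before pushing.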
--
2.4.3
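To make the permission failure and the fix in this thread concrete, here is an added example (not FreeIPA's code) that parses the ACI lines from the ACI.txt hunk above and evaluates which one, if any, grants the moddn that `ipa user-stage` needs. The evaluation is a deliberately simplified model of the 389-ds rule: `target_from`/`target_to` are compared against the entry's current and requested parent containers (as the patch comment says), by exact match only, with no wildcards and no deny precedence. The container DNs are those from the hunk; the group membership of the Stage User Administrator and the `ttest1` move are constructed from the thread.

```python
"""Added example, not FreeIPA code: parse ACI.txt-style ACIs and check a moddn."""
import re

# Clauses such as (target_from = "ldap:///...") that precede the version clause.
_CLAUSE = re.compile(r'\((\w+)\s*=\s*"([^"]*)"\)')
# The trailing (version 3.0;acl "name";allow (rights) groupdn = "...";) clause.
_RULE = re.compile(
    r'\(version 3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*'
    r'(groupdn|userdn)\s*=\s*"([^"]*)";\s*\)')


def _norm(dn):
    """Strip the ldap:/// prefix and lower-case a DN for comparison."""
    return dn.replace("ldap:///", "", 1).strip().lower()


def parse_aci(text):
    """Parse the subset of 389-ds ACI syntax used in ACI.txt into a dict."""
    head, _, tail = text.partition("(version")
    rule = _RULE.search("(version" + tail)
    if rule is None:
        raise ValueError("unsupported ACI syntax: %r" % text)
    name, effect, rights, bind_type, bind_dn = rule.groups()
    if name.startswith("permission:"):
        name = name[len("permission:"):]
    return {
        "name": name,
        "effect": effect,
        "rights": {r.strip() for r in rights.split(",")},
        "bind_type": bind_type,
        "bind_dn": _norm(bind_dn),
        "targets": dict(_CLAUSE.findall(head)),
    }


def moddn_allowed(acis, entry_dn, new_parent_dn, bind_groups):
    """Return the name of the first ACI permitting entry_dn to be moved under
    new_parent_dn for a bind identity holding bind_groups, else None.
    Simplified model: target_from/target_to are matched against the old and
    new parent containers exactly (no wildcards, no deny rules)."""
    old_parent = _norm(entry_dn.split(",", 1)[1])
    new_parent = _norm(new_parent_dn)
    groups = {_norm(g) for g in bind_groups}
    for aci in acis:
        if aci["effect"] != "allow" or "moddn" not in aci["rights"]:
            continue
        if aci["bind_type"] != "groupdn" or aci["bind_dn"] not in groups:
            continue
        targets = aci["targets"]
        if "target_from" not in targets or "target_to" not in targets:
            continue
        if (_norm(targets["target_from"]) == old_parent
                and _norm(targets["target_to"]) == new_parent):
            return aci["name"]
    return None


BASE = "dc=ipa,dc=example"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning," + BASE
STAGED = "cn=staged users,cn=accounts,cn=provisioning," + BASE
ACTIVE = "cn=users,cn=accounts," + BASE
PERMS = "cn=permissions,cn=pbac," + BASE

# The two moddn ACIs from the ACI.txt hunk: the existing Undelete User one and
# the one the patch adds.
ACI_UNDELETE = (
    '(target_to = "ldap:///%s")(target_from = "ldap:///%s")'
    '(targetfilter = "(objectclass=nsContainer)")(version 3.0;'
    'acl "permission:System: Undelete User";allow (moddn) groupdn = '
    '"ldap:///cn=System: Undelete User,%s";)' % (ACTIVE, DELETED, PERMS))
ACI_STAGE = (
    '(target_to = "ldap:///%s")(target_from = "ldap:///%s")'
    '(targetfilter = "(objectclass=nsContainer)")(version 3.0;'
    'acl "permission:System: Stage preserved User";allow (moddn) groupdn = '
    '"ldap:///cn=System: Stage preserved User,%s";)' % (STAGED, DELETED, PERMS))

# Constructed: the permission group a Stage User Administrator holds once the
# patch is applied (no Undelete User permission, as in the thread).
STAGE_ADMIN_GROUPS = {"cn=System: Stage preserved User," + PERMS}


def check_user_stage(acis, bind_groups):
    """Model 'ipa user-stage ttest1': move the preserved entry into the staged container."""
    return moddn_allowed(acis, "uid=ttest1," + DELETED, STAGED, bind_groups)


if __name__ == "__main__":
    before = [parse_aci(ACI_UNDELETE)]
    after = before + [parse_aci(ACI_STAGE)]
    print("before patch:", check_user_stage(before, STAGE_ADMIN_GROUPS))  # None
    print("after patch:", check_user_stage(after, STAGE_ADMIN_GROUPS))
```

Before the patch no allow rule with moddn between those two containers matches the Stage User Administrator's groups, which is the `Insufficient 'moddn' privilege` error in the session above; after it, `System: Stage preserved User` matches. The same function returns None for the reverse move (staged to deleted) and for a move into the active `cn=users` container, so the model also shows that the new grant does not widen what a Stage User Administrator can do beyond user-stage.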
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code