Andrew Bogott has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/348105 )

Change subject: wmfkeystonehooks:  Look in the whole tree for the next gid.
......................................................................

wmfkeystonehooks:  Look in the whole tree for the next gid.

Previously we were only looking for group IDs in the project
group tree, which meant we were missing (and colliding with)
service groups.

Change-Id: I733a3665f5fe9b295a0780267d8e31f8a2523ab2
---
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
M modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
M modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
4 files changed, 16 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/05/348105/1

diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
index 8fa0323..04472ce 100644
--- a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
+++ b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
@@ -72,8 +72,8 @@
 
 # ds is presumed to be an already-open ldap connection
 def _all_groups(ds):
-    basedn = cfg.CONF.wmfhooks.ldap_group_base_dn
-    allgroups = ds.search_s(basedn, ldap.SCOPE_ONELEVEL)
+    basedn = cfg.CONF.wmfhooks.ldap_base_dn
+    allgroups = ds.search_s(basedn, ldap.SCOPE_SUBTREE)
     return allgroups
 
 
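Review bot: The widened search in `_all_groups` passes no filter, so with python-ldap's default `(objectClass=*)` it now returns every entry under `ldap_base_dn`, not only groups. That makes the call more likely to hit a server-side size limit. If the next-gid calculation (outside this hunk) relies on this list, any gid it misses can be handed out again, and a reused gid would give a new project group the file access of an existing service group. Consider narrowing it, e.g. `allgroups = ds.search_s(basedn, ldap.SCOPE_SUBTREE, '(objectClass=posixGroup)')`, assuming service groups carry that object class, and extend the comment above the function to say the whole tree is searched. The same applies to the mitaka copy of `_all_groups`.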
@@ -180,9 +180,9 @@
             try:
                 ds.add_s(dn, modlist)
                 break
-            except ldap.LDAPError:
-                LOG.warning("Failed to create group, attempt number %s: %s" %
-                            (i, modlist))
+            except ldap.LDAPError as exc:
+                LOG.warning("Failed to create group %s, attempt number %s: %s 
%s" %
+                            (dn, i, exc, modlist))
 
 
 def create_sudo_defaults(project_id):
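Review bot: The new warning in the `except ldap.LDAPError as exc` branch is still built eagerly with `%`; passing the values as logger arguments keeps formatting lazy and stops a formatting problem from masking the LDAP error: `LOG.warning("Failed to create group %s, attempt number %s: %s %s", dn, i, exc, modlist)`. The handler also treats every `LDAPError` alike, so a permanent failure such as `ldap.ALREADY_EXISTS` or `ldap.INSUFFICIENT_ACCESS` is retried like a transient one. The retry loop starts outside this hunk, so it is not visible whether exhausting the attempts is reported to the caller; if it is not, the group is silently left uncreated. The mitaka copy has the same handler.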
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index c31cdbc..09cab25 100644
--- 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++ 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -59,6 +59,9 @@
     cfg.StrOpt('admin_role_name',
                default='projectadmin',
                help='Name of project-local admin role'),
+    cfg.StrOpt('ldap_base_dn',
+               default='dc=wikimedia,dc=org',
+               help='ldap dn for posix groups'),
     cfg.StrOpt('ldap_group_base_dn',
                default='ou=groups,dc=wikimedia,dc=org',
                help='ldap dn for posix groups'),
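Review bot: The new `ldap_base_dn` option reuses the help text of `ldap_group_base_dn` (`'ldap dn for posix groups'`), which hides the fact that it is the root of a subtree search. Something like `help='ldap base dn searched (whole subtree) when looking for gids already in use'` would tell an operator that pointing it at a narrower DN can bring back gid collisions. The option list starts and ends outside this hunk, and the mitaka copy of this file has the same text.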
diff --git 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
index 8fa0323..04472ce 100644
--- a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
+++ b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
@@ -72,8 +72,8 @@
 
 # ds is presumed to be an already-open ldap connection
 def _all_groups(ds):
-    basedn = cfg.CONF.wmfhooks.ldap_group_base_dn
-    allgroups = ds.search_s(basedn, ldap.SCOPE_ONELEVEL)
+    basedn = cfg.CONF.wmfhooks.ldap_base_dn
+    allgroups = ds.search_s(basedn, ldap.SCOPE_SUBTREE)
     return allgroups
 
 
@@ -180,9 +180,9 @@
             try:
                 ds.add_s(dn, modlist)
                 break
-            except ldap.LDAPError:
-                LOG.warning("Failed to create group, attempt number %s: %s" %
-                            (i, modlist))
+            except ldap.LDAPError as exc:
+                LOG.warning("Failed to create group %s, attempt number %s: %s 
%s" %
+                            (dn, i, exc, modlist))
 
 
 def create_sudo_defaults(project_id):
diff --git 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index c31cdbc..09cab25 100644
--- 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++ 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -59,6 +59,9 @@
     cfg.StrOpt('admin_role_name',
                default='projectadmin',
                help='Name of project-local admin role'),
+    cfg.StrOpt('ldap_base_dn',
+               default='dc=wikimedia,dc=org',
+               help='ldap dn for posix groups'),
     cfg.StrOpt('ldap_group_base_dn',
                default='ou=groups,dc=wikimedia,dc=org',
                help='ldap dn for posix groups'),

-- 
To view, visit https://gerrit.wikimedia.org/r/348105

Gerrit-MessageType: newchange
Gerrit-Change-Id: I733a3665f5fe9b295a0780267d8e31f8a2523ab2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
