Andrew Bogott has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/348105 )

Change subject: wmfkeystonehooks:  Look in the whole tree for the next gid.
......................................................................


wmfkeystonehooks:  Look in the whole tree for the next gid.

Previously we were only looking for group IDs in the project
group tree, which meant we were missing (and colliding with)
service groups.

Change-Id: I733a3665f5fe9b295a0780267d8e31f8a2523ab2
---
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
M modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
M modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
4 files changed, 30 insertions(+), 26 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
index 8fa0323..b071a3c 100644
--- a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
+++ b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
@@ -71,18 +71,17 @@
 
 
 # ds is presumed to be an already-open ldap connection
-def _all_groups(ds):
-    basedn = cfg.CONF.wmfhooks.ldap_group_base_dn
-    allgroups = ds.search_s(basedn, ldap.SCOPE_ONELEVEL)
-    return allgroups
-
-
-# ds is presumed to be an already-open ldap connection
 def _get_next_gid_number(ds):
+    basedn = cfg.CONF.wmfhooks.ldap_base_dn
+    allrecords = ds.search_s(basedn,
+                             ldap.SCOPE_SUBTREE,
+                             filterstr='(objectClass=posixGroup)',
+                             attrlist=['gidNumber'])
+
     highest = cfg.CONF.wmfhooks.minimum_gid_number
-    for group in _all_groups(ds):
-        if 'gidNumber' in group[1]:
-            number = int(group[1]['gidNumber'][0])
+    for record in allrecords:
+        if 'gidNumber' in record[1]:
+            number = int(record[1]['gidNumber'][0])
             if number > highest:
                 highest = number
 
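Review bot: `_get_next_gid_number` still picks the gid by reading the current maximum, and the group is only written later by `ds.add_s`, so two group creations that overlap can both see the same `highest` and be given the same gid. Nothing visible in this hunk makes the directory reject a duplicate `gidNumber`, and a gid shared between a project group and a service group gives unintended file access. If the directory can enforce uniqueness on `gidNumber`, rely on that; otherwise re-check after the add and document the assumption, for example `# NOTE: not atomic with add_s; concurrent creates can pick the same gid`. Because the search now covers every posixGroup under `ldap_base_dn`, one non-numeric value makes `int(record[1]['gidNumber'][0])` raise and blocks all group creation, so a guarded parse that logs and skips the record is worth considering. The function continues past the end of the hunk, and the same points apply to the identical mitaka hunk.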
@@ -180,9 +179,9 @@
             try:
                 ds.add_s(dn, modlist)
                 break
-            except ldap.LDAPError:
-                LOG.warning("Failed to create group, attempt number %s: %s" %
-                            (i, modlist))
+            except ldap.LDAPError as exc:
+                LOG.warning("Failed to create group %s, attempt number %s: %s 
%s" %
+                            (dn, i, exc, modlist))
 
 
 def create_sudo_defaults(project_id):
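Review bot: The `except ldap.LDAPError as exc` branch retries the same `ds.add_s(dn, modlist)` whatever the cause, so an error that cannot clear on its own (entry already exists, insufficient access) is repeated until the attempts run out. The retry loop starts outside the hunk, so it is not visible whether exhausting the attempts raises or falls through silently; if it falls through, the caller continues without the group. Consider breaking out or re-raising for non-transient errors and raising after the last attempt. The message is also formatted eagerly with `%`; passing the arguments to the logger is the usual form: `LOG.warning("Failed to create group %s, attempt number %s: %s %s", dn, i, exc, modlist)`. The same applies to the identical mitaka hunk.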
diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index c31cdbc..09cab25 100644
--- 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++ 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -59,6 +59,9 @@
     cfg.StrOpt('admin_role_name',
                default='projectadmin',
                help='Name of project-local admin role'),
+    cfg.StrOpt('ldap_base_dn',
+               default='dc=wikimedia,dc=org',
+               help='ldap dn for posix groups'),
     cfg.StrOpt('ldap_group_base_dn',
                default='ou=groups,dc=wikimedia,dc=org',
                help='ldap dn for posix groups'),
diff --git 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
index 8fa0323..b071a3c 100644
--- a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
+++ b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/ldapgroups.py
@@ -71,18 +71,17 @@
 
 
 # ds is presumed to be an already-open ldap connection
-def _all_groups(ds):
-    basedn = cfg.CONF.wmfhooks.ldap_group_base_dn
-    allgroups = ds.search_s(basedn, ldap.SCOPE_ONELEVEL)
-    return allgroups
-
-
-# ds is presumed to be an already-open ldap connection
 def _get_next_gid_number(ds):
+    basedn = cfg.CONF.wmfhooks.ldap_base_dn
+    allrecords = ds.search_s(basedn,
+                             ldap.SCOPE_SUBTREE,
+                             filterstr='(objectClass=posixGroup)',
+                             attrlist=['gidNumber'])
+
     highest = cfg.CONF.wmfhooks.minimum_gid_number
-    for group in _all_groups(ds):
-        if 'gidNumber' in group[1]:
-            number = int(group[1]['gidNumber'][0])
+    for record in allrecords:
+        if 'gidNumber' in record[1]:
+            number = int(record[1]['gidNumber'][0])
             if number > highest:
                 highest = number
 
@@ -180,9 +179,9 @@
             try:
                 ds.add_s(dn, modlist)
                 break
-            except ldap.LDAPError:
-                LOG.warning("Failed to create group, attempt number %s: %s" %
-                            (i, modlist))
+            except ldap.LDAPError as exc:
+                LOG.warning("Failed to create group %s, attempt number %s: %s 
%s" %
+                            (dn, i, exc, modlist))
 
 
 def create_sudo_defaults(project_id):
diff --git 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
index c31cdbc..09cab25 100644
--- 
a/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
+++ 
b/modules/openstack/files/mitaka/keystone/wmfkeystonehooks/wmfkeystonehooks.py
@@ -59,6 +59,9 @@
     cfg.StrOpt('admin_role_name',
                default='projectadmin',
                help='Name of project-local admin role'),
+    cfg.StrOpt('ldap_base_dn',
+               default='dc=wikimedia,dc=org',
+               help='ldap dn for posix groups'),
     cfg.StrOpt('ldap_group_base_dn',
                default='ou=groups,dc=wikimedia,dc=org',
                help='ldap dn for posix groups'),

-- 
To view, visit https://gerrit.wikimedia.org/r/348105

Gerrit-MessageType: merged
Gerrit-Change-Id: I733a3665f5fe9b295a0780267d8e31f8a2523ab2
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
