Re: [Freeipa-devel] [PATCH] 047 Add an address for a nameserver when a new zone is created during install
On 02/01/2011 04:15 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Mon, Jan 31, 2011 at 05:52:08PM -0500, Simo Sorce wrote:
>>> On Mon, 31 Jan 2011 22:44:43 +0100 Jakub Hrozek <jhro...@redhat.com> wrote:
>>>> https://fedorahosted.org/freeipa/ticket/881
>>>>
>>>> We've run into a chicken-and-egg problem during installation. If the hostname of the IPA server is not resolvable with DNS during installation, we'd add it as a NS server for a zone in both the SOA entry and a NS record -- but no records from the new zone are resolvable until Bind is restarted, including the new A/ records for the nameserver.
>>>>
>>>> I tried restarting the named service during Bind instance creation but that didn't help.. not exactly sure why.
>>>>
>>>> Anyway, attached is a patch that forces the NS record creation. Please note that the --force flag is available via XML-RPC only, it is completely hidden from the user otherwise.
>>>
>>> Minor issue but requires NACK.
>>> You changed the add_zone() signature to always require some parameters, but did not update it in ipa-replica-prepare
>>>
>>> Simo.
>>
>> Good catch, thank you! Attached is a new patch. I also found out that I don't have to require all the parameters as some (such as admin email) have nice defaults in the DNS plugin.
>
> This fixes it but I did have problems with overall approach.
>
> To test this I changed the host entry of my machine from slinky to spanky and ran the installer with --hostname=spanky.domain. This worked for the initial install and I was able to find the previous problem with ipa-replica-prepare.
>
> But I ran into other problems when testing this fix. The `hostname` of the machine is still slinky and very little actually worked. Restarting httpd failed and running ipa-replica-prepare failed because both were trying to contact the LDAP server on slinky, etc. Once I ran hostname spanky.domain everything worked fine.
>
> So ack for this bug but how should we handle these other problems?
>
> Oh, and I've pushed it to master.
>
> rob

This makes me wonder if we tested the same setup as QE did - I was under the impression that before I introduced the "NS must be resolvable" constraint, their setup just worked even after installation.

I think I tested a little differently, too - I just added a ipaserver.testdomain entry to /etc/hosts and ran

ipa-server-install --hostname ipaserver.testdomain --no-host-dns -r TESTDOMAIN -n TESTDOMAIN
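The check behind the chicken-and-egg problem in this thread, as an added example (not FreeIPA's own code): a nameserver that lives inside the zone being created cannot resolve until the zone is served, so the installer has to accept it explicitly (the thread's --force) and must add address records for it inside the new zone. The function names, the injected resolver and the scenario values are this example's own assumptions.

```python
# Added example (not FreeIPA's code): decide whether a nameserver may be
# written into the SOA/NS records of a zone that is about to be created.
import socket
from typing import Callable, List, Tuple

Resolver = Callable[[str], List[str]]


def fqdn_in_zone(fqdn: str, zone: str) -> bool:
    """True when fqdn is the zone apex or a name below it (case-insensitive)."""
    f = fqdn.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(f) >= len(z) and f[-len(z):] == z


def system_resolver(fqdn: str) -> List[str]:
    """Resolve fqdn through the host's resolver; empty list when it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def validate_nameserver(zone: str, ns_fqdn: str, force: bool = False,
                        resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (accepted, reason) for using ns_fqdn as the NS of zone.

    The resolver is injected so the decision can be exercised offline; an
    installer would pass the real one. Without force, an unresolvable NS is
    refused; an in-zone NS gets a reason that explains why it cannot resolve
    yet and what the caller must do (glue address records in the new zone).
    """
    if resolve(ns_fqdn):
        return True, "nameserver resolves"
    in_zone = fqdn_in_zone(ns_fqdn, zone)
    if force:
        if in_zone:
            return True, ("in-zone nameserver accepted with force; add its "
                          "address records to the zone so the NS is not lame")
        return True, "unresolvable nameserver accepted with force"
    if in_zone:
        return False, ("nameserver is inside the zone being created and cannot "
                       "resolve before the zone is served; pass force")
    return False, "nameserver does not resolve"


def main() -> None:
    # Constructed scenarios mirroring the thread: the IPA server's own name is
    # the NS of the new zone and is not yet in DNS, so resolution is stubbed out.
    offline: Resolver = lambda name: []
    for zone, ns, force in [("testdomain", "ipaserver.testdomain", False),
                            ("testdomain", "ipaserver.testdomain", True),
                            ("testdomain", "ns1.example.net", False)]:
        print(zone, ns, force, validate_nameserver(zone, ns, force, offline))


if __name__ == "__main__":
    main()
```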
Re: [Freeipa-devel] [PATCH] 696 fix modifying delegation
On Mon, 2011-01-31 at 13:12 -0500, Rob Crittenden wrote:
> Modifying membergroup in a delegation was failing because of an inconsnstent use of the cli name and the attribute name and also because the aci plugin was not always treating memberof as a special kind of filter.
>
> ticket 869
>
> rob

ACK. This will fix ticket 870 too.

(you may want to fix a typo in commit message: 'inconsnstent')

Martin
[Freeipa-devel] [PATCH] 021 Permission rename test failing
This patch fixes test for Permission plugin - mainly permission-mod part. Description field that the tests expected and which was removed in ticket 792 was removed from the tests. https://fedorahosted.org/freeipa/ticket/892 From 40fe8a1cf9151de25c655c4c985905d2895662bf Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 1 Feb 2011 12:31:54 +0100 Subject: [PATCH] Permission rename test failing This patch fixes test for Permission plugin - mainly permission-mod part. Description field that the tests expected and which was removed in ticket 792 was removed from the tests. https://fedorahosted.org/freeipa/ticket/892 --- tests/test_xmlrpc/test_permission_plugin.py | 14 +- 1 files changed, 5 insertions(+), 9 deletions(-) diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index be5d2befbb809229b496d27930202637a012c2db..4ee466b6552e0d3d931a63bb8cdb06fd86361c16 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -332,8 +332,7 @@ class test_permission(Declarative): permission2), command=( 'permission_mod', [permission1], dict(rename=permission2, - description=uRenamed Desc, - permissions=u'read',) + permissions=u'all',) ), expected=errors.DuplicateEntry(), ), @@ -348,10 +347,9 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], -'description': [u'New desc 1'], 'member_privilege': [privilege1], 'type': u'user', -'permissions': [u'write'], +'permissions': [u'read'], }, ), ), @@ -362,8 +360,7 @@ class test_permission(Declarative): permission1_renamed), command=( 'permission_mod', [permission1], dict(rename=permission1_renamed, - description=uRenamed Desc, - permissions= u'read',) + permissions= u'all',) ), expected=dict( value=permission1, 
@@ -371,10 +368,9 @@ class test_permission(Declarative): result={ 'dn': permission1_renamed_dn, 'cn': [permission1_renamed], -'description': [u'Renamed Desc'], 'member_privilege': [privilege1], 'type': u'user', -'permissions': [u'read'], +'permissions': [u'all'], }, ), ), @@ -407,7 +403,7 @@ class test_permission(Declarative): dict( desc='Try to update non-existent %r' % permission1, -command=('permission_mod', [permission1], dict(description=u'Foo')), +command=('permission_mod', [permission1], dict(rename=u'Foo')), expected=errors.NotFound(reason='no such entry'), ), -- 1.7.3.5
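Review bot: the hunks only drop `description` from the expected results (`'description': [u'New desc 1']`, `'description': [u'Renamed Desc']`) and from the permission_mod arguments; the permission_add fixtures earlier in this file that produced those expected values are not in the diff, so confirm they no longer pass `description=` either, otherwise the suite still fails on the add step once the attribute is gone (ticket 792). Minor style point in the third hunk: `permissions= u'all',)` has a stray space before the value where the first hunk writes `permissions=u'all',)`.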
Re: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
On Mon, 31 Jan 2011 23:07:24 -0500 Rob Crittenden <rcrit...@redhat.com> wrote:
> Simo Sorce wrote:
>> On Mon, 31 Jan 2011 18:38:47 -0500 Simo Sorce <sso...@redhat.com> wrote:
>>> See also ticket #887
>>>
>>> Simo.
>>
>> With a patch file it works better I guess :-)
>>
>> Simo.
>
> I wasn't entirely sure how to test this so I use ipa-replica-manage re-initialize --from=master.example.com
>
> It seemed to work, not sure how I can really tell. I did notice this in my 389-ds error log:
>
> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete. Processed 159 entries in 4 seconds. (39.75 entries/sec)
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
>
> rob

I changed force-sync not re-initialize :-)
And the actual real change happened in ipa-replica-install

So the way to test it would be to install a replica and make sure it works (I tested it on my side and it did).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Added undo for permission rights.
On 02/01/2011 12:02 AM, Endi Sukma Dewata wrote:
> On 1/31/2011 8:53 PM, Adam Young wrote:
>> On 01/31/2011 08:48 PM, Endi Sukma Dewata wrote:
>>> https://fedorahosted.org/freeipa/ticket/884
>>
>> NACK is_dirty is broken now on permissions.
>
> Could you describe which one is broken? I tried a number of things on permission and delegation but so far everything seems to be working just fine.

Can't reproduce now what I was seeing, so it is likely it was just the product of a tired mind. Code works well.

>> A lot of code is gone from aci.js. Is that intentional?
>
> Yes, the IPA.rights_widget now inherits from IPA.checkboxes_widget which works the same way. The only thing left is custom html generation. I added IPA.widget.create_undo() to generate standardized undo butt

ACK pushed to master
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
On Mon, 2011-01-31 at 22:18 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case READONLY.
>>
>> ticket 853
>>
>> rob
>
> I goofed on the schema, updated patch attached.
>
> rob

NACK (but a small one)

The patch is fine, I have found only 2 minor issues and a question:

1) Permission tests got broken. You may want to apply my [PATCH] 021 Permission rename test failing before fixing that - so that Permission test suite is clean.

2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)

QUESTION: In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions. I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?

Martin
Re: [Freeipa-devel] [PATCH] Make 'ipa help' localizable.
On 02/01/2011 03:08 PM, John Dennis wrote:
> On 02/01/2011 08:16 AM, Pavel Zuna wrote:
>> For a long time, I was trying to find a way to localize python docstrings, that we use to generate the built-in documentation system. Unfortunately, python docstrings aren't meant to be localized and therefore I had to use a dirty trick: setting the __doc__ variable manually to a gettext instance.
>>
>> There is one major disadvantage: tools that generate developer documentation (like epydoc) won't display docstrings set like this. One solution would be to have docstrings twice in each module: once normally and once set using __doc__, but that would be very ugly.
>>
>> This patch doesn't update .po files, because it's already big as it is. They are regenerated automatically anyway.
>>
>> Ticket #179
>>
>> Pavel
>
> Hi Pavel:
>
> I'm not sure this is the right approach. What we really want is to be able to extract the docstrings and put them in a pot file. Normally xgettext is used to extract translatable strings but I don't think the python parser in xgettext is docstring aware (we should probably confirm that). However pygettext in the python-tools package is docstring aware. From its help text:
>
> -D
> --docstrings
>     Extract module, class, method, and function docstrings. These do not need to be wrapped in _() markers, and in fact cannot be for Python to consider them docstrings. (See also the -X option).
>
> So rather than changing all the source code and making it non-standard I think we're better off using a more appropriate tool when building the pot file.
>
> Use of pygettext is discussed and documented in this Python documentation link:
> http://docs.python.org/library/gettext.html#internationalizing-your-programs-and-modules
>
> You can find an interesting discussion of the docstring extraction issue in this thread:
> http://mail.python.org/pipermail/i18n-sig/2001-August/001292.html
>
> BTW, Barry Warsaw is the man behind Mailman and is one of the Python community luminaries.

Thanks for the tips! I'll see what I can do.

Pavel
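The alternative John describes, as an added example (not FreeIPA's code and not pygettext itself): docstrings stay plain in the source, a build step walks the AST and emits them as POT entries (the job pygettext -D does), and a help command translates the unchanged __doc__ at display time instead of assigning a gettext object to __doc__. The sample module, the DictTranslations catalog and all function names are constructed for this example.

```python
# Added example (not FreeIPA's code): extract docstrings into POT entries and
# translate them on output, leaving __doc__ untouched for tools like epydoc.
import ast
import gettext
from typing import Dict, List, Tuple

# Constructed stand-in for an ipalib plugin module.
SAMPLE_MODULE = '''"""
Manage users.
"""
class user_add(object):
    """Add a new user."""
    def run(self, uid):
        """Run the command."""
        return uid
def helper():
    return 1
'''


def extract_docstrings(source: str, filename: str = "<module>") -> List[Tuple[str, int, str]]:
    """Return (qualified name, line, docstring) for module, class and function docstrings.

    The strings carry no _() wrapper: Python would not treat a wrapped string
    as a docstring at all, which is exactly why they must be collected from
    the AST rather than marked in the source.
    """
    tree = ast.parse(source, filename)
    found: List[Tuple[str, int, str]] = []
    module_doc = ast.get_docstring(tree, clean=False)
    if module_doc is not None:
        found.append(("<module>", 1, module_doc))

    def visit(node: ast.AST, prefix: str) -> None:
        for child in ast.iter_child_nodes(node):
            if isinstance(child, (ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)):
                name = prefix + child.name
                doc = ast.get_docstring(child, clean=False)
                if doc is not None:
                    found.append((name, child.lineno, doc))
                visit(child, name + ".")

    visit(tree, "")
    return found


def pot_escape(text: str) -> str:
    """Escape a string for a PO msgid (backslash, double quote, newline)."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def to_pot(entries: List[Tuple[str, int, str]], filename: str) -> str:
    """Render extracted docstrings as POT entries with source references."""
    lines: List[str] = []
    for name, lineno, doc in entries:
        lines += [f"#. docstring of {name}",
                  f"#: {filename}:{lineno}",
                  f'msgid "{pot_escape(doc)}"',
                  'msgstr ""',
                  ""]
    return "\n".join(lines)


class DictTranslations(gettext.NullTranslations):
    """Catalog backed by a dict, standing in for a compiled .mo at runtime."""

    def __init__(self, catalog: Dict[str, str]) -> None:
        super().__init__()
        self._catalog = catalog

    def gettext(self, message: str) -> str:
        return self._catalog.get(message, message)


def localized_doc(obj: object, translations: gettext.NullTranslations) -> str:
    """What a localized help command would print: the plain __doc__, translated on output."""
    doc = getattr(obj, "__doc__", None)
    return translations.gettext(doc) if doc else ""


def demo() -> str:
    """Extract from the sample module, then translate one docstring at display time."""
    namespace: Dict[str, object] = {}
    exec(SAMPLE_MODULE, namespace)  # constructed module, executed to obtain real objects
    catalog = DictTranslations({"Add a new user.": "Přidat nového uživatele."})
    return localized_doc(namespace["user_add"], catalog)


if __name__ == "__main__":
    print(to_pot(extract_docstrings(SAMPLE_MODULE, "user.py"), "user.py"))
    print(demo())
```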
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
>> 2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)
>
> This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.

I thought so. I was confused by addentitlements permission which objectclass was updated. We just have to make sure, that the entitlements patch includes this new objectClass.

>> QUESTION: In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions. I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?
>
> Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem.
>
> It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.
>
> rob

Yes, user could rename or delete permission. In both cases it won't have any effect to the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...

Martin
Re: [Freeipa-devel] [PATCH] 664 entitlement support
Jakub Hrozek wrote:
> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>> This patch adds a plugin and tools for managing entitlements for host machines.
>>>>
>>>> Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data.
>>>>
>>>> You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance.
>>>>
>>>> Once your candlepin server is setup and IPA is installed do something like:
>>>>
>>>> $ ipa entitle-register admin (password is admin)
>>>> $ ipa entitle-consume 25
>>>> $ ipa entitle-status (verify that it is 25)
>>>> # ipa-compliance (should be 1 of 50)
>>>>
>>>> Our tools can consume only, not return entitlements.
>>>>
>>>> tickets 28, 79 and 278.
>>>>
>>>> rob
>>>
>>> can you rebase the patch so it applies cleanly on the current master?
>>
>> attached
>>
>> rob
>
> Functionally, the patch seems to be working fine -- great job! I just have a couple of minor comments:
>
> * I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
> * During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice
> * the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed
> * I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)
> * in ipa-compliance:
>
> +if not truncated:
> +hostcount = len(entries)
> +else:
> +# FIXME: raise an error
> +pass
>
> I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch, later on, the code accesses it and would blow up.
> * In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI
> * If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin
> * when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up.. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.

Here is a diff of the changes you suggested, I think they cover all the bases.

rob

diff --git a/freeipa.spec.in b/freeipa.spec.in index 1190fff..7e91c42 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -406,7 +406,6 @@ fi %dir %{_localstatedir}/cache/ipa %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions %attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd -%{_sysconfdir}/cron.d/ipa-compliance %{_mandir}/man1/ipa-replica-install.1.gz %{_mandir}/man1/ipa-replica-manage.1.gz %{_mandir}/man1/ipa-replica-prepare.1.gz diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance index 5c21336..6c91ef4 100644 --- a/install/tools/ipa-compliance +++ b/install/tools/ipa-compliance @@ -29,6 +29,7 @@ try: import tempfile import krbV import base64 +import shutil from rhsm.certificate import EntitlementCertificate @@ -69,7 +70,7 @@ def parse_options(): options, args = parser.parse_args() return options, args -def check_compliance(debug=False): +def check_compliance(tmpdir, debug=False): cfg = dict( context='cli', in_server=False, @@ -85,7 +86,6 @@ def check_compliance(debug=False): try: # Create a new credentials cache for this tool. This executes # using the systems host principal. -tmpdir = tempfile.mkdtemp(prefix = tmp-) ccache_file = 'FILE:%s/ccache' % tmpdir krbcontext = krbV.default_context() principal = str('host/%s@%s' % (api.env.host, api.env.realm))
@@ -109,17 +109,10 @@ def check_compliance(debug=False): ldapuri = 'ldap://%s' % api.env.host conn = ldap2(shared_instance=False, ldap_uri=ldapuri) -# Pick one of these bind methods - -# Bind using DM -#conn.connect(bind_dn='cn=directory manager', bind_pw='password') - # Bind using GSSAPI -#conn.connect(ccache='FILE:/tmp/krb5cc_500') - -# Bind anonymously -conn.connect() +conn.connect(ccache=ccache_file) +hostcount = 0 # Get the hosts first try: (entries, truncated) = conn.find_entries('(krblastpwdchange=*)', ['dn'], @@ -127,13 +120,17 @@ def check_compliance(debug=False): conn.SCOPE_ONELEVEL, size_limit = -1) except errors.NotFound: - hostcount = 0 + # No hosts + pass if not truncated: hostcount = len(entries) else: -# FIXME:
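Review bot: in the `@@ -127,13 +120,17 @@` ipa-compliance hunk, `except errors.NotFound:` now only passes, but `entries` and `truncated` are assigned solely inside the `try`, so in the no-hosts case the `if not truncated:` that follows raises NameError instead of leaving `hostcount` at the 0 initialised above; either skip the counting block from the except branch or initialise `entries, truncated = [], False` next to `hostcount = 0` before the `try`.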
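Review bot: the `@@ -29,6 +29,7 @@` hunk adds `import shutil` and the `@@ -85,7 +86,6 @@` hunk removes `tmpdir = tempfile.mkdtemp(...)` from check_compliance, so the caller now owns the directory holding the host-principal ccache, but no visible hunk shows where that directory is created or removed; make sure the caller does the `shutil.rmtree()` in a `finally:` so the credentials cache does not outlive the run, and check whether `import tempfile` is still used in this file once the mkdtemp call has moved out.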
Re: [Freeipa-devel] [PATCH] 0080 Sync in both direction before changing replication agreement in replica
On 01/31/2011 09:07 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 31 Jan 2011 18:38:47 -0500 Simo Sorce <sso...@redhat.com> wrote:
>>> See also ticket #887
>>>
>>> Simo.
>>
>> With a patch file it works better I guess :-)
>>
>> Simo.
>
> I wasn't entirely sure how to test this so I use ipa-replica-manage re-initialize --from=master.example.com
>
> It seemed to work, not sure how I can really tell. I did notice this in my 389-ds error log:
>
> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete. Processed 159 entries in 4 seconds. (39.75 entries/sec)
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

This should be ok. This basically means "hey, your database has just been reloaded. The server should wipe out the changelog and create a new one."

> rob
Re: [Freeipa-devel] Changelog error after re-initialize. [WAS [PATCH] 0080 ..]
On 02/01/2011 09:14 AM, Simo Sorce wrote:
> On Tue, 01 Feb 2011 09:07:58 -0700 Rich Megginson <rmegg...@redhat.com> wrote:
>> On 01/31/2011 09:07 PM, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 31 Jan 2011 18:38:47 -0500 Simo Sorce <sso...@redhat.com> wrote:
>>>>> See also ticket #887
>>>>>
>>>>> Simo.
>>>>
>>>> With a patch file it works better I guess :-)
>>>>
>>>> Simo.
>>>
>>> I wasn't entirely sure how to test this so I use ipa-replica-manage re-initialize --from=master.example.com
>>>
>>> It seemed to work, not sure how I can really tell. I did notice this in my 389-ds error log:
>>>
>>> [31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete. Processed 159 entries in 4 seconds. (39.75 entries/sec)
>>> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
>>> [31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
>>
>> This should be ok. This basically means "hey, your database has just been reloaded. The server should wipe out the changelog and create a new one."
>
> Is this something the server will do automatically?

Yes.

> Or is it an action we need to add to our scripts ?

No.

> Simo.
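A triage of the two error-log lines discussed in this thread, as an added example (not 389-ds or FreeIPA code): a replica_reload_ruv changelog-recreation warning that closely follows an "Import complete" line is the expected consequence of a re-initialize, as Rich explains, whereas the same warning with no import before it is worth a look because that replica's consumers may need reinitializing. The sample log is constructed from the thread's excerpt plus one extra warning, and the five-minute window is this example's own assumption.

```python
# Added example (not 389-ds or FreeIPA code): classify changelog-recreation
# warnings in a 389-ds error log by whether a database import preceded them.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
IMPORT_DONE = re.compile(r"import (?P<backend>\S+): Import complete\.")
RUV_WARNING = re.compile(
    r"replica_reload_ruv: Warning: new data for replica (?P<replica>\S+) does not match")

# Constructed sample: the three lines quoted in the thread, plus one warning
# hours later with no import before it.
SAMPLE_LOG = """\
[31/Jan/2011:23:05:59 -0500] - import userRoot: Import complete. Processed 159 entries in 4 seconds. (39.75 entries/sec)
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is coming online; enabling replication
[31/Jan/2011:23:06:00 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[01/Feb/2011:03:12:41 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
"""


def parse_ts(text: str) -> datetime:
    """389-ds error-log timestamps look like 31/Jan/2011:23:05:59 -0500."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def triage_changelog_warnings(log: str,
                              window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Return one finding per changelog-recreation warning.

    The import line names a backend (userRoot) while the warning names the
    replica suffix, so the correlation is by time only: a warning within
    `window` after the last completed import is treated as expected.
    """
    last_import: Optional[datetime] = None
    findings: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        msg = m.group("msg")
        if IMPORT_DONE.search(msg):
            last_import = ts
            continue
        w = RUV_WARNING.search(msg)
        if not w:
            continue
        expected = last_import is not None and timedelta(0) <= ts - last_import <= window
        findings.append({
            "time": ts.isoformat(),
            "replica": w.group("replica"),
            "expected": expected,
            "note": ("changelog recreated after a re-initialize; no action needed"
                     if expected else
                     "changelog recreated without a preceding import; check this replica's consumers"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_changelog_warnings(SAMPLE_LOG):
        print(finding)
```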
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
Martin Kosek wrote:
> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> 2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)
>>
>> This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.
>
> I thought so. I was confused by addentitlements permission which objectclass was updated. We just have to make sure, that the entitlements patch includes this new objectClass.
>
>>> QUESTION: In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions. I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?
>>
>> Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem.
>>
>> It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.
>>
>> rob
>
> Yes, user could rename or delete permission. In both cases it won't have any effect to the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...
>
> Martin

I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.

rob

From bd324e4ea06f40b9721d6d05415ef4d0855427c3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com Date: Tue, 1 Feb 2011 11:57:18 -0500 Subject: [PATCH] Add new schema to store information about permissions. There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM. ticket 853 --- install/share/60basev2.ldif |2 + install/share/delegation.ldif | 49 + ipalib/plugins/permission.py | 30 +++- 3 files changed, 79 insertions(+), 2 deletions(-) diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif index 7eb346b..f5f7a65 100644 --- a/install/share/60basev2.ldif +++ b/install/share/60basev2.ldif @@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2') objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' ) +objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' ) 
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags'
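Review bot: the first 60basev2.ldif hunk adds `ipaPermission` with `MAY ( ipaPermissionType )`, but the `ipaPermissionType` attributeType in the second hunk is cut off after `DESC 'IPA permission flags'`, so its EQUALITY and SYNTAX cannot be reviewed here; since the flag value (SYSTEM) is compared as a string by the mod/del enforcement the cover note describes, a definition consistent with `hostCategory` in the same file (`EQUALITY caseIgnoreMatch ... SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`) would keep `system` and `SYSTEM` from being treated as different values. The diffstat also lists delegation.ldif and permission.py changes that are not included in this message.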
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Jan Zelený wrote:
> Rob Crittenden <rcrit...@redhat.com> wrote:
>> Jan Zelený wrote:
>>> Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for user to find out which attributes do the parameters given to CLI really represent. This patch provides new command, which will take another IPA command as an argument and display attributes which given command takes and what LDAP attributes are they mapped to.
>>>
>>> https://fedorahosted.org/freeipa/ticket/447
>>>
>>> When reviewing, please pay attention to line 39 of the patch (detection of the 'webui' in param.excludes). I think this is the right approach, but I'm not 100% sure.
>>>
>>> Thanks
>>> Jan
>>
>> nack.
>
> I'm sending updated patch. Few comments:
>
>> The argument should be a Str, not Bytes.
>
> Should I change it in class help then? That's where I copied this from.

I think so.

>> This will blow up as expected in the FIXME if an unknown command is passed in.
>
> Fixed, thanks.

Not to be pedantic but I think it should return a non-zero error code too on error.

>> ipa show-mappings user-show returns just 'rights'
>
> If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options). I'm just not sure how to do this with minimal changes. One option is to create new flag denoting whether parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit.

You should have the object Params list available, right? Can you use that to show at least some attributes?

>> Should it take a second arg or an option to lookup a specific attribute/option pair?
>
> Frankly I don't see any real benefit. I thought about it when Dmitri suggested it, but commands don't take that many options - IMO it's not a problem to find one in a list of ten.

Ok, that's true

rob
Re: [Freeipa-devel] [PATCH] 696 fix modifying delegation
Martin Kosek wrote:
> On Mon, 2011-01-31 at 13:12 -0500, Rob Crittenden wrote:
>> Modifying membergroup in a delegation was failing because of an inconsnstent use of the cli name and the attribute name and also because the aci plugin was not always treating memberof as a special kind of filter.
>>
>> ticket 869
>>
>> rob
>
> ACK. This will fix ticket 870 too.
>
> (you may want to fix a typo in commit message: 'inconsnstent')
>
> Martin

thanks, pushed to master (and yes, I forgot to fix the typo :-( )
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote:
> Jan Zelený <jzel...@redhat.com> wrote:
>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Jan Zelený wrote:
>>>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Jan Zelený wrote:
>>>>>> Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/646
>>>>>
>>>>> Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.
>>>>>
>>>>> rob
>>>>
>>>> I'm sending an updated patch.
>>>>
>>>> Jan
>>>
>>> Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.
>>
>> I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.
>>
>>> Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer.
>>
>> Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.
>
> From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use filter for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type.
>
> Jan

Ack but this patch needs a rebase.

rob
Re: [Freeipa-devel] [PATCH] 664 entitlement support
On 02/01/2011 04:15 PM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On 01/31/2011 04:29 PM, Rob Crittenden wrote:
>>> Jakub Hrozek wrote:
>>>> On 01/05/2011 04:38 PM, Rob Crittenden wrote:
>>>>> This patch adds a plugin and tools for managing entitlements for host machines.
>>>>>
>>>>> Testing is rather complex so I've attached a script to help set up the Candlepin server. You'll need to ping me out of band for the backend data. This configures the Candlepin server with an in-memory database so any time tomcat6 is restarted you'll need to reload the data.
>>>>>
>>>>> You have to run candlepin.setup as root. This will configure your Fedora tomcat6 instance.
>>>>>
>>>>> Once your candlepin server is setup and IPA is installed do something like:
>>>>>
>>>>> $ ipa entitle-register admin (password is admin)
>>>>> $ ipa entitle-consume 25
>>>>> $ ipa entitle-status (verify that it is 25)
>>>>> # ipa-compliance (should be 1 of 50)
>>>>>
>>>>> Our tools can consume only, not return entitlements.
>>>>>
>>>>> tickets 28, 79 and 278.
>>>>>
>>>>> rob
>>>>
>>>> can you rebase the patch so it applies cleanly on the current master?
>>>
>>> attached
>>>
>>> rob
>>
>> Functionally, the patch seems to be working fine -- great job! I just have a couple of minor comments:
>>
>> * I think a recent change to delegation.ldif conflicts with the patch. I was able to do a 3-way merge, but please check it merges OK.
>> * During build, rpm-build complains about /etc/cron.d/ipa-compliance being listed twice
>> * the two commented lines in ipa-compliance that test Bind using DM and Bind using GSSAPI should be removed
>> * I think that the ipa-compliance tool never deletes the directory with the ccache (tmpdir)
>> * in ipa-compliance:
>>
>> +if not truncated:
>> +hostcount = len(entries)
>> +else:
>> +# FIXME: raise an error
>> +pass
>>
>> I'm not opposed to FIXMEs in the code, but maybe there should be a ticket so we don't forget them. Also, hostcount should be initialized in the else: branch, later on, the code accesses it and would blow up.
>> * In the entitlement plugin, the 'hidden' attributes could have flags=['no_option', 'no_output'] so they don't show up in the UI
>> * If I consume all the entitlements with ipa entitle-consume and ask for more, I get an internal server error - we should probably catch the RestlibException from candlepin
>> * when I started testing I made a typo in the candlepin instance hostname. ipa entitle-register then blew up.. The traceback looks like it comes from rhsm. I don't think we absolutely need to fix it now, but we should at least track it in a ticket.
>
> Here is a diff of the changes you suggested, I think they cover all the bases.
>
> rob

Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.
[Freeipa-devel] [PATCH] 048 IPv6 enhancements
Attached is a patch that fixes the remaining IPv6 problems. Many were testable on a v4 installation, like the host plugin changes. I only verified the v6 reverse zone creation in bindinstance with ldapsearch so far.

https://fedorahosted.org/freeipa/ticket/398

From e9752923ee27bed10b5075cb83be165ff9f72c59 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Mon, 31 Jan 2011 15:30:43 +0100 Subject: [PATCH] IPv6 enhancements * Make host-add, host-del and reverse zone creation IPv6 aware * Make Bind listen on IPv6 interfaces, too https://fedorahosted.org/freeipa/ticket/398 --- install/share/bind.named.conf.template |3 ++ ipalib/plugins/host.py | 61 +++- ipaserver/install/bindinstance.py | 33 +++-- ipaserver/install/installutils.py |4 +- 4 files changed, 62 insertions(+), 39 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 447c50c..71facba 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -1,4 +1,7 @@ options { + // turns on IPv6 for port 53, IPv4 is on by default for all ifaces + listen-on-v6 {any;}; + // Put files that named is allowed to write in the data/ directory: directory /var/named; // the default dump-file data/cache_dump.db; diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index d5c5174..9c49f25 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
@@ -85,6 +85,7 @@ from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate from ipalib.plugins.dns import dns_container_exists, _record_types +from ipalib.plugins.dns import add_forward_record from ipalib import _, ngettext from ipalib import x509 from ipapython.ipautil import ipa_generate_password @@ -103,6 +104,32 @@ def validate_host(ugettext, fqdn): return _('Fully-qualified hostname required') return None +def is_forward_record(zone, str_address): +addr = netaddr.IPAddress(str_address) +if addr.version == 4: +result = api.Command['dnsrecord_find'](zone, arecord=str_address) +elif addr.version == 6: +result = api.Command['dnsrecord_find'](zone, aaarecord=str_address) +else: +raise ValueError('Invalid address family') + +return result['count'] 0 + +def remove_fwd_ptr(ipaddr, host, domain, recordtype): +api.log.debug('deleting ipaddr %s' % ipaddr) +revzone, revname = get_reverse_zone(ipaddr) +try: +delkw = { 'ptrrecord' : %s.%s. % (host, domain) } +api.Command['dnsrecord_del'](revzone, revname, **delkw) +except errors.NotFound: +pass + +try: +delkw = { recordtype : ipaddr } +api.Command['dnsrecord_del'](domain, host, **delkw) +except errors.NotFound: +pass + host_output_params = ( Flag('has_keytab', label=_('Keytab'), @@ -309,8 +336,7 @@ class host_add(LDAPCreate): except errors.NotFound: pass else: -result = api.Command['dnsrecord_find'](domain, arecord=options['ip_address']) -if result['count'] 0: +if is_forward_record(domain, options['ip_address']): raise errors.DuplicateEntry(message=u'This IP address is already assigned.') if not options.get('force', False) and not 'ip_address' in options: util.validate_host_dns(self.log, keys[-1]) 
@@ -347,15 +373,8 @@ class host_add(LDAPCreate): if 'ip_address' in options and dns_container_exists(ldap): parts = keys[-1].split('.') domain = unicode('.'.join(parts[1:])) -if ':' in options['ip_address']: -addkw = { 'record' : options['ip_address'] } -else: -addkw = { 'arecord' : options['ip_address'] } -try: -api.Command['dnsrecord_add'](domain, parts[0], **addkw) -except errors.EmptyModlist: -# the entry already exists and matches -pass + +add_forward_record(domain, parts[0], options['ip_address']) if not options.get('no_reverse', False): revzone, revname = get_reverse_zone(options['ip_address']) @@ -444,24 +463,16 @@ class host_del(LDAPDelete): records = api.Command['dnsrecord_find'](domain, idnsname=parts[0])['result'] for record in records: if 'arecord'
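Review bot: the bind.named.conf.template hunk adds `listen-on-v6 {any;};` unconditionally, so named now answers on every IPv6 interface of the server; the `allow-query`/`allow-recursion` ACLs that constrain the IPv4 listener are not part of this hunk, so please confirm they are address-family neutral, because an ACL written with only IPv4 prefixes would refuse IPv6 clients while port 53 is open to them.

Review bot: in the `is_forward_record` hunk of ipalib/plugins/host.py (@@ -103,6 +104,32), a malformed address does not become a client-visible validation error: `netaddr.IPAddress(str_address)` raises `netaddr.AddrFormatError` on an unparseable string and the final `else` raises a bare `ValueError`, and neither is an `ipalib.errors` subclass, so the caller of host-add gets an internal server error. Suggest catching `AddrFormatError` and raising `errors.ValidationError(name='ip_address', ...)`. In the same hunk, `return result['count'] 0` is missing its comparison operator as shown (presumably `> 0`), and the IPv6 branch passes `aaarecord=` where the IPv4 branch passes `arecord=`; double-check that keyword against the AAAA record option name the dns plugin actually defines, since the whole duplicate-address check hinges on it.

Review bot: in the host_add hunk (@@ -347,15 +373,8), the inline try/except that tolerated `errors.EmptyModlist` ("the entry already exists and matches") is replaced by a call to `add_forward_record(domain, parts[0], options['ip_address'])`; please confirm that helper in ipalib/plugins/dns.py preserves that behaviour, otherwise re-adding a host with an address that is already in DNS will now fail. Style nit in the @@ -309,8 +336,7 hunk's context: `not 'ip_address' in options` reads better as `'ip_address' not in options`.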
Re: [Freeipa-devel] [PATCH] 664 entitlement support
Jakub Hrozek wrote:

[...]

Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.

attached

From 7b17cacefc503b7d27820941b35281f922edd6e1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 1 Feb 2011 14:24:46 -0500
Subject: [PATCH] Add support for tracking and counting entitlements

Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278

--- freeipa.spec.in|5 + install/share/60basev2.ldif|2 + install/share/default-aci.ldif |2 +- install/share/delegation.ldif | 60 ++- install/tools/Makefile.am |1 + install/tools/ipa-compliance | 193 + install/tools/man/Makefile.am |3 +- install/tools/man/ipa-compliance.1 | 45 +++ ipa-compliance.cron|5 + ipalib/cli.py | 14 +- ipalib/constants.py|1 + ipalib/errors.py | 41 ++- ipalib/plugins/entitle.py | 749 ipalib/plugins/service.py |5 + ipaserver/plugins/ldap2.py | 14 + 15 files changed, 1114 insertions(+), 26 deletions(-) create mode 100644 install/tools/ipa-compliance create mode 100644 install/tools/man/ipa-compliance.1 create mode 100644 ipa-compliance.cron create mode 100644 ipalib/plugins/entitle.py diff --git a/freeipa.spec.in b/freeipa.spec.in index e35f337..7e91c42 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -266,6 +266,8 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore %if ! %{ONLY_CLIENT}
[Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
From fc3537dbeb41dedbcaa3a9a26663e3ea26259c81 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 1 Feb 2011 14:55:55 -0500 Subject: [PATCH] undo entity widget adds line level undo for the entity-select-widget https://fedorahosted.org/freeipa/ticket/886 --- install/ui/widget.js | 12 +++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index b5c02ee33314ff175223ab01ed8c5407d57414d2..b9244f07cd2bebe8db489eb1ec98e11199f86872 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1100,7 +1100,7 @@ IPA.entity_select_widget = function(spec){ that.entity_select = $('select/', { id: that.name + '-entity-select', change: function(){ - +that.show_undo(); } }).appendTo(dd); @@ -1124,10 +1124,20 @@ IPA.entity_select_widget = function(spec){ return false; } }).appendTo(dd); + +if (that.undo) { +that.create_undo(dd); +} +var undo = that.get_undo(); +undo.click(function() { +that.reset(); +}); + populate_select(); }; that.reset = function(){ that.entity_filter.val(that.values[0]); +that.hide_undo(); populate_select(that.values[0]); }; -- 1.7.3.5
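Review bot: in the @@ -1124,10 +1124,20 hunk, `var undo = that.get_undo(); undo.click(...)` sits outside the `if (that.undo)` guard that precedes it, so for a widget created without undo support `create_undo(dd)` is never called and `get_undo()` has nothing to hand back: if it returns undefined the `.click` call throws while the widget is being built, if it returns an empty jQuery set the reset handler is silently attached to nothing. Suggest moving the two `get_undo()`/`undo.click(...)` lines inside the `if (that.undo)` block.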
Re: [Freeipa-devel] [PATCH] 021 Permission rename test failing
Martin Kosek wrote:

This patch fixes test for Permission plugin - mainly permission-mod part. Description field that the tests expected and which was removed in ticket 792 was removed from the tests.

https://fedorahosted.org/freeipa/ticket/892

ack, pushed to master
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
Rob Crittenden wrote:

Martin Kosek wrote:

On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

2) In delegation.ldif: ipapermission object class is missing for removeentitlements and modifyentitlements (it has been added for addentitlements though)

This was on purpose, I should have been clearer. Patch 664 makes major changes to these and I'm trying to make the merge easier. I'll fix them up when 664 gets pushed.

I thought so. I was confused by addentitlements permission which objectclass was updated. We just have to make sure, that the entitlements patch includes this new objectClass.

QUESTION: In this patch you add READONLY flag to Replica permissions. However it is not actually used and stays as just an informative flag. It won't prevent user from modifying/removing READONLY permissions. I guess enhancing permission-mod and permission-del of READONLY check will be a subject of another ticket?

Ok, interesting point. I considered the aci itself to be read-only. The only thing a user could do is rename the permission, right? I think that would maintain consistency so it shouldn't be a problem.

It would probably be easy to really make these read-only but that would have a UI impact as well, perhaps a problematic one. I suppose if they could handle any read-only exceptions we'd raise that would be adequate.

rob

Yes, user could rename or delete permission. In both cases it won't have any effect to the ACI as ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. Read-only exception may be a way to achieve this...

Martin

I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.

rob

Martin found a few more problems, here is another patch.

rob

From dbdfbc11aa1425005eb41a7d608f784364d9077d Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com Date: Tue, 1 Feb 2011 11:57:18 -0500 Subject: [PATCH] Add new schema to store information about permissions. There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM. ticket 853 --- install/share/60basev2.ldif|2 + install/share/delegation.ldif | 49 ipalib/plugins/permission.py | 30 - tests/test_xmlrpc/objectclasses.py |1 + 4 files changed, 80 insertions(+), 2 deletions(-) diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif index 7eb346b..f5f7a65 100644 --- a/install/share/60basev2.ldif +++ b/install/share/60basev2.ldif 
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2') objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' ) +objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' ) 
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX
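Review bot: the @@ -13,6 +13,7 hunk of install/share/60basev2.ldif adds objectClass `ipaPermission` (OID 2.16.840.1.113730.3.8.4.15) with `MAY ( ipaPermissionType )`, but the `attributeTypes` definition of ipaPermissionType is not in that hunk, and the @@ -23,6 +24,7 hunk that presumably carries it is cut off here; please confirm the attribute is defined in the same schema file, since the directory server rejects an objectClass that names an attribute it does not know, and check that .4.15 is not already allocated under the IPA v2 objectClasses arc. The diffstat also lists tests/test_xmlrpc/objectclasses.py, so the new objectClass should appear there for the permission tests.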
Re: [Freeipa-devel] [PATCH] admiyo-0184-use-entity-select-widget-for-permissions
On 2/1/2011 12:08 PM, Adam Young wrote:

ACK and pushed to master.

-- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
On 02/01/2011 02:57 PM, Adam Young wrote:

Now shows undo link if the filter changes

From 419b755871b1de7256f7ca540bf6058ef5075f8f Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 1 Feb 2011 14:55:55 -0500 Subject: [PATCH] undo entity widget adds line level undo for the entity-select-widget now shows the undo link on filter change https://fedorahosted.org/freeipa/ticket/886 --- install/ui/widget.js | 13 - 1 files changed, 12 insertions(+), 1 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index b5c02ee33314ff175223ab01ed8c5407d57414d2..c3f179a9d8f1fabdb87a3ed9a88613021c1455b7 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1100,7 +1100,7 @@ IPA.entity_select_widget = function(spec){ that.entity_select = $('select/', { id: that.name + '-entity-select', change: function(){ - +that.show_undo(); } }).appendTo(dd); @@ -1112,6 +1112,7 @@ IPA.entity_select_widget = function(spec){ style: 'display: none;', keypress: function(){ populate_select(); +that.show_undo(); } }).appendTo(dd); @@ -1124,10 +1125,20 @@ IPA.entity_select_widget = function(spec){ return false; } }).appendTo(dd); + +if (that.undo) { +that.create_undo(dd); +} +var undo = that.get_undo(); +undo.click(function() { +that.reset(); +}); + populate_select(); }; that.reset = function(){ that.entity_filter.val(that.values[0]); +that.hide_undo(); populate_select(that.values[0]); }; -- 1.7.3.5
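Review bot: in the @@ -1112,6 +1112,7 hunk, the handler is bound on `keypress`, which fires before the browser applies the key to the input's value, so `populate_select()` and the newly added `that.show_undo()` run against the previous filter text; select-all followed by backspace is the obvious case where the list is never refreshed. Bind on `keyup` (or the `input` event, which also covers paste) instead.

Review bot: in the @@ -1124,10 +1125,20 hunk, `var undo = that.get_undo(); undo.click(...)` is still executed outside the `if (that.undo)` guard, so a widget built without undo support calls `.click` on whatever `get_undo()` returns when `create_undo(dd)` was never run; move those lines inside the guard.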
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:

[...]

I think I got everything. Simo suggested using SYSTEM instead of READONLY so I switched to that. I also renamed the attribute to ipapermissiontype and added enforcement over mod/del.

rob

Martin found a few more problems, here is another patch.

rob

ACK, all permission tests are OK. Good job.

Martin
Re: [Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
Martin Kosek wrote:

On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:

[...]

Martin found a few more problems, here is another patch.

rob

ACK, all permission tests are OK. Good job.

Martin

pushed to master
Re: [Freeipa-devel] [PATCH] 664 entitlement support
On 02/01/2011 08:25 PM, Rob Crittenden wrote:

Jakub Hrozek wrote:

[...]

Looks good, thank you. If you can send a new patch with these squashed in, I'll just run a couple of quick tests and ack.

attached

Ack but please check that the 3-way rebase is OK and also please import socket in ipalib/plugins/entitle.py, currently it is an undefined symbol.
Re: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
On 02/01/2011 03:49 PM, Adam Young wrote:

On 02/01/2011 02:57 PM, Adam Young wrote:

Now shows undo link if the filter changes

edewata noticed that the search wasn't working under the following sequence: double click to highlight all, then backspace to remove it: the undo shows up, but the list is not updated. That was due to triggering the logic on keypress instead of key up

From 4987ebe71f95aede5525f230af679b7f93573575 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Tue, 1 Feb 2011 14:55:55 -0500 Subject: [PATCH] undo entity widget adds line level undo for the entity-select-widget now shows the undo link on filter change does JSON queries on keyup instead of keypress https://fedorahosted.org/freeipa/ticket/886 --- install/ui/widget.js | 15 +-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/install/ui/widget.js b/install/ui/widget.js index b5c02ee33314ff175223ab01ed8c5407d57414d2..8c080787b11e40693946395ce7c21ca14dc254e9 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1100,7 +1100,7 @@ IPA.entity_select_widget = function(spec){ that.entity_select = $('select/', { id: that.name + '-entity-select', change: function(){ - +that.show_undo(); } }).appendTo(dd); @@ -1110,8 +1110,9 @@ IPA.entity_select_widget = function(spec){ type: 'text', id: 'entity_filter', style: 'display: none;', -keypress: function(){ +keyup: function(){ populate_select(); +that.show_undo(); } }).appendTo(dd); 
@@ -1124,10 +1125,20 @@ IPA.entity_select_widget = function(spec){ return false; } }).appendTo(dd); + +if (that.undo) { +that.create_undo(dd); +} +var undo = that.get_undo(); +undo.click(function() { +that.reset(); +}); + populate_select(); }; that.reset = function(){ that.entity_filter.val(that.values[0]); +that.hide_undo(); populate_select(that.values[0]); }; -- 1.7.3.5
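Review bot: in the @@ -1110,8 +1110,9 hunk, switching to `keyup` fixes the stale-value problem of the keypress version, but changes that arrive without a key event (a paste from the context menu, a drag-and-drop into the field) still do not refresh the list or show the undo link; binding the same handler on the `input` event as well covers those cases.

Review bot: in the @@ -1124,10 +1125,20 hunk, `var undo = that.get_undo(); undo.click(...)` remains outside the `if (that.undo)` guard, unchanged from the earlier two revisions, so a widget created without undo support still reaches `.click` on a `get_undo()` result for an element that `create_undo(dd)` never built; please move those lines inside the guard before this is pushed.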
Re: [Freeipa-devel] [PATCH] admiyo-0185-undo-entity-widget
On 2/1/2011 3:25 PM, Adam Young wrote:

Now shows undo link if the filter changes

edewata noticed that the search wasn't working under the following sequence: double click to highlight all, then backspace to remove it: the undo shows up, but the list is not updated. That was due to triggering the logic on keypress instead of key up

ACK and pushed to master.

-- Endi S. Dewata
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Rob Crittenden rcrit...@redhat.com wrote:

Jan Zelený wrote:

Jan Zelený jzel...@redhat.com wrote:

Rob Crittenden rcrit...@redhat.com wrote:

Jan Zelený wrote:

Rob Crittenden rcrit...@redhat.com wrote:

Jan Zelený wrote:

Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class.

https://fedorahosted.org/freeipa/ticket/646

Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated.

rob

I'm sending an updated patch.

Jan

Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two.

I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.

Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer.

Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.

From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use filter for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type.

Jan

Ack but this patch needs a rebase.

rob

Rebased patch in attachment

Jan

From 0b7c6ddbc5e40e802357c01fb4d568965b77165e Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com Date: Thu, 13 Jan 2011 17:32:57 +0100 Subject: [PATCH] Changed dns permission types Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 --- ipalib/plugins/aci.py|5 +++-- ipalib/plugins/permission.py |2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 939fe535ab01bec9be0caa1952b4a36123bcc2db..d7765488fa1c48d618030564d652a90143bd0123 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -135,7 +135,7 @@ _type_map = { 'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn), 'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn), 'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn), -'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), +'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), } _valid_permissions_values = [ @@ -382,7 +382,7 @@ class aci(Object): cli_name='type', label=_('Type'), doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'), ), Str('memberof?', cli_name='memberof', diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 43bb2634d34cab8d2bb8ecbce883df8008c34645..182a02cc389c970962e93c4e1653cbbfeee3f30b 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py 
@@ -128,7 +128,7 @@ class permission(LDAPObject): cli_name='type', label=_('Type'), doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), -values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',), +values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord',), flags=('ask_create', 'ask_update'), ), Str('memberof?', -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
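Review bot: in the _type_map hunk of aci.py the 'dns' key is replaced outright instead of being kept next to the new 'dnsrecord' key, so any permission or ACI created with type 'dns' before this change will no longer resolve through _type_map after the upgrade. Either keep 'dns' as a deprecated alias pointing at the same `ldap:///idnsname=*,%s,%s` target, or state in the commit message that existing dns-typed permissions must be recreated.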
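Review bot: in the second aci.py hunk values= gains u'dnsrecord' but the adjacent doc string, doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'), is left as it was, so the help text for the type option will keep listing a set that does not include dnsrecord. Add dnsrecord to the doc string in the same hunk.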
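Review bot: the permission.py hunk has the same mismatch: values= now contains u'dnsrecord', while doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)') still advertises 'dns', which the tuple no longer accepts. Change 'dns' to 'dnsrecord' in the doc string so the documented choices match the validated ones.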
Re: [Freeipa-devel] [PATCH] Provide a way to display CLI-LDAP attribute relation
Ok, I'm sending updated patch in attachment

Should I change it in class help then? That's where I copied this from.

I think so.

Ok, I'll send another patch, so we don't mix it together with this patch. I'll do a review of the code in cli.py, maybe the same issue is elsewhere as well.

This will blow up as expected in the FIXME if an unknown command is passed in.

Fixed, thanks.

Not to be pedantic but I think it should return a non-zero error code too on error.

Yep, replaced this with exception.

ipa show-mappings user-show returns just 'rights'

If it was acting correctly, it shouldn't be displayed at all, because it is not LDAP based (and user-show doesn't take any other LDAP-based arguments/options). I'm just not sure how to do this with minimal changes. One option is to create new flag denoting whether parameter is LDAP based or not and for each parameter set it appropriately, but that is just too much effort for something that is not that important. That's why I use the 'webui' flag to filter things at least a little bit.

You should have the object Params list available, right? Can you use that to show at least some attributes?

I already thought of that, but that would add only primary key, since Params is a concatenation of Options and Args - in args there are usually only mandatory arguments (i.e. primary keys, uid in case of user-show) and options are already iterated over and printed out. I think adding this is too much effort. For one thing user-show takes no other options than --rights (and the purpose of the patch is to show mapping between CLI options and LDAP attributes) and user can always see real LDAP attributes of user object by using --raw.
Jan

From 5abec649ec6d9bfc82bc29290961cbcf9e8c94cb Mon Sep 17 00:00:00 2001
From: Jan Zeleny jzel...@redhat.com Date: Wed, 26 Jan 2011 13:09:26 +0100 Subject: [PATCH] Provide a way to display CLI-LDAP relation Since some LDAP attributes have their cli_name value defined, so they can be more user friendly, it can be difficult for user to find out which attributes do the parameteres given to CLI really represent. This patch provides new command, which will take another IPA command as and argument and display attributes which given command takes and what LDAP attributes are they mapped to. https://fedorahosted.org/freeipa/ticket/447 --- ipalib/cli.py | 23 ++- 1 files changed, 22 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index 5543301c0c9039dc67b159c06526a0bdb3581c88..fa8d36d356076103c3310b7a30f5834ec23350bd 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -47,7 +47,7 @@ import plugable import util from errors import PublicError, CommandError, HelpError, InternalError, NoSuchNamespaceError, ValidationError, NotFound, NotConfiguredError from constants import CLI_TAB -from parameters import Password, Bytes, File +from parameters import Password, Bytes, File, Str from text import _ from ipapython.version import API_VERSION @@ -779,6 +779,26 @@ class help(frontend.Local): print ' %s %s' % (to_cli(c.name).ljust(mcl), c.summary) print \n +class show_mappings(frontend.Command): +takes_args = (Str('command_name'),) +has_output = tuple() + +def run(self, command_name): +command_name = from_cli(command_name) +if command_name not in self.Command: +raise CommandError(name=command_name) +params = self.Command[command_name].options +out = [('Parameter','LDAP attribute'), + ('=','==')] +mcl = len(out[0][0]) +for param in params(): +if param.exclude and 'webui' in param.exclude: +continue +out.append((param.cli_name, param.param_spec)) +mcl = max(mcl,len(param.cli_name)) +for item in out: +print to_cli(item[0]).ljust(mcl)+' : '+item[1] + class console(frontend.Command): Start the IPA interactive Python console. 
@@ -1047,6 +1067,7 @@ cli_plugins = ( textui, console, help, +show_mappings, ) -- 1.7.3.4
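Review bot: in the show_mappings hunk `out.append((param.cli_name, param.param_spec))` prints the raw spec string, which in ipalib still carries the multiplicity suffix ('?', '*' or '+') the plugin author wrote, so a mapping line comes out as e.g. `email : mail*` instead of the bare attribute name; `param.name` is the attribute name with that suffix already stripped. Two smaller points in the same hunk: the class has no docstring, and the help hunk just above prints `c.summary` for every command, so show_mappings will show up in `ipa help` with an empty summary; and it derives from frontend.Command while the neighbouring help command derives from frontend.Local, which would make the local-only execution explicit rather than relying on the run() override.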
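The table the patch above prints (CLI option name against the LDAP attribute it stands for) is easy to get subtly wrong, because ipalib writes each parameter as a spec string such as `mail*` whose trailing character is a multiplicity flag rather than part of the attribute name. The following is an added example, not the patch's or ipalib's own code: it assumes ipalib's spec convention ('?' optional, '*' optional multivalue, '+' required multivalue, no flag required) and a constructed option list, and builds the same kind of table while keeping the flag out of the attribute column and hiding parameters marked as excluded from the web UI, as the patch does.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added illustration, not ipalib's code. Assumed ipalib convention: a spec is an
# attribute name optionally followed by one multiplicity flag:
#   '?' optional single value, '*' optional multivalue,
#   '+' required multivalue, no flag = required single value.
_SPEC_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)([?*+]?)$')


class Param(NamedTuple):
    spec: str                  # raw spec as written in the plugin, e.g. 'mail*'
    name: str                  # LDAP attribute name, e.g. 'mail'
    required: bool
    multivalue: bool
    cli_name: str              # user-facing option name, e.g. 'email'
    exclude: Tuple[str, ...]   # contexts the param is hidden from, e.g. ('webui',)


def parse_param_spec(spec: str) -> Tuple[str, bool, bool]:
    """Split 'uid?' into ('uid', required=False, multivalue=False)."""
    m = _SPEC_RE.match(spec)
    if m is None:
        raise ValueError('malformed param spec: %r' % spec)
    name, flag = m.groups()
    return name, flag in ('', '+'), flag in ('*', '+')


def make_param(spec: str, cli_name: Optional[str] = None,
               exclude: Tuple[str, ...] = ()) -> Param:
    """Build a Param; cli_name defaults to the attribute name, as in ipalib."""
    name, required, multivalue = parse_param_spec(spec)
    return Param(spec, name, required, multivalue, cli_name or name, exclude)


# Constructed subset of a user-add style option list (not taken from ipalib).
USER_ADD_OPTIONS: List[Param] = [
    make_param('givenname', cli_name='first'),
    make_param('sn', cli_name='last'),
    make_param('mail*', cli_name='email'),
    make_param('userpassword?', cli_name='password'),
    make_param('setattr*', exclude=('webui',)),   # helper option hidden from the web UI
]


def show_mappings(params: List[Param]) -> List[Tuple[str, str]]:
    """(CLI option, LDAP attribute) pairs, skipping params excluded from the web UI.

    Uses param.name rather than param.spec so the multiplicity flag never
    leaks into the attribute column.
    """
    return [(p.cli_name, p.name) for p in params if 'webui' not in p.exclude]


def format_table(rows: List[Tuple[str, str]],
                 header: Tuple[str, str] = ('Parameter', 'LDAP attribute')) -> str:
    """Render rows as 'option : attribute' lines with an aligned separator row."""
    width = max(len(r[0]) for r in [header] + rows)
    lines = [header[0].ljust(width) + ' : ' + header[1],
             '=' * width + ' : ' + '=' * len(header[1])]
    lines += [r[0].ljust(width) + ' : ' + r[1] for r in rows]
    return '\n'.join(lines)


if __name__ == '__main__':
    print(format_table(show_mappings(USER_ADD_OPTIONS)))
```

Running the block prints the four visible mappings (first, last, email, password) with their attribute names and no trailing `*` or `?`; the `setattr*` entry is dropped by the same 'webui' filter the patch uses.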
[Freeipa-devel] [PATCH] Fixed type of argument in class help
At Rob's suggestion I changed the argument type in class help, this is only oneliner, I think it can be pushed directly. Jan From f7ca20a79bf06832c20262582f5ca83ec48ff056 Mon Sep 17 00:00:00 2001 From: Jan Zeleny jzel...@redhat.com Date: Wed, 2 Feb 2011 02:49:57 -0500 Subject: [PATCH] Fixed type of argument in class help --- ipalib/cli.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index fa8d36d356076103c3310b7a30f5834ec23350bd..1e61f667913472e26dd138d885cea113919cd04e 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -609,7 +609,7 @@ class help(frontend.Local): Display help for a command or topic. -takes_args = (Bytes('command?'),) +takes_args = (Str('command?'),) has_output = tuple() -- 1.7.3.4
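Review bot: the hunk changes help's argument from Bytes to Str, but the commit message only restates the diff; it should say why (the command name is text that help looks up by name, not binary data) and, since this one-liner is a follow-up to the show_mappings patch for ticket 447, reference that patch so the two land together and the review thread that motivated the change is findable from the history.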