Re: [Freeipa-devel] [PATCH] 1031 run cleanallruv task
On Thu, 2012-09-06 at 17:17 -0400, Rob Crittenden wrote: Martin Kosek wrote: On 09/06/2012 05:55 PM, Rob Crittenden wrote: Rob Crittenden wrote: Rob Crittenden wrote: Martin Kosek wrote: On 09/05/2012 08:06 PM, Rob Crittenden wrote: Rob Crittenden wrote: Martin Kosek wrote: On 07/05/2012 08:39 PM, Rob Crittenden wrote: Martin Kosek wrote: On 07/03/2012 04:41 PM, Rob Crittenden wrote:

Deleting a replica can leave a replication vector (RUV) on the other servers. This can confuse things if the replica is re-added, and it also causes the server to calculate changes against a server that may no longer exist.

389-ds-base provides a new task that self-propagates itself to all available replicas to clean this RUV data. This patch will create this task at deletion time to hopefully clean things up.

It isn't perfect. If any replica is down or unavailable at the time the cleanruv task fires, and then comes back up, the old RUV data may be re-propagated around.

To make things easier in this case I've added two new commands to ipa-replica-manage. The first lists the replication ids of all the servers we have a RUV for. Using this you can call clean_ruv with the replication id of a server that no longer exists to try the cleanallruv step again.

This is quite dangerous though. If you run cleanruv against a replica id that does exist it can cause a loss of data. I believe I've put in enough scary warnings about this.

rob

Good work there, this should make cleaning RUVs much easier than with the previous version. This is what I found during review:

1) list_ruv and clean_ruv command help in man is quite lost. I think it would help if we for example have all info for commands indented. This way user could simply over-look the new commands in the man page.

2) I would rename new commands to clean-ruv and list-ruv to make them consistent with the rest of the commands (re-initialize, force-sync).

3) It would be nice to be able to run clean_ruv command in an unattended way (for better testing), i.e. respect --force option as we already do for ipa-replica-manage del. This fix would aid test automation in the future.

4) (minor) The new question (and the del too) does not react too well for CTRL+D:

# ipa-replica-manage clean_ruv 3 --force
Clean the Replication Update Vector for vm-055.idm.lab.bos.redhat.com:389
Cleaning the wrong replica ID will cause that server to no longer replicate so it may miss updates while the process is running. It would need to be re-initialized to maintain consistency. Be very careful.
Continue to clean? [no]: unexpected error:

5) Help for clean_ruv command without a required parameter is quite confusing as it reports that command is wrong and not the parameter:

# ipa-replica-manage clean_ruv
Usage: ipa-replica-manage [options]
ipa-replica-manage: error: must provide a command [clean_ruv | force-sync | disconnect | connect | del | re-initialize | list | list_ruv]

It seems you just forgot to specify the error message in the command definition

6) When the remote replica is down, the clean_ruv command fails with an unexpected error:

[root@vm-086 ~]# ipa-replica-manage clean_ruv 5
Clean the Replication Update Vector for vm-055.idm.lab.bos.redhat.com:389
Cleaning the wrong replica ID will cause that server to no longer replicate so it may miss updates while the process is running. It would need to be re-initialized to maintain consistency. Be very careful.
Continue to clean? [no]: y
unexpected error: {'desc': 'Operations error'}

/var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors:
[04/Jul/2012:06:28:16 -0400] NSMMReplicationPlugin - cleanAllRUV_task: failed to connect to replagreement connection (cn=meTovm-055.idm.lab.bos.redhat.com,cn=replica, cn=dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config), error 105
[04/Jul/2012:06:28:16 -0400] NSMMReplicationPlugin - cleanAllRUV_task: replica (cn=meTovm-055.idm.lab. bos.redhat.com,cn=replica,cn=dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree, cn=config) has not been cleaned. You will need to rerun the CLEANALLRUV task on this replica.
[04/Jul/2012:06:28:16 -0400] NSMMReplicationPlugin - cleanAllRUV_task: Task failed (1)

In this case I think we should inform user that the command failed, possibly because of disconnected replicas and that they could enable the replicas and try again.

7) (minor) pass is now redundant in replication.py:

+except ldap.INSUFFICIENT_ACCESS: +# We can't make the server we're removing read-only but +# this isn't a show-stopper +root_logger.debug(No permission to switch replica to read-only, continuing anyway)
Re: [Freeipa-devel] [PATCH] 1050 prevent replica orphans
On Thu, 2012-09-06 at 17:22 -0400, Rob Crittenden wrote: Martin Kosek wrote: On 08/31/2012 07:40 PM, Rob Crittenden wrote: Rob Crittenden wrote:

It was possible to use ipa-replica-manage connect/disconnect/del to end up orphaning one or more IPA masters. This is an attempt to catch and prevent that case.

I tested with this topology, trying to delete B.

A - B - C

I got here by creating B and C from A, connecting B to C then deleting the link from A to B, so it went from A - B and A - C to the above.

What I do is look up the servers that the delete candidate host has connections to and see if we're the last link.

I added an escape clause if there are only two masters.

rob

Oh, this relies on my cleanruv patch 1031.

rob

1) When I run ipa-replica-manage del --force to an already uninstalled host, the new code will prevent the deletion because it cannot connect to it. It also crashes with UnboundLocalError:

# ipa-replica-manage del vm-055.idm.lab.bos.redhat.com --force
Unable to connect to replica vm-055.idm.lab.bos.redhat.com, forcing removal
Traceback (most recent call last):
File /sbin/ipa-replica-manage, line 708, in module
main()
File /sbin/ipa-replica-manage, line 677, in main
del_master(realm, args[1], options)
File /sbin/ipa-replica-manage, line 476, in del_master
sys.exit(Failed read master data from '%s': %s % (delrepl.hostname, str(e)))
UnboundLocalError: local variable 'delrepl' referenced before assignment

Fixed.

I also hit this error when removing a winsync replica.

Fixed.

2) As I wrote before, I think having --force option override the user inquiries would benefit test automation:

+if not ipautil.user_input(Continue to delete?, False): +sys.exit(Aborted)

Fixed.

3) I don't think this code won't cover this topology:

A - B - C - D - E

It would allow you deleting a replica C even though it would separate A-B and D-E. Though we may not want to cover this situation now, what you got is definitely helping.

I think you may be right. I only tested with 4 servers. With this B and D would both still have 2 agreements so wouldn't be covered by the last link test.

Everything looks good now, so ACK. We just need to push it along with CLEANALLRUV patch.

Martin

___
Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
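The gap raised in point 3 of the thread above, shown as an added example (not code from the FreeIPA patch): the last-link test next to a general connectivity check that also catches the A - B - C - D - E case. All function names here are hypothetical, and the topologies are the two drawn in the messages.

```python
from collections import deque

def build_topology(agreements):
    """Turn (master, master) replication agreements into an adjacency map."""
    topo = {}
    for a, b in agreements:
        topo.setdefault(a, set()).add(b)
        topo.setdefault(b, set()).add(a)
    return topo

def last_link_orphans(topo, candidate):
    """Peers whose only agreement is with the candidate (the last-link test)."""
    if len(topo) <= 2:
        # Escape clause described in the thread: only two masters exist.
        return []
    return sorted(p for p in topo[candidate] if topo[p] == {candidate})

def partitions_after_delete(topo, candidate):
    """Groups of masters that can still reach each other without candidate."""
    remaining = set(topo) - {candidate}
    groups = []
    while remaining:
        start = min(remaining)
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            # Follow every agreement except those through the deleted master.
            for peer in topo[node] - {candidate} - seen:
                seen.add(peer)
                queue.append(peer)
        groups.append(sorted(seen))
        remaining -= seen
    return groups

def safe_to_delete(topo, candidate):
    """True when the surviving masters still form one connected topology."""
    return len(partitions_after_delete(topo, candidate)) <= 1

if __name__ == "__main__":
    chain3 = build_topology([("A", "B"), ("B", "C")])
    chain5 = build_topology([("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")])
    # Deleting B from A - B - C: the last-link test flags both neighbours.
    print(last_link_orphans(chain3, "B"))
    # Deleting C from the five-node chain: B and D each keep another
    # agreement, so the last-link test reports nothing ...
    print(last_link_orphans(chain5, "C"))
    # ... while the connectivity check shows the split into A-B and D-E.
    print(partitions_after_delete(chain5, "C"))
```

The connectivity check costs one traversal of the agreement graph per delete request, so it can run in addition to the last-link test rather than instead of it.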
Re: [Freeipa-devel] [PATCH] 1052 add version to prepared replica files
On Fri, 2012-08-31 at 13:49 -0400, Rob Crittenden wrote:

When installing a replica in an upgrade situation we want to be sure we install the same version or higher.

This will have to bake a bit until the next full version of IPA but the idea is to prevent installing a newer replica file on an older server.

To test this you need to rip apart a prepared file and tweak the version forward or backward. To do this, do something like:

# gpg -d replica-info-pitbull.example.com.gpg | tar xf -
# edit realm_info/realm_info
# tar cf replica-info-pitbull.example.com realm_info
# gpg --batch --homedir `pwd`/.gnupg --passphrase-fd 0 --yes --no-tty -o replica-info-pitbull.example.com.gpg -c replica-info-pitbull.example.com
type in DM password

rob

Works fine. ACK. Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 305 Update DNS zone allow-query validation test
On Thu, 2012-09-06 at 14:00 +0200, Martin Kosek wrote: On 09/06/2012 01:35 PM, Petr Vobornik wrote: On 09/06/2012 11:51 AM, Martin Kosek wrote:

Loopback address, localhost and localnets ACIs are no longer an issue for bind-dyndb-ldap. Allow them in our validators.

Martin's patch works and looks good - ACK. Attaching patch for Web UI part.

Web UI validator works fine too, ACK. Pushed both patches to master, ipa-3-0.

Martin

I forgot to fix one DNS zone unit test. Fixed (patch attached) and pushed as a one(two)-liner.

Martin

From adeb23af6feb6bee8fe28644c8e16888bc98b7ea Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 7 Sep 2012 13:49:15 +0200
Subject: [PATCH] Update DNS zone allow-query validation test

localhost and localnets ACIs are now allowed. Update the respective unit test.

--- tests/test_xmlrpc/test_dns_plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index e5c8a7c03c5faf88607576ff32a6a6866d8f8c4f..e8c0b241cc56261061de3cf4397ec097683f10a9 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -1038,9 +1038,9 @@ class test_dns(Declarative): dict( desc='Try to add invalid allow-query to zone %r' % dnszone1, -command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'localhost'}), +command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'foo'}), expected=errors.ValidationError(name='allow_query', -error=u'ACL name localhost is not supported'), +error=ufailed to detect a valid IP address from u'foo'), ), dict( -- 1.7.11.4
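Review bot: The replacement case in the `@@ -1038,9 +1038,9 @@` hunk only shows that an arbitrary string (`u'foo'`) is still rejected; nothing in it asserts that `localhost` or `localnets` is now accepted, which is the behaviour the commit message says changed. Consider adding a positive `dnszone_mod` case with `{'idnsallowquery': u'localhost'}` beside this one, so that a validator regression which starts rejecting those ACL names again fails this test file.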
[Freeipa-devel] [PATCH] 211 Prevent opening of multiple dirty dialogs on navigation
Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog.

Assuming that calling dirty dialog's callback can be evaluated as dirty state is gone, we can call reset in the callback to prevent the issue.

There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet.

https://fedorahosted.org/freeipa/ticket/2667

--
Petr Vobornik

From 30f0c69ed718796806ccfc1dd1a4d9243980cb5f Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Fri, 7 Sep 2012 14:24:58 +0200
Subject: [PATCH] Prevent opening of multiple dirty dialogs on navigation

Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog.

Assuming that calling dirty dialog's callback can be evaluated as dirty state is gone, we can call reset in the callback to prevent the issue.

There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet.

https://fedorahosted.org/freeipa/ticket/2667

--- install/ui/navigation.js | 5 + 1 file changed, 5 insertions(+) diff --git a/install/ui/navigation.js b/install/ui/navigation.js index 502b05490217e1c90b157ce4a242813e8e9968ab..deef37dd8a73128e5de2b3e9725e5161d5406b1c 100644 --- a/install/ui/navigation.js +++ b/install/ui/navigation.js 
@@ -134,6 +134,11 @@ IPA.navigation = function(spec) { }); dialog.callback = function() { + +// Some facet's might not call reset before this call but after +// so they are still dirty. Calling reset prevent's opening of +// dirty dialog again. +if (prev_facet.is_dirty()) prev_facet.reset(); $.bbq.pushState(params); }; -- 1.7.11.4
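Review bot: In `dialog.callback`, the added `if (prev_facet.is_dirty()) prev_facet.reset();` discards whatever is still pending in the facet, so it is only safe if the callback is reached after the user's changes were saved or deliberately dropped; if the callback can also run after an update that failed, the edits would be lost without notice. State that precondition in the comment above the call, and fix the apostrophes in it while there ("facet's" should be "facets", "prevent's" should be "prevents").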
Re: [Freeipa-devel] [PATCH] 306 Cast DNS SOA serial maximum boundary to long
On Fri, 2012-09-07 at 09:38 -0400, Rob Crittenden wrote: Martin Kosek wrote:

This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.

--

I verified that IPA now builds both on i386 and x86_64 platforms.

Martin

ACK

Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 306 Cast DNS SOA serial maximum boundary to long
Martin Kosek wrote:

This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.

--

I verified that IPA now builds both on i386 and x86_64 platforms.

Martin

ACK
Re: [Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys
On 6.9.2012 17:47, Jan Cholasta wrote: On 5.9.2012 22:57, Rob Crittenden wrote: Jan Cholasta wrote:

Hi,

this patch changes the format of the sshpubkey parameter to the format used by OpenSSH (see sshd(8)).

Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually is.

Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys.

Note that you need a SSSD build including https://fedorahosted.org/sssd/changeset/f130a609a840d4548c795ce5e63afb5891358e20/ (SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually work with OpenSSH-style public keys.

https://fedorahosted.org/freeipa/ticket/2932
https://fedorahosted.org/freeipa/ticket/2935

Honza

NACK. I think a bunch of tests are needed for this. Because you abstracted out the pubkey class it should be straightforward to add a bunch of class-based unit tests on it. There are also no user or host-based tests, either for adding or managing keys.

Tests added.

I tested backwards compatibility with 2.2 and the initial tests are mixed. I installed 2.2 and created a 3.0 clone from it, including your patch.

Do people actually do that in real deployments?

I added a user in 3.0 with a key and it added ok, but on the 2.2 side it returns the entire base64 encoded blob of key type, key and comment, which I presume is unusable. At least things don't blow up.

The format of ipasshpubkey in LDAP has changed, so there's not much I can do about this.

The reverse works fine. An old-style key added to 2.2 appears to work fine in 3.0, we just lack a comment.
On the 2.2 server:

$ ipa user-show tuser1 --all | grep -i ssh
Base-64 encoded SSH public key: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDNUQyRTI2dHU5YXM2cHhlUVlSdUgzelYyUDUzMjFpR1U5aC9XNElpd0tGSGlOc2p5cXFyemhCUFB3am83dGlYRDlHbUo1M25KS21OTGd0K01XUnFTZEx2R0V3NjM3SkVTWEpGL0VWeUxvZEFWRGltdXFRVkNLWjBRcm1kYjErRUg1VGRrd3ByOExyd0g1a0RzMEVpcGc2c0xoRUZ5NzMvaXNjRkJqcmk0NGxSU1BZNXFHTWFLOVE0cjY1WFEyaytlZ1RDQnBNZnc0b0J6Mzh0ZHVEVVE2bW9XNFhQSnhZeWJ3MGFDMnRUK2RBOU42WndFSFZXREUzdzg0bHRHa0JRZFRaKzViRnBFdlladm9PbkZXdDlNZFIzYVd6UklnY1o5VDlySDFFT2Z3eE5zWVRCLzRjTmg3dS9adGxnMVV0Z1VteWN3TkpMTUYrMTNzNTl2OFFpSFogcmNyaXRAZWRzZWwuZ3JleW9hay5jb20=

$ python
Python 2.7.3 (default, Jul 24 2012, 10:05:38)
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
Type help, copyright, credits or license for more information.
import base64
s = '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'
base64.b64decode(s)
'ssh-rsa B3NzaC1yc2EDAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ rc...@edsel.greyoak.com'

Now show an old style key:

$ ipa user-show tuser2 --all | grep -i ssh
Base-64 encoded SSH public key: B3NzaC1yc2EDAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5

rob

Updated patch attached.

Honza

Rebased patch attached.
Honza

--
Jan Cholasta

From d1fdf351cf33346455d2cbc8bb7e907fac909c86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 3 Sep 2012 09:33:30 -0400
Subject: [PATCH] Use OpenSSH-style public keys as the preferred format of SSH public keys.

Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually is.

Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys.

ticket 2932, 2935

--- API.txt | 8 +- VERSION | 2 +-
Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts
On 24.8.2012 23:52, Rob Crittenden wrote:

A couple of issues were found in the CA renewal scripts. The api wasn't being initialized so restart_dirsrv() didn't have access to api.env.startup_timeout()

I believe it was I who misled you into removing it when I reviewed the original CA renewal patch. Sorry :-)

A cert was missing from our list of certs to translate into CS.cfg directives.

rob

ACK.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts
Jan Cholasta wrote: On 24.8.2012 23:52, Rob Crittenden wrote:

A couple of issues were found in the CA renewal scripts. The api wasn't being initialized so restart_dirsrv() didn't have access to api.env.startup_timeout()

I believe it was I who misled you into removing it when I reviewed the original CA renewal patch. Sorry :-)

A cert was missing from our list of certs to translate into CS.cfg directives.

rob

ACK.

Honza

pushed to master and ipa-3-0
Re: [Freeipa-devel] [PATCH] 83 Use OpenSSH-style public keys as the preferred format of SSH public keys
Jan Cholasta wrote: On 6.9.2012 17:47, Jan Cholasta wrote: On 5.9.2012 22:57, Rob Crittenden wrote: Jan Cholasta wrote:

Hi,

this patch changes the format of the sshpubkey parameter to the format used by OpenSSH (see sshd(8)).

Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually is.

Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys.

Note that you need a SSSD build including https://fedorahosted.org/sssd/changeset/f130a609a840d4548c795ce5e63afb5891358e20/ (SSSD 1.9.0beta7-to-be) in order to make OpenSSH integration actually work with OpenSSH-style public keys.

https://fedorahosted.org/freeipa/ticket/2932
https://fedorahosted.org/freeipa/ticket/2935

Honza

NACK. I think a bunch of tests are needed for this. Because you abstracted out the pubkey class it should be straightforward to add a bunch of class-based unit tests on it. There are also no user or host-based tests, either for adding or managing keys.

Tests added.

I tested backwards compatibility with 2.2 and the initial tests are mixed. I installed 2.2 and created a 3.0 clone from it, including your patch.

Do people actually do that in real deployments?

I added a user in 3.0 with a key and it added ok, but on the 2.2 side it returns the entire base64 encoded blob of key type, key and comment, which I presume is unusable. At least things don't blow up.

The format of ipasshpubkey in LDAP has changed, so there's not much I can do about this.

The reverse works fine. An old-style key added to 2.2 appears to work fine in 3.0, we just lack a comment.
On the 2.2 server:

$ ipa user-show tuser1 --all | grep -i ssh
Base-64 encoded SSH public key: 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

$ python
Python 2.7.3 (default, Jul 24 2012, 10:05:38)
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
Type help, copyright, credits or license for more information.
import base64
s = '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'
base64.b64decode(s)
'ssh-rsa B3NzaC1yc2EDAQABAAABAQC5D2E26tu9as6pxeQYRuH3zV2P5321iGU9h/W4IiwKFHiNsjyqqrzhBPPwjo7tiXD9GmJ53nJKmNLgt+MWRqSdLvGEw637JESXJF/EVyLodAVDimuqQVCKZ0Qrmdb1+EH5Tdkwpr8LrwH5kDs0Eipg6sLhEFy73/iscFBjri44lRSPY5qGMaK9Q4r65XQ2k+egTCBpMfw4oBz38tduDUQ6moW4XPJxYybw0aC2tT+dA9N6ZwEHVWDE3w84ltGkBQdTZ+5bFpEvYZvoOnFWt9MdR3aWzRIgcZ9T9rH1EOfwxNsYTB/4cNh7u/Ztlg1UtgUmycwNJLMF+13s59v8QiHZ rc...@edsel.greyoak.com'

Now show an old style key:

$ ipa user-show tuser2 --all | grep -i ssh
Base-64 encoded SSH public key: B3NzaC1yc2EDAQABAAABAQCbRLyizFGyfucNRnHpWdUG8dBD7W2PfvTQ42k+LmAdUFudTytO89oTRXcVEYMDL42OyRth12JRMUjYTEmFwo9a9Mb7cP8+bo7N2lV4iCB0CUybcZARF0MV6NeYhhWlC9DV40nkqs3Goe8X8tMPXn/HZn8Rz33703w8K/G6STnN0txhAT4tY7D3e0DA9UY87wNnpJ7dXoJqMXRv2dRgmUnGih/8cLHypyxBoLoL8qR9cWxAf/Cs+qQmsk15lzIGQUAJwwXBBjbnXKwykEeHjTHsvjd7zzC1cWtz5Zz/8aop7AsVwaBqb9u+5dVOMxdzLGD24NKTjhtG86ADU4Mpnlb5

rob

Updated patch attached.

Honza

Rebased patch attached.

Honza

ACK. I merged in a change that adds e-mail to one test and pushed to master and ipa-3-0.

rob
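The two stored formats discussed in this thread, and why a reader that base64-encodes the attribute shows a string beginning `c3NoLXJzYSB...` for a new-style value, as an added example (not the FreeIPA pubkey class). Function names are hypothetical, and the sample blob is constructed for the example and is not a usable key.

```python
import base64
import struct

def pack_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, offset):
    """Read one length-prefixed field, rejecting truncated input."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[offset + 4:end], end

def blob_key_type(blob):
    """Return the key type named inside a raw RFC 4253 public key blob."""
    name, offset = read_string(blob, 0)
    if not name or not all(0x21 <= c <= 0x7E for c in name):
        raise ValueError("blob does not start with a key type name")
    if offset >= len(blob):
        raise ValueError("blob carries no key material")
    while offset < len(blob):          # walk every field so junk is rejected
        _, offset = read_string(blob, offset)
    return name.decode("ascii")

def normalize(value, comment=None):
    """Accept a raw blob or an OpenSSH-style line; return the OpenSSH line."""
    try:
        blob, key_type = value, blob_key_type(value)      # old format
    except ValueError:
        fields = value.decode("ascii").split(None, 2)     # new format
        if len(fields) < 2:
            raise ValueError("neither a raw blob nor an OpenSSH-style line")
        blob = base64.b64decode(fields[1], validate=True)
        key_type = blob_key_type(blob)
        if key_type != fields[0]:
            raise ValueError("key type does not match the blob")
        if len(fields) == 3:
            comment = fields[2].strip()
    line = "%s %s" % (key_type, base64.b64encode(blob).decode("ascii"))
    return line + (" " + comment if comment else "")

def legacy_view(stored):
    """What a reader that treats the attribute as an opaque blob displays."""
    return base64.b64encode(stored).decode("ascii")

# Constructed sample: ssh-rsa, e = 65537, and a filler modulus (not a real key).
SAMPLE_BLOB = (pack_string(b"ssh-rsa") + pack_string(b"\x01\x00\x01")
               + pack_string(b"\x00" + bytes(range(0x80, 0xC0))))

if __name__ == "__main__":
    line = normalize(SAMPLE_BLOB, "constructed@example")
    print(line)                              # OpenSSH-style form
    print(legacy_view(SAMPLE_BLOB)[:24])     # old value shown by an old reader
    print(legacy_view(line.encode())[:24])   # new value shown by an old reader
```

An old-style value passes through `legacy_view` as the familiar key base64, while a new-style value comes out as base64 of the whole `type key comment` line, which is the difference between the tuser2 and tuser1 output above.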
Re: [Freeipa-devel] [PATCH] 205 Reflect API change of SSH store in Web UI
Endi Sukma Dewata wrote: On 9/5/2012 3:14 AM, Petr Vobornik wrote:

Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in an object.

Label was changed to reflect that the key doesn't have to be plain base64 encoded blob.

https://fedorahosted.org/freeipa/ticket/2989

Note: freeipa-jcholast-83-openssh-style-public-keys.patch should be applied

ACK. Possible improvements:

1. Right now if you click 'Add' SSH public key you'd have to click 'Show/Set key' to enter the value. We probably could make it such that when you click 'Add' it will open the input dialog immediately. This way we can avoid an incomplete state where a slot for a new key is added but it's empty.

2. If we do #1 the 'New: key set/not set' label can be changed to 'New key'. The 'Modified' can be changed to 'Modified key'.

3. The 'Show/Set key' probably can be changed to 'View/Edit' to be more consistent with host/service certificate.

pushed to ipa-3-0 and master

rob