date:20131022

[Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

2013-10-22 Thread Tomas Babej


Hi,

Adds support for host definition by a environment variables of the
following form:

KEYWORDHOST__envX, where X is the number of the environment
for which host referenced by a keyword should be defined.

You can also optionally use KEYWORDHOST__IP_envX to define
the IP address directly, otherwise the framework will try to resolve
the hostname.

Adds a required_keyword_hosts attribute to the IntegrationTest class,
which can test developer use to specify the keyword hosts that this
particular test requires. If not all required keyword hosts are
available, the test will be skipped.

All keyword hosts are accessible to the IntegrationTests via the
keyword_hosts attribute, which contains a dictionary keyed by the
keywords.

Part of: https://fedorahosted.org/freeipa/ticket/3833

--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


From 5c3527b3008fb0512e93b985c8cb486087c8a9e4 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 16 Oct 2013 13:54:26 +0200
Subject: [PATCH] ipatests: Add support for hosts referenced by a keyword

Adds support for host definition by a environment variables of the
following form:

KEYWORDHOST_keyword_envX, where X is the number of the environment
for which host referenced by a keyword keyword should be defined.

You can also optionally use KEYWORDHOST_keyword_IP_envX to define
the IP address directly, otherwise the framework will try to resolve
the hostname.

Adds a required_keyword_hosts attribute to the IntegrationTest class,
which can test developer use to specify the keyword hosts that this
particular test requires. If not all required keyword hosts are
available, the test will be skipped.

All keyword hosts are accessible to the IntegrationTests via the
keyword_hosts attribute, which contains a dictionary keyed by the
keywords.

Part of: https://fedorahosted.org/freeipa/ticket/3833
---
 ipatests/ipa-test-config| 19 +++--
 ipatests/man/ipa-test-config.1  | 17 +++
 ipatests/test_integration/base.py   | 16 ++-
 ipatests/test_integration/config.py | 57 +
 ipatests/test_integration/host.py   | 22 +-
 5 files changed, 116 insertions(+), 15 deletions(-)

diff --git a/ipatests/ipa-test-config b/ipatests/ipa-test-config
index 538ae3530d5b3959dd4516ac78f5a85d6f2bfaf4..288dbeeae1fa40a51010e091dacbf8b184e60788 100755
--- a/ipatests/ipa-test-config
+++ b/ipatests/ipa-test-config
@@ -55,6 +55,9 @@ def main(argv):
 parser.add_argument('--client', type=int,
 help='Print config for the client with this number')
 
+parser.add_argument('--keyword', type=str,
+help='Print config for machine with this keyword')
+
 parser.add_argument('--no-simple', dest='simple', action='store_false',
 help='Do not print Simple Vars '
  '(normally included backwards-compatibility)')
@@ -121,18 +124,30 @@ def get_object(conf, args):
 
 if args.master:
 return domain.master
+
 elif args.replica:
 num = int(args.replica) - 1
 try:
 return domain.replicas[args.replica]
 except LookupError:
-exit('Domain %s not found in domain %s' % (args.replica, domain.name))
+exit('Domain %s not found in domain %s' % (args.replica,
+   domain.name))
+
 elif args.client:
 num = int(args.client) - 1
 try:
 return domain.replicas[args.client]
 except LookupError:
-exit('Client %s not found in domain %s' % (args.client, domain.name))
+exit('Client %s not found in domain %s' % (args.client,
+   domain.name))
+
+elif args.keyword:
+try:
+return domain.keyword_hosts[args.keyword]
+except LookupError:
+exit('Keyword host %s not found in domain %s' % (args.keyword,
+ domain.name))
+
 else:
 return domain
 
diff --git a/ipatests/man/ipa-test-config.1 b/ipatests/man/ipa-test-config.1
index c0fad910326b0aa897336ac3fdf530461ce2c4e8..893a72bad4a41ddc8f5a1391a9df4fa6ed22521c 100644
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -65,6 +65,9 @@ Output configuration for the replica with the given number
 \fB\-\-replica\fR
 Output configuration for the client with the given number
 .TP
+\fB\-\-keyword\fR
+Output configuration for the host with the given keyword.
+.TP
 \fB\-\-no\-simple\fR
 Do not output Simple Vars.
 These are normally included for backwards compatibility.
@@ -95,6 +98,20 @@ Host configuration:
 \fB$BEAKER\fRrolenum\fB_IP_env\fRe, e.g.

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

2013-10-22 Thread Petr Viktorin


On 10/22/2013 09:20 AM, Tomas Babej wrote:

Hi,

Adds support for host definition by a environment variables of the
following form:

KEYWORDHOST__envX, where X is the number of the environment
for which host referenced by a keyword should be defined.

You can also optionally use KEYWORDHOST__IP_envX to define
the IP address directly, otherwise the framework will try to resolve
the hostname.

Adds a required_keyword_hosts attribute to the IntegrationTest class,
which can test developer use to specify the keyword hosts that this
particular test requires. If not all required keyword hosts are
available, the test will be skipped.

All keyword hosts are accessible to the IntegrationTests via the
keyword_hosts attribute, which contains a dictionary keyed by the
keywords.



Why is this necessary?
What's wrong with just extending the current scheme with more roles?


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

2013-10-22 Thread Tomas Babej


On 10/22/2013 09:54 AM, Petr Viktorin wrote:

On 10/22/2013 09:20 AM, Tomas Babej wrote:

Hi,

Adds support for host definition by a environment variables of the
following form:

KEYWORDHOST__envX, where X is the number of the environment
for which host referenced by a keyword should be defined.

You can also optionally use KEYWORDHOST__IP_envX to define
the IP address directly, otherwise the framework will try to resolve
the hostname.

Adds a required_keyword_hosts attribute to the IntegrationTest class,
which can test developer use to specify the keyword hosts that this
particular test requires. If not all required keyword hosts are
available, the test will be skipped.

All keyword hosts are accessible to the IntegrationTests via the
keyword_hosts attribute, which contains a dictionary keyed by the
keywords.



Why is this necessary?
What's wrong with just extending the current scheme with more roles?




The need for keyword hosts arised with the implementation of the legacy 
client test suite.


As each of these tests needs a precise type (pre-defined and 
pre-configured) of VM, and not a generic client, you need to restrict 
the test case to specific host type.


One test might be restricted to RHEL 5.10 with nss-pam-ldapd, another to 
FreeBSD, next one to CentOS with nss-pam-ldapd, next to CentOS with old 
version of SSSD...


Each testcase that needs a new type of preconfigured host, we would need 
to introduce a new role, which would need to be integrated in the 
framework. In such implementation, we would lose loose coupling between 
the test framework and the test themselves, and make them less pluggable.


HTH,

--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

2013-10-22 Thread Petr Viktorin


Replying to one part only:

On 10/21/2013 04:50 PM, Tomas Babej wrote:

On 10/16/2013 03:44 PM, Petr Viktorin wrote:


I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).

But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].


I would rather not join IPA and AD domains as they even cannot be in the
same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.


You're right that they should never share the same domain. But you 
should never say never, especially in testing -- what if we'll want to, 
in the future, test that the records *do* clash, or that IPA refuses to 
install in an AD domain?


Another problem is that they are now separate namespaces. In all code 
that deals with domains you have to deal separately with the list of AD 
domains and separately with IPA domains. This makes every piece of code 
that doesn't care much about what type of domain it's dealing with 
(configuration, listing, possible automation scripts for turning on the 
VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite hard, 
especially after more code is written with this split in mind.


Do keep the domain type, though. tl;dr I'd really prefer domain 1 
(IPA); domain 2 (AD) rather than IPA domain 1; AD domain 1.


If needed we can have a special check that would reject IPA masters in 
AD domains and vice versa, if that really turns out to be necessary.



As we already pass ad_domain flag to Domain.from_env, I did incorporate
code that joins the machines to the domain depending on the their role.
Is that a viable solution for you?


Sorry. I think this design is less sustainable than having a shared 
namespace for the domains.



--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

2013-10-22 Thread Martin Kosek

On 10/22/2013 02:41 AM, Dean Hunter wrote:
 This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
 Guide currently has a procedure carried over from the 2.2 User Guide.
 And the procedure will be different, again, for the 3.4 User Guide. The
 procedure is based on
 http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
 
 https://fedorahosted.org/freeipa/ticket/3756

Hi Dean,

Thanks for the patch! I have few comments though.

1) ipa-client-install in the first paragraph should be in code. I also think
there should be a short introduction of the section instead of directly jumping
to editing configs.

I think that a modification of the previous one would work. Something like that:
~~~
Actually implementing sudo policies is more complicated than simply creating
the rules in FreeIPA. Those rules need to be applied to every local machine,
which means that each system in the FreeIPA domain has to be configured to
refer to FreeIPA for its policies.

This example specifically configures a Fedora client for sudo rules. The sudo
on client is configured to use SSSD as a source of the policies:
...
~~~

2) I see that in the configuration examples you already pasted executable
scripts from your automation.

However, I think that the echo and sed like examples will not bring enough
clarity for the users. I would rather prefer the standard examples (as in other
places in the guide) showing how the file should look like and leave the
automation on user (if he needs it), i.e.

~~~
vim /etc/nsswitch.conf

sudoers:  files ldap
~~~
instead of

~~~
[root@ipaclient] ~]# echo sudoers:files sss /etc/nsswitch.conf
~~~

or

~~~
[domain/example.com]
krb5_server = ipa.example.com
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = EXAMPLE.COM
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_uri = ldap://ipa.example.com
sudo_provider = ldap
~~~

instead of

~~~
[root@ipaclient] ~]# sed /^\[domain\/example.com\]/ a\\
 krb5_server = ipa.example.com\\
 ldap_sasl_authid = host/hostname.example.com\\
 ldap_sasl_mech = GSSAPI\\
 ldap_sasl_realm = EXAMPLE.COM\\
 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
 ldap_uri = ldap://ipa.example.com\\
 sudo_provider = ldap /etc/sssd/sssd.conf
~~~

etc.

This will make the examples easier to read and consistent with the rest of the
guide.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

2013-10-22 Thread Petr Viktorin


On 10/22/2013 10:09 AM, Tomas Babej wrote:

On 10/22/2013 09:54 AM, Petr Viktorin wrote:

On 10/22/2013 09:20 AM, Tomas Babej wrote:

Hi,

Adds support for host definition by a environment variables of the
following form:

KEYWORDHOST__envX, where X is the number of the environment
for which host referenced by a keyword should be defined.

You can also optionally use KEYWORDHOST__IP_envX to define
the IP address directly, otherwise the framework will try to resolve
the hostname.

Adds a required_keyword_hosts attribute to the IntegrationTest class,
which can test developer use to specify the keyword hosts that this
particular test requires. If not all required keyword hosts are
available, the test will be skipped.

All keyword hosts are accessible to the IntegrationTests via the
keyword_hosts attribute, which contains a dictionary keyed by the
keywords.



Why is this necessary?
What's wrong with just extending the current scheme with more roles?




The need for keyword hosts arised with the implementation of the legacy
client test suite.

As each of these tests needs a precise type (pre-defined and
pre-configured) of VM, and not a generic client, you need to restrict
the test case to specific host type.

One test might be restricted to RHEL 5.10 with nss-pam-ldapd, another to
FreeBSD, next one to CentOS with nss-pam-ldapd, next to CentOS with old
version of SSSD...

Each testcase that needs a new type of preconfigured host, we would need
to introduce a new role, which would need to be integrated in the
framework. In such implementation, we would lose loose coupling between
the test framework and the test themselves, and make them less pluggable.


The framework itself (excluding the configuration part) should be able 
to handle this nicely using the existing role mechanism. It's true that 
in some places it's currently hard-wired to just a few roles, but 
supporting completely custom roles shouldn't be a problem.
I'd prefer if this system was used, rather than basically adding a 
second role system, which we'd have to support even if we get rid of the 
current config part.


The envvar-based configuration is not as flexible, but I'd rather make 
this part somewhat unpleasant than making the framework complex. We plan 
to move to a simpler configuration method anyway.
That said, you can basically keep the variable name scheme you use in 
this patch; just maybe use TESTHOST rather than KEYWORDHOST.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

2013-10-22 Thread Martin Basti

On Tue, 2013-10-22 at 10:39 +0200, Martin Kosek wrote:
 On 10/22/2013 02:41 AM, Dean Hunter wrote:
  This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
  Guide currently has a procedure carried over from the 2.2 User Guide.
  And the procedure will be different, again, for the 3.4 User Guide. The
  procedure is based on
  http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
  
  https://fedorahosted.org/freeipa/ticket/3756
 
 Hi Dean,
 
 Thanks for the patch! I have few comments though.
 
 1) ipa-client-install in the first paragraph should be in code. I also think
 there should be a short introduction of the section instead of directly 
 jumping
 to editing configs.
 
I suggest to use commandipa-client-install/command.

 I think that a modification of the previous one would work. Something like 
 that:
 ~~~
 Actually implementing sudo policies is more complicated than simply creating
 the rules in FreeIPA. Those rules need to be applied to every local machine,
 which means that each system in the FreeIPA domain has to be configured to
 refer to FreeIPA for its policies.
 
 This example specifically configures a Fedora client for sudo rules. The sudo
 on client is configured to use SSSD as a source of the policies:
 ...
 ~~~
Here is something from SSSD presentation which can helps you too:
The SSSD works as a middleman between sudo command and the FreeIPA server.
The SSSD caches sudo rules for a period of time, what makes sudo works even if 
the network is offline.

 2) I see that in the configuration examples you already pasted executable
 scripts from your automation.
 
 However, I think that the echo and sed like examples will not bring enough
 clarity for the users. I would rather prefer the standard examples (as in 
 other
 places in the guide) showing how the file should look like and leave the
 automation on user (if he needs it), i.e.
 
 ~~~
 vim /etc/nsswitch.conf
 
 sudoers:  files ldap
 ~~~
 instead of
 
 ~~~
 [root@ipaclient] ~]# echo sudoers:files sss /etc/nsswitch.conf
 ~~~
 
 or
 
 ~~~
 [domain/example.com]
 krb5_server = ipa.example.com
 ldap_sasl_authid = host/hostname.example.com
 ldap_sasl_mech = GSSAPI
 ldap_sasl_realm = EXAMPLE.COM
 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
 ldap_uri = ldap://ipa.example.com
 sudo_provider = ldap
 ~~~
 
 instead of
 
 ~~~
 [root@ipaclient] ~]# sed /^\[domain\/example.com\]/ a\\
  krb5_server = ipa.example.com\\
  ldap_sasl_authid = host/hostname.example.com\\
  ldap_sasl_mech = GSSAPI\\
  ldap_sasl_realm = EXAMPLE.COM\\
  ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
  ldap_uri = ldap://ipa.example.com\\
  sudo_provider = ldap /etc/sssd/sssd.conf
 ~~~
 
 etc.
 
 This will make the examples easier to read and consistent with the rest of the
 guide.
 
 Martin
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

2013-10-22 Thread Tomas Babej


On 10/22/2013 10:37 AM, Petr Viktorin wrote:

Replying to one part only:

On 10/21/2013 04:50 PM, Tomas Babej wrote:

On 10/16/2013 03:44 PM, Petr Viktorin wrote:


I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).

But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].


I would rather not join IPA and AD domains as they even cannot be in the
same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.


You're right that they should never share the same domain. But you 
should never say never, especially in testing -- what if we'll want 
to, in the future, test that the records *do* clash, or that IPA 
refuses to install in an AD domain?




You could still set AD_env1 and MASTER_env1 to have the same domain.

Another problem is that they are now separate namespaces. In all code 
that deals with domains you have to deal separately with the list of 
AD domains and separately with IPA domains. This makes every piece of 
code that doesn't care much about what type of domain it's dealing 
with (configuration, listing, possible automation scripts for turning 
on the VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite hard, 
especially after more code is written with this split in mind.


Do keep the domain type, though. tl;dr I'd really prefer domain 1 
(IPA); domain 2 (AD) rather than IPA domain 1; AD domain 1.


This will, however, require filtering the domains depending on the fact 
whether they contain AD or not. If a testcase wants to access an AD 
domain, it will still need to loop over the list of domains to see which 
ones are of AD type.


Any code that does not care what domain type it's dealing with, can 
easily access all the domains by chaining the respective iterables. We 
could have a wrapper in the Config class for that, along the lines of 
get_all_domains().


So what I see here is that we're trading one complexity over another.

I think we can agree on your approach since it hides the complexity from 
the user, especially in the ipa-test-config, which I admit is getting 
rather ugly, as we need to introduce new option there and that causes 
splitting.




If needed we can have a special check that would reject IPA masters in 
AD domains and vice versa, if that really turns out to be necessary.




With this check we should be fine.


As we already pass ad_domain flag to Domain.from_env, I did incorporate
code that joins the machines to the domain depending on the their role.
Is that a viable solution for you?


Sorry. I think this design is less sustainable than having a shared 
namespace for the domains.




I'll send revised patchset soon.


--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

2013-10-22 Thread Dean Hunter

On Tue, 2013-10-22 at 10:39 +0200, Martin Kosek wrote:

 On 10/22/2013 02:41 AM, Dean Hunter wrote:
  This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
  Guide currently has a procedure carried over from the 2.2 User Guide.
  And the procedure will be different, again, for the 3.4 User Guide. The
  procedure is based on
  http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
  
  https://fedorahosted.org/freeipa/ticket/3756
 
 Hi Dean,
 
 Thanks for the patch! I have few comments though.
 
 1) ipa-client-install in the first paragraph should be in code. I also think
 there should be a short introduction of the section instead of directly 
 jumping
 to editing configs.
 
 I think that a modification of the previous one would work. Something like 
 that:
 ~~~
 Actually implementing sudo policies is more complicated than simply creating
 the rules in FreeIPA. Those rules need to be applied to every local machine,
 which means that each system in the FreeIPA domain has to be configured to
 refer to FreeIPA for its policies.
 
 This example specifically configures a Fedora client for sudo rules. The sudo
 on client is configured to use SSSD as a source of the policies:
 ...
 ~~~


For this reason I considered moving the entire section to chapter 3,
Setting up Systems as FreeIPA Clients.


 2) I see that in the configuration examples you already pasted executable
 scripts from your automation.
 
 However, I think that the echo and sed like examples will not bring enough
 clarity for the users. I would rather prefer the standard examples (as in 
 other
 places in the guide) showing how the file should look like and leave the
 automation on user (if he needs it), i.e.
 
 ~~~
 vim /etc/nsswitch.conf
 
 sudoers:  files ldap
 ~~~
 instead of
 
 ~~~
 [root@ipaclient] ~]# echo sudoers:files sss /etc/nsswitch.conf
 ~~~
 
 or
 
 ~~~
 [domain/example.com]
 krb5_server = ipa.example.com
 ldap_sasl_authid = host/hostname.example.com
 ldap_sasl_mech = GSSAPI
 ldap_sasl_realm = EXAMPLE.COM
 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
 ldap_uri = ldap://ipa.example.com
 sudo_provider = ldap
 ~~~
 
 instead of
 
 ~~~
 [root@ipaclient] ~]# sed /^\[domain\/example.com\]/ a\\
  krb5_server = ipa.example.com\\
  ldap_sasl_authid = host/hostname.example.com\\
  ldap_sasl_mech = GSSAPI\\
  ldap_sasl_realm = EXAMPLE.COM\\
  ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
  ldap_uri = ldap://ipa.example.com\\
  sudo_provider = ldap /etc/sssd/sssd.conf
 ~~~
 
 etc.
 
 This will make the examples easier to read and consistent with the rest of the
 guide.



What instead of How, got it. So even vim /etc/nsswitch.conf should
not be specified, just list the changed lines of the affected file.


 Martin


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

2013-10-22 Thread Tomas Babej


On 10/22/2013 12:27 PM, Tomas Babej wrote:

On 10/22/2013 10:37 AM, Petr Viktorin wrote:

Replying to one part only:

On 10/21/2013 04:50 PM, Tomas Babej wrote:

On 10/16/2013 03:44 PM, Petr Viktorin wrote:


I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).

But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].


I would rather not join IPA and AD domains as they even cannot be in 
the

same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.


You're right that they should never share the same domain. But you 
should never say never, especially in testing -- what if we'll want 
to, in the future, test that the records *do* clash, or that IPA 
refuses to install in an AD domain?




You could still set AD_env1 and MASTER_env1 to have the same domain.

Another problem is that they are now separate namespaces. In all code 
that deals with domains you have to deal separately with the list of 
AD domains and separately with IPA domains. This makes every piece of 
code that doesn't care much about what type of domain it's dealing 
with (configuration, listing, possible automation scripts for turning 
on the VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite 
hard, especially after more code is written with this split in mind.


Do keep the domain type, though. tl;dr I'd really prefer domain 1 
(IPA); domain 2 (AD) rather than IPA domain 1; AD domain 1.


This will, however, require filtering the domains depending on the 
fact whether they contain AD or not. If a testcase wants to access an 
AD domain, it will still need to loop over the list of domains to see 
which ones are of AD type.


Any code that does not care what domain type it's dealing with, can 
easily access all the domains by chaining the respective iterables. We 
could have a wrapper in the Config class for that, along the lines of 
get_all_domains().


So what I see here is that we're trading one complexity over another.

I think we can agree on your approach since it hides the complexity 
from the user, especially in the ipa-test-config, which I admit is 
getting rather ugly, as we need to introduce new option there and that 
causes splitting.




If needed we can have a special check that would reject IPA masters 
in AD domains and vice versa, if that really turns out to be necessary.




With this check we should be fine.


As we already pass ad_domain flag to Domain.from_env, I did incorporate
code that joins the machines to the domain depending on the their role.
Is that a viable solution for you?


Sorry. I think this design is less sustainable than having a shared 
namespace for the domains.




I'll send revised patchset soon.



Updated patchset attached.


--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From a23c379a865d5005539b7eb0ada76e36768b0f53 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 14 Oct 2013 16:37:55 +0200
Subject: [PATCH 106/107] ipatests: Add AD integration test case

Part of: https://fedorahosted.org/freeipa/ticket/3834
---
 ipatests/test_integration/test_trust.py | 182 
 1 file changed, 182 insertions(+)
 create mode 100644 ipatests/test_integration/test_trust.py

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
new file mode 100644
index ..343c9785b0bd74b891638443e9699268e1366254
--- /dev/null
+++ b/ipatests/test_integration/test_trust.py
@@ -0,0 +1,182 @@
+# Authors:
+#   Tomas Babej tba...@redhat.com
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see http://www.gnu.org/licenses/.
+
+import re
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+from ipatests.test_integration import util
+
+
+class ADTrustBase(IntegrationTest):
+Provides common checks for the AD trust integration testing.
+
+topology = 'line'
+

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

2013-10-22 Thread Tomas Babej


On 10/22/2013 02:15 PM, Tomas Babej wrote:

On 10/22/2013 12:27 PM, Tomas Babej wrote:

On 10/22/2013 10:37 AM, Petr Viktorin wrote:

Replying to one part only:

On 10/21/2013 04:50 PM, Tomas Babej wrote:

On 10/16/2013 03:44 PM, Petr Viktorin wrote:


I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).

But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].


I would rather not join IPA and AD domains as they even cannot be 
in the

same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.


You're right that they should never share the same domain. But you 
should never say never, especially in testing -- what if we'll want 
to, in the future, test that the records *do* clash, or that IPA 
refuses to install in an AD domain?




You could still set AD_env1 and MASTER_env1 to have the same domain.

Another problem is that they are now separate namespaces. In all 
code that deals with domains you have to deal separately with the 
list of AD domains and separately with IPA domains. This makes every 
piece of code that doesn't care much about what type of domain it's 
dealing with (configuration, listing, possible automation scripts 
for turning on the VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite 
hard, especially after more code is written with this split in mind.


Do keep the domain type, though. tl;dr I'd really prefer domain 1 
(IPA); domain 2 (AD) rather than IPA domain 1; AD domain 1.


This will, however, require filtering the domains depending on the 
fact whether they contain AD or not. If a testcase wants to access an 
AD domain, it will still need to loop over the list of domains to see 
which ones are of AD type.


Any code that does not care what domain type it's dealing with, can 
easily access all the domains by chaining the respective iterables. 
We could have a wrapper in the Config class for that, along the lines 
of get_all_domains().


So what I see here is that we're trading one complexity over another.

I think we can agree on your approach since it hides the complexity 
from the user, especially in the ipa-test-config, which I admit is 
getting rather ugly, as we need to introduce new option there and 
that causes splitting.




If needed we can have a special check that would reject IPA masters 
in AD domains and vice versa, if that really turns out to be necessary.




With this check we should be fine.

As we already pass ad_domain flag to Domain.from_env, I did 
incorporate
code that joins the machines to the domain depending on the their 
role.

Is that a viable solution for you?


Sorry. I think this design is less sustainable than having a shared 
namespace for the domains.




I'll send revised patchset soon.



Updated patchset attached.




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Attaching the patch 100 I missed.

--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 6f2dc306542540f0db1c27f4efc301574bfdcf60 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 4 Sep 2013 14:12:28 +0200
Subject: [PATCH 100/107] ipatests: Add Active Directory support to
 configuration

Part of: https://fedorahosted.org/freeipa/ticket/3834
---
 ipatests/man/ipa-test-config.1  | 20 +++-
 ipatests/test_integration/config.py | 30 --
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/ipatests/man/ipa-test-config.1 b/ipatests/man/ipa-test-config.1
index 4b998adb4f65265f4b0cfc49cac2979740562db5..a2fa96b57129b5adad3c15cfe7e97b8a6c9724d0 100644
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -69,6 +69,11 @@ These are normally included for backwards compatibility.
 .SH ENVIRONMENT VARIABLES
 
 .TP
+Domain configuration:
+Domain is implicitly defined by _envX suffix of the environment variables,
+if either AD_envX or MASTER_envX is defined.
+
+.TP
 Host configuration:
 
 .TP
@@ -81,9 +86,14 @@ Host configuration:
 \fB$CLIENT\fR
 FQDNs of IPA clients (space-separated)
 .TP
-\fB$MASTER_env2\fR, \fB$REPLICA_env2\fR, \fB$CLIENT_env2\fR, \fB$MASTER_env3\fR, ...
+\fB$MASTER_env2\fR, \fB$REPLICA_env2\fR, \fB$CLIENT_env2\fR, \fB$MASTER_env3\fR, \fB$AD_env4\fR,...
 can be used for additional domains when needed
 .TP
+\fB$AD_env1\fR, \fB$AD_env2\fR, \fB$AD_env3\fR, \fB$AD_env4\fR, ...
+can be used to define Active Directory domains. Please note that these
+domains are not separate from the IPA domains, so please

[Freeipa-devel] FreeIPA.org/Documentation improvements: request for comments

2013-10-22 Thread Petr Spacek


Hello list,

here is never-ending discussion about freeipa.org wiki and documentation. Any 
opinions are more than welcome! (Each participating user will receive 
e-thank-you e-mail, I promise! :-D)


We started the discussion privately and then realized that we should move it 
to mailing list, so some ideas are on the table. This doesn't mean that we 
have to stick with any of current proposals! Bring you ideas!


On 22.10.2013 15:00, Simo Sorce wrote:

On Tue, 2013-10-22 at 13:29 +0200, Martin Kosek wrote:

On 10/21/2013 06:14 PM, Petr Spacek wrote:

On 21.10.2013 16:24, Martin Kosek wrote:

On 10/21/2013 03:54 PM, Dmitri Pal wrote:

On 10/21/2013 04:28 AM, Petr Spacek wrote:

[snip]

http://www.freeipa.org/page/Documentation needs significant
improvement, I agree.

[snip]


Sure. Though I am already tracking this page. Since summer, I have been
continuously working on merging the documentation on FreeIPA (like some obscure
Tips or three different FAQ sections), obsoleting information that is obsolete
and adding warnings or moving v1/v2 development-specific documentation to
specific name spaces to avoid them interfering with standard doc and other
changes.

I think the Documentation page is easier to digest already, compared to what
was there before:

http://www.freeipa.org/index.php?title=Documentationdiff=6912oldid=6203

So instead of FreeIPA.org wiki is wrong, awful and eats little puppies I
would prefer to see some concrete ideas for improvements or better UX so that I
can follow up on them and continue driving it to be better.


Sure :-) Here are my proposals:


Thank you!


- move Developer Documentation away from /Documentation to separate page


Why? It will make it less visible. I think that it contain a lot of useful
information, even for users/power-users.


I agree this will plunge us back to the old wiki which was bad.


I don't belive that regular users search/read design docs. Is the design 
valueable for normal user? Then

a) relevant information should be extracted to a article for users
AND/OR
b) the design page should be linked directly from Components/FAQ/how-to


- move section By Component to the end of the page - it is mostly empty ...
(of course, we can move it back to the beginning after some time!)


Can be done, though it would be even better to simply add the component
documentation - otherwise we are just hiding a missing doc, not fixing it.


Indeed, my aim in creating the section was to highlight what people
would like to see and entice some of us in producing more content. It is
time we do. If we do it right we'll have great value for our users.

And right is not hard, perhaps a bit tedious, but it is just about
describing with medium level details the various components with
particular care in describing how they interact with others (9bonus
point if links between the various pages are provided when we mention
interactions.

Seem a good project for a new engineer that needs to go through and
understand what is going on. By writing these pages he'll have to ask
the right questions to older engineers and put them into words, I found
it is an invaluable way to actually get to understand the big picture.


My point is that the wiki should expose useful information *at the beginning*.

I definitelly agree that filling the wiki with information is much better than 
hidding empty pages, but this great idea doesn't help to users looking for 
help right now.


I propose to move Components to the end (or before Devel docs) for now - 
simply to make more valuable sections more visible.


My intention is to make the /Documentation page more useful right now and I 
belive that this trivial re-ordering will help with that.


Sure, we can move Components back as soon as it will contain some useful 
information.


Does it explain my intention?


- merge Additional Resources section with FreeIPA Training Series section
and Public Presentations section


How FAQ or HOWTOs relate to Training Series or Public Presentations? Or you
just meant placing them close together?


I also failed to understand this, they are completely different
categories.

The videos and presentations are for people that want generic info. The
HowTo/Faqs are for peopl that have a specific problem and are looking
for a solution.


Exactly. That is what I proposed below - separate sections 'marketing' (high 
level stuff) and 'get your hands dirty' (the useful stuff). See below.



- pull all how-tos to /Documentation


I am not sure that placing all these articles directly to /Documentation would
make it simpler. I understand /Documentation rather as a focal point of all
documentation, which can lead you directly to the information you seek.


I can see you point. The reply to this matter continues at the end of e-mail, 
I noticed that you wrote some other points about how-tos there.



They should be in a Troubleshooting section at most, but they are
clearly Documentation.


I'm not following you. How is How to

[Freeipa-devel] [PATCH] 0076 Add test for external CA installation

2013-10-22 Thread Ana Krivokapic

Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3819

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 0bc373fe9a8d6f7ed1cc2cd82bf9a69f0a8613d5 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Tue, 22 Oct 2013 20:00:18 +0200
Subject: [PATCH] Add test for external CA installation

https://fedorahosted.org/freeipa/ticket/3819
---
 ipatests/test_integration/test_external_ca.py | 107 ++
 1 file changed, 107 insertions(+)
 create mode 100644 ipatests/test_integration/test_external_ca.py

diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
new file mode 100644
index ..747990cff5d93a481a8032ed0e7be13cdb6f8d55
--- /dev/null
+++ b/ipatests/test_integration/test_external_ca.py
@@ -0,0 +1,107 @@
+# Authors:
+#   Ana Krivokapic akriv...@redhat.com
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see http://www.gnu.org/licenses/.
+import os
+
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+
+class TestExternalCA(IntegrationTest):
+
+Test of FreeIPA server installation with exernal CA
+
+def test_external_ca(self):
+# Step 1 of ipa-server-install
+self.master.run_command([
+'ipa-server-install', '-U',
+'-a', self.master.config.admin_password,
+'-p', self.master.config.dirman_password,
+'--setup-dns', '--no-forwarders',
+'-r', self.master.domain.name,
+'--external-ca'
+])
+
+nss_db = os.path.join(self.master.config.test_dir, 'testdb')
+external_cert_file = os.path.join(nss_db, 'ipa.crt')
+external_ca_file = os.path.join(nss_db, 'ca.crt')
+noisefile = os.path.join(self.master.config.test_dir, 'noise.txt')
+pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt')
+
+# Create noise and password files for NSS database
+self.master.run_command('date | sha256sum  %s' % noisefile)
+self.master.run_command('echo %s  %s' %
+(self.master.config.admin_password, pwdfile))
+
+# Create NSS database
+self.master.run_command(['mkdir', nss_db])
+self.master.run_command([
+'certutil', '-N',
+'-d', nss_db,
+'-f', pwdfile
+])
+
+# Create external CA
+self.master.run_command([
+'certutil', '-S',
+'-d', nss_db,
+'-f', pwdfile,
+'-n', 'external',
+'-s', 'CN=External CA, O=%s' % self.master.domain.name,
+'-x',
+'-t', 'CTu,CTu,CTu',
+'-g', '2048',
+'-m', '0',
+'-v', '60',
+'-z', noisefile,
+'-2', '-1', '-5'
+], stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n')
+
+# Sign IPA cert request using the external CA
+self.master.run_command([
+'certutil', '-C',
+'-d', nss_db,
+'-f', pwdfile,
+'-c', 'external',
+'-m', '1',
+'-v', '60',
+'-2', '-1', '-5',
+'-i', '/root/ipa.csr',
+'-o', external_cert_file,
+'-a'
+], stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n')
+
+# Export external CA file
+self.master.run_command(
+'certutil -L -d %s -n external -a  %s' %
+(nss_db, external_ca_file)
+)
+
+# Step 2 of ipa-server-install
+self.master.run_command([
+'ipa-server-install',
+'-a', self.master.config.admin_password,
+'-p', self.master.config.dirman_password,
+'--external_cert_file', external_cert_file,
+'--external_ca_file', external_ca_file
+])
+
+# Make sure IPA server is working properly
+tasks.kinit_admin(self.master)
+result = self.master.run_command(['ipa', 'user-show', 'admin'])
+assert 'User login: admin' in result.stdout_text
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Re: [Freeipa-devel] [PATCH 0121] ipatests: Add support for hosts referenced by a keyword

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

Re: [Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

Re: [Freeipa-devel] [PATCHES 100-106] Initial implementation of AD integration tests

[Freeipa-devel] FreeIPA.org/Documentation improvements: request for comments

[Freeipa-devel] [PATCH] 0076 Add test for external CA installation

13 matches

Site Navigation

Mail list logo

Footer information