Re: [Freeipa-devel] [PATCHES 0024, 0025, 0027] Classless support for reverse domains
text omitted

Pushed both patches to master, but just the first to ipa-3-3 as the test updating patch did not apply (a lot). Martin, you will need to check if DNS tests pass in ipa-3-3, I assume there are changes required.

Martin

Patch for ipa-3-3 tests attached.

--
Martin^2 Basti

From ef3dda520faafce4fc9c62cef1597f68630a835c Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 31 Jan 2014 15:52:35 +0100
Subject: [PATCH] DNS tests for classless reverse domains

Ticket: https://fedorahosted.org/freeipa/ticket/4143
Backport for IPA-3-3

Conflicts:
ipatests/test_xmlrpc/test_dns_plugin.py
ipatests/test_xmlrpc/test_radiusproxy_plugin.py
---
ipatests/test_xmlrpc/test_dns_plugin.py | 309 +--
ipatests/test_xmlrpc/test_netgroup_plugin.py | 8 +-
ipatests/test_xmlrpc/test_sudorule_plugin.py | 4 +-
3 files changed, 302 insertions(+), 19 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index 1bfaee71e2e069616c3f2f58ad4d72f541cff694..9a14e3c32296922d680a2dd080b1d085e85b00d7 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -57,6 +57,95 @@ dnsrescname_dn = DN(('idnsname',dnsrescname), dnszone1_dn) dnsresdname = u'testdns-dname' dnsresdname_dn = DN(('idnsname',dnsresdname), dnszone1_dn) +zone1 = u'dnszone.test' +zone1_ip = u'172.16.29.111' +zone1_dn = DN(('idnsname',zone1), api.env.container_dns, api.env.basedn) +zone1_ns = u'ns1.%s.' % zone1 +zone1_ns_dn = DN(('idnsname','ns1'), zone1_dn) +zone1_rname = u'root.%s.' % zone1 +zone1_permission = u'Manage DNS zone %s' % zone1 +zone1_permission_dn = DN(('cn',zone1_permission), +api.env.container_permission,api.env.basedn) + +zone1_txtrec_dn = DN(('idnsname', '_kerberos'), zone1_dn) + +zone2 = u'zone2.test' +zone2_dn = DN(('idnsname', zone2), api.env.container_dns, api.env.basedn) +zone2_ns = u'ns1.%s.' % zone2 +zone2_rname = u'root.%s.' % zone2 + +zone3 = u'zone3.test' +zone3_ip = u'192.168.1.1' +zone3_ip2 = u'192.168.1.129' +zone3_dn = DN(('idnsname', zone3), api.env.container_dns, api.env.basedn) +zone3_ns = u'ns1.%s.' % zone3 +zone3_ns2 = u'ns2.%s.' % zone3 +zone3_rname = u'root.%s.' % zone3 + +zone3_ns2_arec = u'ns2' +zone3_ns2_arec_dn = DN(('idnsname',zone3_ns2_arec), zone3_dn) + +revzone1 = u'31.16.172.in-addr.arpa.' +revzone1_ip = u'172.16.31.0' +revzone1_ipprefix = u'172.16.31.' +revzone1_dn = DN(('idnsname', revzone1), api.env.container_dns, api.env.basedn) + +revzone2 = u'30.15.172.in-addr.arpa.' +revzone2_ip = u'172.15.30.0/24' +revzone2_dn = DN(('idnsname',revzone2), api.env.container_dns, api.env.basedn) + +revzone3_classless1 = u'1.168.192.in-addr.arpa.' +revzone3_classless1_ip = u'192.168.1.0' +revzone3_classless1_ipprefix = u'192.168.1.' +revzone3_classless1_dn = DN(('idnsname', revzone3_classless1), api.env.container_dns, api.env.basedn) + +revzone3_classless2 = u'128/25.1.168.192.in-addr.arpa.' +revzone3_classless2_ip = u'192.168.1.128' +revzone3_classless2_ipprefix = u'192.168.1.' 
+revzone3_classless2_dn = DN(('idnsname', revzone3_classless2), api.env.container_dns, api.env.basedn) + +name1 = u'testdnsres' +name1_dn = DN(('idnsname',name1), zone1_dn) +name1_renamed = u'testdnsres-renamed' + +revname1 = u'80' +revname1_ip = revzone1_ipprefix + revname1 +revname1_dn = DN(('idnsname',revname1), revzone1_dn) + +revname2 = u'81' +revname2_ip = revzone1_ipprefix + revname2 +revname2_dn = DN(('idnsname',revname2), revzone1_dn) + +cname = u'testcnamerec' +cname_dn = DN(('idnsname',cname), zone1_dn) + +dname = u'testdns-dname' +dname_dn = DN(('idnsname',dname), zone1_dn) + +nsrev = u'128/25' +nsrev_dn = DN(('idnsname',nsrev), revzone3_classless1_dn) + +cnamerev = u'129' +cnamerev_dn = DN(('idnsname',cnamerev), revzone3_classless1_dn) +cnamerev_hostname = u'129.128/25.1.168.192.in-addr.arpa.' + +ptr_revzone3 = u'129' +ptr_revzone3_dn = DN(('idnsname',cnamerev), revzone3_classless2_dn) +ptr_revzone3_hostname = zone3_ns2; + +relnxname = u'does-not-exist-test' +absnxname = u'does.not.exist.test.' + +arec1 = u'172.16.29.111' +arec2 = u'172.31.254.222' +arec3 = u'172.16.250.123' + +fwd_ip = u'172.16.31.80' +allowtransfer_tofwd = u'%s;' % fwd_ip + +allowquery_restricted_in = u'!192.0.2/24;any;' +allowquery_restricted_out = u'!192.0.2.0/24;any;' + class test_dns(Declarative): @classmethod @@ -78,7 +167,9 @@ class test_dns(Declarative): pass cleanup_commands = [ -('dnszone_del', [dnszone1, dnszone2, revdnszone1, revdnszone2], +('dnszone_del', [dnszone1, dnszone2, revdnszone1, revdnszone2, + zone1, zone2, zone3, revzone1, revzone2, + revzone3_classless1, revzone3_classless2], {'continue': True}), ('dnsconfig_mod', [], {'idnsforwarders' : None, 'idnsforwardpolicy' : None, @@ -123,8 +214,8 @@ class
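Review bot: In the first hunk of test_dns_plugin.py, `ptr_revzone3_dn = DN(('idnsname',cnamerev), revzone3_classless2_dn)` is built from `cnamerev` rather than from `ptr_revzone3`. Both are u'129' at the moment, so the DN is right only by coincidence; use `ptr_revzone3` so that changing either constant cannot silently point the PTR assertions at the wrong entry. The same hunk leaves a stray `;` on `ptr_revzone3_hostname = zone3_ns2;`, and several new constants repeat values defined just above them (`dname = u'testdns-dname'` next to `dnsresdname = u'testdns-dname'`); a short comment saying whether the older `dnszone1`/`dnsres*` names are being phased out would make the backport easier to follow.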
Re: [Freeipa-devel] [PATCHES] 0460-0463 - Fixes in project files
On 02/11/2014 05:18 PM, Petr Viktorin wrote:

Hello,

I have a cold and a headache today, so I couldn't concentrate on anything complicated today :( Instead I did some small changes to our project files.

0460: .mailmap
This fixes and deduplicates the output of `git shortlog -se`. It also puts proper diacritics in people's names if they don't use those in commits. The changes only appear in the shortlog. It might be a bit controversial, I'm not insisting it needs to go in, but I'll be using it so I'm sharing.

Makes sense to me, some fixes would be needed though:
1) I see both Endi S. Dewata and Endi Sukma Dewata
2) If we want to do proper diacritics, then:
s/Basti/Bašti/
s/Zuna/Zůna/
s/Slebodnik/Slebodník/

0461: Contributors.txt
Jenny changed her last name.

OK.

0462: README BUILD.txt
Update README with current info from http://www.freeipa.org/page/Leaflet, fix broken links, refresh build instructions.

I miss some note about the AD integration, we can build it on this sentence in the leaflet: Seamless integration into Active Directory Environment via cross-realm Kerberos trust or user synchronization

0463: Remove TODO
This file was just ancient cruft. We have trac for this.

OK. I am surprised this file lasted that long :)

Martin

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0460-0463 - Fixes in project files
On 11.2.2014 17:18, Petr Viktorin wrote:

Hello,

I have a cold and a headache today, so I couldn't concentrate on anything complicated today :( Instead I did some small changes to our project files.

0460: .mailmap
This fixes and deduplicates the output of `git shortlog -se`. It also puts proper diacritics in people's names if they don't use those in commits. The changes only appear in the shortlog. It might be a bit controversial, I'm not insisting it needs to go in, but I'll be using it so I'm sharing.

Kyle's mail is kybaker at redhat, not kbaker at redhat. kbaker is a different person.

0461: Contributors.txt
Jenny changed her last name.

0462: README BUILD.txt
Update README with current info from http://www.freeipa.org/page/Leaflet, fix broken links, refresh build instructions.

0463: Remove TODO
This file was just ancient cruft. We have trac for this.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCHES 0024, 0025, 0027] Classless support for reverse domains
On 02/12/2014 11:05 AM, Martin Basti wrote:

text omitted

Pushed both patches to master, but just the first to ipa-3-3 as the test updating patch did not apply (a lot). Martin, you will need to check if DNS tests pass in ipa-3-3, I assume there are changes required.

Martin

Patch for ipa-3-3 tests attached.

NACK. I see one more failure:

==
FAIL: test_host[38]: host_add: Test that validation is enabled on adds
--
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest
    self.test(*self.arg)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 283, in lambda
    func = lambda: self.check(nice, **test)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 297, in check
    self.check_exception(nice, cmd, args, options, expected)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 323, in check_exception
    assert_deepequal(expected.strerror, e.strerror)
  File /root/freeipa-master/ipatests/util.py, line 352, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  expected = uinvalid 'hostname': invalid domain-name: only letters, numbers, and - are allowed. DNS label may not start or end with -
  got = uinvalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
  path = ()

Martin
Re: [Freeipa-devel] [PATCHES] 0460-0463 - Fixes in project files
On 02/12/2014 11:11 AM, Martin Kosek wrote:
On 02/11/2014 05:18 PM, Petr Viktorin wrote:

Hello,

I have a cold and a headache today, so I couldn't concentrate on anything complicated today :( Instead I did some small changes to our project files.

0460: .mailmap
This fixes and deduplicates the output of `git shortlog -se`. It also puts proper diacritics in people's names if they don't use those in commits. The changes only appear in the shortlog. It might be a bit controversial, I'm not insisting it needs to go in, but I'll be using it so I'm sharing.

Makes sense to me, some fixes would be needed though:
1) I see both Endi S. Dewata and Endi Sukma Dewata
2) If we want to do proper diacritics, then:
s/Basti/Bašti/
s/Zuna/Zůna/
s/Slebodnik/Slebodník/

Zůna? I never knew. The rest is sloppiness on my part, apologies. Fixed, along with the issue Petr noticed (s/kbaker/kybaker/)

0461: Contributors.txt
Jenny changed her last name.

OK.

0462: README BUILD.txt
Update README with current info from http://www.freeipa.org/page/Leaflet, fix broken links, refresh build instructions.

I miss some note about the AD integration, we can build it on this sentence in the leaflet: Seamless integration into Active Directory Environment via cross-realm Kerberos trust or user synchronization

Added.

0463: Remove TODO
This file was just ancient cruft. We have trac for this.

OK. I am surprised this file lasted that long :)

Martin

Thanks for the review! Please leave pushing to me if this is ACKed, I want to test a new patch-pushing tool.

--
Petr³

From 032fbcae3c8ee36f40ac23ab578d5c012ad76e11 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 11 Feb 2014 12:10:04 +0100
Subject: [PATCH] Add a .mailmap file

This makes `git shortlog` report correct and consistent names and addresses, even for past commits where the author information is not ideal.

See git-shortlog(1)
---
.mailmap | 50 ++
1 file changed, 50 insertions(+)
create mode 100644 .mailmap
diff --git a/.mailmap b/.mailmap new file mode 100644 index ..6684a61cabfe6efd6cba11fd9251c89034734b05 --- /dev/null +++ b/.mailmap 
@@ -0,0 +1,50 @@ +Ana KrivokapiÄ akriv...@redhat.com Ana Krivokapic akriv...@redhat.com +Endi Sukma Dewata edew...@redhat.com System Administrator r...@dhcp-100-3-211.bos.redhat.com +Endi Sukma Dewata edew...@redhat.com +Jan Zelený jzel...@redhat.com +Jim Meyeringmeyer...@redhat.com j...@meyering.net +John Dennis jden...@redhat.com jdennis@VAIO +Jr Aquino jr.aqu...@citrix.com +Jr Aquino jr.aqu...@citrix.com jr.aqu...@citrix.com +Jr Aquino jr.aqu...@citrix.com jr.aqu...@citrixonline.com +Karl MacMillan kmacm...@redhat.com kmacmil...@mentalrootkit.com +Karl MacMillan kmacm...@redhat.com kmacmil...@redhat.com +Karl MacMillan kmacm...@redhat.com kmcmil...@redhat.com +Karl MacMillan kmacm...@redhat.com kmcmil...@redhat.com +Karl MacMillan kmcmil...@redhat.com kmacm...@speckledhen.hosted.redhat.com +Kevin McCarthy kmcca...@redhat.com +Kevin McCarthy kmcca...@redhat.com kmcca...@dhcp-172-16-25-136.sfbay.redhat.com +Kevin McCarthy kmcca...@redhat.com kmccar...@redhat.com +Kyle Baker kyba...@redhat.com kba...@redhat.com +Kyle Baker kyba...@redhat.com kyleba...@dhcp-100-2-212.bos.redhat.com +Kyle Baker kyba...@redhat.com root@Kyle-Bakers-MacBook-Pro.local +LubomÃr Rintel lubo.rin...@gooddata.com Lubomir Rintel lubo.rin...@gooddata.com +Lukáš SlebodnÃk lsleb...@redhat.com +Martin BaÅ¡timba...@redhat.com +Martin KoÅ¡ekmko...@redhat.com +Martin Nagy mn...@redhat.com mnagy@notas.(none) +Nalin Dahyabhai na...@redhat.com na...@dahyabhai.net +Nalin Dahyabhai na...@redhat.com nalin.dahyab...@pobox.com +Nikolai Kondrashov nkondras...@redhat.com nikolai.kondras...@redhat.com +OndÅej Hamada oham...@redhat.com +Pavel Zůna pz...@redhat.com +Pavel Zůna pz...@redhat.com root@testbox.pzuna +Pavel Zůna pz...@redhat.com root@testbox.winry +Pavel Zůna pz...@redhat.com root@webui.pzuna +Petr Å paÄek pspa...@redhat.com +Petr VobornÃk pvobo...@redhat.com +Rich Megginson rmegg...@redhat.com rich@localhost.localdomain +Rob Crittenden rcrit...@redhat.com +Rob Crittenden rcrit...@redhat.com 
rc...@ike.greyoak.com +Rob Crittenden rcrit...@redhat.com rc...@ipa.greyoak.com +Rob Crittenden rcrit...@redhat.com rc...@moon.greyoak.com +Rob Crittenden rcrit...@redhat.com rc...@rhel1.greyoak.com +Rob Crittenden rcrit...@redhat.com rcritten devnull@localhost +Rob Crittenden rcrit...@redhat.com rc...@thor.greyoak.com +Rob Crittenden rcrit...@redhat.com rc...@tove.greyoak.com +Simo Sorce sso...@redhat.coms...@redhat.com +Sumit Bose sb...@redhat.com sbose@ipa17-devel.ipa17.devel +Sumit Bose sb...@redhat.com sbose@ipa18-devel.ipa18.devel +Tomáš Babej
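Review bot: In the Karl MacMillan block of the new .mailmap, one entry has a different canonical address from its neighbours: `Karl MacMillan kmcmil...@redhat.com kmacm...@speckledhen.hosted.redhat.com` maps to `kmcmil...@redhat.com`, while the other Karl MacMillan lines map to `kmacm...@redhat.com`, so `git shortlog -se` would still report him under two addresses. Pick one canonical address for the whole block. Separately, `Kyle Baker kyba...@redhat.com kba...@redhat.com` still folds a `kba...@redhat.com` commit address into Kyle's entry; given the earlier comment in this thread that kbaker is a different person, please confirm those commits are Kyle's before rewriting their attribution.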
Re: [Freeipa-devel] [PATCHES] 0460-0463 - Fixes in project files
On 02/12/2014 01:34 PM, Petr Viktorin wrote:
On 02/12/2014 11:11 AM, Martin Kosek wrote:
On 02/11/2014 05:18 PM, Petr Viktorin wrote:

Hello,

I have a cold and a headache today, so I couldn't concentrate on anything complicated today :( Instead I did some small changes to our project files.

0460: .mailmap
This fixes and deduplicates the output of `git shortlog -se`. It also puts proper diacritics in people's names if they don't use those in commits. The changes only appear in the shortlog. It might be a bit controversial, I'm not insisting it needs to go in, but I'll be using it so I'm sharing.

Makes sense to me, some fixes would be needed though:
1) I see both Endi S. Dewata and Endi Sukma Dewata
2) If we want to do proper diacritics, then:
s/Basti/Bašti/
s/Zuna/Zůna/
s/Slebodnik/Slebodník/

Zůna? I never knew. The rest is sloppiness on my part, apologies. Fixed, along with the issue Petr noticed (s/kbaker/kybaker/)

0461: Contributors.txt
Jenny changed her last name.

OK.

0462: README BUILD.txt
Update README with current info from http://www.freeipa.org/page/Leaflet, fix broken links, refresh build instructions.

I miss some note about the AD integration, we can build it on this sentence in the leaflet: Seamless integration into Active Directory Environment via cross-realm Kerberos trust or user synchronization

Added.

0463: Remove TODO
This file was just ancient cruft. We have trac for this.

OK. I am surprised this file lasted that long :)

Martin

Thanks for the review! Please leave pushing to me if this is ACKed, I want to test a new patch-pushing tool.

Looks good to me, ACK to all! Make sure the new patch-pushing tool properly fills Reviewed-By tag ;-)

Martin
Re: [Freeipa-devel] [PATCHES 0024, 0025, 0027, 0028] Classless support for reverse domains
On Wed, 2014-02-12 at 13:12 +0100, Martin Kosek wrote:
On 02/12/2014 11:05 AM, Martin Basti wrote:

text omitted

Pushed both patches to master, but just the first to ipa-3-3 as the test updating patch did not apply (a lot). Martin, you will need to check if DNS tests pass in ipa-3-3, I assume there are changes required.

Martin

Patch for ipa-3-3 tests attached.

NACK. I see one more failure:

==
FAIL: test_host[38]: host_add: Test that validation is enabled on adds
--
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest
    self.test(*self.arg)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 283, in lambda
    func = lambda: self.check(nice, **test)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 297, in check
    self.check_exception(nice, cmd, args, options, expected)
  File /root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py, line 323, in check_exception
    assert_deepequal(expected.strerror, e.strerror)
  File /root/freeipa-master/ipatests/util.py, line 352, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  expected = uinvalid 'hostname': invalid domain-name: only letters, numbers, and - are allowed. DNS label may not start or end with -
  got = uinvalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
  path = ()

Martin

Sorry for that, patch 0028 fixes it.

Patch 0028 should be applied after 0027 to ipa-3-3 branch.
Patch 0028 should be applied to master branch too.

Patches attached.

--
Martin^2 Basti

From 71208ce44fac25c146a7e205e722cd2b63b055fa Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 12 Feb 2014 13:37:14 +0100
Subject: [PATCH] FIX test_host_plugin for DNS Classless Reverse zones

Ticket: https://fedorahosted.org/freeipa/ticket/4143
---
ipatests/test_xmlrpc/test_host_plugin.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index 7b64398fadd236b9b06723ef561cb19d61bca6d5..300e1c25e47d76d92534577e591cda174dc4fed8 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -767,8 +767,8 @@ class test_host(Declarative): desc='Test that validation is enabled on adds', command=('host_add', [invalidfqdn1], {}), expected=errors.ValidationError(name='hostname', -error=u'invalid domain-name: only letters, numbers, and - ' + -u'are allowed. DNS label may not start or end with -'), +error=uinvalid domain-name: only letters, numbers, '-' + +uare allowed. DNS label may not start or end with '-'), ), -- 1.8.3.1 From ef3dda520faafce4fc9c62cef1597f68630a835c Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Fri, 31 Jan 2014 15:52:35 +0100 Subject: [PATCH] DNS tests for classless reverse domains Ticket: https://fedorahosted.org/freeipa/ticket/4143 Backport for IPA-3-3 Conflicts: ipatests/test_xmlrpc/test_dns_plugin.py ipatests/test_xmlrpc/test_radiusproxy_plugin.py --- ipatests/test_xmlrpc/test_dns_plugin.py | 309 +-- ipatests/test_xmlrpc/test_netgroup_plugin.py | 8 +- ipatests/test_xmlrpc/test_sudorule_plugin.py | 4 +- 3 files changed, 302 insertions(+), 19 deletions(-) diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index 1bfaee71e2e069616c3f2f58ad4d72f541cff694..9a14e3c32296922d680a2dd080b1d085e85b00d7 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py 
@@ -57,6 +57,95 @@ dnsrescname_dn = DN(('idnsname',dnsrescname), dnszone1_dn) dnsresdname = u'testdns-dname' dnsresdname_dn = DN(('idnsname',dnsresdname), dnszone1_dn) +zone1 = u'dnszone.test' +zone1_ip = u'172.16.29.111' +zone1_dn = DN(('idnsname',zone1), api.env.container_dns, api.env.basedn) +zone1_ns = u'ns1.%s.' % zone1 +zone1_ns_dn = DN(('idnsname','ns1'), zone1_dn) +zone1_rname = u'root.%s.' % zone1 +zone1_permission = u'Manage DNS zone %s' % zone1 +zone1_permission_dn = DN(('cn',zone1_permission), +api.env.container_permission,api.env.basedn) + +zone1_txtrec_dn = DN(('idnsname', '_kerberos'), zone1_dn) + +zone2 = u'zone2.test' +zone2_dn = DN(('idnsname', zone2), api.env.container_dns, api.env.basedn) +zone2_ns = u'ns1.%s.' % zone2 +zone2_rname = u'root.%s.' % zone2 + +zone3 = u'zone3.test' +zone3_ip = u'192.168.1.1' +zone3_ip2 = u'192.168.1.129' +zone3_dn = DN(('idnsname', zone3), api.env.container_dns, api.env.basedn) +zone3_ns = u'ns1.%s.'
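Review bot: In the test_host_plugin.py hunk of patch 0028, the expected error is a second hand-typed copy of the validator's message, which is how this test drifted when the wording changed to quote '-'. The message is assembled from two adjacent literals, so check that the first one still ends with a space before `are allowed` (the `got` string in the failure output reads `numbers, '-' are allowed`). Consider asserting on the error's `name` plus a message taken from one shared definition rather than the full text, so that the next wording change needs a single edit.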
Re: [Freeipa-devel] [PATCHES] 0460-0463 - Fixes in project files
On 02/12/2014 01:44 PM, Martin Kosek wrote:
On 02/12/2014 01:34 PM, Petr Viktorin wrote:
On 02/12/2014 11:11 AM, Martin Kosek wrote:
On 02/11/2014 05:18 PM, Petr Viktorin wrote:

Hello,

I have a cold and a headache today, so I couldn't concentrate on anything complicated today :( Instead I did some small changes to our project files.

0460: .mailmap
This fixes and deduplicates the output of `git shortlog -se`. It also puts proper diacritics in people's names if they don't use those in commits. The changes only appear in the shortlog. It might be a bit controversial, I'm not insisting it needs to go in, but I'll be using it so I'm sharing.

Makes sense to me, some fixes would be needed though:
1) I see both Endi S. Dewata and Endi Sukma Dewata
2) If we want to do proper diacritics, then:
s/Basti/Bašti/
s/Zuna/Zůna/
s/Slebodnik/Slebodník/

Zůna? I never knew. The rest is sloppiness on my part, apologies. Fixed, along with the issue Petr noticed (s/kbaker/kybaker/)

0461: Contributors.txt
Jenny changed her last name.

OK.

0462: README BUILD.txt
Update README with current info from http://www.freeipa.org/page/Leaflet, fix broken links, refresh build instructions.

I miss some note about the AD integration, we can build it on this sentence in the leaflet: Seamless integration into Active Directory Environment via cross-realm Kerberos trust or user synchronization

Added.

0463: Remove TODO
This file was just ancient cruft. We have trac for this.

OK. I am surprised this file lasted that long :)

Martin

Thanks for the review! Please leave pushing to me if this is ACKed, I want to test a new patch-pushing tool.

Looks good to me, ACK to all! Make sure the new patch-pushing tool properly fills Reviewed-By tag ;-)

Martin

Thank you! Pushed to master: 9ae2696a858e9b928436ea68180e1234ffd44ff0

--
Petr³
Re: [Freeipa-devel] Using the Reviewed-by git tag
On 02/10/2014 01:59 PM, Martin Kosek wrote:
On 02/10/2014 01:55 PM, Petr Viktorin wrote:

[...]

I'll use some time this week to write a better patch-pushing helper that'll incorporate this.
(For the record, now we usually use https://github.com/mkosek/ipa-tools/blob/master/pushpatch.py)

That may be the best option for the short term. I would envision something like:

$ pushpatch.py freeipa-somebody-1-great.patch
...
Reviewed by:
0) Me
1) Petr Vobornik
2) Martin Kosek
3) Petr Viktorin
4) ...
99) Others:
Reviewed-By choice [0]: _

Since the time I tried using `certutil -R` from a script, I like to provide command line options instead, and limit interactivity to a [y/n] question at the end.

Martin

The tool is available for beta-testing at:
git clone https://github.com/encukou/ipa-tools.git (pushpatches.py)
or:
https://raw.github.com/encukou/ipa-tools/master/pushpatches.py

Please check the output before answering yes :)

It has a few futuristic dependencies:
sudo yum install python3-docopt python3-PyYAML python3-blessings

You need a config file in ~/.ipa/pushpatch.yaml; `pushpatches.py --help` has an example one.

My workflow is to add patches to a designated to-apply directory (mentioned in the config file), and then run something like:
dev/ipa-tools/pushpatches.py --reviewer mkosek --branch={master,ipa-3-3}
You can of course specify patches on the command line instead.
If you leave --branches out, it'll try to get the branches from ticket milestones. Please double-check if you use this.

It will also divine Bugzilla URLs from Trac tickets. It doesn't auto-open the tickets in a browser, but hopefully nowadays most terminal emulators make URLs clickable.

--
Petr³
Re: [Freeipa-devel] Using the Reviewed-by git tag
On 02/12/2014 02:36 PM, Petr Viktorin wrote:
On 02/10/2014 01:59 PM, Martin Kosek wrote:
On 02/10/2014 01:55 PM, Petr Viktorin wrote:

[...]

I'll use some time this week to write a better patch-pushing helper that'll incorporate this.
(For the record, now we usually use https://github.com/mkosek/ipa-tools/blob/master/pushpatch.py)

That may be the best option for the short term. I would envision something like:

$ pushpatch.py freeipa-somebody-1-great.patch
...
Reviewed by:
0) Me
1) Petr Vobornik
2) Martin Kosek
3) Petr Viktorin
4) ...
99) Others:
Reviewed-By choice [0]: _

Since the time I tried using `certutil -R` from a script, I like to provide command line options instead, and limit interactivity to a [y/n] question at the end.

Martin

The tool is available for beta-testing at:
git clone https://github.com/encukou/ipa-tools.git (pushpatches.py)
or:
https://raw.github.com/encukou/ipa-tools/master/pushpatches.py

Please check the output before answering yes :)

It has a few futuristic dependencies:
sudo yum install python3-docopt python3-PyYAML python3-blessings

Note: python3-docopt is only in updates-testing ATM.

Update: The tool now approximates reviewer names in ASCII (basically, it removes any diacritics). This adds a new dependency: python3-unidecode.

You need a config file in ~/.ipa/pushpatch.yaml; `pushpatches.py --help` has an example one.

My workflow is to add patches to a designated to-apply directory (mentioned in the config file), and then run something like:
dev/ipa-tools/pushpatches.py --reviewer mkosek --branch={master,ipa-3-3}
You can of course specify patches on the command line instead.
If you leave --branches out, it'll try to get the branches from ticket milestones. Please double-check if you use this.

It will also divine Bugzilla URLs from Trac tickets. It doesn't auto-open the tickets in a browser, but hopefully nowadays most terminal emulators make URLs clickable.
--
Petr³
Re: [Freeipa-devel] [PATCHES] 0455-0459 Add support for managed permissions
On 02/10/2014 04:53 PM, Petr Viktorin wrote:
On 01/31/2014 01:43 PM, Martin Kosek wrote:
On 01/24/2014 04:48 PM, Petr Viktorin wrote:
On 01/23/2014 02:42 PM, Simo Sorce wrote:
On Thu, 2014-01-23 at 13:23 +0100, Petr Viktorin wrote:
On 01/23/2014 12:24 PM, Martin Kosek wrote:
On 01/22/2014 10:27 AM, Petr Viktorin wrote:
On 01/08/2014 04:49 PM, Petr Viktorin wrote:

Hello,

This adds managed permissions, the framework that will make our default permissions merge IPA updates and user changes sanely. There is no updater yet, nor does this add any actual managed permissions, so there's no user-visible change (beyond help text and a disabled option). To test the patch you might need to touch LDAP directly.

Ticket: https://fedorahosted.org/freeipa/ticket/4033
Design (no updater plugin changes yet): http://www.freeipa.org/page/V3/Managed_Read_permissions

0447 - Minor fixes.
0448 - Since you can't create managed permissions through the API, I needed to get creative with the declarative tests. The tests will need a custom function that adds a managed perm.
0449 - The change itself.

ping; any thoughts on this one?

1) 449, the comment:

+Deleting or renaming a managed permission, as well as changing its target, +is not supported. +) + _(

I am not sure that the phrase not supported is the right one. It sounds to me like this is something we want to allow, just not implemented yet. IMO is not allowed would be better.

Makes sense.

2) Can you add allow_mod_for_managed flag description to parameters.py?

+flags={'no_create', 'allow_mod_for_managed'},

So far we try to add all flag descriptions there.

OK

3) When I updated the test to not delete the testperm, I tried to show the managed permission and it is not entirely clear, see:

# ipa permission-show testperm
  Permission name: testperm
  Permissions: write
* Attributes: cn, o, sn
* Excluded attributes: cn, sn
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
* Default attributes: l, o, cn
* Effective attributes: l, o

Well, this is a tradeoff between presenting what's stored in LDAP and what's in the ACI.

The Attributes mean actually attributes explicitly allowed by user, but it is not obvious from the output. Maybe it would be better to return only Effective attributes by default and return the 3 source lists only when --all is passed.

But this would require us to let Command override LDAPObject's default_attributes, which framework cannot do. Modifying default_attributes would not work because the 3 lists need to be loaded from LDAP to determine the effective attributes.

It's possible to remove the extra attributes in the post_callback, postprocess_result already does similar output manipulation.

Alternatively, we may choose to use the attributes differently with managed permissions:
- we add the new attributeType ipaPermIncludedAttr. It would be used for the user-specified whitelist of attributes instead of ipaPermAllowedAttr
- we do not use the ipaPermAllowedAttr with managed attributes at all or use it for the Effective attributes list

My point is that the semantics of ipaPermAllowedAttr is different for managed and non-managed permission, so it may confuse people.

Well, the semantics are always the same (effective = (default | allowed) - excluded). I agree that it can be confusing; perhaps I'm in too deep to judge how it looks from the outside.

For example, you may want to search for all permissions that allow attribute sn:

# ipa permission-find --attrs sn
-
4 permissions matched
-
  Permission name: anon
  Permissions: read
  Attributes: sn
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
...
  Permission name: testperm
  Permissions: write
  Attributes: cn, o, sn
  Excluded attributes: cn, sn
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
  Default attributes: l, o, cn
  Effective attributes: l, o
...

As you see, it matched both testperm and anon even though testperm does not really allow sn as it excluded.

Thoughts?

Well, we could have default, included, excluded attributes stored in LDAP as now (using the name included instead of allowed), and make effective attributes (--attrs) into an updatable virtual attribute: when setting it, IPA would consult the default attributes and update included/excluded accordingly. (With non-managed permissions default is empty, so only included would be updated.) And searching on --attrs would construct an appropriate filter.

I thought about this approach
Re: [Freeipa-devel] [PATCHES] 0455-0459 Add support for managed permissions
On 02/12/2014 04:57 PM, Martin Kosek wrote: On 02/10/2014 04:53 PM, Petr Viktorin wrote: On 01/31/2014 01:43 PM, Martin Kosek wrote: On 01/24/2014 04:48 PM, Petr Viktorin wrote: On 01/23/2014 02:42 PM, Simo Sorce wrote: On Thu, 2014-01-23 at 13:23 +0100, Petr Viktorin wrote: On 01/23/2014 12:24 PM, Martin Kosek wrote: On 01/22/2014 10:27 AM, Petr Viktorin wrote: On 01/08/2014 04:49 PM, Petr Viktorin wrote: Hello, This adds managed permissions, the framework that will make our default permissions merge IPA updates and user changes sanely. There is no updater yet, nor does this add any actual managed permissions, so there's no user-visible change (beyond help text and a disabled option). To test the patch you might need to touch LDAP directly. Ticket: https://fedorahosted.org/freeipa/ticket/4033 Design (no updater plugin changes yet): http://www.freeipa.org/page/V3/Managed_Read_permissions 0447 - Minor fixes. 0448 - Since you can't create managed permissions through the API, I needed to get creative with the declarative tests. The tests will need a custom function that adds a managed perm. 0449 - The change itself. ping; any thoughts on this one? 1) 449, the comment: +Deleting or renaming a managed permission, as well as changing its target, +is not supported. +) + _( I am not sure that the phrase not supported is the right one. It sounds to me like this is something we want to allow, just not implemented yet. IMO is not allowed would be better. Makes sense. 2) Can you add allow_mod_for_managed flag description to parameters.py? +flags={'no_create', 'allow_mod_for_managed'}, So far we try to add all flag descriptions there. 
OK

3) When I updated the test to not delete the testperm, I tried to show the managed permission and it is not entirely clear, see:

# ipa permission-show testperm
  Permission name: testperm
  Permissions: write
* Attributes: cn, o, sn
* Excluded attributes: cn, sn
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
* Default attributes: l, o, cn
* Effective attributes: l, o

Well, this is a tradeoff between presenting what's stored in LDAP and what's in the ACI.

The Attributes mean actually attributes explicitly allowed by user, but it is not obvious from the output. Maybe it would be better to return only Effective attributes by default and return the 3 source lists only when --all is passed.

But this would require us to let Command override LDAPObject's default_attributes, which framework cannot do. Modifying default_attributes would not work because the 3 lists need to be loaded from LDAP to determine the effective attributes.

It's possible to remove the extra attributes in the post_callback, postprocess_result already does similar output manipulation.

Alternatively, we may choose to use the attributes differently with managed permissions:
- we add the new attributeType ipaPermIncludedAttr. It would be used for the user-specified whitelist of attributes instead of ipaPermAllowedAttr
- we do not use the ipaPermAllowedAttr with managed attributes at all or use it for the Effective attributes list

My point is that the semantics of ipaPermAllowedAttr is different for managed and non-managed permission, so it may confuse people.

Well, the semantics are always the same (effective = (default | allowed) - excluded). I agree that it can be confusing; perhaps I'm in too deep to judge how it looks from the outside.
For example, you may want to search for all permissions that allow attribute sn:

# ipa permission-find --attrs sn
- 4 permissions matched -
  Permission name: anon
  Permissions: read
  Attributes: sn
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
...
  Permission name: testperm
  Permissions: write
  Attributes: cn, o, sn
  Excluded attributes: cn, sn
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  ACI target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
  Type: user
  Default attributes: l, o, cn
  Effective attributes: l, o
...

As you see, it matched both testperm and anon even though testperm does not really allow sn as it is excluded.

Thoughts?

Well, we could have default, included, excluded attributes stored in LDAP as now (using the name included instead of allowed), and make effective attributes (--attrs) into an updatable virtual attribute: when setting it, IPA would consult the default attributes and update included/excluded accordingly. (With non-managed permissions default is empty, so only included would be updated.) And searching on --attrs would construct an appropriate filter.

I thought about this approach earlier but thought that it obscured
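The attribute semantics discussed in this message, as an added example that is not part of the thread or of FreeIPA's code: it reproduces the false match on sn from the quoted output and the proposed write to the virtual effective attribute. The class and function names are hypothetical, and the ipaPermDefaultAttr and ipaPermExcludedAttr attribute type names are assumptions modelled on ipaPermAllowedAttr.

```python
import re
from dataclasses import dataclass, field

ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # refuse filter metacharacters

@dataclass
class Permission:
    name: str
    default: set = field(default_factory=set)   # shipped by IPA; empty if non-managed
    allowed: set = field(default_factory=set)   # user additions ("included")
    excluded: set = field(default_factory=set)  # user removals

    @property
    def effective(self):
        # Semantics stated in the thread: (default | allowed) - excluded
        return (self.default | self.allowed) - self.excluded

    def set_effective(self, wanted):
        # Virtual-attribute write: defaults stay fixed, both user lists are derived.
        wanted = set(wanted)
        self.allowed = wanted - self.default
        self.excluded = self.default - wanted

def find_by_stored_attr(perms, attr):
    # Matches the stored "Attributes" list only, as in the quoted output.
    return [p.name for p in perms if attr in p.allowed]

def find_by_effective_attr(perms, attr):
    return [p.name for p in perms if attr in p.effective]

def effective_attr_filter(attr):
    # LDAP filter with the same meaning; the Default/Excluded attribute type
    # names are assumptions (see lead-in), not taken from the thread.
    if not ATTR_NAME.fullmatch(attr):
        raise ValueError("not an attribute name: %r" % attr)
    return ("(&(|(ipaPermDefaultAttr={0})(ipaPermAllowedAttr={0}))"
            "(!(ipaPermExcludedAttr={0})))").format(attr)

def sample_perms():
    # Constructed from the two entries shown in the permission-find output.
    return [
        Permission("anon", allowed={"sn"}),
        Permission("testperm", default={"l", "o", "cn"},
                   allowed={"cn", "o", "sn"}, excluded={"cn", "sn"}),
    ]

if __name__ == "__main__":
    perms = sample_perms()
    print(find_by_stored_attr(perms, "sn"), find_by_effective_attr(perms, "sn"))
```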
Re: [Freeipa-devel] [Freeipa-users] SELinux user categories
On Feb 12, 2014, at 4:57 AM, Petr Viktorin pvikt...@redhat.com wrote:

Moving to freeipa-devel since we're going rather deep.

On 02/12/2014 10:02 AM, Martin Kosek wrote:
On 02/11/2014 08:52 PM, Rob Crittenden wrote:
Josh wrote:
On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com wrote:
Josh wrote:

I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?

Here is the command that was run and the output after applying the patch below:

ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).

rob

Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.

Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now.

You might consider filing a ticket in our trac about this.

Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.

I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
regards

rob

I am thinking you may be able to monkeypatch the validator in a custom plugin, like selinuxusermap-user.py which would:

    import ipalib.plugins.selinuxusermap

    def custom_selinux_usermap_validator(ugettext, user):
        ...

    ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator

Then upgrade would not destroy the change. But of course, things may break as well if for example we change the params of this function.

Martin

No, I don't think something like that will work; the validator is baked into the Param on creation. You'd have to replace `selinuxusermap.takes_params` with a copy that has a new `ipaselinuxuser` Param.

I’m ok with the patch being removed on subsequent upgrades to the software. I only need the validator modified during the initial setup. After that the setting won’t need to be changed.

-josh

--
Petr³

___
Freeipa-users mailing list
freeipa-us...@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Incompatible schema change in master
Hello,

Commit 3db0822 (pushed yesterday) changes the schema in a way that will make schema upgrades from 445634d (2013-12-13) fail. If you have recently installed from git master, you will need to re-install IPA on that machine instead of upgrading.

This does not affect any released versions of FreeIPA.

--
Petr³