Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-19 Thread thierry bordaz

On 02/04/2015 05:14 PM, Jan Cholasta wrote:

Hi,

Dne 4.2.2015 v 15:25 David Kupka napsal(a):

On 02/03/2015 11:50 AM, thierry bordaz wrote:

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead
import the module itself and use e.g. `baseldap.LDAPObject`.

The stageuser help (docstring) is copied from the user plugin, and
discusses things like account lockout and disabling users. It should
rather explain what stageuser itself does. (And I don't very much
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user
or stageuser.

A lot of the code is copied and pasted over from the users plugin.
Don't do that. Either import things (e.g. validate_nsaccountlock)
from the users plugin, or move the reused code into a shared module.

For the `user` object, since so much is the same, it might be best to
create a common base class for user and stageuser; and similarly for
the Command plugins.

The default permissions need different names, and you don't need
another copy of the 'non_object' ones. Also, run the makeaci script.


Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry






___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



Thanks David for the reviews. Here are the last patches.







The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).

The ULC feature is still WIP but these patches look good to me and don't
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then
prepare other patches delivering the rest of ULC functionality.


A few comments from just reading the patches:

1) I would name the base class baseuser; account does not
necessarily mean user account.


2) This is very wrong:

-class user_add(LDAPCreate):
+class user_add(user, LDAPCreate):

You are creating a plugin which is both an object and a command.

3) This is purely subjective, but I don't like the name deleteuser, 
as it has a verb in it. We usually don't do that and IMHO we shouldn't 
do that.


Honza



Thank you for the review. I am attaching the updated patches.




From db08427b9d5f40fc5bccf73929726c568c2b2add Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 09:37:23 +0200
Subject: [PATCH 1/2] User Life Cycle: Exclude subtree for ipaUniqueID
 generation

IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 93da0f15b8acfc02beddf4e884a735897a7513fe..ffade14672e8cd9e3f3e18d45a0a7095a6341d30 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -64,6 +64,7 @@
 #define IPAUUID_GENERATE ipaUuidMagicRegen
 #define IPAUUID_FILTER   ipaUuidFilter
 #define IPAUUID_SCOPEipaUuidScope
+#define IPAUUID_EXCLUDE_SUBTREE  ipaUuidExcludeSubtree
 #define IPAUUID_ENFORCE  ipaUuidEnforce
 
 #define IPAUUID_FEATURE_DESC  IPA UUID
@@ -91,6 +92,7 @@ struct configEntry {
 Slapi_Filter *slapi_filter;
 char *generate;
 char *scope;
+char *exclude_subtree;
 bool enforce;
 };
 
@@ -537,6 +539,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
 }
 LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope);
 
+value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE);
+entry-exclude_subtree = value;
+LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree);
+
 entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
 LOG_CONFIG(-- %s [%s]\n,

Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-19 Thread Martin Basti

On 19/02/15 13:01, thierry bordaz wrote:

On 02/04/2015 05:14 PM, Jan Cholasta wrote:

Hi,

Dne 4.2.2015 v 15:25 David Kupka napsal(a):

On 02/03/2015 11:50 AM, thierry bordaz wrote:

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead
import the module itself and use e.g. `baseldap.LDAPObject`.

The stageuser help (docstring) is copied from the user plugin, and
discusses things like account lockout and disabling users. It should
rather explain what stageuser itself does. (And I don't very much
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user
or stageuser.

A lot of the code is copied and pasted over from the users plugin.
Don't do that. Either import things (e.g. validate_nsaccountlock)
from the users plugin, or move the reused code into a shared module.

For the `user` object, since so much is the same, it might be best to
create a common base class for user and stageuser; and similarly for
the Command plugins.

The default permissions need different names, and you don't need
another copy of the 'non_object' ones. Also, run the makeaci script.


Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry









Thanks David for the reviews. Here are the last patches.







The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).

The ULC feature is still WIP, but these patches look good to me and don't
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then
prepare other patches delivering the rest of the ULC functionality.


A few comments from just reading the patches:

1) I would name the base class baseuser; account does not
necessarily mean user account.


2) This is very wrong:

-class user_add(LDAPCreate):
+class user_add(user, LDAPCreate):

You are creating a plugin which is both an object and a command.

3) This is purely subjective, but I don't like the name deleteuser,
as it has a verb in it. We usually don't do that and IMHO we shouldn't
do that.


Honza



Thank you for the review. I am attaching the updated patches.







Hello,
I'm getting errors during make rpms:

if [  != yes ]; then \
./makeapi --validate; \
./makeaci --validate; \
fi

/root/freeipa/ipalib/plugins/baseuser.py:641 command baseuser_add doc 
is not internationalized
/root/freeipa/ipalib/plugins/baseuser.py:653 command baseuser_find doc 
is not internationalized
/root/freeipa/ipalib/plugins/baseuser.py:647 command baseuser_mod doc 
is not internationalized

0 commands without doc, 3 commands whose doc is not i18n
Command baseuser_add in ipalib, not in API
Command baseuser_find in ipalib, not in API
Command baseuser_mod in ipalib, not in API

There are one or more new commands defined.
Update API.txt and increment the minor version in VERSION.

There are one or more documentation problems.
You must fix these before preceeding

Issues probably caused by this:
1)
You should not use the register decorator if this class is just for
inheritance.

@register()
class baseuser_add(LDAPCreate):

@register()
class baseuser_mod(LDAPUpdate):

@register()
class baseuser_find(LDAPSearch):

see dns.py plugin and DNSZoneBase and dnszone classes

2)
there might be an issue with
@register()
class baseuser(LDAPObject):

the register decorator should not be there; I was warned by Petr^3 not
to use permissions in a parent class. The same permission should be
specified in only one place (for example the user class); otherwise they
will be generated twice (??). I don't know more details about it.


--
Martin Basti
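Martin's point about `@register()` on inheritance-only classes, as an added example (not code from the thread or from FreeIPA itself): a toy registry modelled on the `@register()` usage quoted above, with stand-in Registry, Command and Gettext classes (assumptions, not ipalib's), showing how a decorated baseuser_add surfaces in a makeapi-style "not in API" and "doc is not internationalized" check, and how leaving the base undecorated fixes both while the subclasses still inherit from it.

```python
# Added example (not from the thread or from FreeIPA itself): a toy stand-in
# for the plugin registry behind the @register() decorator, used to show why
# decorating an inheritance-only base such as baseuser_add makes a makeapi-style
# check report it as a command "in ipalib, not in API". Registry, Command and
# Gettext below are assumptions modelled on the usage quoted in the thread.
from collections import OrderedDict


class Registry:
    """Records every class decorated with @register() (toy, see above)."""

    def __init__(self):
        self.plugins = OrderedDict()

    def __call__(self):
        def decorator(cls):
            self.plugins[cls.__name__] = cls
            return cls
        return decorator


class Gettext(str):
    """Marker type for translatable text; stands in for ipalib's _()."""


_ = Gettext


class Command:
    """Minimal stand-in for an ipalib Command: only the help text matters here."""
    doc = None


def build_wrong_layout():
    """Layout from the thread: the base command carries @register() too."""
    register = Registry()

    @register()
    class baseuser_add(Command):
        doc = "Add a new user."          # plain str: not internationalized

    @register()
    class user_add(baseuser_add):
        doc = _("Add a new active user.")

    @register()
    class stageuser_add(baseuser_add):
        doc = _("Add a new stage user.")

    return register


def build_fixed_layout():
    """Only concrete commands are registered; the base is inheritance-only."""
    register = Registry()

    class baseuser_add(Command):          # no @register(): never a command
        doc = "Add a new user."

    @register()
    class user_add(baseuser_add):
        doc = _("Add a new active user.")

    @register()
    class stageuser_add(baseuser_add):
        doc = _("Add a new stage user.")

    return register


# Constructed stand-in for the command names recorded in API.txt.
API_TXT_COMMANDS = frozenset(["user_add", "stageuser_add"])


def commands_not_in_api(registry, api_commands=API_TXT_COMMANDS):
    """Mimics makeapi --validate: registered commands missing from API.txt."""
    return sorted(n for n in registry.plugins if n not in api_commands)


def commands_with_plain_doc(registry):
    """Mimics the 'doc is not internationalized' check: doc must be Gettext."""
    return sorted(n for n, cls in registry.plugins.items()
                  if not isinstance(cls.doc, Gettext))


if __name__ == "__main__":
    print("wrong layout, not in API:", commands_not_in_api(build_wrong_layout()))
    print("wrong layout, plain doc: ", commands_with_plain_doc(build_wrong_layout()))
    print("fixed layout, not in API:", commands_not_in_api(build_fixed_layout()))
```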


Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-04 Thread Jan Cholasta

Hi,

Dne 4.2.2015 v 15:25 David Kupka napsal(a):

On 02/03/2015 11:50 AM, thierry bordaz wrote:

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead
import the module itself and use e.g. `baseldap.LDAPObject`.

The stageuser help (docstring) is copied from the user plugin, and
discusses things like account lockout and disabling users. It should
rather explain what stageuser itself does. (And I don't very much
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user
or stageuser.

A lot of the code is copied and pasted over from the users plugin.
Don't do that. Either import things (e.g. validate_nsaccountlock)
from the users plugin, or move the reused code into a shared module.

For the `user` object, since so much is the same, it might be best to
create a common base class for user and stageuser; and similarly for
the Command plugins.

The default permissions need different names, and you don't need
another copy of the 'non_object' ones. Also, run the makeaci script.


Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry









Thanks David for the reviews. Here are the last patches.







The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).

The ULC feature is still WIP but these patches look good to me and don't
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then
prepare other patches delivering the rest of ULC functionality.


A few comments from just reading the patches:

1) I would name the base class baseuser; account does not
necessarily mean user account.


2) This is very wrong:

-class user_add(LDAPCreate):
+class user_add(user, LDAPCreate):

You are creating a plugin which is both an object and a command.

3) This is purely subjective, but I don't like the name deleteuser, as 
it has a verb in it. We usually don't do that and IMHO we shouldn't do that.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-04 Thread David Kupka

On 02/03/2015 11:50 AM, thierry bordaz wrote:

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead
import the module itself and use e.g. `baseldap.LDAPObject`.

The stageuser help (docstring) is copied from the user plugin, and
discusses things like account lockout and disabling users. It should
rather explain what stageuser itself does. (And I don't very much
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user
or stageuser.

A lot of the code is copied and pasted over from the users plugin.
Don't do that. Either import things (e.g. validate_nsaccountlock)
from the users plugin, or move the reused code into a shared module.

For the `user` object, since so much is the same, it might be best to
create a common base class for user and stageuser; and similarly for
the Command plugins.

The default permissions need different names, and you don't need
another copy of the 'non_object' ones. Also, run the makeaci script.


Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry









Thanks David for the reviews. Here are the last patches.







The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).


The ULC feature is still WIP but these patches look good to me and don't 
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then 
prepare other patches delivering the rest of ULC functionality.


--
David Kupka
From 0aa8d71acfb6ae63c5cb9a8ab02ad67c7d15a430 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 09:37:23 +0200
Subject: [PATCH] User Life Cycle: Exclude subtree for ipaUniqueID generation

IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 93da0f15b8acfc02beddf4e884a735897a7513fe..ffade14672e8cd9e3f3e18d45a0a7095a6341d30 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -64,6 +64,7 @@
 #define IPAUUID_GENERATE ipaUuidMagicRegen
 #define IPAUUID_FILTER   ipaUuidFilter
 #define IPAUUID_SCOPEipaUuidScope
+#define IPAUUID_EXCLUDE_SUBTREE  ipaUuidExcludeSubtree
 #define IPAUUID_ENFORCE  ipaUuidEnforce
 
 #define IPAUUID_FEATURE_DESC  IPA UUID
@@ -91,6 +92,7 @@ struct configEntry {
 Slapi_Filter *slapi_filter;
 char *generate;
 char *scope;
+char *exclude_subtree;
 bool enforce;
 };
 
@@ -537,6 +539,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
 }
 LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope);
 
+value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE);
+entry-exclude_subtree = value;
+LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree);
+
 entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
 LOG_CONFIG(-- %s [%s]\n,
IPAUUID_ENFORCE, entry-enforce ? True : False);
@@ -640,6 +646,10 @@ ipauuid_free_config_entry(struct configEntry **entry)
 slapi_ch_free_string(e-scope);
 }
 
+if (e-exclude_subtree) {
+slapi_ch_free_string(e-exclude_subtree);
+}
+
 slapi_ch_free((void **)entry);
 }
 
@@ -918,6 +928,12 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 }
 }
 
+if (cfgentry-exclude_subtree) {
+if (slapi_dn_issuffix(dn, cfgentry-exclude_subtree)) {
+continue;
+}
+}
+
 /* 

Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-03 Thread thierry bordaz

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead 
import the module itself and use e.g. `baseldap.LDAPObject`.


The stageuser help (docstring) is copied from the user plugin, and 
discusses things like account lockout and disabling users. It should 
rather explain what stageuser itself does. (And I don't very much 
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user 
or stageuser.


A lot of the code is copied and pasted over from the users plugin. 
Don't do that. Either import things (e.g. validate_nsaccountlock) 
from the users plugin, or move the reused code into a shared module.


For the `user` object, since so much is the same, it might be best to 
create a common base class for user and stageuser; and similarly for 
the Command plugins.


The default permissions need different names, and you don't need 
another copy of the 'non_object' ones. Also, run the makeaci script.



Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry








Modified patches with David's inputs. Thanks for the reviews.



From 1a93acc98fdd584514d65751a7058b6395d58494 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 09:37:23 +0200
Subject: [PATCH] User Life Cycle: Exclude subtree for ipaUniqueID generation

IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813

---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 2b07de45b63dab36a0b7167e3583e88ebd07f6f7..9a1eaede84426397387ef66e80b22b6e8dea88ed 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -64,6 +64,7 @@
 #define IPAUUID_GENERATE ipaUuidMagicRegen
 #define IPAUUID_FILTER   ipaUuidFilter
 #define IPAUUID_SCOPEipaUuidScope
+#define IPAUUID_EXCLUDE_SUBTREE  ipaUuidExcludeSubtree
 #define IPAUUID_ENFORCE  ipaUuidEnforce
 
 #define IPAUUID_FEATURE_DESC  IPA UUID
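Review bot: the new IPAUUID_EXCLUDE_SUBTREE attribute name is introduced here, but the diffstat shows 1 file changed, so nothing in this commit actually sets ipaUuidExcludeSubtree to cn=provisioning,SUFFIX on the plugin's configuration entries, which is the purpose stated in the commit message. Either add the attribute to the update file that defines the ipaUniqueID configuration entries in the same series, or say in the commit message that a follow-up patch does it; the new attribute should also be described next to ipaUuidScope and ipaUuidFilter wherever the plugin's configuration attributes are documented.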
@@ -91,6 +92,7 @@ struct configEntry {
 Slapi_Filter *slapi_filter;
 char *generate;
 char *scope;
+char *exclude_subtree;
 bool enforce;
 };
 
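Review bot: the free hunk below checks e->exclude_subtree for NULL and the pre-op hunk treats NULL as "no exclusion", so the new field relies on the configEntry allocation zeroing it; that allocation is outside the diff, and the parse hunk only assigns the field after the scope block (which can `goto bail` before reaching it), so confirm the struct is allocated with slapi_ch_calloc rather than slapi_ch_malloc. Otherwise a config entry that bails out early leaves garbage that ipauuid_free_config_entry later frees.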
@@ -536,6 +538,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
 goto bail;
 }
 LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope);
+
+value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE);
+entry-exclude_subtree = value;
+LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree);
 
 entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
 LOG_CONFIG(-- %s [%s]\n,
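Review bot: entry->exclude_subtree is stored raw and logged with %s even when the optional attribute is absent and slapi_entry_attr_get_charptr returned NULL; glibc happens to print "(null)" but this is undefined behaviour, so guard the LOG_CONFIG with `if (value)` or log a placeholder. Since the value is later used as a DN suffix, normalize it at parse time (slapi_dn_normalize, or keep a Slapi_DN built with slapi_sdn_new_dn_byval) so that spacing or case differences between the configured DN and the normalized target DN cannot silently leave the exclusion inactive. Also note that slapi_entry_attr_get_charptr yields a single value, so only one excluded subtree can be configured; fine for cn=provisioning, but worth stating in the commit message.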
@@ -639,6 +645,10 @@ ipauuid_free_config_entry(struct configEntry **entry)
 if (e-scope) {
 slapi_ch_free_string(e-scope);
 }
+
+if (e-exclude_subtree) {
+slapi_ch_free_string(e-exclude_subtree);
+}
 
 slapi_ch_free((void **)entry);
 }
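Review bot: the `if (e->exclude_subtree)` guard is redundant because slapi_ch_free_string already accepts a NULL pointer; it mirrors the existing e->scope block just above, so keeping it for symmetry is a style choice rather than a bug.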
@@ -917,6 +927,12 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 continue;
 }
 }
+
+if (cfgentry-exclude_subtree) {
+if (slapi_dn_issuffix(dn, cfgentry-exclude_subtree)) {
+continue;
+}
+}
 
 /* does the entry match the filter? */
 if (cfgentry-slapi_filter) {
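Review bot: the exclusion is checked after the scope test and before the filter test, which is the right order, but slapi_dn_issuffix is a case-insensitive string-suffix comparison of the two strings exactly as given; if dn is the normalized target DN while cfgentry->exclude_subtree is the raw attribute value, a configured value with different spacing never matches and entries under cn=provisioning still receive an ipaUniqueID without any error. Compare normalized forms (or keep a Slapi_DN from config time and use slapi_sdn_issuffix), and add a test to the series that an add below the excluded subtree skips generation while an add outside it still gets the attribute; since ipauuid_pre_op takes a modtype, the same test should cover a modify of an excluded entry.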
-- 
1.7.11.7

From 85a4754d8e419c0766860b1dab0f0e1ca595e753 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 14:14:36 +0200
Subject: [PATCH] User life cycle: stageuser-add verb

Add an accounts plugin (accounts class) that defines
variables and methods common to 'users' and 'stageuser'.
accounts is a superclass of users/stageuser.

Add the stageuser plugin, with support of stageuser-add verb.

https://fedorahosted.org/freeipa/ticket/3813
---
 ACI.txt   

Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2014-09-17 Thread thierry bordaz

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function, stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead 
import the module itself and use e.g. `baseldap.LDAPObject`.


The stageuser help (docstring) is copied from the user plugin, and 
discusses things like account lockout and disabling users. It should 
rather explain what stageuser itself does. (And I don't very much like 
the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user 
or stageuser.


A lot of the code is copied and pasted over from the users plugin. 
Don't do that. Either import things (e.g. validate_nsaccountlock) from 
the users plugin, or move the reused code into a shared module.


For the `user` object, since so much is the same, it might be best to 
create a common base class for user and stageuser; and similarly for 
the Command plugins.


The default permissions need different names, and you don't need 
another copy of the 'non_object' ones. Also, run the makeaci script.



Hello,

This modified patch mainly moves the common base class into a new
plugin, accounts.py; the user/stageuser plugins inherit from accounts.
It also creates a better description of what stage users are and how
to add a new stage user, updates ACI.txt, and separates active/stage
user managed permissions.

thanks
thierry




From 2f17126270838a4ee33bfccd32a66fd48b6202a0 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 14:14:36 +0200
Subject: [PATCH] User life cycle: stageuser-add verb

Add an accounts plugin (accounts class) that defines
variables and methods common to 'users' and 'stageuser'.
accounts is a superclass of users/stageuser.

Add the stageuser plugin, with support for the stageuser-add verb.

Reviewed by: Petr Viktorin

https://fedorahosted.org/freeipa/ticket/3813
---
 ACI.txt|  90 +
 API.txt|  49 +++
 install/updates/30-provisioning.update |  29 +-
 ipalib/constants.py|   2 +
 ipalib/plugins/accounts.py | 627 
 ipalib/plugins/stageuser.py| 303 
 ipalib/plugins/user.py | 631 +++--
 7 files changed, 1134 insertions(+), 597 deletions(-)
 create mode 100644 ipalib/plugins/accounts.py
 create mode 100644 ipalib/plugins/stageuser.py

diff --git a/ACI.txt b/ACI.txt
index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..9a552b5fdcf3f2cb965537597de23c7d315312c1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -254,6 +254,96 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Remove Users;allow (delete) groupdn = ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = krblastadminunlock || krbloginfailedcount || nsaccountlock)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Unlock User;allow (write) groupdn = ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = member)(target = ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add User to default group;allow (write) groupdn = ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Add Users;allow (add) groupdn = ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword)(targetfilter = ((!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount)))(version 3.0;acl permission:System: Change User password;allow (write) groupdn = ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Manage User SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone ||
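Review bot: the hunk is cut off here, so it cannot be seen whether these +aci lines (System: Add Users, System: Change User password, System: Manage User SSH Public Keys, ...) are net-new or merely moved from elsewhere in ACI.txt once the managed permissions were relocated into the shared base class. ACI.txt is generated by makeaci and should not be hand-edited; confirm that the permission names and their targeting (still cn=users,cn=accounts with objectclass=posixaccount) are unchanged for the active user ACIs, since managed permissions are matched by name on upgrade, and that the separate stage user permissions announced in the commit message target the cn=staged users subtree under cn=provisioning rather than cn=users.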