Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10/13/2014 12:14 PM, Petr Vobornik wrote:
On 10.10.2014 17:56, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:

One more update for patch 0161, Petr noticed we need to call super post_callback() too.

idoverrideuser_find callback causes internal error. I've attached new version of the patch which fixes it. Basically it's this change:

If you are OK with it, then ACK for patches 160, 161-3, 162-1, 164 and 165.

I'm fine with your patch, copy/paste error, thanks for fixing it.

also ACK for 163. patch 159 still needs review.

pushed to:

master:
* 63be2ee9f0296e1366c77258929c7ce2dad53154 Support overridding user shell in ID views
* ca42d3469a6f83376d33b08d7bb4b43c2e93d604 Allow user overrides to specify SSH public keys
* b50524b10c82ed7931a2e84dbb029e8909aa8f3f Allow user overrides to specify GID of the user
* 5ec23ccb5f1d21c6e6c56650c18d1b4296d59ac9 Allow override of gecos field in ID views
* 6637449ad2d8885f6df43b4098f09289c7405129 Update API version for ID views support
* 9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 Require slapi-nis 0.54 or later for ID views support

ipa-4-1:
* 8a8d2e71f384bfa50477042cb8e82f14237caa7c Support overridding user shell in ID views
* ad6d019b4784853c59fb2a38c5de149b02640841 Allow user overrides to specify SSH public keys
* 240d93bd80a3fdc9f67640f74380eb74843c Allow user overrides to specify GID of the user
* aa0f5d35c5221e1d8ae270d354ff21d173b3194e Allow override of gecos field in ID views
* 79c0b31c72a8d8db676f3a621371983e5d9cdf53 Update API version for ID views support
* a4798c78372a66545d338b809afb45b5f9ada94d Require slapi-nis 0.54 or later for ID views support

ACK for 159, works fine in my testing.

Pushed to:
master: bd98ab035665e9ed913b9c0efd11c7685f2034f3
ipa-4-1: 50f46fdeddc7f6d8529e2342614fa569b8d4d541

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10.10.2014 17:56, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:

One more update for patch 0161, Petr noticed we need to call super post_callback() too.

idoverrideuser_find callback causes internal error. I've attached new version of the patch which fixes it. Basically it's this change:

If you are OK with it, then ACK for patches 160, 161-3, 162-1, 164 and 165.

I'm fine with your patch, copy/paste error, thanks for fixing it.

also ACK for 163. patch 159 still needs review.

pushed to:

master:
* 63be2ee9f0296e1366c77258929c7ce2dad53154 Support overridding user shell in ID views
* ca42d3469a6f83376d33b08d7bb4b43c2e93d604 Allow user overrides to specify SSH public keys
* b50524b10c82ed7931a2e84dbb029e8909aa8f3f Allow user overrides to specify GID of the user
* 5ec23ccb5f1d21c6e6c56650c18d1b4296d59ac9 Allow override of gecos field in ID views
* 6637449ad2d8885f6df43b4098f09289c7405129 Update API version for ID views support
* 9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 Require slapi-nis 0.54 or later for ID views support

ipa-4-1:
* 8a8d2e71f384bfa50477042cb8e82f14237caa7c Support overridding user shell in ID views
* ad6d019b4784853c59fb2a38c5de149b02640841 Allow user overrides to specify SSH public keys
* 240d93bd80a3fdc9f67640f74380eb74843c Allow user overrides to specify GID of the user
* aa0f5d35c5221e1d8ae270d354ff21d173b3194e Allow override of gecos field in ID views
* 79c0b31c72a8d8db676f3a621371983e5d9cdf53 Update API version for ID views support
* a4798c78372a66545d338b809afb45b5f9ada94d Require slapi-nis 0.54 or later for ID views support

--
Petr Vobornik
[Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

--
/ Alexander Bokovoy

From f28587d5c736600682f4b7dcf3e1158940fd5797 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 30 Sep 2014 14:54:50 +0300 Subject: [PATCH 2/6] Support idviews in compat tree --- ACI.txt | 6 ++ install/share/71idviews.ldif| 1 + install/share/schema_compat.uldif | 8 install/updates/10-schema_compat.update | 12 ipalib/plugins/group.py | 10 ++ ipalib/plugins/user.py | 11 +++ ipaserver/install/plugins/update_managed_permissions.py | 11 +++ 7 files changed, 59 insertions(+) diff --git a/ACI.txt b/ACI.txt index cebdc2c..87c057e 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -54,6 +54,8 @@ dn: dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass)(target = ldap:///cn=groups,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Group Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example aci: (targetattr = member || memberhost || memberof || memberuid || memberuser)(targetfilter = (|(objectclass=ipausergroup)(objectclass=posixgroup)))(version 3.0;acl permission:System: Read Group Membership;allow (compare,read,search) userdn = ldap:///all;;) +dn: dc=ipa,dc=example +aci: (targetattr = cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass)(target = ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Group Views Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example aci: (targetattr = businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso)(targetfilter = (|(objectclass=ipausergroup)(objectclass=posixgroup)))(version 3.0;acl permission:System: Read Groups;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example 
@@ -256,6 +258,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = memberof)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Read User Membership;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Read User Standard Attributes;allow (compare,read,search) userdn = ldap:///anyone;;) +dn: dc=ipa,dc=example +aci: (targetattr = cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber)(target = ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read User Views Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Remove Users;allow (delete) groupdn = ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=users,cn=accounts,dc=ipa,dc=example @@ -264,6 +268,8 @@ dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example aci: (target = ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example)(targetfilter = (objectclass=pkiuser))(version 3.0;acl permission:System: Add CA Certificate For Renewal;allow (add) groupdn = ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Add Certificate Store Entry;allow (add) groupdn = ldap:///cn=System: Add
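Review bot: In the ACI.txt hunk at -256,6, the added "System: Read User Views Compat Tree" ACI binds to ldap:///anyone, so cn, uid, uidnumber, gidnumber, gecos, homedirectory and loginshell of every entry under cn=users,cn=*,cn=views,cn=compat become readable without authentication, and the commit message has no body that records why anonymous rather than ldap:///all access is wanted. Please add that reasoning to the commit message, and state there that ipasshpubkey is deliberately left out of targetattr, since the cover letter relies on the ACI to hide it from anonymous binds.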
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On Fri, 10 Oct 2014, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

slapi-nis patches now committed to slapi-nis git repository, version 0.54 is released. Packages for rawhide are built. Fedora 21 update is https://admin.fedoraproject.org/updates/slapi-nis-0.54-1.fc21

--
/ Alexander Bokovoy
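The anonymous-access point in the cover letter above, as an added example (not code from the thread or from FreeIPA): a small parser for 389 DS ACI strings that reports which attributes an ACI lets ldap:///anyone read. The two view ACIs are re-typed from the patch with standard ACI quoting; the third ACI and all function names are constructed for illustration.

```python
import re

# Added example: function names are illustrative, not FreeIPA API.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"?([^")]*)"?\s*\)', re.I)
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"?(ldap:///[^")]*)"?\s*\)', re.I)
NAME_RE = re.compile(r'acl\s+"?([^";]*)"?\s*;', re.I)
RULE_RE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn|roledn)\s*=\s*"?([^";]*)"?',
    re.I)
READ_RIGHTS = {"read", "search", "compare", "all"}

# The two ACIs the patch adds, re-typed with the quoting ACI syntax uses.
SAMPLE_ACIS = [
    '(targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid'
    ' || modifytimestamp || objectclass")'
    '(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read Group Views Compat Tree";'
    'allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber'
    ' || homedirectory || loginshell || modifytimestamp || objectclass || uid'
    ' || uidnumber")'
    '(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read User Views Compat Tree";'
    'allow (compare,read,search) userdn = "ldap:///anyone";)',
]

# Constructed counter-example: the same target with ipasshpubkey added.
CONSTRUCTED_BAD_ACI = (
    '(targetattr = "uid || ipaSshPubKey")'
    '(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:Constructed: Views With SSH Keys";'
    'allow (read,search) userdn = "ldap:///anyone";)')


def parse_aci(aci):
    """Split one ACI string into the parts an access review needs."""
    name, rule = NAME_RE.search(aci), RULE_RE.search(aci)
    if not name or not rule:
        raise ValueError("not a recognisable ACI: %r" % aci[:60])
    tattr, target = TARGETATTR_RE.search(aci), TARGET_RE.search(aci)
    attrs = set()
    if tattr:
        attrs = {a.strip().lower() for a in tattr.group(2).split("||")
                 if a.strip()}
    return {
        "name": name.group(1).strip(),
        "target": target.group(1) if target else None,
        "attr_op": tattr.group(1) if tattr else None,
        "attrs": attrs,
        "effect": rule.group(1).lower(),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "bind_type": rule.group(3).lower(),
        "bind": rule.group(4).strip(),
    }


def _anonymous_read(parsed):
    """True for an allow rule that gives ldap:///anyone a read-type right."""
    return (parsed["effect"] == "allow"
            and bool(parsed["rights"] & READ_RIGHTS)
            and parsed["bind_type"] == "userdn"
            and parsed["bind"].lower() == "ldap:///anyone")


def anonymous_readable(acis):
    """Map each target to the attributes an anonymous bind may read."""
    out = {}
    for p in map(parse_aci, acis):
        if _anonymous_read(p) and p["attr_op"] == "=":
            out.setdefault(p["target"], set()).update(p["attrs"])
    return {t: sorted(a) for t, a in out.items()}


def anonymous_exposure(acis, sensitive):
    """List (permission name, exposed sensitive attributes) per ACI."""
    sensitive = {s.lower() for s in sensitive}
    findings = []
    for p in map(parse_aci, acis):
        if not _anonymous_read(p):
            continue
        if p["attr_op"] == "=":
            hit = sensitive if "*" in p["attrs"] else sensitive & p["attrs"]
        elif p["attr_op"] == "!=":
            hit = sensitive - p["attrs"]   # everything except the listed attrs
        else:
            hit = set()                    # no targetattr: no attribute access
        if hit:
            findings.append((p["name"], sorted(hit)))
    return findings


if __name__ == "__main__":
    for target, attrs in anonymous_readable(SAMPLE_ACIS).items():
        print(target, "->", ", ".join(attrs))
    print(anonymous_exposure(SAMPLE_ACIS + [CONSTRUCTED_BAD_ACI],
                             ["ipaSshPubKey"]))
```

The check covers only the anonymous path; for authenticated binds the thread relies on slapi-nis 0.54 filtering ipaSshPubKey out of the compat entries.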
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

Patch 161:

2. idoverrideuser_show and _find should have post_callback with convert_sshpubkey_post as well - to be consistent.
3. Add blank line before new methods - both post_callbacks
4. I have created a helper method for adding object classes in patch 761 (currently on review) - add_missing_object_class. Would be nice fit, but also I don't want to block this patch with mine.

Patch 162:

Is it good to have different CLI option name in this and user plugin for the same attribute: --gid vs --gidnumber ? That said, it's sad that --gid was not used in user plugin since the beginning.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10/10/2014 03:12 PM, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

Patch 161:

2. idoverrideuser_show and _find should have post_callback with convert_sshpubkey_post as well - to be consistent.
3. Add blank line before new methods - both post_callbacks
4. I have created a helper method for adding object classes in patch 761 (currently on review) - add_missing_object_class. Would be nice fit, but also I don't want to block this patch with mine.

Patch 162:

Is it good to have different CLI option name in this and user plugin for the same attribute: --gid vs --gidnumber ? That said, it's sad that --gid was not used in user plugin since the beginning.

Also, we will need to have slapi-nis version in the spec file bumped. I already fired a build of slapi-nis to FreeIPA Copr.

Martin
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

I'll add another patch for that.

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

I wonder if I should bump it in a separate patch that would be the last one in the series, to avoid proliferation of API version numbers? :)

Patch 161:

2. idoverrideuser_show and _find should have post_callback with convert_sshpubkey_post as well - to be consistent.
3. Add blank line before new methods - both post_callbacks
4. I have created a helper method for adding object classes in patch 761 (currently on review) - add_missing_object_class. Would be nice fit, but also I don't want to block this patch with mine.

Patch 162:

Is it good to have different CLI option name in this and user plugin for the same attribute: --gid vs --gidnumber ? That said, it's sad that --gid was not used in user plugin since the beginning.

I'll fix these.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On Fri, 10 Oct 2014, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

I'll add another patch for that.

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

I wonder if I should bump it in a separate patch that would be the last one in the series, to avoid proliferation of API version numbers? :)

Patch 161:

2. idoverrideuser_show and _find should have post_callback with convert_sshpubkey_post as well - to be consistent.
3. Add blank line before new methods - both post_callbacks
4. I have created a helper method for adding object classes in patch 761 (currently on review) - add_missing_object_class. Would be nice fit, but also I don't want to block this patch with mine.

Patch 162:

Is it good to have different CLI option name in this and user plugin for the same attribute: --gid vs --gidnumber ? That said, it's sad that --gid was not used in user plugin since the beginning.

I'll fix these.

Fixed patches attached, with three more:

patch 0163 -- support GECOS
patch 0164 -- increase API
patch 0165 -- require slapi-nis 0.54

--
/ Alexander Bokovoy
From f28587d5c736600682f4b7dcf3e1158940fd5797 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 30 Sep 2014 14:54:50 +0300 Subject: [PATCH 2/6] Support idviews in compat tree --- ACI.txt | 6 ++ install/share/71idviews.ldif| 1 + install/share/schema_compat.uldif | 8 install/updates/10-schema_compat.update | 12 ipalib/plugins/group.py | 10 ++ ipalib/plugins/user.py | 11 +++ ipaserver/install/plugins/update_managed_permissions.py | 11 +++ 7 files changed, 59 insertions(+) diff --git a/ACI.txt b/ACI.txt index cebdc2c..87c057e 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -54,6 +54,8 @@ dn: dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass)(target = ldap:///cn=groups,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Group Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example aci: (targetattr = member || memberhost || memberof || memberuid || memberuser)(targetfilter = (|(objectclass=ipausergroup)(objectclass=posixgroup)))(version 3.0;acl permission:System: Read Group Membership;allow (compare,read,search) userdn = ldap:///all;;) +dn: dc=ipa,dc=example +aci: (targetattr = cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass)(target = ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Group Views Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example aci: (targetattr = businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso)(targetfilter = (|(objectclass=ipausergroup)(objectclass=posixgroup)))(version 3.0;acl permission:System: Read Groups;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=groups,cn=accounts,dc=ipa,dc=example 
@@ -256,6 +258,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = memberof)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Read User Membership;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber)(targetfilter = (objectclass=posixaccount))(version 3.0;acl permission:System: Read User
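Review bot: The added "System: Read Group Views Compat Tree" ACI in the -54,6 hunk is the only one in the visible context that uses a wildcard target (ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example) and it is placed on the suffix entry dc=ipa,dc=example, so it applies to every view container, including ones created later. The neighbouring ACIs use a fixed target or a targetfilter; please say in the commit message, or in a comment next to the permission in update_managed_permissions.py, that the wildcard is intentional and that anonymous read of gidnumber and memberuid per view is the intended result.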
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10.10.2014 15:36, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

I'll add another patch for that.

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

I wonder if I should bump it in a separate patch that would be the last one in the series, to avoid proliferation of API version numbers? :)

IMHO it should be sufficient. Same outcome as if the patches were squashed.

Patch 161:

2. idoverrideuser_show and _find should have post_callback with convert_sshpubkey_post as well - to be consistent.
3. Add blank line before new methods - both post_callbacks
4. I have created a helper method for adding object classes in patch 761 (currently on review) - add_missing_object_class. Would be nice fit, but also I don't want to block this patch with mine.

Patch 162:

Is it good to have different CLI option name in this and user plugin for the same attribute: --gid vs --gidnumber ? That said, it's sad that --gid was not used in user plugin since the beginning.

I'll fix these.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 15:36, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

I'll add another patch for that.

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

I wonder if I should bump it in a separate patch that would be the last one in the series, to avoid proliferation of API version numbers? :)

IMHO it should be sufficient. Same outcome as if the patches were squashed.

Yep.

One more update for patch 0161, Petr noticed we need to call super post_callback() too.

--
/ Alexander Bokovoy

From bc7eb4c53424412b5488068b49a80f2922f078ab Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 10 Oct 2014 09:26:13 +0300 Subject: [PATCH 4/9] Allow user overrides to specify SSH public keys Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in. SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454 Resolves https://fedorahosted.org/freeipa/ticket/4509 --- API.txt | 6 -- ipalib/plugins/idviews.py | 43 +++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 41b852b..5316ac2 100644 --- a/API.txt +++ b/API.txt @@ -2104,7 +2104,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: idoverrideuser_add -args: 2,11,3 +args: 2,12,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2112,6 +2112,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False) option: Str('ipaoriginaluid', attribute=True, cli_name='ipaoriginaluid', multivalue=False, required=False) +option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') 
@@ -2152,7 +2153,7 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('truncated', type 'bool', None) command: idoverrideuser_mod -args: 2,14,3 +args: 2,15,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2161,6 +2162,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) option: Str('homedirectory', attribute=True, autofill=False, cli_name='homedir', multivalue=False, required=False) option: Str('ipaoriginaluid', attribute=True, autofill=False, cli_name='ipaoriginaluid', multivalue=False, required=False) +option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True,
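Review bot: The new ipasshpubkey option in both API.txt hunks (idoverrideuser_add and idoverrideuser_mod) is declared with csv=True, so a value passed on the command line is split on commas, and an SSH public key line whose options or comment field contain a comma would be split into several values. Please confirm that this is the intended input handling for --sshpubkey or document the quoting it needs, and mention in the option's help text what the commit message already says: keys stored in an override are not used until SSSD ticket 2454 is resolved.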
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On 10.10.2014 16:38, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 15:36, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:

Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is currently missing. At least, one can add/remove the keys to/from the override objects.

Compat tree does not support exporting SSH keys. When accessing the tree anonymously, the entry will be filtered out by ACIs but for authenticated users we need to explicitly ignore ipaSshPubKey attribute in the override, so I'm resending updated slapi-nis patch that only adds one more attribute to filter out.

I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will it be handled by CLI and Web UI as well?

I'll add another patch for that.

Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:

Apart from #1, is OK (not sure if #1 is needed for ACK)

I wonder if I should bump it in a separate patch that would be the last one in the series, to avoid proliferation of API version numbers? :)

IMHO it should be sufficient. Same outcome as if the patches were squashed.

Yep.

One more update for patch 0161, Petr noticed we need to call super post_callback() too.

idoverrideuser_find callback causes internal error. I've attached new version of the patch which fixes it. Basically it's this change:

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index 25b9bcf..bfa8675 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py 
@@ -831,11 +831,12 @@ class idoverrideuser_find(baseidoverride_find): msg_summary = ngettext('%(count)d User ID override matched', '%(count)d User ID overrides matched', 0) -def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -dn = super(idoverrideuser_find, self).post_callback(ldap, dn, - entry_attrs, *keys, **options) -convert_sshpubkey_post(ldap, dn, entry_attrs) -return dn +def post_callback(self, ldap, entries, truncated, *args, **options): +truncated = super(idoverrideuser_find, self).post_callback( +ldap, entries, truncated, *args, **options) +for entry in entries: +convert_sshpubkey_post(ldap, entry.dn, entry) +return truncated If you are OK with it, then ACK for patches 160, 161-3, 162-1, 164 and 165. Patch 159 should be reviewed by somebody more versed in Compat tree. Btw. 10-schema_compat.update contains whitespace warning(git am) - additional blank line at the end of file. -- Petr Vobornik From fb1a6a6481d853d3e374ece5dc8cf013fef44863 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 10 Oct 2014 09:26:13 +0300 Subject: [PATCH] Allow user overrides to specify SSH public keys Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in. SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454 Resolves https://fedorahosted.org/freeipa/ticket/4509 --- API.txt | 6 -- ipalib/plugins/idviews.py | 44 2 files changed, 48 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 226809e9e22c7e8ab851727b12bf0b93b4e5dcce..60fa32123d5e69c0cb63ed087f30fd9e03c7fa3e 100644 --- a/API.txt +++ b/API.txt 
@@ -2130,7 +2130,7 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: idoverrideuser_add -args: 2,11,3 +args: 2,12,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2138,6 +2138,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False) option: Str('ipaoriginaluid', attribute=True, cli_name='ipaoriginaluid', multivalue=False, required=False) +option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*',
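Review bot: The post_callback replacement in the ipalib/plugins/idviews.py hunk of this message shows that idoverrideuser_find had not been run with the search-style signature (ldap, entries, truncated, ...) before the patch was posted; the internal error was found by hand. Please add a test that calls idoverrideuser_find on a view containing an override with ipasshpubkey set, and one for idoverrideuser_show, which review comment 2 asked to get the same convert_sshpubkey_post callback.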
Re: [Freeipa-devel] [PATCH] 0159-0162 ID views in compat tree: ACIs, support for shell, gidNumber, and SSH keys
On Fri, 10 Oct 2014, Petr Vobornik wrote:

One more update for patch 0161, Petr noticed we need to call super post_callback() too.

idoverrideuser_find callback causes internal error. I've attached new version of the patch which fixes it. Basically it's this change:

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index 25b9bcf..bfa8675 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -831,11 +831,12 @@ class idoverrideuser_find(baseidoverride_find): msg_summary = ngettext('%(count)d User ID override matched', '%(count)d User ID overrides matched', 0) -def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -dn = super(idoverrideuser_find, self).post_callback(ldap, dn, - entry_attrs, *keys, **options) -convert_sshpubkey_post(ldap, dn, entry_attrs) -return dn +def post_callback(self, ldap, entries, truncated, *args, **options): +truncated = super(idoverrideuser_find, self).post_callback( +ldap, entries, truncated, *args, **options) +for entry in entries: +convert_sshpubkey_post(ldap, entry.dn, entry) +return truncated

If you are OK with it, then ACK for patches 160, 161-3, 162-1, 164 and 165.

I'm fine with your patch, copy/paste error, thanks for fixing it.

--
/ Alexander Bokovoy