Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 11/04/2014 01:05 PM, Petr Vobornik wrote: On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 updated version of patch 773 attached. Fixes issue in interactive_prompt_callback. Not related to this ticket: - should we show interactive prompt for domain name when user specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values related to local range. ACK for the whole patchset, works in my testing. Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036 Regarding the issue, yes, I agree, prompting for values for the local ranges should not happen. I think the most reasonable behaviour is as follows: - first value that intractive callback asks for should be type, if not specified or cannot be derived explicitly from used parameters (and after the range's name) - after that, the interactive prompt should ask for relevant attributes only. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 11.11.2014 12:13, Tomas Babej wrote: On 11/04/2014 01:05 PM, Petr Vobornik wrote: On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 updated version of patch 773 attached. Fixes issue in interactive_prompt_callback. Not related to this ticket: - should we show interactive prompt for domain name when user specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values related to local range. ACK for the whole patchset, works in my testing. Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036 Regarding the issue, yes, I agree, prompting for values for the local ranges should not happen. I think the most reasonable behaviour is as follows: - first value that intractive callback asks for should be type, if not specified or cannot be derived explicitly from used parameters (and after the range's name) - after that, the interactive prompt should ask for relevant attributes only. +1 https://fedorahosted.org/freeipa/ticket/4714 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 updated version of patch 773 attached. Fixes issue in interactive_prompt_callback. Not related to this ticket: - should we show interactive prompt for domain name when user specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt for values related to local range. -- Petr Vobornik From d4aab791db8349da45711d8c6dcba724b752a03b Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Mon, 13 Oct 2014 14:57:45 +0200 Subject: [PATCH] ranges: prohibit setting --rid-base with ipa-trust-ad-posix type We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. No schema change is done. https://fedorahosted.org/freeipa/ticket/4221 --- ipalib/plugins/idrange.py | 61 --- 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 9e0481e94048c465f9a86112378a47390de0d494..6c3be6e69595127e346969e41703dc98e783282e 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -248,6 +248,12 @@ class idrange(LDAPObject): if not options.get('all', False) or options.get('pkey_only', False): entry_attrs.pop('objectclass', None) +def handle_ipabaserid(self, entry_attrs, options): +if any((options.get('pkey_only', False), options.get('raw', False))): +return +if entry_attrs['iparangetype'][0] == u'ipa-ad-trust-posix': +entry_attrs.pop('ipabaserid', None) + def check_ids_in_modified_range(self, old_base, old_size, new_base, new_size): if new_base is None and new_size is None: @@ -414,6 +420,7 @@ class idrange_add(LDAPCreate): rid_base = kw.get('ipabaserid', None) secondary_rid_base = kw.get('ipasecondarybaserid', None) +range_type = kw.get('iparangetype', None) def set_from_prompt(param): value = self.prompt_param(self.params[param]) @@ -424,7 +431,7 @@ class idrange_add(LDAPCreate): # This is a trusted range # Prompt for RID base if domain SID / name was given -if rid_base is None: +if rid_base is None and range_type != u'ipa-ad-trust-posix': set_from_prompt('ipabaserid') else: @@ -486,23 +493,33 @@ class idrange_add(LDAPCreate): if not is_set('iparangetype'): entry_attrs['iparangetype'] = u'ipa-ad-trust' -if entry_attrs['iparangetype'] not in (u'ipa-ad-trust', - u'ipa-ad-trust-posix'): +if entry_attrs['iparangetype'] == u'ipa-ad-trust': +if not is_set('ipabaserid'): +raise errors.ValidationError( +name='ID Range setup', +error=_('Options dom-sid/dom-name and rid-base must ' +'be used together') +) +elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix': +if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0: +raise errors.ValidationError( +name='ID Range setup', +error=_('Option rid-base must not be used when IPA ' +'range type is ipa-ad-trust-posix') +) +else: +entry_attrs['ipabaserid'] = 0 +else: raise errors.ValidationError(name='ID Range setup', error=_('IPA Range type must be one of ipa-ad-trust ' 'or ipa-ad-trust-posix when SID of the trusted ' -'domain is specified.')) +'domain is specified')) if is_set('ipasecondarybaserid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid/dom-name and secondary-rid-base ' 'cannot be used together')) -if not is_set('ipabaserid'): -raise errors.ValidationError(name='ID Range setup', -error=_('Options dom-sid/dom-name and rid-base must ' -'be used together')) - # Validate SID as the one of trusted domains self.obj.validate_trusted_domain_sid( entry_attrs['ipanttrusteddomainsid']) @@ -557,6 +574,7 @@ class idrange_add(LDAPCreate): def post_callback(self, ldap, dn,
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 23.10.2014 10:39, Martin Kosek wrote: On 10/22/2014 07:39 PM, Tomas Babej wrote: Hi, thank you for the patches, comments inline. On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find: [tbabej@vm-043 labtool]$ ipa idrange-find 2 ranges matched Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 51480 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes Number of entries returned 2 And also idrange-show: [tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes No schema change is done. Fixed snip == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == Can you use the paged_search=True in find_entries instead of having a infinite loop? It would make this code quite cleaner. I also saw you did not update Makefile.am. Because I did not add a new file. updated patches attached (only 773-775 are changed) -- Petr Vobornik From 7be769b432984dbd54d14309dde465ce6ea24ab0 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 3 Sep 2014 17:23:33 +0200 Subject: [PATCH 5/5] webui: prohibit setting rid base with ipa-trust-ad-posix type Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible https://fedorahosted.org/freeipa/ticket/4221 --- install/ui/src/freeipa/idrange.js | 77 ++- 1 file changed, 60 insertions(+), 17 deletions(-) diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644 --- a/install/ui/src/freeipa/idrange.js +++ b/install/ui/src/freeipa/idrange.js @@ -54,6 +54,11 @@ return { 'cn', 'iparangetype', { +name: 'iparangetyperaw', +read_only: true, +visible: false +}, +{ name: 'ipabaseid', label: '@i18n:objects.idrange.ipabaseid', title: '@mo-param:idrange:ipabaseid:label' @@ -80,6 +85,9 @@ return { } ] } +], +policies: [ +exp.idrange_policy ] } ], @@ -89,21 +97,6 @@ return { name: 'cn' }, { -name: 'ipabaseid', -label: '@i18n:objects.idrange.ipabaseid', -title: '@mo-param:idrange:ipabaseid:label' -}, -{ -name: 'ipaidrangesize', -label: '@i18n:objects.idrange.ipaidrangesize', -title: '@mo-param:idrange:ipaidrangesize:label' -}, -{ -name: 'ipabaserid', -label: '@i18n:objects.idrange.ipabaserid', -title: '@mo-param:idrange:ipabaserid:label' -}, -{ name: 'iparangetype', $type: 'radio', label: '@i18n:objects.idrange.type', @@ -125,6 +118,21 @@ return { ] }, { +name: 'ipabaseid', +label:
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
On 10/22/2014 07:39 PM, Tomas Babej wrote: Hi, thank you for the patches, comments inline. On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find: [tbabej@vm-043 labtool]$ ipa idrange-find 2 ranges matched Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 51480 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes Number of entries returned 2 And also idrange-show: [tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes No schema change is done. == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges == Looks good. == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == Can you use the paged_search=True in find_entries instead of having a infinite loop? It would make this code quite cleaner. I also saw you did not update Makefile.am. New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 776 idrange: include raw range type in output == iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Note: I don't like this approach. It would be better to return just the raw value a do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html I am not happy about it either.. I guess we could create a capability for this, but it would probably be a overkill. == [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type == Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible Looks fine. On a related note, I added a new ticket https://fedorahosted.org/freeipa/ticket/4661 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
Hi, thank you for the patches, comments inline. On 10/15/2014 02:20 PM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find: [tbabej@vm-043 labtool]$ ipa idrange-find 2 ranges matched Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 51480 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes Number of entries returned 2 And also idrange-show: [tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes No schema change is done. == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges == Looks good. == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == Can you use the paged_search=True in find_entries instead of having a infinite loop? It would make this code quite cleaner. New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 776 idrange: include raw range type in output == iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Note: I don't like this approach. It would be better to return just the raw value a do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html I am not happy about it either.. I guess we could create a capability for this, but it would probably be a overkill. == [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type == Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible Looks fine. On a related note, I added a new ticket https://fedorahosted.org/freeipa/ticket/4661 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
ticket: https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type == We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. No schema change is done. == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges == == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges == New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221 == [PATCH] 776 idrange: include raw range type in output == iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Note: I don't like this approach. It would be better to return just the raw value a do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html == [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type == Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible https://fedorahosted.org/freeipa/ticket/4221 -- Petr Vobornik From 1bda87528855aaf4ad9b18a31479c8b2a353bd92 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 3 Sep 2014 17:23:33 +0200 Subject: [PATCH] webui: prohibit setting rid base with ipa-trust-ad-posix type Base RID is no longer editable for ipa-trust-ad-posix range type Adder dialog: - Range type selector was moved up because it affects a field above it Details page: - Only fields relevant to range's type are visible https://fedorahosted.org/freeipa/ticket/4221 --- install/ui/src/freeipa/idrange.js | 77 ++- 1 file changed, 60 insertions(+), 17 deletions(-) diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644 --- a/install/ui/src/freeipa/idrange.js +++ b/install/ui/src/freeipa/idrange.js @@ -54,6 +54,11 @@ return { 'cn', 'iparangetype', { +name: 'iparangetyperaw', +read_only: true, +visible: false +}, +{ name: 'ipabaseid', label: '@i18n:objects.idrange.ipabaseid', title: '@mo-param:idrange:ipabaseid:label' @@ -80,6 +85,9 @@ return { } ] } +], +policies: [ +exp.idrange_policy ] } ], @@ -89,21 +97,6 @@ return { name: 'cn' }, { -name: 'ipabaseid', -label: '@i18n:objects.idrange.ipabaseid', -title: '@mo-param:idrange:ipabaseid:label' -}, -{ -name: 'ipaidrangesize', -label: '@i18n:objects.idrange.ipaidrangesize', -title: '@mo-param:idrange:ipaidrangesize:label' -}, -{ -name: 'ipabaserid', -label: '@i18n:objects.idrange.ipabaserid', -title: '@mo-param:idrange:ipabaserid:label' -}, -{ name: 'iparangetype', $type: 'radio', label: '@i18n:objects.idrange.type', @@ -125,6 +118,21 @@ return { ] }, { +name: 'ipabaseid', +label: '@i18n:objects.idrange.ipabaseid', +title: '@mo-param:idrange:ipabaseid:label' +}, +{ +name: 'ipaidrangesize', +label: '@i18n:objects.idrange.ipaidrangesize', +title: '@mo-param:idrange:ipaidrangesize:label' +}, +{ +name: 'ipabaserid', +label: '@i18n:objects.idrange.ipabaserid', +title: '@mo-param:idrange:ipabaserid:label' +}, +{ name: 'ipasecondarybaserid', label: '@i18n:objects.idrange.ipasecondarybaserid', title: '@mo-param:idrange:ipasecondarybaserid:label' @@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) { The logic for