Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-19 Thread Martin Basti



On 19.08.2016 15:26, Alexander Bokovoy wrote:

On Fri, 19 Aug 2016, Martin Basti wrote:



On 19.08.2016 11:43, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Petr Vobornik wrote:

On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)



I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.


Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the
patches) is targeting F25 as well.

Can we get the patch reviewed?


ACK

However ticket is in future releases, so we have to branch master and 
ipa 4.4 before push

Why? We agreed above to get the patch into 4.4. Moving ticket to 4.4.1
milestone is certainly possible and does not require branching.


OK, you agreed but nobody changed milestone of ticket

Pushed to master: 7bec8a246d6712f749ec331f5bf066e3357c4ce7

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-19 Thread Alexander Bokovoy

On Fri, 19 Aug 2016, Martin Basti wrote:



On 19.08.2016 11:43, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Petr Vobornik wrote:

On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)



I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.


Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the
patches) is targeting F25 as well.

Can we get the patch reviewed?


ACK

However ticket is in future releases, so we have to branch master and 
ipa 4.4 before push

Why? We agreed above to get the patch into 4.4. Moving ticket to 4.4.1
milestone is certainly possible and does not require branching.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-19 Thread Martin Basti



On 19.08.2016 11:43, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Petr Vobornik wrote:

On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)



I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.


Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the
patches) is targeting F25 as well.

Can we get the patch reviewed?


ACK

However ticket is in future releases, so we have to branch master and 
ipa 4.4 before push


Martin^2



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-19 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Petr Vobornik wrote:

On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)



I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.


Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the
patches) is targeting F25 as well.

Can we get the patch reviewed?
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Petr Vobornik wrote:

On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)



I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.


Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the
patches) is targeting F25 as well.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Petr Vobornik
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>> Hi!
>>
>> Attached patch is what is needed to allow external plugins for FreeIPA
>> framework to be functional if they need to extend a schema.
>>
>> The idea is that we would have a separate directory as
>> /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
>> it and its subdirectories during install and upgrade stages.
>>
>> Without the patch only selected schema files from /usr/share/ipa are
>> used during install and upgrade. This leads to a failure to install IPA
>> server (or upgrade it) if a new plugin is added. If plugin defines
>> managed permissions, upgrade tool will generate ACIs which will fail to
>> be inserted into LDAP store due to references to missing attributes and
>> object classes.
>>
>> The patch adds a directory to be installed and a helper utility that
>> loads files from the directory and adds them to the list of schema files
>> used during update of dsinstance and upgrade of the server.
>>
>> With this patch I'm successfully managed to make FleetCommander
>> integration plugin completely independent of FreeIPA.
> Patch attached now. ;)
> 

I'll assume that we want to target 4.4.x therefore it can be pushed to
master, right? I.e. no need for creating ipa-4-4 branch atm.

Reasoning is that currently F24 has 4.3.x. F25 will most likely have
4.4.x because 4.5 is still in planning.

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Petr Spacek wrote:

On 8.8.2016 11:34, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.


1. I cannot see a patch attached to this e-mail :-)

See my other email. ;)


2. Needless to say that ticket in appropriate milestone is going to be required.

Sure. Moving ticket from one milestone to another is a simple act. I
wanted to show that it is actually an almost trivial patch to enable
external plugin development and argue by that fact we could have it
added, thus raising the ticket to a better milestone.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Petr Spacek
On 8.8.2016 11:34, Alexander Bokovoy wrote:
> Hi!
> 
> Attached patch is what is needed to allow external plugins for FreeIPA
> framework to be functional if they need to extend a schema.
> 
> The idea is that we would have a separate directory as
> /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
> it and its subdirectories during install and upgrade stages.
> 
> Without the patch only selected schema files from /usr/share/ipa are
> used during install and upgrade. This leads to a failure to install IPA
> server (or upgrade it) if a new plugin is added. If plugin defines
> managed permissions, upgrade tool will generate ACIs which will fail to
> be inserted into LDAP store due to references to missing attributes and
> object classes.
> 
> The patch adds a directory to be installed and a helper utility that
> loads files from the directory and adds them to the list of schema files
> used during update of dsinstance and upgrade of the server.
> 
> With this patch I'm successfully managed to make FleetCommander
> integration plugin completely independent of FreeIPA.

1. I cannot see a patch attached to this e-mail :-)

2. Needless to say that ticket in appropriate milestone is going to be required.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Alexander Bokovoy wrote:

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

Patch attached now. ;)

--
/ Alexander Bokovoy
From 045c7b38c387c362358d1ac2aa19a6fe07d18be5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 5 Aug 2016 13:04:19 +0300
Subject: [PATCH 3/5] support schema files from third-party plugins

Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
---
 freeipa.spec.in |  5 -
 install/configure.ac|  1 +
 install/share/Makefile.am   |  1 +
 install/share/schema.d/Makefile.am  | 16 
 install/share/schema.d/README   | 14 ++
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/dsinstance.py | 15 ++-
 ipaserver/install/server/upgrade.py |  3 +++
 8 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 install/share/schema.d/Makefile.am
 create mode 100644 install/share/schema.d/README

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c9..8acb3fc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -871,6 +871,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia
 
+mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d
+
 %endif # ONLY_CLIENT
 
 
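Review bot: the mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d added to %install looks redundant with the rest of this patch, because install/share/schema.d/Makefile.am installs README into $(IPA_DATA_DIR)/schema.d and that already creates the directory during make install, assuming IPA_DATA_DIR resolves to the same /usr/share/ipa path. Either drop the mkdir or add a spec comment saying which build configuration needs it.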
@@ -1248,7 +1250,8 @@ fi
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
-
+%dir %{_usr}/share/ipa/schema.d
+%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
 
 %files server-dns
 %defattr(-,root,root,-)
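Review bot: the new %dir %{_usr}/share/ipa/schema.d entry has no explicit %attr, unlike the custodia directory on the line above it and the README on the line below. Files placed in this directory are merged into the server's schema at upgrade time, so its owner and mode should be stated rather than inherited from %defattr, for example %dir %attr(0755,root,root) %{_usr}/share/ipa/schema.d. Please also confirm the two entries land in the %files section of the server-common subpackage, since the commit message and the README both promise that ownership and the hunk context only shows that they sit right before %files server-dns.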
diff --git a/install/configure.ac b/install/configure.ac
index b5f77bf..81f17b9 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([
 share/advise/Makefile
 share/advise/legacy/Makefile
 share/profiles/Makefile
+share/schema.d/Makefile
 ui/Makefile
 ui/css/Makefile
 ui/src/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index cd1c164..d8845ee 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 SUBDIRS =  \
advise  \
profiles\
+   schema.d\
$(NULL)
 
 appdir = $(IPA_DATA_DIR)
diff --git a/install/share/schema.d/Makefile.am 
b/install/share/schema.d/Makefile.am
new file mode 100644
index 000..0fef87f
--- /dev/null
+++ b/install/share/schema.d/Makefile.am
@@ -0,0 +1,16 @@
+NULL =
+
+SUBDIRS =  \
+   $(NULL)
+
+appdir = $(IPA_DATA_DIR)/schema.d
+app_DATA = README  \
+   $(NULL)
+
+EXTRA_DIST =   \
+   $(app_DATA) \
+   $(NULL)
+
+MAINTAINERCLEANFILES = \
+   *~  \
+   Makefile.in
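Review bot: SUBDIRS in the new install/share/schema.d/Makefile.am is declared but contains only $(NULL), so the declaration can be dropped. If subdirectories are planned, as "it and its subdirectories" in the cover letter suggests, a one-line comment here saying so would explain why the empty variable is kept.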
diff --git a/install/share/schema.d/README b/install/share/schema.d/README
new file mode 100644
index 000..19e3e68
--- /dev/null
+++ b/install/share/schema.d/README
@@ -0,0 +1,14 @@
+This directory is indended to store schema files for 3rd-party plugins.
+
+Each schema file should be named NN-description.ldif where NN is a number 
00..90.
+
+The schema files from this directory are merged together with the core IPA
+schema files during the run of ipa-server-upgrade utility. Therefore, they are
+also installed when upgrade happens within the process of ipa-server-install.
+
+The directory is installed as /usr/share/ipa/schema.d and is owned by a
+freeipa-server-common package. Therefore, a 3rd-party plugin would need to
+depend on the 
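Review bot: the README's naming rule, NN-description.ldif, disagrees with the commit message, which says files are taken from /usr/share/ipa/schema.d/*.schema; one of the two has to change so that plugin authors know which extension is actually loaded. The README should also say whether subdirectories are scanned (the cover letter says they are), how NN orders these files relative to the core IPA schema files, and why the range stops at 90. Typos to fix while here: "indended" in the first line of the README and "/usr/shar/eipa/schema.d" in the commit message.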

[Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Alexander Bokovoy

Hi!

Attached patch is what is needed to allow external plugins for FreeIPA
framework to be functional if they need to extend a schema.

The idea is that we would have a separate directory as
/usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from
it and its subdirectories during install and upgrade stages.

Without the patch only selected schema files from /usr/share/ipa are
used during install and upgrade. This leads to a failure to install IPA
server (or upgrade it) if a new plugin is added. If plugin defines
managed permissions, upgrade tool will generate ACIs which will fail to
be inserted into LDAP store due to references to missing attributes and
object classes.

The patch adds a directory to be installed and a helper utility that
loads files from the directory and adds them to the list of schema files
used during update of dsinstance and upgrade of the server.

With this patch I'm successfully managed to make FleetCommander
integration plugin completely independent of FreeIPA.

--
/ Alexander Bokovoy
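
An added example, not code from the patch or from FreeIPA: a Python check that a schema.d-style drop-in directory holds only files that follow the README's NN-description.ldif rule (NN in 00..90) and that neither the directory nor its files can be modified by anyone but the expected owner, since whatever is placed there is merged into the LDAP schema at upgrade. The function name audit_schema_dir, the owner_uid parameter, the characters allowed in "description" and the choice to examine only the top level are assumptions of this example.

```python
import os
import re
import stat

# README rule from the patch: NN-description.ldif, NN in 00..90.
# The character set allowed in "description" is an assumption of this example.
NAME_RE = re.compile(r"^(\d{2})-[A-Za-z0-9._-]+\.ldif$")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by others


def audit_schema_dir(path, owner_uid=0):
    """Check a schema.d-style drop-in directory before its files are loaded.

    Returns (accepted, findings): accepted is the sorted list of files that
    pass every check, findings is a list of (path, reason) for the rest.
    Only the top level is examined; subdirectories are reported, not entered.
    """
    accepted, findings = [], []

    # Whoever can write to the directory can add or replace schema files.
    dst = os.stat(path)
    if dst.st_uid != owner_uid:
        findings.append((path, "directory has unexpected owner"))
    if dst.st_mode & LOOSE:
        findings.append((path, "directory is group/world writable"))

    for name in sorted(os.listdir(path)):
        if name == "README":
            continue
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat so that symlinks are seen, not followed
        match = NAME_RE.match(name)
        if stat.S_ISLNK(st.st_mode):
            findings.append((full, "symlink"))
        elif stat.S_ISDIR(st.st_mode):
            findings.append((full, "subdirectory not examined"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((full, "not a regular file"))
        elif not match or int(match.group(1)) > 90:
            findings.append((full, "name is not NN-description.ldif, NN 00..90"))
        elif st.st_uid != owner_uid:
            findings.append((full, "unexpected owner"))
        elif st.st_mode & LOOSE:
            findings.append((full, "group/world writable"))
        else:
            accepted.append(full)
    return accepted, findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample directory, not taken from a real server.
    with tempfile.TemporaryDirectory() as d:
        for name, mode in [("50-example.ldif", 0o644),
                           ("95-late.ldif", 0o644),
                           ("20-open.ldif", 0o666)]:
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        print(audit_schema_dir(d, owner_uid=os.getuid()))
```

On a real server the call would be audit_schema_dir("/usr/share/ipa/schema.d") with the default owner_uid of 0.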
