Re: [Freeipa-devel] [PATCH] Make the migration plugin more configurable

2010-12-01 Thread Jakub Hrozek
On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote:
 Jakub Hrozek wrote:
 
 On 11/22/2010 04:21 PM, Jakub Hrozek wrote:
 On 11/22/2010 04:16 PM, Jakub Hrozek wrote:
 The code handles it (I just ran a quick test with --schema=RFC2307bis).
 
 It just iterates through all members of a group -- be it user member or
 group member, it's just a DN for the plugin.
 
Jakub
 
 Sorry, I found another bug in the plugin. I'll send a new patch shortly,
 so please don't waste time reviewing this one.
 
 New patch is attached. It fixes two more bugs of the original plugin -
 determines whether a group member is a user or a nested group by
 checking the DN, not just the RDN attribute name and does not hardcode
 primary keys.
 
 Will this blow up in convert_members_rfc2307bis() if a member isn't
 contained in the users and groups containers? Should there be a
 failsafe to skip over things that don't match (along with
 appropriate reporting)?

It wouldn't blow up but add the original DN into the member attribute
which is probably worse. Thanks for catching this. I modified the patch
to log all migrated users and groups with info() and skip those that
don't match any of the containers while logging these entries with
error().

 Or if one of users or groups search bases
 isn't provided?
 

If one of them isn't provided, a default would be used.

 It definitely doesn't like this:
 # ipa migrate-ds --user-container=''
 --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389
 
 When passed the right set of options it does seem to do the right thing.
 

Sorry, but I don't quite understand the --user-container='' switch.
Does it mean the users are rooted at the Base DN? Can you post the error
or relevant log info? Please note that the default objectclass is
person.
From 1b0f43c4449bd26ffe6c57a594f3eaf367cda2c4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Tue, 26 Oct 2010 16:10:42 -0400
Subject: [PATCH] Make the migration plugin more configurable

This patch adds new options to the migration plugin:
 * the option to fine-tune the objectclass of users or groups being imported
 * the option to select the LDAP schema (RFC2307 or RFC2307bis)

Also makes the logic that decides whether an entry is a nested group or user
(for RFC2307bis) smarter by looking at the DNs. Does not hardcode primary keys
for migrated entries.

https://fedorahosted.org/freeipa/ticket/429
---
 ipalib/plugins/migration.py |  136 ++-
 1 files changed, 108 insertions(+), 28 deletions(-)

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 6dc9934..213c0ee 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -26,9 +26,10 @@ Example: Migrate users and groups from DS to IPA
 
 import logging
 import re
+import ldap as _ldap
 
 from ipalib import api, errors, output
-from ipalib import Command, List, Password, Str, Flag
+from ipalib import Command, List, Password, Str, Flag, StrEnum
 from ipalib.cli import to_cli
 if api.env.in_server and api.env.context in ['lite', 'server']:
 try:
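Review bot: the new `import ldap as _ldap` just below `import re` is unconditional, while this module already guards its server-only imports behind `if api.env.in_server and api.env.context in ['lite', 'server']:` (the `try:` block that follows). A client machine without python-ldap installed would fail to load the plugin at all; move the import inside that guard, or import it locally in the function that parses member DNs.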
@@ -44,8 +45,10 @@ from ipalib.text import Gettext # FIXME: remove once the 
other Gettext FIXME is
 _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' 
to set it manually.')
 _grp_err_msg = _('Failed to add user to the default group. Use \'ipa 
group-add-member\' to add manually.')
 
+_supported_schemas = (u'RFC2307bis', u'RFC2307')
 
-def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx):
+
+def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, 
**kwargs):
 # get default primary group for new users
 if 'def_group_dn' not in ctx:
 def_group = config.get('ipadefaultprimarygroup')
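Review bot: `**kwargs` is added to the `_pre_migrate_user()` signature but nothing in the visible body reads it; name the keyword the caller actually passes (the schema or the search bases, judging by `_supported_schemas` above) or document it in the docstring, so the callback contract stays self-describing.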
@@ -90,37 +93,80 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, 
config, ctx):
 
 # GROUP MIGRATION CALLBACKS AND VARS
 
-def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx):
-def convert_members(member_attr, overwrite=False):
+def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, 
**kwargs):
+def convert_members_rfc2307bis(member_attr, search_bases, overwrite=False):
 
 Convert DNs in member attributes to work in IPA.
 
 new_members = []
 entry_attrs.setdefault(member_attr, [])
 for m in entry_attrs[member_attr]:
-col = m.find(',')
-if col == -1:
+try:
+# what str2dn returns looks like [[('cn', 'foo', 4)], [('dc', 
'example', 1)], [('dc', 'com', 1)]]
+rdn = _ldap.dn.str2dn(m ,flags=_ldap.DN_FORMAT_LDAPV3)[0]
+rdnval = rdn[0][1]
+except IndexError:
+api.log.error('Malformed DN %s has no RDN?' % m)
+continue
+
+if m.lower().endswith(search_bases['user']):
+api.log.info('migrating user 
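Review bot: in `convert_members_rfc2307bis()` the `except IndexError:` around `_ldap.dn.str2dn(m ,flags=_ldap.DN_FORMAT_LDAPV3)[0]` only covers an empty parse result; a syntactically invalid member DN makes `str2dn` raise `ldap.DECODING_ERROR`, which would abort the whole group migration instead of skipping the one entry as the reply above intends, so catch `_ldap.DECODING_ERROR` as well. The container test `m.lower().endswith(search_bases['user'])` then falls back to a raw string comparison after the DN has already been parsed: it silently requires `search_bases` to be pre-lowercased, is defeated by whitespace around commas or differently escaped values, and is true for the container DN itself. Compare the tail of the `str2dn` output against the parsed search base (whole RDNs, not characters) instead.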
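The DN-based member classification discussed in this thread (a member under the users container is a user, one under the groups container is a nested group, anything else is skipped and logged with error()), written out as an added example; this is not code from the FreeIPA patch. It compares parsed RDN lists rather than lowercased string suffixes, so it also handles differing case and spacing, escaped commas, the container DN itself and malformed DNs. python-ldap's str2dn is replaced by a small splitter so the block runs stand-alone; the container names, the sample members and the use of the RDN value as the primary key are assumptions.

```python
"""Classify LDAP group members by their DN (added example, not FreeIPA code)."""
import logging

log = logging.getLogger("migrate-example")

# Constructed sample containers and members; the hypothetical layout puts
# users under ou=People and groups under ou=Groups below dc=example,dc=com.
USER_BASE = "ou=People,dc=example,dc=com"
GROUP_BASE = "ou=Groups,dc=example,dc=com"
SAMPLE_MEMBERS = [
    "uid=alice,ou=People,dc=example,dc=com",
    "UID=bob, OU=people , DC=Example, DC=com",     # case and spacing differ
    "cn=Doe\\, John,ou=People,dc=example,dc=com",  # escaped comma in value
    "cn=devs,ou=Groups,dc=example,dc=com",         # nested group
    "ou=People,dc=example,dc=com",                 # the container itself
    "uid=eve,ou=People,dc=other,dc=com",           # different suffix
    "not-a-dn",                                    # malformed
]


def split_dn(dn):
    """Split a DN string into [(attr, value)] RDNs, honouring '\\,' escapes.

    Attribute types are lower-cased and surrounding whitespace is dropped;
    values keep their case (with the comma escape removed) so they can serve
    as keys. Multi-valued RDNs joined with '+' are not handled (assumption).
    Raises ValueError on an empty DN or an RDN without '='.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))

    parts = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed DN %r: RDN %r is not attr=value" % (dn, rdn))
        parts.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return parts


def _normalized(parts):
    # DN comparison is case-insensitive for these attribute types.
    return [(attr, value.lower()) for attr, value in parts]


def is_under(parts, base_parts):
    """True if the DN lies strictly below the base (suffix in whole RDNs)."""
    n = len(base_parts)
    return len(parts) > n and _normalized(parts[-n:]) == _normalized(base_parts)


def classify_members(members, user_base, group_base):
    """Sort member DNs into (users, groups, skipped).

    users/groups hold the RDN value (assumed here to be the primary key);
    skipped holds the original DN strings of members that are malformed or
    live in neither container, each logged with error().
    """
    user_parts, group_parts = split_dn(user_base), split_dn(group_base)
    users, groups, skipped = [], [], []
    for member in members:
        try:
            parts = split_dn(member)
        except ValueError as exc:
            log.error("%s", exc)
            skipped.append(member)
            continue
        key = parts[0][1]
        if is_under(parts, user_parts):
            log.info("migrating user %s", key)
            users.append(key)
        elif is_under(parts, group_parts):
            log.info("migrating group %s", key)
            groups.append(key)
        else:
            log.error("member %s is in neither container, skipping", member)
            skipped.append(member)
    return users, groups, skipped


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(classify_members(SAMPLE_MEMBERS, USER_BASE, GROUP_BASE))
```

Running the block classifies alice, bob and "Doe, John" as users and devs as a nested group, while the container DN, the entry under dc=other and the malformed string are reported and skipped rather than copied verbatim into the member attribute.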

Re: [Freeipa-devel] [PATCH] 621 drop install/tools/README

2010-12-01 Thread Jakub Hrozek
On Tue, Nov 30, 2010 at 02:02:00PM -0500, Rob Crittenden wrote:
 The README in install/tools is really for v1 and contains almost
 nothing useful for v2 so I'm proposing to drop it altogether.
 
 I'm also adding a link to the QuickStart guide on the trac wiki. The
 guide itself needs a lot of work but it's a start.
 
 rob

Ack

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions

2010-12-01 Thread Adam Young
The attached patch is required on top of the changes, as the admin user 
no longer has any rolegroup, and thus would see the self service api.  
It should be pushed with this patch.




On 12/01/2010 04:01 PM, Rob Crittenden wrote:

Simo Sorce wrote:

On Thu, 18 Nov 2010 23:11:51 -0500
Rob Crittendenrcrit...@redhat.com  wrote:


Re-implement access control using an updated model.

The new model is based on permissions, privileges and roles. Most
importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works
that way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported
by this model (it will be provided separately).

ticket 445

WARNING. The patch is humongous and changes a whole slew of stuff. It
patches cleanly against the master right now but it is quite delicate
so the sooner this is reviewed (without pushing anything else) the
better.

The self-tests all pass for me as well as some spot checking.

Also note that I currently define a single role and it has no
privileges. We will need to fill that in soon.



Sorry Rob, but before I can ACK a change of this proportion in the
Security model I want a wiki page with the model explained clearly and
in detail.

I am vetoing this patch until we have that.

Note, I am *not* saying the patch is wrong, only that reviewing it w/o
a reference model is basically impossible and it touches sensitive
security stuff so I can't just let it pass hoping we got everything
right.

Simo.



Adam found a bug when installing the DNS server. Updated patch attached.

rob




From a620d92d5b24d43aad12dddbef0932e9d49f0328 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 1 Dec 2010 16:44:44 -0500
Subject: [PATCH] admin determination
 extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins

---
 install/static/webui.js |   15 +--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/install/static/webui.js b/install/static/webui.js
index f168474e5ab1fd19cf4a11501b2b4131f8878d67..1b9aa7c22a5780334b5cec31ab9162a488c0074c 100644
--- a/install/static/webui.js
+++ b/install/static/webui.js
@@ -92,9 +92,21 @@ IPA.tab_state = function(entity_name){
 }
 }
 
+
+
 /* main (document onready event handler) */
 $(function() {
 
+function should_show_all_ui(){
+var whoami = IPA.whoami;
+
+if (whoami.hasOwnProperty('memberof_group') 
+whoami.memberof_group !== undefined) return true;
+
+return whoami.hasOwnProperty('memberof_rolegroup') 
+whoami.memberof_rolegroup.length  0;
+}
+
 
 function init_on_win(data, text_status, xhr) {
 $(window).bind('hashchange', window_hashchange);
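Review bot: `should_show_all_ui()` returns true whenever `whoami.memberof_group` is present and not undefined, i.e. for any user that belongs to any group at all, not specifically to `admins`; the follow-up message in this thread confirms this is the wrong version. Note also that the `&&` between the `hasOwnProperty` test and the second condition on both `return` paths has been lost in the archived copy, so the function as shown does not parse; the intended check is membership in the `admins` group.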
@@ -112,8 +124,7 @@ $(function() {
 
 var navigation = $('#navigation');
 
-if (whoami.hasOwnProperty('memberof_rolegroup') 
-whoami.memberof_rolegroup.length  0){
+if (should_show_all_ui()){
 IPA.tab_set = admin_tab_set;
 nav_create(admin_tab_set, navigation, 'tabs');
 } else {
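Review bot: replacing the inline `memberof_rolegroup` test with `should_show_all_ui()` only decides which tab set `nav_create()` renders; it is presentation, not authorization. The server-side ACIs from the permissions patch under discussion must still refuse the privileged calls for a non-admin who navigates to the admin hashes directly, so nothing should treat this branch as an access check. A one-line comment at the call site saying so would prevent that misreading.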
-- 
1.7.2.3


Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions

2010-12-01 Thread Adam Young

On 12/01/2010 05:07 PM, Adam Young wrote:
The attached patch is required on top of the changes, as the admin 
user no longer has any rolegroup, and thus would see the self service 
api.  It should be pushed with this patch.

Posted the wrong version. This one checks for the presence of the group admins.




On 12/01/2010 04:01 PM, Rob Crittenden wrote:

Simo Sorce wrote:

On Thu, 18 Nov 2010 23:11:51 -0500
Rob Crittendenrcrit...@redhat.com  wrote:


Re-implement access control using an updated model.

The new model is based on permissions, privileges and roles. Most
importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works
that way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported
by this model (it will be provided separately).

ticket 445

WARNING. The patch is humongous and changes a whole slew of stuff. It
patches cleanly against the master right now but it is quite delicate
so the sooner this is reviewed (without pushing anything else) the
better.

The self-tests all pass for me as well as some spot checking.

Also note that I currently define a single role and it has no
privileges. We will need to fill that in soon.



Sorry Rob, but before I can ACK a change of this proportion in the
Security model I want a wiki page with the model explained clearly and
in detail.

I am vetoing this patch until we have that.

Note, I am *not* saying the patch is wrong, only that reviewing it w/o
a reference model is basically impossible and it touches sensitive
security stuff so I can't just let it pass hoping we got everything
right.

Simo.



Adam found a bug when installing the DNS server. Updated patch attached.

rob







From 3be524d64ec63556f49d00860a57509df2b1ad69 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 1 Dec 2010 16:44:44 -0500
Subject: [PATCH] admin determination
 extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins
 added check for group admins

---
 install/static/webui.js |   15 +--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/install/static/webui.js b/install/static/webui.js
index f168474e5ab1fd19cf4a11501b2b4131f8878d67..757c39d0e7312b34b70812b3b2ba8311fbcd1bbe 100644
--- a/install/static/webui.js
+++ b/install/static/webui.js
@@ -92,9 +92,21 @@ IPA.tab_state = function(entity_name){
 }
 }
 
+
+
 /* main (document onready event handler) */
 $(function() {
 
+function should_show_all_ui(){
+var whoami = IPA.whoami;
+
+if (whoami.hasOwnProperty('memberof_group') 
+whoami.memberof_group.indexOf('admins')  !== -1) return true;
+
+return whoami.hasOwnProperty('memberof_rolegroup') 
+whoami.memberof_rolegroup.length  0;
+}
+
 
 function init_on_win(data, text_status, xhr) {
 $(window).bind('hashchange', window_hashchange);
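Review bot: `whoami.memberof_group.indexOf('admins') !== -1` is an exact match only if `memberof_group` is an array of group names; should the server return it as a single string (or a string of DNs), `indexOf` becomes a substring search and a group such as `notadmins` would satisfy it. Either check `Array.isArray` first or compare elements with `===` explicitly. The `&&` joining the two conditions on each `return` path is again missing in the archived copy.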
@@ -112,8 +124,7 @@ $(function() {
 
 var navigation = $('#navigation');
 
-if (whoami.hasOwnProperty('memberof_rolegroup') 
-whoami.memberof_rolegroup.length  0){
+if (should_show_all_ui()){
 IPA.tab_set = admin_tab_set;
 nav_create(admin_tab_set, navigation, 'tabs');
 } else {
-- 
1.7.2.3


Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions

2010-12-01 Thread Rob Crittenden

Adam Young wrote:

On 12/01/2010 05:07 PM, Adam Young wrote:

The attached patch is required on top of the changes, as the admin
user no longer has any rolegroup, and thus would see the self service
api. It should be pushed with this patch.

Posted the wrong version. This one checks for the presence of the group admins.


Ack

rob



Re: [Freeipa-devel] [PATCH] 619 more aci target docs

2010-12-01 Thread David O'Brien

Rob Crittenden wrote:

I added some more documentation and examples to the aci plugin on targets.

ticket 310

rob


NACK

Running behind with reviews, sorry. Just a few minor fixes:

s/targetted/targeted/
s/This is primarily meant to be able to allow users to add/remove 
members of a specific group only./This is primarily designed to enable 
users to add or remove members of a specific group.


(I _think_ I understood that ok, and didn't change the meaning. Further, 
if this target is only designed for this purpose, you don't need 
primarily. If it does something else, what is it?)


I couldn't grok 100% the subtree target description.

s/... the ACI is allowed to do, they are one or more of:/... the ACI 
is allowed to do, and are one or more of:


For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the addusers taskgroup
lets members of the editors... group?
lets members of the admin group

You might need to review the examples a bit.

cheers
--

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever.

 ~ Chinese proverb



Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions

2010-12-01 Thread Adam Young

On 12/01/2010 05:51 PM, Rob Crittenden wrote:

Adam Young wrote:

On 12/01/2010 05:07 PM, Adam Young wrote:

The attached patch is required on top of the changes, as the admin
user no longer has any rolegroup, and thus would see the self service
api. It should be pushed with this patch.
Posted the wrong version. This one checks for the presence of the group
admins.


Ack

rob

Pushed to master.
realized that this can be pushed as is.



[Freeipa-devel] [PATCH] Multicolumn enrollment dialog

2010-12-01 Thread Endi Sukma Dewata

Hi,

Please review the attached patch. Thanks!

https://fedorahosted.org/reviewboard/r/112/

The enrollment dialog has been modified to use scrollable tables that
support multiple columns to display the search results and selected
entries. The columns are specified by calling create_adder_column()
on the association facet. By default the tables will use only one
column which is to display the primary keys.

The following enrollment dialogs have been modified to use multiple
columns:
 - Group's member_user
 - Service's managedby_host
 - HBAC Service Group's member_hbacsvc
 - SUDO Command Group's member_sudocmd

The ipa_association_table_widget's add() and remove() have been moved
into ipa_association_facet so they can be customized by facet's
subclass. The ipa_table's add_row() has been renamed to add_record().

Some old code has been removed from ipa_facet_create_action_panel().
The code was used to generate association links from a single facet.
It's no longer needed because now each association has its own facet.

The test data has been updated. The IPA.nested_tabs() has been fixed
to return the entity itself if IPA.tab_set is not defined. This is
needed to pass unit test.

--
Endi S. Dewata
From ef4210e6c4d93c2d2b6eebec89e030d26d9aa39c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Dec 2010 14:51:39 -0600
Subject: [PATCH] Multicolumn enrollment dialog

The enrollment dialog has been modified to use scrollable tables that
support multiple columns to display the search results and selected
entries. The columns are specified by calling create_adder_column()
on the association facet. By default the tables will use only one
column which is to display the primary keys.

The following enrollment dialogs have been modified to use multiple
columns:
 - Group's member_user
 - Service's managedby_host
 - HBAC Service Group's member_hbacsvc
 - SUDO Command Group's member_sudocmd

The ipa_association_table_widget's add() and remove() have been moved
into ipa_association_facet so they can be customized by facet's
subclass. The ipa_table's add_row() has been renamed to add_record().

Some old code has been removed from ipa_facet_create_action_panel().
The code was used to generate association links from a single facet.
It's no longer needed because now each association has its own facet.

The test data has been updated. The IPA.nested_tabs() has been fixed
to return the entity itself if IPA.tab_set is not defined. This is
needed to pass unit test.
---
 install/static/associate.js|  245 
 install/static/entity.js   |   22 +--
 install/static/group.js|   13 ++
 install/static/hbac.js |2 +-
 install/static/hbacsvcgroup.js |   22 +++-
 install/static/ipa.css |2 +-
 install/static/rule.js |2 +-
 install/static/search.js   |2 +-
 install/static/service.js  |   13 ++
 install/static/sudocmdgroup.js |   22 +++-
 install/static/test/data/hbacsvc_find.json |   29 +++-
 install/static/widget.js   |  208 
 12 files changed, 388 insertions(+), 194 deletions(-)

diff --git a/install/static/associate.js b/install/static/associate.js
index fbd1c63c98bbff0186e9cb17de3148514fb1a02e..a6edf748f7dc9b54292f7b8b469ce624e0ad5f8e 100644
--- a/install/static/associate.js
+++ b/install/static/associate.js
@@ -152,9 +152,13 @@ function ipa_association_adder_dialog(spec) {
 var pkey_name = IPA.metadata[that.other_entity].primary_key;
 that.create_column({
 name: pkey_name,
-primary_key: true
+label: IPA.metadata[that.other_entity].label,
+primary_key: true,
+width: '200px'
 });
 }
+
+that.adder_dialog_init();
 };
 
 that.search = function() {
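Review bot: the default column now carries a literal `width: '200px'` alongside `label: IPA.metadata[that.other_entity].label`; a column width belongs in ipa.css (which this patch already touches per the diffstat) rather than in per-column literals, otherwise every facet that overrides the columns has to repeat the value to stay aligned.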
@@ -170,7 +174,7 @@ function ipa_association_adder_dialog(spec) {
 }
 
 var filter = that.get_filter();
-ipa_cmd('find', [filter], {}, on_success, null, that.other_entity);
+ipa_cmd('find', [filter], {'all': true}, on_success, null, that.other_entity);
 };
 
 that.add = function() {
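Review bot: `ipa_cmd('find', [filter], {'all': true}, on_success, null, that.other_entity);` asks the server for every attribute of every matching entry just to populate a few adder columns; on a large directory that is a lot of data per keystroke, and it ships attributes to the browser that the dialog never shows. Request only the attributes the adder columns display, or leave `all` off when the default attribute set already covers them.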
@@ -252,13 +256,11 @@ function ipa_association_table_widget(spec) {
 that.facet = spec.facet;
 that.other_entity = spec.other_entity;
 
-that.superior_create = that.superior('create');
+that.add = spec.add;
+that.remove = spec.remove;
 
 that.create = function(container) {
 
-that.member_attribute = ipa_get_member_attribute(
-that.entity_name, that.other_entity);
-
 if (!that.columns.length) {
 var pkey_name = IPA.metadata[that.other_entity].primary_key;
 
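Review bot: `that.add = spec.add;` and `that.remove = spec.remove;` replace the widget's own implementations with whatever the facet passes in, with no fallback; a facet that omits either leaves the button handler calling `undefined` at click time. Provide a default or fail in `create()` so the mistake surfaces at construction. Since `that.member_attribute = ipa_get_member_attribute(...)` is removed in the same hunk, any remaining readers of `that.member_attribute` in this widget need checking too.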
@@ -290,7 +292,7 @@ function ipa_association_table_widget(spec) {
 };
 }
 
-that.superior_create(container);
+

Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.

2010-12-01 Thread Adam Young

On 11/24/2010 02:28 PM, Pavel Zůna wrote:

On 2010-11-24 16:21, Adam Young wrote:

On 11/24/2010 03:46 AM, Pavel Zuna wrote:

On 11/24/2010 03:26 AM, Adam Young wrote:

On 11/23/2010 09:37 AM, Pavel Zuna wrote:

Finally managed to rewrite the DNS plugin again. Sorry, it took so
long, we had training in the office and I also had a nasty bug in
baseldap.py I couldn't find.

Anyway, this version has it all:
- changes we agreed on meeting, the resource abstraction is gone and
we now only have zones and records = adding new record automatically
updates an existing entry or creates it if it wasn't there and
deleting the last record deletes the whole entry - all of it
transparent to the user
- unit tests
- ipa help documentation

Fixes tickets:
#36
#450

I also closed bug #654412.

It has a new patch sequence number, because it depends on another
patch with a higher number and didn't want to create forward
dependencies.

Depends on my patches number:
35 (will repost if needed)
38 (posted a while ago on freeipa-devel)

Pavel




I keep getting an error when doing simple things like install and ipa
help:
[ayo...@ipa freeipa]$ ./ipa help dns2
ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value
Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)',
domain='ipa', localedir=None), label=Gettext('Zone name', 
domain='ipa',

localedir=None), multivalue=False, normalizer=lambda,
primary_key=True, query=True, required=True) with Str('idnsname',
attribute=True, cli_name='name', doc=Gettext('Record name',
domain='ipa', localedir=None), label=Gettext('Record name',
domain='ipa', localedir=None), multivalue=False, primary_key=True,
query=True, required=True)
Traceback (most recent call last):
File /home/ayoung/devel/freeipa/ipalib/cli.py, line 962, in run
api.finalize()
File /home/ayoung/devel/freeipa/ipalib/plugable.py, line 615, in
finalize
p.instance.finalize()
File /home/ayoung/devel/freeipa/ipalib/frontend.py, line 724, in
finalize
self._create_param_namespace('args')
File /home/ayoung/devel/freeipa/ipalib/frontend.py, line 350, in
_create_param_namespace
sort=False
File /home/ayoung/devel/freeipa/ipalib/base.py, line 407, in 
__init__

(self.__class__.__name__, name, self.__map[name], member)
AttributeError: cannot override NameSpace.idnsname value 
Str('idnsname',

cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa',
localedir=None), label=Gettext('Zone name', domain='ipa',
localedir=None), multivalue=False, normalizer=lambda,
primary_key=True, query=True, required=True) with Str('idnsname',
attribute=True, cli_name='name', doc=Gettext('Record name',
domain='ipa', localedir=None), label=Gettext('Record name',
domain='ipa', localedir=None), multivalue=False, primary_key=True,
query=True, required=True)
ipa: ERROR: an internal error has occurred



That's because you need my patch number 35 for it to work...

Pavel


OK, with that change, the patch applies and works.

I've tested: creating a zone
Creating an a record
Adding an a record entry to an existing entry (calling ipa dnsrecord-add
a second time with just a different ip address)
Adding an  record.
Deleting one and multiple  records


One thing that is a little counter intuitive is that you have to specify
which records to delete: just running
ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop doesn't delete all
records with the A name of hiphop. I think this is the right behavior,
but it should be better documented.


Ok, I'm going to add a few lines about it in the docstring (ipa help).

Maybe we should have an option to delete all records associated with a 
resource name. For example when someone is deleting a host from DNS 
and wants all of its records gone.




Have to hold off on pushing it due to F14: python-netaddr isn't in F14,
so we are adding a new python package with this plugin, too.




Pavel

ACK and pushed to master

Note that I got an OK on the added dependency on python-netaddr.


[Freeipa-devel] [PATCH] UI for host managedby

2010-12-01 Thread Endi Sukma Dewata

Hi,

Please review the attached patch. Thanks!

A custom facet has been added to manage the host's managedby attribute.
The facet defines the add and remove methods, the columns for the
association table and enrollment dialog, and the link for the primary
key column.

--
Endi S. Dewata
From 0cd0435af1678a693e405d22b3b5ccd814c526a8 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Dec 2010 20:25:44 -0600
Subject: [PATCH] UI for host managedby

A custom facet has been added to manage the host's managedby attribute.
The facet defines the add and remove methods, the columns for the
association table and enrollment dialog, and the link for the primary
key column.
---
 install/static/host.js |   66 
 1 files changed, 66 insertions(+), 0 deletions(-)

diff --git a/install/static/host.js b/install/static/host.js
index 5cfceba5cc8fbbee8922a05a6f220141bac357bb..4f3a636ebe3169cea87dd59536d822015191b041 100644
--- a/install/static/host.js
+++ b/install/static/host.js
@@ -58,6 +58,13 @@ function ipa_host() {
 });
 that.add_facet(facet);
 
+facet = ipa_host_managedby_host_facet({
+'name': 'managedby_host',
+'label': 'Managed by Hosts',
+'other_entity': 'host'
+});
+that.add_facet(facet);
+
 that.create_association_facets();
 
 that.entity_init();
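Review bot: `ipa_host_managedby_host_facet` is registered with `'name': 'managedby_host'` immediately before `that.create_association_facets()`; confirm that the generic association facet generator does not also derive a `managedby_host` facet from the metadata, otherwise two facets share one name and which one is shown depends on `add_facet()` ordering.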
@@ -412,3 +419,62 @@ function host_certificate_status_widget(spec) {
 
 return that;
 }
+
+function ipa_host_managedby_host_facet(spec) {
+
+spec = spec || {};
+
+var that = ipa_association_facet(spec);
+
+that.add_method = 'add_managedby';
+that.delete_method = 'remove_managedby';
+
+that.init = function() {
+
+var column = that.create_column({
+name: 'fqdn',
+label: 'Name',
+primary_key: true
+});
+
+column.setup = function(container, record) {
+container.empty();
+
+var value = record[column.name];
+value = value ? value.toString() : '';
+
+$('a/', {
+'href': '#'+value,
+'html': value,
+'click': function (value) {
+return function() {
+var state = IPA.tab_state(that.other_entity);
+state[that.other_entity + '-facet'] = 'details';
+state[that.other_entity + '-pkey'] = value;
+$.bbq.pushState(state);
+return false;
+}
+}(value)
+}).appendTo(container);
+};
+
+that.create_column({name: 'description', label: 'Description'});
+
+that.create_adder_column({
+name: 'fqdn',
+label: 'Name',
+primary_key: true,
+width: '100px'
+});
+
+that.create_adder_column({
+name: 'description',
+label: 'Description',
+width: '100px'
+});
+
+that.association_facet_init();
+};
+
+return that;
+}
\ No newline at end of file
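Review bot: in `column.setup` the link is built with `'html': value`, where `value` is the `fqdn` of a host record returned by the server (the angle brackets of the `$('<a/>', ...)` constructor have been stripped in the archive). Any markup in that string is interpreted rather than displayed, so a stored value containing HTML would run in the browser of every admin who opens this facet; use `'text': value` so jQuery escapes it, and encode the value before concatenating it into `'href': '#'+value`. Also add the missing newline at end of file.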
-- 
1.6.6.1


[Freeipa-devel] [PATCH] Certificate management with self-signed CA

2010-12-01 Thread Endi Sukma Dewata

Hi,

Please review the attached patch. Thanks!

The certificate_status_widget has been modified to check for the
environment variable ra_plugin to determine the CA used by IPA
server. If a self-signed CA is used, some operations will not be
available (e.g. checking certificate status, revoking/restoring
certificate), so the corresponding interface will be hidden. Other
operations such as creating new certificate and viewing certificate
are still available.

--
Endi S. Dewata
From 8ad43d4ffc323316e1f2796396758ddc3c6b9b39 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Dec 2010 21:46:38 -0600
Subject: [PATCH] Certificate management with self-signed CA

The certificate_status_widget has been modified to check for the
environment variable ra_plugin to determine the CA used by IPA
server. If a self-signed CA is used, some operations will not be
available (e.g. checking certificate status, revoking/restoring
certificate), so the corresponding interface will be hidden. Other
operations such as creating new certificate and viewing certificate
are still available.
---
 install/static/certificate.js |   69 +---
 1 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/install/static/certificate.js b/install/static/certificate.js
index 449b8f173d28c652a1d5790a30d808e551e7be84..67f9b1b35ec63d490f4a014e1d29772af917897f 100755
--- a/install/static/certificate.js
+++ b/install/static/certificate.js
@@ -404,6 +404,10 @@ function certificate_status_widget(spec) {
 that.get_entity_principal = spec.get_entity_principal;
 that.get_entity_certificate = spec.get_entity_certificate;
 
+that.is_selfsign = function() {
+return IPA.env.ra_plugin == 'selfsign';
+};
+
 that.create = function(container) {
 
 that.widget_create(container);
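Review bot: `that.is_selfsign()` uses loose equality; write `IPA.env.ra_plugin === 'selfsign'` to match the strict comparisons elsewhere in this file and avoid coercion. Note also that this only hides controls: the revoke and restore commands must still be refused by the server when the selfsign RA is configured, since a hidden button is trivial to re-enable from the browser.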
@@ -428,11 +432,13 @@ function certificate_status_widget(spec) {
 'value': 'Get'
 }).appendTo(td);
 
-$('input/', {
-'type': 'button',
-'name': 'revoke',
-'value': 'Revoke'
-}).appendTo(td);
+if (!that.is_selfsign()) {
+$('input/', {
+'type': 'button',
+'name': 'revoke',
+'value': 'Revoke'
+}).appendTo(td);
+}
 
 $('input/', {
 'type': 'button',
@@ -440,27 +446,29 @@ function certificate_status_widget(spec) {
 'value': 'View'
 }).appendTo(td);
 
-tr = $('tr/').appendTo(table);
+if (!that.is_selfsign()) {
+tr = $('tr/').appendTo(table);
 
-td = $('td/').appendTo(tr);
-$('li/', {
-'class': 'certificate-status-revoked'
-}).appendTo(td);
+td = $('td/').appendTo(tr);
+$('li/', {
+'class': 'certificate-status-revoked'
+}).appendTo(td);
 
-td = $('td/').appendTo(tr);
-td.append('Certificate Revoked:');
+td = $('td/').appendTo(tr);
+td.append('Certificate Revoked:');
 
-td = $('td/').appendTo(tr);
-td.append($('span/', {
-'name': 'revocation_reason'
-}));
-td.append(' ');
+td = $('td/').appendTo(tr);
+td.append($('span/', {
+'name': 'revocation_reason'
+}));
+td.append(' ');
 
-$('input/', {
-'type': 'button',
-'name': 'restore',
-'value': 'Restore'
-}).appendTo(td);
+$('input/', {
+'type': 'button',
+'name': 'restore',
+'value': 'Restore'
+}).appendTo(td);
+}
 
 tr = $('tr/').appendTo(table);
 
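Review bot: the revoked row (`that.revoked`, the `revocation_reason` span and the Restore button) is now created only when `!that.is_selfsign()`, so every later lookup of those elements must be guarded the same way or it will act on an empty jQuery set. The `set_status()` hunk below guards `revoked` and `revoke_button`; check that `restore_button` and `revocation_reason` are covered as well.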
@@ -567,17 +575,26 @@ function certificate_status_widget(spec) {
 
 function set_status(status, revocation_reason) {
 that.valid.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_VALID);
-that.revoked.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_REVOKED);
 that.missing.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_MISSING);
 
 that.get_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden');
-that.revoke_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden');
 that.view_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden');
-that.revocation_reason.html(revocation_reason == undefined ? '' : CRL_REASON[revocation_reason]);
-that.restore_button.css('visibility', revocation_reason == 6 ? 'visible' : 'hidden');
+
+if (!that.is_selfsign()) {
+that.revoked.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_REVOKED);
+that.revoke_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden');
+