[Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example: e = RuntimeError('num', 'messages') num, message = e num, message ('num', 'messages') e.args ('num', 'messages') num, message = e.args num, message ('num', 'messages') Christian From 6b57eb232641370f7d91febdc663bfcc62a795e7 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Mon, 13 Jul 2015 14:02:29 +0200 Subject: [PATCH] Remove tuple unpacking from except clause Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args. Signed-off-by: Christian Heimes chei...@redhat.com --- contrib/RHEL4/ipachangeconf.py| 4 ++-- ipa-client/ipaclient/ipachangeconf.py | 4 ++-- ipalib/plugins/hbactest.py| 7 --- ipaserver/dcerpc.py | 18 -- 4 files changed, 20 insertions(+), 13 deletions(-) diff --git a/contrib/RHEL4/ipachangeconf.py b/contrib/RHEL4/ipachangeconf.py index 1a361513558f20d65ac8cbb0044e7b8d352e6bad..87b306f5dff336f80b1d02909433253f148108a6 100644 --- a/contrib/RHEL4/ipachangeconf.py +++ b/contrib/RHEL4/ipachangeconf.py @@ -29,13 +29,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py index 15d41274f7a99550b0a49314fb949402e65ee1d1..edf34f5ae738eb22b8935c222392dc9b6f08638d 100644 --- a/ipa-client/ipaclient/ipachangeconf.py +++ b/ipa-client/ipaclient/ipachangeconf.py 
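Review bot: The narrowed `except OSError as e:` in openLocked still misses the failure mode of the second statement in the try body: as far as I can tell, on Python 2 fcntl.lockf reports errors as IOError, which is not a subclass of OSError there, so a failed lock propagates past the handler and the freshly opened fd is never closed. `except (OSError, IOError) as e:` keeps the handler's intent on both interpreters (on Python 3 the two names are the same class), and e.errno and e.strerror are available either way. The same hunk appears in ipa-client/ipaclient/ipachangeconf.py and needs the same change. The start of openLocked, where fd is presumably initialised to -1, lies outside the hunk.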
@@ -31,13 +31,13 @@ def openLocked(filename, perms): fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) fcntl.lockf(fd, fcntl.LOCK_EX) -except OSError, (errno, strerr): +except OSError as e: if fd != -1: try: os.close(fd) except OSError: pass -raise IOError(errno, strerr) +raise IOError(e.errno, e.strerror) return os.fdopen(fd, r+) diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index 068190310bf14d068620bc4a86d1c48ae1437251..c8dedd367e78cbe900b716369f8ef78575a21298 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -462,13 +462,14 @@ class hbactest(Command): matched_rules.append(ipa_rule.name) if res == pyhbac.HBAC_EVAL_DENY: notmatched_rules.append(ipa_rule.name) -except pyhbac.HbacError as (code, rule_name): +except pyhbac.HbacError as e: +code, rule_name = e.args if code == pyhbac.HBAC_EVAL_ERROR: error_rules.append(rule_name) self.log.info('Native IPA HBAC rule %s parsing error: %s' % \ (rule_name, pyhbac.hbac_result_string(code))) -except (TypeError, IOError) as (info): -self.log.error('Native IPA HBAC module error: %s' % (info)) +except (TypeError, IOError) as info: +self.log.error('Native IPA HBAC module error: %s' % info) access_granted = len(matched_rules) 0 else: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index a1da0a641064f59a79639d97489ff73181787a4a..4de5afb540e880e8948749c2cfa9a019eb807c47 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -772,7 +772,8 @@ class TrustDomainInstance(object): try: result = lsa.lsarpc(binding, self.parm, self.creds) return result - except RuntimeError, (num, message): + except RuntimeError as e: + num, message = e.args raise assess_dcerpc_exception(num=num, message=message) def init_lsa_pipe(self, remote_host): 
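Review bot: `code, rule_name = e.args` in the hbactest hunk unpacks the exception without checking its arity, so a HbacError carrying a different number of args becomes a ValueError raised from inside the handler, which the sibling `except (TypeError, IOError)` clause cannot catch and which hides the original error. A two-line guard keeps the original exception visible: `if len(e.args) != 2:` / `    raise` placed before the unpack. The same unguarded `num, message = e.args` appears in both fully visible hunks of ipaserver/dcerpc.py (at -772 and -889), where RuntimeError is a generic type and presumably only the Samba binding convention guarantees a (num, message) pair, so the same guard applies there. The try blocks and the enclosing method bodies begin before their hunks.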
@@ -889,7 +890,8 @@ class TrustDomainInstance(object): try: self._policy_handle = self._pipe.OpenPolicy2(u, objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED) result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_DNS) -except RuntimeError, (num, message): +except RuntimeError as e: +num, message = e.args raise assess_dcerpc_exception(num=num, message=message) self.info['name'] = unicode(result.name.string) @@ -901,7 +903,8 @@ class TrustDomainInstance(object): try: result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) -except RuntimeError,
Re: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN
On 10/07/15 14:51, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5038 I reworded the error message to keep the same format as stageuser-add and user-add. Patch attached. Works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas
On 10/07/15 19:57, Simo Sorce wrote: On Fri, 2015-07-10 at 13:03 -0400, Simo Sorce wrote: This bug affects 4.2, we should backport the fix there too. See ticket: https://fedorahosted.org/freeipa/ticket/5116 For what it's worth, I tested this change in my replica install code and it fixes the issue, though the code is different and therefore should be tested with a classic replica install. Also sorry for the HTML attachment, fat-fingered while trying to copy/paste the ticket link from FF. Simo. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote: Personally-opinionated-NACK. I would like to avoid advertising --force options when possible. --force should not be necessary in proper setups and advertising it will make people to use it instead of fixing underlying problems. How do you propose for things to work when the host is pre-created (with --random) and the service should be pre-created, and then IP address will only be set by the machine itself when it IPA-enrolls with the OTP? Can we *please* drop this patch? Does your nack go against this patch (code change), or against the ticket https://fedorahosted.org/freeipa/ticket/3959 itself? Frankly, I don't really understand why service-add checks for the DNS record at all. DNS is a property of host, not service. Yes, it might be nice to advise the user that they do not have DNS record for the host but the current ipa: ERROR: Host does not have corresponding DNS A record is just bad user experience. Do you propose to change that ERROR to warning, for example, relaxing the requirement for the DNS records being present? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
On 07/13/2015 02:59 PM, Rob Crittenden wrote: Christian Heimes wrote: The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example: e = RuntimeError('num', 'messages') num, message = e num, message ('num', 'messages') e.args ('num', 'messages') num, message = e.args num, message ('num', 'messages') Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes. Then create tickets to fix particular issues and link those with the tracking ticket. rob ACK Otherwise, I agree with Rob. Can you create an umbrella ticket? I will pushmark the commit there. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
On Mon, 13 Jul 2015, Jan Pazdziora wrote: On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote: Personally-opinionated-NACK. I would like to avoid advertising --force options when possible. --force should not be necessary in proper setups and advertising it will make people to use it instead of fixing underlying problems. How do you propose for things to work when the host is pre-created (with --random) and the service should be pre-created, and then IP address will only be set by the machine itself when it IPA-enrolls with the OTP? This is a workflow question, not a code fix. If you need to use --force, use it but this specific flow has to be documented, not suggested by the code. We have plenty of cases where you have to use --addattr/--setattr as well, but we don't advertise them in the error messages. On contrary, documenting the fact that in some workflows you actually need to override default belts and suspenders is fine. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
Christian Heimes wrote: The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example: e = RuntimeError('num', 'messages') num, message = e num, message ('num', 'messages') e.args ('num', 'messages') num, message = e.args num, message ('num', 'messages') Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes. Then create tickets to fix particular issues and link those with the tracking ticket. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
On 2015-07-13 15:21, Tomas Babej wrote: On 07/13/2015 02:59 PM, Rob Crittenden wrote: Christian Heimes wrote: The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example: e = RuntimeError('num', 'messages') num, message = e num, message ('num', 'messages') e.args ('num', 'messages') num, message = e.args num, message ('num', 'messages') Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes. Then create tickets to fix particular issues and link those with the tracking ticket. rob ACK Otherwise, I agree with Rob. Can you create an umbrella ticket? I will pushmark the commit there. Sure, I'll create a meta ticket for Python 3 and a sub ticket for each task. Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 886-890 webui: API browser
On 3.7.2015 10:45, Tomas Babej wrote: On 07/03/2015 10:06 AM, Tomas Babej wrote: On 07/02/2015 04:55 PM, Martin Kosek wrote: On 07/01/2015 04:51 PM, Petr Vobornik wrote: For those of you who don't want to try the patches: * https://pvoborni.fedorapeople.org/images/api-user-show.png * https://pvoborni.fedorapeople.org/images/api-user-add.png On 07/01/2015 09:35 AM, Martin Kosek wrote: On 06/30/2015 06:35 PM, Petr Vobornik wrote: First part of API Browser - displaying the metadata in more consumable way. Second part, how to use it in different languages will be written as wiki pages first. The browser could be later enhanced with more infos and tooltips. Patch 886 extends backend to send more metadata. Patch 887,888,889 are webui fixes and prerequisites Patch 890 is the API browser Thanks, this is a very good start. I looked at a VM with the patches and have couple usability suggestions: 1) It was hard for me to find where the API Browser is. But IPA Server looks as a good tab where it should be though. could be moved to Help tab when it's introduced. For that we need at least one more link. 2) I have strong doubts about the Objects tab, this is only understandable to users knowledgeable about FreeIPA framework internals. Common API user who just want to consume the API and not know about the internals will not know what this is. What I would do is make API Browser directly clickable so that it opens the Commands tab. This is what most people will use. Other tabs may be stacked on the left just like with Staged or Deleted users. For now, I would hide Objects as I think it would cause more confusion. If we want to show it, there should be some introduction what it is good for and maybe limitation of showed fields to only those that has any value for the consumers. fixed, there is only API Browser and no submenu 3) In Commands tab, we will some more explanatory what the attributes of Param needs and probably hide some. For example exclude is not needed for consumers. 
Attributes as follows were kept: label, type, default, default_from, values, minlength, maxlength, pattern, minvalue, maxvalue, precision, cli_name, option_group 4) Many attributes have autofill: True. I wonder how usable it is without knowing the actual default for the attribute. Can we show the default? default_from now contains list of attrs which are used for the default value, e.g.: default value created from: givenname, sn 5) I would hide Output Params all together given we don't have them set up correctly in FreeIPA framework and they may rather confuse people, with having all the HBAC or SUDO with User objects. Removed from metadata I may think about it more, there were just my couple first thoughts. Others may have different opinions here. Martin Other changes: * cli options are shown with dashes as in CLI * required and multivalued were changed into tags next to option name. 'flags' which were shown as the tags are not displayed anymore updated patches attached. I like the new version, good job! ACK from my side. Patchset works fine in my testing. Two (nitpick) questions: 1.) Should we show objects that have defined no methods or params as 'pkinit'? 2.) Relationships and attirbute members are displayed in rather raw form: attribute_members: {member:[user,group],memberindirect:[user,group],memberof:[group,netgroup,role,hbacrule,sudorule],memberofindirect:[group,netgroup,role,hbacrule,sudorule]} relationships: {member:[Member,,no_],memberindirect:[Indirect Member,null,no_indirect_],memberof:[Member Of,in_,not_in_],memberofindirect:[Indirect Member Of,null,not_in_indirect_]} Could we maybe special-case these (or introduce a way how to detect and display a dict of lists as formatted html)? Or are there arguments for the raw view of the API? Tomas On a second thought, I don't think these issues should block this patchset for now. We can improve/discuss that in 4.2.x. 
Pushed to master: 2a976334c2160c91a61fb0c47e7adbbd3150 I did not see the latest version but still, can we add *BIG FAT* warning that the API is not stable yet? I would like to prevent people from getting false sense of stability. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
On 10/07/15 18:29, Christian Heimes wrote: Hi, this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP. https://fedorahosted.org/freeipa/ticket/5113 While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line: Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again. Christian ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause
On Mon, 13 Jul 2015, Tomas Babej wrote: On 07/13/2015 02:59 PM, Rob Crittenden wrote: Christian Heimes wrote: The patch replaces implicit tuple unpacking from except clauses with explicit unpacking of the exception objects' args attribute. Example: e = RuntimeError('num', 'messages') num, message = e num, message ('num', 'messages') e.args ('num', 'messages') num, message = e.args num, message ('num', 'messages') Not related to this patch directly but I think it would be a good idea to create a Python 3 tracking ticket to make it easy to find python 3-specific changes. Then create tickets to fix particular issues and link those with the tracking ticket. rob ACK Otherwise, I agree with Rob. Can you create an umbrella ticket? I will pushmark the commit there. Please do not push this specific version of the patch yet. Christian will do the changes with four separate commits as discussed on the IRC, to avoid future problems with maintenance and backports. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
On 13.7.2015 16:32, Alexander Bokovoy wrote: On Mon, 13 Jul 2015, Jan Pazdziora wrote: On Mon, Jul 13, 2015 at 03:12:13PM +0200, Petr Spacek wrote: Personally-opinionated-NACK. I would like to avoid advertising --force options when possible. --force should not be necessary in proper setups and advertising it will make people to use it instead of fixing underlying problems. How do you propose for things to work when the host is pre-created (with --random) and the service should be pre-created, and then IP address will only be set by the machine itself when it IPA-enrolls with the OTP? This is a workflow question, not a code fix. If you need to use --force, use it but this specific flow has to be documented, not suggested by the code. We have plenty of cases where you have to use --addattr/--setattr as well, but we don't advertise them in the error messages. On contrary, documenting the fact that in some workflows you actually need to override default belts and suspenders is fine. I agree with Alexander. The point is that you have to know what you are doing if you decide to use --force/--setattr and advertising them will lead to cargo cults. The idea of services/hosts without host entry may be worth discussing, please start a separate thread on ipa-devel. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
On 10.7.2015 20:06, Veronika Kabatova wrote: - Original Message - From: Tomas Babej tba...@redhat.com To: Veronika Kabatova vkaba...@redhat.com, freeipa-devel@redhat.com Sent: Friday, July 10, 2015 2:56:58 PM Subject: Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message On 07/09/2015 01:49 PM, Veronika Kabatova wrote: The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 ticket. Veronika Kabatova Hello, thanks for the patch. Actually, the doctest does not pass: $ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py --doctest-modules = test session starts = platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4 plugins: multihost, sourceorder collected 85 items ../ipalib/errors.py ...F..F.. == FAILURES === _ [doctest] ipalib.errors.DNSNotARecordError __ 1137 1138 **4019** Raised when a hostname is not a DNS A/ record 1139 1140 For example: 1141 1142 raise DNSNotARecordError() Differences (unified diff with -expected +actual): 
@@ -1,4 +1,6 @@ Traceback (most recent call last): - ... -DNSNotARecordError: Host does not have corresponding DNS A/ record, -use --force to continue anyway + File /usr/lib64/python2.7/doctest.py, line 1315, in __run +compileflags, 1) in test.globs + File doctest ipalib.errors.DNSNotARecordError[0], line 1, in module +raise DNSNotARecordError() +DNSNotARecordError: Host does not have corresponding DNS A/ record, use --force to continue anyway /usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure The reason for the mismatch here is that you wrapped the line - in this case, we need to violate the PEP8, and allow the length of the line exceed 80 characters. Good to know, thanks for clarifying. Attached modified version which doesn't break tests, even if PEP8 checker is not happy with it. Personally-opinionated-NACK. I would like to avoid advertising --force options when possible. --force should not be necessary in proper setups and advertising it will make people to use it instead of fixing underlying problems. Can we *please* drop this patch? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Why do we require DNS record when service is being added?
Hello, we got a nack https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html when attempting to address ticket https://fedorahosted.org/freeipa/ticket/3959 Basically, when service is being added with ipa service-add, you have to use --force to add it if the underlying host record does not have DNS record. But it seems that the workflow of host created with --random OTP generated, service added to this host record (which still does not have IP address because no machine was enrolled), and only then IPA-enrolling with ipa-client --password OTP is a supported and increasingly promoted and used mechanism, for example with realm support for provisioned machines in Foreman. The initial intent of ticket https://fedorahosted.org/freeipa/ticket/3959 was to lower the stress and confusion of new IPA users by making the error message that you get when there isn't DNS record for the host entry less scary and more helpful. There is objection to making it more helpful, with the fear that people will just learn to add --force to every command and avoid the safeguards. However -- what is the purpose of the DNS check when adding service? Shouldn't that check be removed altogether? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
On 08/07/15 16:09, Gabe Alford wrote: Thanks, Martin. Update patch attached. I was getting an 'No newline at the end of file' in my environment hence an extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti mba...@redhat.com mailto:mba...@redhat.com wrote: On 01/07/15 09:05, Martin Basti wrote: On 30/06/15 17:31, Gabe Alford wrote: On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com mailto:mba...@redhat.com wrote: On 16/06/15 16:58, Gabe Alford wrote: I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com mailto:redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe I'm getting certificate on server without extra '\n' at the end. So certificate files are not the same. I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you setup a server and then connect a client (just wonder what your steps were so that I can also reproduce)? Yes. I did that. I will retest it today. Retested and ca.cert on client has extra '\n' at the end. -- Martin Basti -- Martin Basti -- Martin Basti Thank you! ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Time-Based Account Policies
On 07/10/2015 04:17 PM, Martin Basti wrote: On 10/07/15 12:08, Stanislav Laznicka wrote: Hi, Long time no post from me, time to make it up to you. I have been working on the the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow. The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid. There were some uncertainties in the design as well. I ran into 2 of these but more may come. The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one. The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of a one. 
As for the WebUI, I am not really satisfied with the current state - the time zone select button requires saving the rule before any further setting on the page and the tables for setting the time rules don't allow editing the rules, which gets annoying fast. The WebUI for the time policies in HBAC was created for my Master's thesis purposes in a hurry and I will probably need to discuss it some more with Petr V. It works well for basic display and add/remove of the time rules, though. So, that is what I do now, aside from SSSD functionality. Please, let me know what your ideas are, especially about those weekofmonth and year issues. Cheers, Stanislav Laznicka Please revert this change, 'replaces' keyword is used only for legacy permission. Changes in new permissions are handled automatically by update plugin. 'replaces': [ -'(targetattr = servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost)(target =ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Modify HBAC rule;allow (write) groupdn =ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)', +'(targetattr = servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost)(target =ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Modify HBAC rule;allow (write) groupdn =ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)', ], Martin -- Martin Basti Attaching the sequence of fixed patches. From 3bd1b08e00417d32138dbe7e92536b474f62fc8b Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka slazn...@redhat.com Date: Tue, 7 Jul 2015 09:44:23 +0200 Subject: [PATCH 1/4] Added time-based policies types to LDAP schema. https://fedorahosted.org/freeipa/ticket/547 https://fedorahosted.org/freeipa/ticket/548 --- install/share/60basev2.ldif | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif index 00712ddda2c548b7f7924a012f3f68499f2f01da..846c304264e3d9af9eeb293e4a8178282dc4958c 100644 --- a/install/share/60basev2.ldif +++ b/install/share/60basev2.ldif @@ -37,7 +37,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multivalue attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The flag to represent if it is allow or deny rule.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.14 NAME 'accessTime' DESC 'Access