[Freeipa-devel] [PATCH 0058] interactive installer does not ignore leading/trailing whitespace
Hello, Fix for https://fedorahosted.org/freeipa/ticket/5355 Thanks, Gabe From 02434fc8467bbc81313d4bda0cf0e9644c151f00 Mon Sep 17 00:00:00 2001 From: Gabe Date: Tue, 27 Oct 2015 19:17:43 -0600 Subject: [PATCH] interactive installer does not ignore leading/trailing whitespace https://fedorahosted.org/freeipa/ticket/5355 --- ipapython/ipautil.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index b6fd11338f5f55402d5e4502297866f3b0cc0534..34ff339800d56673f3438a3495cdf4f54d5563d3 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -763,7 +763,7 @@ def user_input(prompt, default = None, allow_empty = True): try: ret = input("%s: " % prompt) if allow_empty or ret.strip(): -return ret +return ret.strip() except EOFError: if allow_empty: return '' @@ -776,7 +776,7 @@ def user_input(prompt, default = None, allow_empty = True): if not ret and (allow_empty or default): return default elif ret.strip(): -return ret +return ret.strip() except EOFError: return default -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] enable pem=True in export_pem_cert function
Tomas Babej wrote: > On 10/26/2015 08:59 PM, Niranjan wrote: > > Greetings, > > > > export_pem_cert function from ipapython/certdb should export the > > certificate > > in pem format but instead exports the cert in der format as it doesn't > > enable pem=True. > > > > This patch specifies pem=True for export_pem_cert function > > > > Regards > > Niranjan > > Hi, > > the patch looks good, however, I'm curious as to how did you find this > bug? Does it affect anything? I am part of the CS(dogtag) QE team, and as part of CS Automation, i am relying on some generic functions provided by ipapython. While using those functions for our automation, I found it. > > It seems to me that this part of the code is a dead branch which should > be removed. I did not look further ipapython, so i am not aware where else export_pem_cert is being used, but i would like the functions in certdb.py be available. > > $ git grep export_pem_cert > ipapython/certdb.py:def export_pem_cert(self, nickname, location): > ipaserver/install/certs.py:def export_pem_cert(self, nickname, > ipaserver/install/certs.py:return self.nssdb.export_pem_ce.. > > Tomas pgpjsOjWKyWMi.pgp Description: PGP signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0327] KRA: fix check if CA is installed on replica
On 10/27/2015 10:43 AM, Martin Basti wrote: On 26.10.2015 10:35, Martin Babinsky wrote: On 10/23/2015 05:18 PM, Martin Basti wrote: On 23.10.2015 15:15, Martin Babinsky wrote: On 10/23/2015 03:12 PM, Martin Babinsky wrote: On 10/16/2015 12:41 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5345 Patch attached. I have tested it on 4-2 branch and it works as expected, ACK. Obviously, master branch would require a different patch. I actually missed your check in ipaserver/install/kra.py which can break ipa-replica-install with --setup-kra, so NACK. Updated patches attached. NACK on the master-branch patch. You forgot a 'return' in this code snippet: +if self.installing_replica: +domain_level = dsinstance.get_domain_level(api) +if domain_level > DOMAIN_LEVEL_0: +self.options.promote = True +return that would make installation abort when domain level is greter than zero. Updated patch attached. ACK. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0091] Silence of the linters
On 10/27/2015 06:26 PM, Tomas Babej wrote: > > > On 10/27/2015 06:25 PM, Martin Babinsky wrote: >> On 10/27/2015 06:21 PM, Martin Babinsky wrote: >>> this patch silences a false-positive pylint error introduced by recent >>> python 3 porting patches (commit >>> c38516eab7b82f3ba7334cdea7a422a070048b59) >>> >>> >>> >> pep8 fail. >> >> Attaching updated patch. >> >> >> > > Thanks for the PEP8 compliant version - now we're reducing the number of > errors on all fronts! > > ACK. > > Tomas > Pushed to master: 82fd4250b9b4f408174edec7c7f070dc9fc73ab0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0091] Silence of the linters
On 10/27/2015 06:25 PM, Martin Babinsky wrote: > On 10/27/2015 06:21 PM, Martin Babinsky wrote: >> this patch silences a false-positive pylint error introduced by recent >> python 3 porting patches (commit >> c38516eab7b82f3ba7334cdea7a422a070048b59) >> >> >> > pep8 fail. > > Attaching updated patch. > > > Thanks for the PEP8 compliant version - now we're reducing the number of errors on all fronts! ACK. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0091] Silence of the linters
On 10/27/2015 06:21 PM, Martin Babinsky wrote: this patch silences a false-positive pylint error introduced by recent python 3 porting patches (commit c38516eab7b82f3ba7334cdea7a422a070048b59) pep8 fail. Attaching updated patch. -- Martin^3 Babinsky From c34a8697014e4c7b00f05f660114949da7023eff Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 27 Oct 2015 18:18:26 +0100 Subject: [PATCH] silence pylint in Python 3-specific portion of ipalib/rpc.py --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 2accdc5f0799a1cadab995212db59c081715e29f..3664b265a1f070a198f4af640f20212f14d6c302 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -656,7 +656,7 @@ class KerbTransport(SSLTransport): else: connection.putrequest("POST", handler) headers.append(("User-Agent", self.user_agent)) -self.send_headers(connection, headers) +self.send_headers(connection, headers) # pylint: disable=E1101 self.send_content(connection, request_body) return connection -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0091] Silence of the linters
this patch silences a false-positive pylint error introduced by recent python 3 porting patches (commit c38516eab7b82f3ba7334cdea7a422a070048b59) -- Martin^3 Babinsky From abd6194bb432acbab910c2de1430ce333411ea2a Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 27 Oct 2015 18:18:26 +0100 Subject: [PATCH] silence pylint in Python 3-specific portion of ipalib/rpc.py --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 2accdc5f0799a1cadab995212db59c081715e29f..59e0e1578ea54727e4c3c42c86797c47ec583a60 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -656,7 +656,7 @@ class KerbTransport(SSLTransport): else: connection.putrequest("POST", handler) headers.append(("User-Agent", self.user_agent)) -self.send_headers(connection, headers) +self.send_headers(connection, headers) # pylint: disable=E1101 self.send_content(connection, request_body) return connection -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHSET] Replica promotion patches
On 10/27/2015 04:23 PM, Martin Babinsky wrote: On 10/22/2015 01:06 PM, Petr Vobornik wrote: On 10/16/2015 06:41 PM, Endi Sukma Dewata wrote: On 10/15/2015 9:54 AM, Simo Sorce wrote: 3) ipa-ca-install fails with: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance DogtagInstance.spawn_instance(self, cfg_file) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. I guess I'm hitting the authentication bug in Dogtag. It is supposed to be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2? We might need a new 10.2.7 build. I am not sure which version has it fixed, Endi ? PKI ticket #1580 was fixed in pki-core-10.2.6-10 for F23 and F24. We never released a pki-core-10.2.7. I suppose that is a custom build? Yes it is a custom build[4]. It was advertised that #1414[1] will be in PKI 10.2.7 but it was laterincluded into 10.2.6-5. I don't know what's a plan for 10.2.7. Required patch for the discussed issue #1580[2] is included in 10.2.6-10 So I propose to change requires - patch attached, remove 10.2.7 custom build from mkosek/freeipa-master repo and add new build(for f22) based on pki-core-10.2.6-10.fc23 from koji[3] [1] https://fedorahosted.org/pki/ticket/1414 [2] https://fedorahosted.org/pki/ticket/1580 [3] http://koji.fedoraproject.org/koji/buildinfo?buildID=689985 [4] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/121544/ ACK Pushed to master: 3f0707a199dae98d55d8e1f69b750f2d1ed4dcab pki-core-10.2.6-11 was built for f22 and f23 in mkosek/freeipa-master copr [1] pki-core-10.2.7-0.2 was removed from the copr [1] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/130759/ -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Fix ipa-ca-install bug #5397
On 23.10.2015 17:26, Simo Sorce wrote: This patch moves the check to see if a CA is already installed locally early. Simo. ACK Pushed to master: 53294aa7a7db7eff527455fc35283306b37fc777 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] 0743-0747 Python 3 porting
On 10/27/2015 05:22 PM, Tomas Babej wrote: > > > On 10/23/2015 08:21 PM, Petr Viktorin wrote: >> Hello, >> Another batch of py3 porting patches. >> >> With these, the only thing to fix to get ipapython tests passing will be >> handling encoding/decoding for stdin/stdout/stderr for ipautil.run(). > > ACK, it's nice to see some of that old code go. > > Tomas > Pushed to master: c38516eab7b82f3ba7334cdea7a422a070048b59 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] 0743-0747 Python 3 porting
On 10/23/2015 08:21 PM, Petr Viktorin wrote: > Hello, > Another batch of py3 porting patches. > > With these, the only thing to fix to get ipapython tests passing will be > handling encoding/decoding for stdin/stdout/stderr for ipautil.run(). ACK, it's nice to see some of that old code go. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] enable pem=True in export_pem_cert function
On 10/26/2015 08:59 PM, Niranjan wrote: > Greetings, > > export_pem_cert function from ipapython/certdb should export the certificate > in pem format but instead exports the cert in der format as it doesn't enable > pem=True. > > This patch specifies pem=True for export_pem_cert function > > Regards > Niranjan Hi, the patch looks good, however, I'm curious as to how did you find this bug? Does it affect anything? It seems to me that this part of the code is a dead branch which should be removed. $ git grep export_pem_cert ipapython/certdb.py:def export_pem_cert(self, nickname, location): ipaserver/install/certs.py:def export_pem_cert(self, nickname, ipaserver/install/certs.py:return self.nssdb.export_pem_ce.. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools
On 10/27/2015 03:54 PM, Petr Vobornik wrote: Both tools serve primarily for managing replication agreements and replicas. ipa-replica-manage also manages winsync agreements and DNA ranges. FreeIPA 4.3 will introduce managed topology which affects these tools. Let's go trough all sub-commands of both tools and decide what is the fate of them/how they should be replaced. Comments are welcome. In text, term 'disable' means: print an error message with help what is the new alternative. For domain level == 0 all sub-commands should behave the same way as before. Proposals are for domain level 1 if not stated otherwise. == ipa-replica-manage == === list === Lists all IPA server or replication agreements of a specific IPA server including winsync agreements. Server list is replaced by ipa server-find Replication agreements by: ipa topologysegment-find realm I see following paths: 1. do not change (current state) 2. list only winsync agreements - IMO it will be easier to maintain If winsync was not in play we could 'disable' it but winsync is not planned to be centrally managed. Mainly because the preferred alternative is trust. === connect === Allow for winsync, disable for REALM agmts. (current state) === disconenct === Allow for winsync, disable for REALM agmts. (current state) === del === (current state) With domain level 0: - removes replica and repl. agmts for REALM suffix and winsync With domain level 1: - removes replica entry and therefore repl. agmts for all suffices(REALM, CS) - ensure last services, e.g. sets renewal master - does additional cleanup I'm not aware of any operation which needs directory manager. IMO it can be moved to API in future release(e.g. 4.4), especially if ipa-server-install --uninstall is modified to do most of the cleanup. === re-initialize === Not changed. Can be disabled (long-term solution) Same capability is in topologysegment_reinitialize API command. The only difference is that no API command shows state of the pending operation. Should we transform presence of 'start' and 'stop' in nsds5beginreplicarefresh;left|right attribute into an output of topologysegment_show, e.g.: 'initialization in progress', 'cancellation of re-initialization requested'. yes, something like this would be possible, maybe this can be part of the replication monitoring work, allowing to query the state of specific agreements. === force-sync === no change yet Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl. agreement. 1. Is it required? 2. Should the functionality be transferred to topologysegment/topology plugin? 3. Is current approach good? in fact it is a hack, it uses the fact that a change in the replication agremeent will trigger a fresh start of the protocol thread. It woul be more clean to have "sendupdatesnow" attribute or as a value of the refresh attribute, would require a change in DS IMO if we want to preserve the possibility then the long-term solution is to move it to topology plugin. yes === list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv === Commands manages clean-all-ruv operations on REALM suffix. ipa-csreplica-manage doesn't have these commands #4987. These operations are meant for removal of dangling ruvs but they can also remove "correct" RUV which is not desired. The UX is not the best because if replica still exists it won't tell the admin what is the correct RUV and which are the dangling one(s) and therefore admin must get the info in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config We have a ticket to automate it: https://fedorahosted.org/freeipa/ticket/5411 Is it possible to manage it in topology plugin in centralized manner? I see $5411 as short-term solution for 4.3 or 4.4. + {list|clean|abort-clean-list-clean}-ruv sub-commands should be extended to work with all suffices. Long term solution not in 4.3 is to move it to topology plugin. === dna(next)range-{show|set} commands No change in 4.3. Long term solution is to make it centrally manageable. Not sure if by topo plugin or something else. == ipa-csreplica-manage == This tool manages only CS replication agreements. === list === Not needed. We have `ipa server-find` and `ipa topologysegment-find ipaca` commands. Should be disabled, add to #5405 === connect and disconnect === Replaced by `ipa topologysegment-{add,del}` commands. disable #5405 === del === The work is done in `ipa-replica-manage del` therefore disable #5405 === re-initialize === Same as in ipa-replica-manage - can be disabled. No ticket yet. === force-sync === Same as in ipa-replica-manage - decide what to do. No ticket yet. === set-renewal-master === AFAIK it's only update in cn=masters so could be moved to API then this could be disabled. The change is simple enough for changing in 4.3. No ticket yet. == Conclusion == ipa-csreplica-manage could be abandoned in 4.3 which plays well with topic "simplify management of CA replica
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
Hi Martin, The updated patch is attached On 10/27/2015 01:58 PM, Martin Basti wrote: On 27.10.2015 13:56, Oleg Fayans wrote: On 10/27/2015 01:22 PM, Martin Basti wrote: On 27.10.2015 12:06, Oleg Fayans wrote: Hi Martin, On 10/27/2015 10:50 AM, Martin Basti wrote: On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Yep, right you are, it works as expected. Now the line looks like: self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL Now that would definitely not work in case of domain_level is 0: 0 or 1 is always 1 Oh right. I had discussion with Tomas, and we should add there check if it is not None, in case that kwargs contains {'domain_level': None} (One does not know with test when the None value appears there) I do not get this. If we do not specify domain_level in config.yaml, it will automatically be populated with a MAX_DOMAIN_LEVEL value. That means domain_level will never ever possibly be None. I do not know how pytest works inside, if you are 100% sure, that the case written above cannot happen, I'm fine with it. Martin self.domain_level = kwargs.get('domain_level') if self.domain_level is None: self.domain_level = MAX_DOMAIN_LEVEL As we cannot user 'or' expression with integers, so this is the right way. because kwargs IMO contains undefined config values as None freeipa-te
[Freeipa-devel] [PATCHES 377-379] Hardening of ipa-adtrust-install
Hi, this couple of patches harden the adtrust installer. Details in the commit messages. Fixes: https://fedorahosted.org/freeipa/ticket/5134 Tomas From a310154f1706cc05cd6c556ec7d92ffb77f7b3fa Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 27 Oct 2015 16:05:03 +0100 Subject: [PATCH] adtrustinstance: Wait for sidgen task completion As part of hardening of adtrust installer, we should wait until the sidgen task is completed before continuing, as it can take considerable amount of time for a larger deployment. https://fedorahosted.org/freeipa/ticket/5134 --- ipaserver/install/adtrustinstance.py | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index a890f141b5ea5d79511cbd7eb3d24c73cf04f3b5..588e0648e55a989fd8ab3c5262b1146f55bf11a2 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -30,6 +30,7 @@ from ipaserver.install import service from ipaserver.install import installutils from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ dns_zone_exists +from ipaserver.install.replication import wait_for_task from ipalib import errors, api from ipalib.util import normalize_zone from ipapython.dn import DN @@ -463,13 +464,24 @@ class ADTRUSTInstance(service.Service): def __add_sids(self): """ -Add SIDs for existing users and groups +Add SIDs for existing users and groups. Make sure the task is finished +before continuing. """ try: +# Start the sidgen task self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict) -except: -pass + +# Notify the user about the possible delay +self.print_msg("This step may take considerable amount of time, please wait..") + +# Wait for the task to complete +task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config') +wait_for_task(self.admin_conn, task_dn) + +except Exception: +root_logger.debug("Exception occured during SID generation: {0}" + .format(str(e))) def __add_s4u2proxy_target(self): """ -- 2.1.0 From 8663d83d40bb8ae44a1c1ec0106108e924b9 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 27 Oct 2015 16:05:35 +0100 Subject: [PATCH] adtrustinstance: Restart samba service at the end of adtrust-install Errors related to establishing trust can occur if samba service is not restarted after ipa-adtrust-install has been run. Restart the service at the end of the installer to avoid such issues. https://fedorahosted.org/freeipa/ticket/5134 --- ipaserver/install/adtrustinstance.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 588e0648e55a989fd8ab3c5262b1146f55bf11a2..9e05bdbe5c4b2e77dee3dc0d4de74a252ea6f4c1 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -743,6 +743,12 @@ class ADTRUSTInstance(service.Service): except: pass +def __restart_smb(self): +try: +services.knownservices.smb.restart() +except Exception: +pass + def __enable(self): self.backup_state("enabled", self.is_enabled()) # We do not let the system start IPA components on its own, @@ -874,6 +880,7 @@ class ADTRUSTInstance(service.Service): if self.add_sids: self.step("adding SIDs to existing users and groups", self.__add_sids) +self.step("restarting smbd", self.__restart_smb) self.start_creation(show_service_name=False) -- 2.1.0 From 1e682ad06f99723ca2b0c0a71432d13263db5dc6 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 27 Oct 2015 16:08:10 +0100 Subject: [PATCH] adtrustinstance: Do not use bare except clauses https://fedorahosted.org/freeipa/ticket/5134 --- ipaserver/install/adtrustinstance.py | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 9e05bdbe5c4b2e77dee3dc0d4de74a252ea6f4c1..c2b446832559bbeab67f57b45bc23df82d56a68e 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -209,13 +209,13 @@ class ADTRUSTInstance(service.Service): try: admin_entry = self.admin_conn.get_entry(admin_dn) -except: +except errors.NotFound: self.print_msg("IPA admin object not found") return try: admin_group_entry = self.admin_conn.get_entry(admin_group_dn) -except: +except errors.NotFound: self.print_msg("IPA admin group object not found") return @@ -226,7 +226,7 @@ class AD
Re: [Freeipa-devel] [PATCHSET] Replica promotion patches
On 10/22/2015 01:06 PM, Petr Vobornik wrote: On 10/16/2015 06:41 PM, Endi Sukma Dewata wrote: On 10/15/2015 9:54 AM, Simo Sorce wrote: 3) ipa-ca-install fails with: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance DogtagInstance.spawn_instance(self, cfg_file) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. I guess I'm hitting the authentication bug in Dogtag. It is supposed to be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2? We might need a new 10.2.7 build. I am not sure which version has it fixed, Endi ? PKI ticket #1580 was fixed in pki-core-10.2.6-10 for F23 and F24. We never released a pki-core-10.2.7. I suppose that is a custom build? Yes it is a custom build[4]. It was advertised that #1414[1] will be in PKI 10.2.7 but it was laterincluded into 10.2.6-5. I don't know what's a plan for 10.2.7. Required patch for the discussed issue #1580[2] is included in 10.2.6-10 So I propose to change requires - patch attached, remove 10.2.7 custom build from mkosek/freeipa-master repo and add new build(for f22) based on pki-core-10.2.6-10.fc23 from koji[3] [1] https://fedorahosted.org/pki/ticket/1414 [2] https://fedorahosted.org/pki/ticket/1580 [3] http://koji.fedoraproject.org/koji/buildinfo?buildID=689985 [4] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/121544/ ACK -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] DNSZone command with user friendly message
On 27.10.2015 14:46, Martin Basti wrote: On 27.10.2015 13:00, Abhijeet Kasurde wrote: Hi All, This patch fixes bug - https://fedorahosted.org/freeipa/ticket/4811 Thanks, Abhijeet Kasurde [Tue Oct 27 14:44:51.328615 2015] [wsgi:error] [pid 5556] ipa: ERROR: non-public: AttributeError: 'dnszone' object has no attribute 'handle_obj_found' [Tue Oct 27 14:44:51.328654 2015] [wsgi:error] [pid 5556] Traceback (most recent call last): [Tue Oct 27 14:44:51.328659 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute [Tue Oct 27 14:44:51.328664 2015] [wsgi:error] [pid 5556] result = self.Command[name](*args, **options) [Tue Oct 27 14:44:51.328669 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Tue Oct 27 14:44:51.328674 2015] [wsgi:error] [pid 5556] ret = self.run(*args, **options) [Tue Oct 27 14:44:51.328678 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 764, in run [Tue Oct 27 14:44:51.328683 2015] [wsgi:error] [pid 5556] return self.execute(*args, **options) [Tue Oct 27 14:44:51.328687 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2935, in execute [Tue Oct 27 14:44:51.328692 2015] [wsgi:error] [pid 5556] result = super(dnszone_enable, self).execute(*keys, **options) [Tue Oct 27 14:44:51.328696 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2262, in execute [Tue Oct 27 14:44:51.328701 2015] [wsgi:error] [pid 5556] self.obj.handle_obj_found(*keys) [Tue Oct 27 14:44:51.328705 2015] [wsgi:error] [pid 5556] AttributeError: 'dnszone' object has no attribute 'handle_obj_found' Thank you, ACK patch works as expected However now 2 tests are failing because error message was changed, please fix tests too. test_xmlrpc/test_dns_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_forward_zones::test_command[0071: dnsforwardzone_disable: Try to disable non-existent forward zone] FAILED test_xmlrpc/test_dns_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_forward_zones::test_command[0075: dnsforwardzone_enable: Try to enable non-existent forward zone] FAILED E AssertionError: assert_deepequal: expected != got. E E expected = u'no such entry' E got = u'non-existent.fwzone.test.: DNS forward zone not found' E path = () Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools
Both tools serve primarily for managing replication agreements and replicas. ipa-replica-manage also manages winsync agreements and DNA ranges. FreeIPA 4.3 will introduce managed topology which affects these tools. Let's go trough all sub-commands of both tools and decide what is the fate of them/how they should be replaced. Comments are welcome. In text, term 'disable' means: print an error message with help what is the new alternative. For domain level == 0 all sub-commands should behave the same way as before. Proposals are for domain level 1 if not stated otherwise. == ipa-replica-manage == === list === Lists all IPA server or replication agreements of a specific IPA server including winsync agreements. Server list is replaced by ipa server-find Replication agreements by: ipa topologysegment-find realm I see following paths: 1. do not change (current state) 2. list only winsync agreements - IMO it will be easier to maintain If winsync was not in play we could 'disable' it but winsync is not planned to be centrally managed. Mainly because the preferred alternative is trust. === connect === Allow for winsync, disable for REALM agmts. (current state) === disconenct === Allow for winsync, disable for REALM agmts. (current state) === del === (current state) With domain level 0: - removes replica and repl. agmts for REALM suffix and winsync With domain level 1: - removes replica entry and therefore repl. agmts for all suffices(REALM, CS) - ensure last services, e.g. sets renewal master - does additional cleanup I'm not aware of any operation which needs directory manager. IMO it can be moved to API in future release(e.g. 4.4), especially if ipa-server-install --uninstall is modified to do most of the cleanup. === re-initialize === Not changed. Can be disabled (long-term solution) Same capability is in topologysegment_reinitialize API command. The only difference is that no API command shows state of the pending operation. Should we transform presence of 'start' and 'stop' in nsds5beginreplicarefresh;left|right attribute into an output of topologysegment_show, e.g.: 'initialization in progress', 'cancellation of re-initialization requested'. === force-sync === no change yet Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl. agreement. 1. Is it required? 2. Should the functionality be transferred to topologysegment/topology plugin? 3. Is current approach good? IMO if we want to preserve the possibility then the long-term solution is to move it to topology plugin. === list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv === Commands manages clean-all-ruv operations on REALM suffix. ipa-csreplica-manage doesn't have these commands #4987. These operations are meant for removal of dangling ruvs but they can also remove "correct" RUV which is not desired. The UX is not the best because if replica still exists it won't tell the admin what is the correct RUV and which are the dangling one(s) and therefore admin must get the info in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config We have a ticket to automate it: https://fedorahosted.org/freeipa/ticket/5411 Is it possible to manage it in topology plugin in centralized manner? I see $5411 as short-term solution for 4.3 or 4.4. + {list|clean|abort-clean-list-clean}-ruv sub-commands should be extended to work with all suffices. Long term solution not in 4.3 is to move it to topology plugin. === dna(next)range-{show|set} commands No change in 4.3. Long term solution is to make it centrally manageable. Not sure if by topo plugin or something else. == ipa-csreplica-manage == This tool manages only CS replication agreements. === list === Not needed. We have `ipa server-find` and `ipa topologysegment-find ipaca` commands. Should be disabled, add to #5405 === connect and disconnect === Replaced by `ipa topologysegment-{add,del}` commands. disable #5405 === del === The work is done in `ipa-replica-manage del` therefore disable #5405 === re-initialize === Same as in ipa-replica-manage - can be disabled. No ticket yet. === force-sync === Same as in ipa-replica-manage - decide what to do. No ticket yet. === set-renewal-master === AFAIK it's only update in cn=masters so could be moved to API then this could be disabled. The change is simple enough for changing in 4.3. No ticket yet. == Conclusion == ipa-csreplica-manage could be abandoned in 4.3 which plays well with topic "simplify management of CA replication agreements". ipa-replica-manage is still needed for RUV handling and removal of replicas in 4.3. This can change in a future. Same situation with DNA ranges handling. There is no future plan for winsync agreements and ipa-replica-manage can remain solely for this purpose in environments with managed topology. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute t
Re: [Freeipa-devel] [PATCH 0331, 0337] User plugin: allow multiple managers per user - CLI part
On 20.10.2015 18:46, Martin Basti wrote: On 20.10.2015 16:07, Martin Basti wrote: On 20.10.2015 15:57, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5344 Patch attached. Test are failing, a fix in UserTracker has to be done (partially in my patch 329) SelfNACK, I forgot to add stageuser tests Updated patch attached. I extracted tests to the separate patch, tests do not work, I had issues with user and stageuser trackers. Patch to fix issues with --addattr and managers added and attached. From 7e301a11f7ea46cff25cb0d6fa13058c69ae530c Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 27 Oct 2015 13:42:49 +0100 Subject: [PATCH] Fix --add-attr with multiple managers Framework expects managers as unicode, but if there was a manager in LDAP specified, it was returned as DN, which caused parameter conversion error. Normalize method was added to manager parameter which convert DN to manager login. https://fedorahosted.org/freeipa/ticket/5344 --- ipalib/plugins/baseuser.py | 18 ++ 1 file changed, 18 insertions(+) diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py index da4883ccec906472ed2e82f5c61ef91c9b2049e9..4d6bf1dfca7c94aba31f1f8d0125f1065271613f 100644 --- a/ipalib/plugins/baseuser.py +++ b/ipalib/plugins/baseuser.py @@ -153,6 +153,23 @@ def normalize_principal(principal): return unicode('%s@%s' % (user, realm)) +def _convert_manager(manager): +# convert DN to unicode, otherwise --addattr call will not work +# validation of manager is done later, just extract manager login from DN +if not manager: +return manager + +if isinstance(manager, DN): +try: +return manager['uid'] +except KeyError: +raise errors.ConversionError( +_("DN of the manager does not contain 'uid'") +) + + +return manager + def fix_addressbook_permission_bindrule(name, template, is_new, anonymous_read_aci, @@ -340,6 +357,7 @@ class baseuser(LDAPObject): ), Str('manager*', label=_('Manager'), +normalizer=_convert_manager, ), Str('carlicense*', label=_('Car License'), -- 2.4.3 From 250c5d3f2f5e47b19c628115ecd9df8a71d357dc Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 20 Oct 2015 18:39:57 +0200 Subject: [PATCH] Allow multiple managers per user - CLI part https://fedorahosted.org/freeipa/ticket/5344 --- API.txt| 12 ++-- VERSION| 4 ++-- ipalib/plugins/baseuser.py | 7 +-- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/API.txt b/API.txt index 873c6d54221a0c1657b5457bd9dceedb4adf06b3..896df430aaa1952c0fe4af4672b78f1ad11da45e 100644 --- a/API.txt +++ b/API.txt @@ -4225,7 +4225,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) @@ -4285,7 +4285,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, query=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, query=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('not_in_group*', cli_name='not_in_groups', csv=True) @@ -4342,7 +4342,7 @@ option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_n option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, autofill=False, cli
Re: [Freeipa-devel] [PATCH] DNSZone command with user friendly message
On 10/27/2015 07:16 PM, Martin Basti wrote: On 27.10.2015 13:00, Abhijeet Kasurde wrote: Hi All, This patch fixes bug - https://fedorahosted.org/freeipa/ticket/4811 Thanks, Abhijeet Kasurde Sorry, my bad. Please find the new patch. [Tue Oct 27 14:44:51.328615 2015] [wsgi:error] [pid 5556] ipa: ERROR: non-public: AttributeError: 'dnszone' object has no attribute 'handle_obj_found' [Tue Oct 27 14:44:51.328654 2015] [wsgi:error] [pid 5556] Traceback (most recent call last): [Tue Oct 27 14:44:51.328659 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute [Tue Oct 27 14:44:51.328664 2015] [wsgi:error] [pid 5556] result = self.Command[name](*args, **options) [Tue Oct 27 14:44:51.328669 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Tue Oct 27 14:44:51.328674 2015] [wsgi:error] [pid 5556] ret = self.run(*args, **options) [Tue Oct 27 14:44:51.328678 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 764, in run [Tue Oct 27 14:44:51.328683 2015] [wsgi:error] [pid 5556] return self.execute(*args, **options) [Tue Oct 27 14:44:51.328687 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2935, in execute [Tue Oct 27 14:44:51.328692 2015] [wsgi:error] [pid 5556] result = super(dnszone_enable, self).execute(*keys, **options) [Tue Oct 27 14:44:51.328696 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2262, in execute [Tue Oct 27 14:44:51.328701 2015] [wsgi:error] [pid 5556] self.obj.handle_obj_found(*keys) [Tue Oct 27 14:44:51.328705 2015] [wsgi:error] [pid 5556] AttributeError: 'dnszone' object has no attribute 'handle_obj_found' From 44dad1e1dc4113970068a766ccca9c66edaa Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Tue, 27 Oct 2015 17:21:17 +0530 Subject: [PATCH] Added user friendly error message for dnszone enable and disable Added try-except block in dns plugin in order to provide user friendly message to end user. https://fedorahosted.org/freeipa/ticket/4811 Signed-off-by: Abhijeet Kasurde --- ipalib/plugins/dns.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ef282c94609df0be0aa02ec14eb2b137e7ad9dbd..48d6f740ebea06e0ae9e8d68deafd607b5ae18d8 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2231,7 +2231,11 @@ class DNSZoneBase_disable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) -entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +try: +entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +except errors.NotFound: +self.obj.handle_not_found(*keys) + if not _check_entry_objectclass(entry, self.obj.object_class): self.obj.handle_not_found(*keys) @@ -2252,7 +2256,11 @@ class DNSZoneBase_enable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) -entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +try: +entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +except errors.NotFound: +self.obj.handle_not_found(*keys) + if not _check_entry_objectclass(entry, self.obj.object_class): self.obj.handle_not_found(*keys) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] DNSZone command with user friendly message
On 27.10.2015 13:00, Abhijeet Kasurde wrote: Hi All, This patch fixes bug - https://fedorahosted.org/freeipa/ticket/4811 Thanks, Abhijeet Kasurde [Tue Oct 27 14:44:51.328615 2015] [wsgi:error] [pid 5556] ipa: ERROR: non-public: AttributeError: 'dnszone' object has no attribute 'handle_obj_found' [Tue Oct 27 14:44:51.328654 2015] [wsgi:error] [pid 5556] Traceback (most recent call last): [Tue Oct 27 14:44:51.328659 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute [Tue Oct 27 14:44:51.328664 2015] [wsgi:error] [pid 5556] result = self.Command[name](*args, **options) [Tue Oct 27 14:44:51.328669 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Tue Oct 27 14:44:51.328674 2015] [wsgi:error] [pid 5556] ret = self.run(*args, **options) [Tue Oct 27 14:44:51.328678 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 764, in run [Tue Oct 27 14:44:51.328683 2015] [wsgi:error] [pid 5556] return self.execute(*args, **options) [Tue Oct 27 14:44:51.328687 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2935, in execute [Tue Oct 27 14:44:51.328692 2015] [wsgi:error] [pid 5556] result = super(dnszone_enable, self).execute(*keys, **options) [Tue Oct 27 14:44:51.328696 2015] [wsgi:error] [pid 5556] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2262, in execute [Tue Oct 27 14:44:51.328701 2015] [wsgi:error] [pid 5556] self.obj.handle_obj_found(*keys) [Tue Oct 27 14:44:51.328705 2015] [wsgi:error] [pid 5556] AttributeError: 'dnszone' object has no attribute 'handle_obj_found' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
On 27.10.2015 13:56, Oleg Fayans wrote: On 10/27/2015 01:22 PM, Martin Basti wrote: On 27.10.2015 12:06, Oleg Fayans wrote: Hi Martin, On 10/27/2015 10:50 AM, Martin Basti wrote: On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Yep, right you are, it works as expected. Now the line looks like: self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL Now that would definitely not work in case of domain_level is 0: 0 or 1 is always 1 Oh right. I had discussion with Tomas, and we should add there check if it is not None, in case that kwargs contains {'domain_level': None} (One does not know with test when the None value appears there) I do not get this. If we do not specify domain_level in config.yaml, it will automatically be populated with a MAX_DOMAIN_LEVEL value. That means domain_level will never ever possibly be None. I do not know how pytest works inside, if you are 100% sure, that the case written above cannot happen, I'm fine with it. Martin self.domain_level = kwargs.get('domain_level') if self.domain_level is None: self.domain_level = MAX_DOMAIN_LEVEL As we cannot user 'or' expression with integers, so this is the right way. because kwargs IMO contains undefined config values as None freeipa-tests depends on freeipa-python so the constants should be available in t
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
On 10/27/2015 01:22 PM, Martin Basti wrote: On 27.10.2015 12:06, Oleg Fayans wrote: Hi Martin, On 10/27/2015 10:50 AM, Martin Basti wrote: On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Yep, right you are, it works as expected. Now the line looks like: self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL Now that would definitely not work in case of domain_level is 0: 0 or 1 is always 1 Oh right. I had discussion with Tomas, and we should add there check if it is not None, in case that kwargs contains {'domain_level': None} (One does not know with test when the None value appears there) I do not get this. If we do not specify domain_level in config.yaml, it will automatically be populated with a MAX_DOMAIN_LEVEL value. That means domain_level will never ever possibly be None. self.domain_level = kwargs.get('domain_level') if self.domain_level is None: self.domain_level = MAX_DOMAIN_LEVEL As we cannot user 'or' expression with integers, so this is the right way. because kwargs IMO contains undefined config values as None freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would n
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
On 27.10.2015 12:06, Oleg Fayans wrote: Hi Martin, On 10/27/2015 10:50 AM, Martin Basti wrote: On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Yep, right you are, it works as expected. Now the line looks like: self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL Now that would definitely not work in case of domain_level is 0: 0 or 1 is always 1 Oh right. I had discussion with Tomas, and we should add there check if it is not None, in case that kwargs contains {'domain_level': None} (One does not know with test when the None value appears there) self.domain_level = kwargs.get('domain_level') if self.domain_level is None: self.domain_level = MAX_DOMAIN_LEVEL As we cannot user 'or' expression with integers, so this is the right way. because kwargs IMO contains undefined config values as None freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would not work if domainlevel is not set in config.yaml, in which case the host.config.domain_level is None. Domain level will never be None because self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) 4) Please add comment to f
[Freeipa-devel] [PATCH] DNSZone command with user friendly message
Hi All, This patch fixes bug - https://fedorahosted.org/freeipa/ticket/4811 Thanks, Abhijeet Kasurde From a333e7ddb830e5ff10d2602b12669b767b870dbb Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Tue, 27 Oct 2015 17:21:17 +0530 Subject: [PATCH] Added user friendly error message for dnszone enable and disable Added try-except block in dns plugin in order to provide user friendly message to end user. https://fedorahosted.org/freeipa/ticket/4811 Signed-off-by: Abhijeet Kasurde --- ipalib/plugins/dns.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index ef282c94609df0be0aa02ec14eb2b137e7ad9dbd..c90f3209b9f6226e89b2d2e832039187c8f21428 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2231,7 +2231,11 @@ class DNSZoneBase_disable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) -entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +try: +entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +except errors.NotFound: +self.obj.handle_not_found(*keys) + if not _check_entry_objectclass(entry, self.obj.object_class): self.obj.handle_not_found(*keys) @@ -2252,7 +2256,11 @@ class DNSZoneBase_enable(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) -entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +try: +entry = ldap.get_entry(dn, ['idnszoneactive', 'objectclass']) +except errors.NotFound: +self.obj.handle_obj_found(*keys) + if not _check_entry_objectclass(entry, self.obj.object_class): self.obj.handle_not_found(*keys) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
Hi Martin, On 10/27/2015 10:50 AM, Martin Basti wrote: On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Yep, right you are, it works as expected. Now the line looks like: self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL Now that would definitely not work in case of domain_level is 0: 0 or 1 is always 1 because kwargs IMO contains undefined config values as None freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would not work if domainlevel is not set in config.yaml, in which case the host.config.domain_level is None. Domain level will never be None because self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) 4) Please add comment to function +def domainlevel(host): that it is useful for test where domain level will be raised dynamically, otherwise it may be lost after test refactoring as somebody may consider it as unneeded and replace it with config dict. Done So summary is the 1) and 2) are replaced by 3) :) Martin^2 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 7ebc7c0899a2437463aaf7fdc03ea93fbab057bb Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: T
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
On 27.10.2015 10:22, Martin Basti wrote: On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 Respectively you should use this: self.domain_level = kwargs.get('domain_level')or MAX_DOMAIN_LEVEL because kwargs IMO contains undefined config values as None freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would not work if domainlevel is not set in config.yaml, in which case the host.config.domain_level is None. Domain level will never be None because self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) 4) Please add comment to function +def domainlevel(host): that it is useful for test where domain level will be raised dynamically, otherwise it may be lost after test refactoring as somebody may consider it as unneeded and replace it with config dict. Done So summary is the 1) and 2) are replaced by 3) :) Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0327] KRA: fix check if CA is installed on replica
On 26.10.2015 10:35, Martin Babinsky wrote: On 10/23/2015 05:18 PM, Martin Basti wrote: On 23.10.2015 15:15, Martin Babinsky wrote: On 10/23/2015 03:12 PM, Martin Babinsky wrote: On 10/16/2015 12:41 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5345 Patch attached. I have tested it on 4-2 branch and it works as expected, ACK. Obviously, master branch would require a different patch. I actually missed your check in ipaserver/install/kra.py which can break ipa-replica-install with --setup-kra, so NACK. Updated patches attached. NACK on the master-branch patch. You forgot a 'return' in this code snippet: +if self.installing_replica: +domain_level = dsinstance.get_domain_level(api) +if domain_level > DOMAIN_LEVEL_0: +self.options.promote = True +return that would make installation abort when domain level is greter than zero. Updated patch attached. From 1829177623561a239c20eb029ed84d1576a59d01 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 23 Oct 2015 14:15:00 +0200 Subject: [PATCH] KRA: fix check that CA is installed https://fedorahosted.org/freeipa/ticket/5345 --- ipaserver/install/ipa_kra_install.py | 42 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index 1ae361edc3df3c572a5a8d6900ba5425300443c1..add8250d4dabfa0cb88ea7c1c291955691b3f22b 100755 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -32,6 +32,7 @@ from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import service +from ipaserver.install import cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import installutils @@ -134,28 +135,13 @@ class KRAInstaller(KRAInstall): " in unattended mode" ) -self.installing_replica = dogtaginstance.is_installing_replica("KRA") -self.options.promote = False - -if self.installing_replica: -domain_level = dsinstance.get_domain_level(api) -if domain_level > DOMAIN_LEVEL_0: -self.options.promote = True -return - -if not self.args: -self.option_parser.error("A replica file is required.") -if len(self.args) > 1: -self.option_parser.error("Too many arguments provided") - +if len(self.args) > 1: +self.option_parser.error("Too many arguments provided") +elif len(self.args) == 1: self.replica_file = self.args[0] if not ipautil.file_exists(self.replica_file): self.option_parser.error( "Replica file %s does not exist" % self.replica_file) -else: -if self.args: -self.option_parser.error("Too many parameters provided. " - "No replica file is required.") def ask_for_options(self): super(KRAInstaller, self).ask_for_options() @@ -170,6 +156,26 @@ class KRAInstaller(KRAInstall): def _run(self): super(KRAInstaller, self).run() + +if not cainstance.is_ca_installed_locally(): +raise RuntimeError("Dogtag CA is not installed. " + "Please install the CA first") + +# this check can be done only when CA is installed +self.installing_replica = dogtaginstance.is_installing_replica("KRA") +self.options.promote = False + +if self.installing_replica: +domain_level = dsinstance.get_domain_level(api) +if domain_level > DOMAIN_LEVEL_0: +self.options.promote = True +elif not self.args: +raise RuntimeError("A replica file is required.") +else: +if self.args: +raise RuntimeError("Too many parameters provided. " + "No replica file is required.") + print(dedent(self.INSTALLER_START_MESSAGE)) self.options.dm_password = self.options.password -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0335] Freeipa domain levels naming
On 27.10.2015 10:12, Petr Spacek wrote: On 23.10.2015 14:07, Petr Spacek wrote: On 23.10.2015 13:53, Martin Basti wrote: On 23.10.2015 13:53, Tomas Babej wrote: On 10/23/2015 01:51 PM, Martin Basti wrote: On 23.10.2015 13:49, Tomas Babej wrote: On 10/23/2015 12:49 PM, Martin Basti wrote: On 23.10.2015 09:34, Martin Basti wrote: On 23.10.2015 09:31, Tomas Babej wrote: On 10/22/2015 05:49 PM, Simo Sorce wrote: On 22/10/15 11:29, Martin Basti wrote: Hello all, in current master branch we have mixed usage of literals 0, 1 and constants MIN_DOMAIN_LEVEL, MAX_DOMAIN_LEVEL, and it is quite mess. I suggest to use names for domain levels: COMPAT_DOMAIN_LEVEL = 0 PROMOTION_DOMAIN_LEVEL = 1 UBER_NEW_FEATURE_DOMAIN_LEVEL = 2 MIN_DOMAIN_LEVEL = COMPAT_DOMAIN_LEVEL (=0) MAX_DOMAIN_LEVEL = UBER_NEW_FEATURE_DOMAIN_LEVEL (=2) Benefits: * ability to grep it in code Call them DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 * better readability in code Sure, but random names are not appropriate imo I'm with you guys on this, it's a good idea. Let's go with the DOMAIN_LEVEL_X naming though, it will be probably easier to remember. One thing to add to the discussion - MIN/MAX_DOMAIN_LEVEL denotes only the minimal/maximal domain level supported by the given IPA server, not the minimal/maximal domain level ever shipped by FreeIPA project. Currently, those two coincide, but in general they might be different if we ever raise the minimal level a decide to deprecate, say, domain level 0 or 1. It's a subtle but important difference. Tomas Thank you all for your opinion, I will implement DOMAIN_LEVEL_X constants and send patch. Thanks. Martin^2 Patch attached. O hope, I did not miss anything hardcoded. I think we can safely hardcode domain levels as numbers in the error messages. Substituting {dl} for constants.DOMAIN_LEVEL_0 in the error message makes little sense to me, as the value of constants.DOMAIN_LEVEL_0 will not ever change. However, with substituting is easier to find occurrences of domain levels in comments and messages in case of refactoring. In case of refactoring of what? All the error messages containing reference to a domain level 0? :) Exactly! :) Tomas, that one day we decide to drop support for domain level 0. We will have to hunt down all references to it and using constant for help messages etc. might be handy because it will show up in results of grep, so we do not forget to wipe domain level 0 from texts. Nitpick just to make you feel that I read the patch (does not warrant a NACK): I would rather see conditions in form of (<= or >=) instead of (< or >) because now you have to grep for domain level +- 1 to get all references to particular domain level :-D Nevermind, this is just a nitpick. ACK, I did not find any breakage. Pushed to master: beb6a3236d5c10acd990aaf92eddc74fee456909 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
On 27.10.2015 10:00, Oleg Fayans wrote: Hi Martin, The updated version of the patch is attached. Please, see my comments below My comments inline, I may be completely wrong in how the test suite work, so feel free to correct me. Martin On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. wat? in case that kwargs is dict containing values from config file: In [1]: kwargs = dict(domain_level=0) In [2]: kwargs.get('domain_level', 123) Out[2]: 0 freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would not work if domainlevel is not set in config.yaml, in which case the host.config.domain_level is None. Domain level will never be None because self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) 4) Please add comment to function +def domainlevel(host): that it is useful for test where domain level will be raised dynamically, otherwise it may be lost after test refactoring as somebody may consider it as unneeded and replace it with config dict. Done So summary is the 1) and 2) are replaced by 3) :) Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0335] Freeipa domain levels naming
On 23.10.2015 14:07, Petr Spacek wrote: > On 23.10.2015 13:53, Martin Basti wrote: >> >> >> On 23.10.2015 13:53, Tomas Babej wrote: >>> >>> On 10/23/2015 01:51 PM, Martin Basti wrote: On 23.10.2015 13:49, Tomas Babej wrote: > On 10/23/2015 12:49 PM, Martin Basti wrote: >> On 23.10.2015 09:34, Martin Basti wrote: >>> On 23.10.2015 09:31, Tomas Babej wrote: On 10/22/2015 05:49 PM, Simo Sorce wrote: > On 22/10/15 11:29, Martin Basti wrote: >> Hello all, >> >> in current master branch we have mixed usage of literals 0, 1 and >> constants MIN_DOMAIN_LEVEL, MAX_DOMAIN_LEVEL, and it is quite mess. >> >> I suggest to use names for domain levels: >> >> COMPAT_DOMAIN_LEVEL = 0 >> PROMOTION_DOMAIN_LEVEL = 1 >> UBER_NEW_FEATURE_DOMAIN_LEVEL = 2 >> >> MIN_DOMAIN_LEVEL = COMPAT_DOMAIN_LEVEL (=0) >> MAX_DOMAIN_LEVEL = UBER_NEW_FEATURE_DOMAIN_LEVEL (=2) >> >> Benefits: >> * ability to grep it in code > Call them DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 > >> * better readability in code > Sure, but random names are not appropriate imo I'm with you guys on this, it's a good idea. Let's go with the DOMAIN_LEVEL_X naming though, it will be probably easier to remember. One thing to add to the discussion - MIN/MAX_DOMAIN_LEVEL denotes only the minimal/maximal domain level supported by the given IPA server, not the minimal/maximal domain level ever shipped by FreeIPA project. Currently, those two coincide, but in general they might be different if we ever raise the minimal level a decide to deprecate, say, domain level 0 or 1. It's a subtle but important difference. Tomas >>> Thank you all for your opinion, >>> >>> I will implement DOMAIN_LEVEL_X constants and send patch. >>> >>> Thanks. >>> Martin^2 >>> >> Patch attached. >> O hope, I did not miss anything hardcoded. > I think we can safely hardcode domain levels as numbers in the error > messages. Substituting {dl} for constants.DOMAIN_LEVEL_0 in the error > message makes little sense to me, as the value of > constants.DOMAIN_LEVEL_0 will not ever change. However, with substituting is easier to find occurrences of domain levels in comments and messages in case of refactoring. >>> In case of refactoring of what? All the error messages containing >>> reference to a domain level 0? :) >> Exactly! :) > > Tomas, that one day we decide to drop support for domain level 0. We will have > to hunt down all references to it and using constant for help messages etc. > might be handy because it will show up in results of grep, so we do not forget > to wipe domain level 0 from texts. > > > Nitpick just to make you feel that I read the patch (does not warrant a NACK): > I would rather see conditions in form of (<= or >=) instead of (< or >) > because now you have to grep for domain level +- 1 to get all references to > particular domain level :-D > > Nevermind, this is just a nitpick. ACK, I did not find any breakage. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Replica promotion related changes in integration tests
Hi Martin, The updated version of the patch is attached. Please, see my comments below On 10/26/2015 06:48 PM, Martin Basti wrote: On 26.10.2015 08:59, Oleg Fayans wrote: On 10/23/2015 03:10 PM, Martin Basti wrote: On 23.10.2015 15:00, Oleg Fayans wrote: Hi Martin, Here comes the updated version. On 10/22/2015 05:38 PM, Martin Basti wrote: On 22.10.2015 15:23, Martin Basti wrote: On 22.10.2015 14:13, Oleg Fayans wrote: Hello, thank you for the patch. 1) please remove the added empty lines, they are unrelated to this ticket done 2) -def install_master(host, setup_dns=True, setup_kra=False): +def install_master(host, setup_dns=True, setup_kra=False, domainlevel=1): I suggest to use default domainlevel=None, which will use the default domain level (specified in build) done 3) +domain_level = domainlevel(master) I do not think that this meets expectations. We have to test, both domain level 0 and 1 for IPA 4.3, respectively new IPA must support all older domain levels, domain level is independent on IPA version, only admin can raise it up. So you have to find out way how to pass the domain level for which test will be running, we were talking about using config files, but feel free to find something new and better Fixed. Now, we declare domain level in config.yaml with the directive domain_level 4) Did you resolve the pytest fixtures which specifies which tests can be run under which domain level? In fact, we do not seem to have any tests yet that would require it. All the existing tests just use install_replica method, no matter how is it done. How about topology CI test? This can be executed only with domain level That's right. The topology test was updated. Patch is attached together with a proper version of 11-th patch (not a swap file, sorry about that). 1, right? 5) +'--ip-address', client.ip, why this change to client install? Right, it found to be unnecessary. Martin^2 6) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:85: [E1123(unexpected-keyword-arg), allow_sync_ptr] Unexpected keyword argument 'raiseonerr' in function call) Fixed 1) +if not host.config.domain_level == None: +args.append("--domain-level=%i" % host.config.domain_level) always use: variable *is not None* 2) Why there is specified level 1 as default? IIRC we agreed that the default level is the one which is default in tested package. These should be None and "": +"domain_level": "1" +"DOMAINLVL": "1", 3) However, as I read the patch 12, and I'm right, the pytest.fixture needs to know the value of domain level before we can do any dynamic detection on master. So we should use the constants MAX_DOMAIN_LEVEL as default, for 2) Done Also I'm not sure if the values are inherited from the DEFAULT_OUTPUT_DICT to code, I think it is not, so for this part you need default value, or the fixture will not work as expected. +self.domain_level = kwargs.get('domain_level', MAX_DOMAIN_LEVEL) This won't work in cases when domainlevel is explicitly set to 0 in config.yaml. This default value will always override the explicit one. freeipa-tests depends on freeipa-python so the constants should be available in tests. So then you also need update this line +if not host.config.domain_level != MAX_DOMAIN_LEVEL: +args.append("--domain-level=%i" % host.config.domain_level) This would not work if domainlevel is not set in config.yaml, in which case the host.config.domain_level is None. 4) Please add comment to function +def domainlevel(host): that it is useful for test where domain level will be raised dynamically, otherwise it may be lost after test refactoring as somebody may consider it as unneeded and replace it with config dict. Done So summary is the 1) and 2) are replaced by 3) :) Martin^2 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 385ad3ca9c564e3d08a0a3256dfc65ab07374a04 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 27 Oct 2015 09:43:33 +0100 Subject: [PATCH] Updated the tests according to the new replica installation workflow As of 4.3 the replica installation is performed without preparing a gpg file on master, but rather enrolling a future replica as a client with subsequent promotion of the client. This required the corresponding change in the integration tests https://fedorahosted.org/freeipa/ticket/5379 --- ipatests/test_integration/config.py | 3 +- ipatests/test_integration/tasks.py | 41 ipatests/test_integration/test_testconfig.py | 5 +++- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/ipatests/test_integration/config.py b/ipatests/test_integration/config.py index 785a9bb8c420f99980c098887e0bd31422119564..60a4bd700afe3027dfcbdf203d02373f8a7aa9f9 100644 --- a/ipatests/test_integration/config.py +++ b/ipatests/test_integration/config.
Re: [Freeipa-devel] [PATCH 0012-0019] CA ACL tracker and functional test
On 23.10.2015 14:01, Milan KubĂk wrote: On 10/20/2015 02:19 PM, Martin Basti wrote: NACK 1) I still see many hardcoded passwords in the code with change_principal(smime_user, "Secret123"): For now changed to module variable. 2) Also the 'alice' username can be extracted to module variable instead hardcoding The fixture should take the place of module variables in the tests. Changed u'alice' into local variable. Once we fix the problems with UserTracker, we should store the password here as well. 3) File alice.conf.tmpl can be generalized to be used for more users, replace alice in template to {username} and in code replace this variable with alice, also do not forgot rename template to something more general Done. Updated patch set attached. ACK Pushed to master: 5ab0fcabf3e6ac7970c1803893717301a4b4cfe8 Pushed to ipa-4-2: 21fed035beab7dbee59f1e0c29d203345f0d0c7f -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code