[Freeipa-devel] [PATCH 0028][Tests] Fix failing user tests
Hi, here's patch with fix for failing user tests, specifically tests with renaming users. Failures were caused by RFE Kerberos principal aliases. As part of the fix, I had to rewrite few of the tests themselves, since they used "--setattr" option rather than "--rename" option, which produces different results. Lenka From 18968819c48088c77786736cc52271d973e123cd Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Fri, 15 Jul 2016 17:57:53 +0200 Subject: [PATCH] Tests: Fix for failing user tests Providing fix for failing user rename tests. Failures were caused by RFE Kerberos principal alias. Some tests were rewritten, since they used "--setattr" option instead of "--rename", and hence didn't reflect proper behaviour of the principal aliases feature. --- ipatests/test_xmlrpc/test_user_plugin.py| 31 ++--- ipatests/test_xmlrpc/tracker/user_plugin.py | 10 ++ 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index def522814f6c0a894f0bd8f352e110a95e5aa09a..7c27abc56cb859eb4fb710f1ff384793dfbe453c 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py 
@@ -316,24 +316,10 @@ class TestUpdate(XMLRPC_test): renameduser.ensure_missing() olduid = user.uid -# using user.update(dict(uid=value)) results in -# OverlapError: overlapping arguments and options: ['uid'] -user.attrs.update(uid=[renameduser.uid]) -command = user.make_update_command( -updates=dict(setattr=(u'uid=%s' % renameduser.uid)) -) -result = command() -user.check_update(result) -user.uid = renameduser.uid +user.update(updates=dict(rename=renameduser.uid)) # rename the test user back so it gets properly deleted -user.attrs.update(uid=[olduid]) -command = user.make_update_command( -updates=dict(setattr=(u'uid=%s' % olduid)) -) -result = command() -user.check_update(result) -user.uid = olduid +user.update(updates=dict(rename=olduid)) def test_rename_to_the_same_value(self, user): """ Try to rename user to the same value """ @@ -640,18 +626,13 @@ class TestUserWithGroup(XMLRPC_test): if its manager is also renamed """ renamed_name = u'renamed_npg2' old_name = user_npg2.uid -command = user_npg2.make_update_command(dict(rename=renamed_name)) -result = command() -user_npg2.attrs.update(uid=[renamed_name]) -user_npg2.check_update(result) + +user_npg2.update(updates=dict(rename=renamed_name)) + user_npg.attrs.update(manager=[renamed_name]) user_npg.retrieve(all=True) -command = user_npg2.make_command( -'user_mod', renamed_name, **dict(rename=old_name) -) -# we rename the user back otherwise the tracker is too confused -result = command() +user_npg2.update(updates=dict(rename=old_name)) def test_check_if_manager_gets_removed(self, user_npg, user_npg2): """ Delete manager and check if it's gone from user's attributes """ diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 1a85e93327e5d517249fd67e208e83a922509002..fca0ab9c46b18ed145990bf04c2444701b8a3675 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py 
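Review bot: Renaming the user to `renameduser.uid` and back leaves `renameduser.uid@REALM` on the test user as a principal alias — that is what the new `rename` branch in `UserTracker.update` models — so the entry is not restored to its pre-test state. `renameduser.ensure_missing()` at the top of the hunk only guarantees the entry is absent, not that its principal is unused; if a later test creates `renameduser`, the add may collide with the leftover alias (the rest of the class is outside the hunk, so this is inferred). Either remove the alias after the second rename, or assert it explicitly so the behaviour is visible in the test, e.g. `assert u'%s@%s' % (renameduser.uid, user.api.env.realm) in user.attrs['krbprincipalname']`. The enclosing test method starts before the hunk.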
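Review bot: The second `user_npg2.update(updates=dict(rename=old_name))` dropped the comment that explained why the user is renamed back, so the trailing rename now reads like a leftover; keep a why-comment such as `# rename back so the tracker's uid matches the entry at cleanup time`. Separately, `user_npg.attrs.update(manager=[renamed_name])` is never reverted after the rename back, so the `user_npg` tracker keeps a stale `manager` value; whether that matters depends on the fixture scope, which is not visible here — if the fixture is shared across tests, add `user_npg.attrs.update(manager=[old_name])` after the last rename. The enclosing test method starts before the hunk.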
@@ -196,11 +196,18 @@ class UserTracker(Tracker): for key, value in updates.items(): if value is None or value is '' or value is u'': del self.attrs[key] +elif key == 'rename': +new_principal = u'{0}@{1}'.format(value, self.api.env.realm) +self.attrs['uid'] = [value] +self.attrs['krbcanonicalname'] = [new_principal] +if new_principal not in self.attrs['krbprincipalname']: +self.attrs['krbprincipalname'].append(new_principal) else: if type(value) is list: self.attrs[key] = value else: self.attrs[key] = [value] + for key, value in expected_updates.items(): if value is None or value is '' or value is u'': del self.attrs[key] @@ -212,6 +219,9 @@ class UserTracker(Tracker): extra_keys=set(updates.keys()) | set(expected_updates.keys()) ) +if 'rename' in updates: +self.uid = self.attrs['uid'][0] + def check_create(self, result, extra_keys=()): """ Check 'user-add' command result """ expected = self.filter_attrs(self.create_keys | set(extra_keys)) -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:
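Review bot: The new `rename` branch indexes `self.attrs['krbprincipalname']` directly, so a tracker whose `attrs` lacks that key fails with `KeyError` instead of recording the alias; `principals = self.attrs.setdefault('krbprincipalname', [])` followed by `if new_principal not in principals: principals.append(new_principal)` keeps the same semantics and tolerates the missing key (whether `attrs` can lack it depends on the create path, which is outside the hunk). The branch also appends to the existing list in place, so if `attrs` is ever shallow-copied between trackers the alias leaks into the copy; building a new list avoids that. The surrounding `value is ''` / `value is u''` checks in the context lines compare strings by identity and only work because CPython interns the empty string — `value in (None, '', u'')` is the intended test and is worth fixing while this loop is being touched. `UserTracker.update` starts before the hunk.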
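Review bot: `self.uid` is refreshed after a rename, but if the tracker also caches the entry DN derived from `uid` (the constructor is not visible from this hunk, so this is inferred), that DN is now stale and a later `retrieve()` would expect the old one. If such an attribute exists, refresh it in the same `if 'rename' in updates:` branch so the tracker stays consistent with the renamed entry. `UserTracker.update` continues outside the hunk.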
[Freeipa-devel] [PATCH] 963 unite log file name of ipa-ca-install
ipa-ca-install said that it used /var/log/ipareplica-ca-install.log but in fact it used /var/log/ipaserver-ca-install.log This patch unites it to ipaserver-ca-install.log It was chosen because ipa-ca-install can be also used on master on CA-less -> CA conversion. Term "server" is valid for both master and replica. https://fedorahosted.org/freeipa/ticket/6088 -- Petr Vobornik From 9af48b0d4c0b0b6d1e51cc320ec9409caa0ec873 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Fri, 15 Jul 2016 16:25:36 +0200 Subject: [PATCH] unite log file name of ipa-ca-install ipa-ca-install said that it used /var/log/ipareplica-ca-install.log but in fact it used /var/log/ipaserver-ca-install.log This patch unites it to ipaserver-ca-install.log It was chosen because ipa-ca-install can be also used on master on CA-less -> CA conversion. Term "server" is valid for both master and replica. https://fedorahosted.org/freeipa/ticket/6088 --- install/tools/ipa-ca-install | 4 ++-- ipaplatform/base/paths.py| 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index ed685920cbadb9cd3fc80865afb1610ca42f8b13..eee5dee34ac375e16a17d79b0b60918ad53b2089 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -38,7 +38,7 @@ from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipaplatform.paths import paths -log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG +log_file_name = paths.IPASERVER_CA_INSTALL_LOG REPLICA_INFO_TOP_DIR = None def parse_options(): 
@@ -285,7 +285,7 @@ def main(): cainstance.is_ca_installed_locally()): sys.exit("CA is already installed on this host.") -standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug) +standard_logging_setup(log_file_name, debug=options.debug) root_logger.debug("%s was invoked with options: %s,%s", sys.argv[0], safe_options, filename) root_logger.debug("IPA version %s", version.VENDOR_VERSION) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index d6fbe32f6839a5db40148777132ba1454cbc3382..2c221a1b48d1aa16579e9e4882f13ea6271ad1b6 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -303,7 +303,6 @@ class BasePathNamespace(object): IPABACKUP_LOG = "/var/log/ipabackup.log" IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log" IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log" -IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log" IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log" IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log" IPARESTORE_LOG = "/var/log/iparestore.log" -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies
On 07/15/2016 03:11 PM, Simo Sorce wrote: On Fri, 2016-07-15 at 14:29 +0200, Stanislav Laznicka wrote: On 07/15/2016 02:10 PM, Simo Sorce wrote: On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: On Wed, 18 May 2016, Stanislav Laznicka wrote: when removal succeeds but addition fails for some reason? The operation is not atomic anymore. We offline-discussed this with Honza. There should be a new command `ipa hbacrule-replace-accesstime rule_name --orig- time=icalstr1 --new-time=icalstr2`. As it would be derived from LDAPQuery, the atomicity is kept. This may not be very nice for CLI but should work well for WebUI. Both icalstr1 and icalstr2 need to be encoded as newlines that appear so often in iCalendar strings would only make a mess here. Example of use: ipa hbacrule-replace-accesstime rule_name --orig-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVEN T\\r \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTA RT:2 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=M ONTH LY;INTERVAL=5;BYDAY=MO;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VC ALEN DAR\\r\\n'" --new-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVEN T\\r \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTA RT:2 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=M ONTH LY;INTERVAL=5;BYDAY=MO,TU;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND :VCA LENDAR\\r\\n'" to add Tuesdays to the timespan defined by the rule. I would really like to see a file input support here. It would be simpler to operate in CLI as you would anyway create vCal files -- no sane person is going to deal with these strings directly on the command line. That is correct and some basic file support is already in the patches I sent earlier, though replacing rules is not a part of it. 
However, it does not solve the problem as you would still need access to the files to work with the attributes and then change the files accordingly. However, we've had yet another brainstorm with Petr^2, Martin^2 and Honza. We really don't want the above so we came up with some ideas that I'm listing below. Note that we also do not want more than one VEVENT component in any of the time rules. So, the ideas: 1) Have the time rules as separate objects. This approach got most support here. Adding Simo and Jakub to CC should they have any input against this. 2) Have the time rules stored as strings in the multi- valued accesstime attribute at each rule. These would be referenced by their UID property of the VEVENT component of the iCalendar string (instead of that pure hell above). As each of the strings can only contain one VEVENT which has to define a UID, the only problem would be to keep the uniqueness of UIDs consistent. From my point of view, 1) seems rather better but your experience might be different. Don't hesitate to share your opinions, please. Can you please give me an example ldif of a complete hbac rule including time rules with the 2 different proposals ? I do not really care a lot how the framework ends up managing the objetcs, I care mostly about how the information is stored in LDAP and how efficient the storage will be for SSSD retrieval. That's my evaluation pov. Keep in mind that rules are modified rarely but downloaded much more frequently, so it is ok to have a slightly harder way to store them to gain efficiency in retrieving and downloading them. Simo. Please find the ldif files attached, with some additional changes than only to hbac rules. It's from my current implementations. OT: We had an offline discussion with Honza that to keep the backward compatibility, it might be good to introduce v2 of HBAC rules so that's what you see there. Perhaps accessTime should be in that v2 rule as well but that's even more off-topic here. 
I really would like an example ldif of a set of objects created with an actual time rule in effect, the schema tells me something but not all. You have ipaHBACRulev2 defined twice in different way in the two files, why ? What is accessTime ? Simo. Those two files show two different implementations - templates.ldif of the template approach, objects.ldif of "time rules as objects" approach. Should have probably mentioned that. Also, like I said, I should have probably included "accessTime" in the objects.ldif ipaHBACRulev2, which I believe is the only difference there that does not have to do anything with how this works. "accessTime" is an attributeType defined in some IPA 2.0 version or so which should bear the time policy information. Each of the time rules objects should bear one single-valued "accessTime" attribute. "accessTime" is originally defined as multi-valued so we may want to have a new attribute defined for that use. Time rules would have their own container somewhere
Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies
On Fri, 2016-07-15 at 14:29 +0200, Stanislav Laznicka wrote: > On 07/15/2016 02:10 PM, Simo Sorce wrote: > > > > On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: > > > > > > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: > > > > > > > > On Wed, 18 May 2016, Stanislav Laznicka wrote: > > > > > > > > > > > > > > > > > > > > > > > > > when removal succeeds but addition fails for some reason? > > > > > > > The > > > > > > > operation is not atomic anymore. > > > > > > > > > > > > We offline-discussed this with Honza. There should be a new > > > > > command > > > > > `ipa hbacrule-replace-accesstime rule_name --orig- > > > > > time=icalstr1 > > > > > --new-time=icalstr2`. As it would be derived from LDAPQuery, > > > > > the > > > > > atomicity is kept. This may not be very nice for CLI but > > > > > should > > > > > work > > > > > well for WebUI. Both icalstr1 and icalstr2 need to be encoded > > > > > as > > > > > newlines that appear so often in iCalendar strings would only > > > > > make a > > > > > mess here. 
> > > > > > > > > > Example of use: > > > > > > > > > > ipa hbacrule-replace-accesstime rule_name > > > > > --orig-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The > > > > > Company//iCal4j > > > > > 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVEN > > > > > T\\r > > > > > \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTA > > > > > RT:2 > > > > > 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=M > > > > > ONTH > > > > > LY;INTERVAL=5;BYDAY=MO;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VC > > > > > ALEN > > > > > DAR\\r\\n'" > > > > > --new-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The > > > > > Company//iCal4j > > > > > 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVEN > > > > > T\\r > > > > > \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTA > > > > > RT:2 > > > > > 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=M > > > > > ONTH > > > > > LY;INTERVAL=5;BYDAY=MO,TU;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND > > > > > :VCA > > > > > LENDAR\\r\\n'" > > > > > > > > > > > > > > > to add Tuesdays to the timespan defined by the rule. > > > > I would really like to see a file input support here. It would > > > > be > > > > simpler to operate in CLI as you would anyway create vCal files > > > > -- > > > > no > > > > sane person is going to deal with these strings directly on the > > > > command > > > > line. > > > > > > > That is correct and some basic file support is already in the > > > patches > > > I > > > sent earlier, though replacing rules is not a part of it. > > > However, > > > it > > > does not solve the problem as you would still need access to the > > > files > > > to work with the attributes and then change the files > > > accordingly. > > > > > > However, we've had yet another brainstorm with Petr^2, Martin^2 > > > and > > > Honza. We really don't want the above so we came up with some > > > ideas > > > that > > > I'm listing below. 
Note that we also do not want more than one > > > VEVENT > > > component in any of the time rules. So, the ideas: > > > 1) Have the time rules as separate objects. This approach > > > got > > > most > > > support here. Adding Simo and Jakub to CC should they have any > > > input > > > against this. > > > 2) Have the time rules stored as strings in the multi- > > > valued > > > accesstime attribute at each rule. These would be referenced by > > > their > > > UID property of the VEVENT component of the iCalendar string > > > (instead > > > of > > > that pure hell above). As each of the strings can only contain > > > one > > > VEVENT which has to define a UID, the only problem would be to > > > keep > > > the > > > uniqueness of UIDs consistent. > > > > > > From my point of view, 1) seems rather better but your > > > experience > > > might > > > be different. Don't hesitate to share your opinions, please. > > Can you please give me an example ldif of a complete hbac rule > > including time rules with the 2 different proposals ? > > > > I do not really care a lot how the framework ends up managing the > > objetcs, I care mostly about how the information is stored in LDAP > > and > > how efficient the storage will be for SSSD retrieval. > > > > That's my evaluation pov. > > Keep in mind that rules are modified rarely but downloaded much > > more > > frequently, so it is ok to have a slightly harder way to store them > > to > > gain efficiency in retrieving and downloading them. > > > > Simo. > Please find the ldif files attached, with some additional changes > than > only to hbac rules. It's from my current implementations. > > OT: We had an offline discussion with Honza that to keep the > backward > compatibility, it might be good to introduce v2 of HBAC rules so > that's > what you see there. Perhaps accessTime should be in that v2 rule as > well > but that's even more off-topic here. I really would like an example ldif of a set of objects created with an actual time
Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies
On 07/15/2016 02:10 PM, Simo Sorce wrote: On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: On Wed, 18 May 2016, Stanislav Laznicka wrote: when removal succeeds but addition fails for some reason? The operation is not atomic anymore. We offline-discussed this with Honza. There should be a new command `ipa hbacrule-replace-accesstime rule_name --orig-time=icalstr1 --new-time=icalstr2`. As it would be derived from LDAPQuery, the atomicity is kept. This may not be very nice for CLI but should work well for WebUI. Both icalstr1 and icalstr2 need to be encoded as newlines that appear so often in iCalendar strings would only make a mess here. Example of use: ipa hbacrule-replace-accesstime rule_name --orig-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:2 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=MONTH LY;INTERVAL=5;BYDAY=MO;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCALEN DAR\\r\\n'" --new-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:2 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=MONTH LY;INTERVAL=5;BYDAY=MO,TU;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCA LENDAR\\r\\n'" to add Tuesdays to the timespan defined by the rule. I would really like to see a file input support here. It would be simpler to operate in CLI as you would anyway create vCal files -- no sane person is going to deal with these strings directly on the command line. That is correct and some basic file support is already in the patches I sent earlier, though replacing rules is not a part of it. However, it does not solve the problem as you would still need access to the files to work with the attributes and then change the files accordingly. 
However, we've had yet another brainstorm with Petr^2, Martin^2 and Honza. We really don't want the above so we came up with some ideas that I'm listing below. Note that we also do not want more than one VEVENT component in any of the time rules. So, the ideas: 1) Have the time rules as separate objects. This approach got most support here. Adding Simo and Jakub to CC should they have any input against this. 2) Have the time rules stored as strings in the multi-valued accesstime attribute at each rule. These would be referenced by their UID property of the VEVENT component of the iCalendar string (instead of that pure hell above). As each of the strings can only contain one VEVENT which has to define a UID, the only problem would be to keep the uniqueness of UIDs consistent. From my point of view, 1) seems rather better but your experience might be different. Don't hesitate to share your opinions, please. Can you please give me an example ldif of a complete hbac rule including time rules with the 2 different proposals ? I do not really care a lot how the framework ends up managing the objetcs, I care mostly about how the information is stored in LDAP and how efficient the storage will be for SSSD retrieval. That's my evaluation pov. Keep in mind that rules are modified rarely but downloaded much more frequently, so it is ok to have a slightly harder way to store them to gain efficiency in retrieving and downloading them. Simo. Please find the ldif files attached, with some additional changes than only to hbac rules. It's from my current implementations. OT: We had an offline discussion with Honza that to keep the backward compatibility, it might be good to introduce v2 of HBAC rules so that's what you see there. Perhaps accessTime should be in that v2 rule as well but that's even more off-topic here. 
objectClasses: (2.16.840.1.113730.3.8.4.80 NAME 'ipaTimeRule' SUP top STRUCTURAL MUST ( cn ) MAY ( memberOf $ accessTime ) X-ORIGIN 'IPA v4.5') attributeTypes: (2.16.840.1.113730.3.8.4.72 NAME 'memberTimeRule' DESC 'Reference to a time rule describing some period of time' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.5' ) objectClasses: (2.16.840.1.113730.3.8.4.16 NAME 'ipaHBACRulev2' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime $ memberTimeRule ) X-ORIGIN 'IPA v4.5' ) dn: cn=timerules,$SUFFIX changetype: add objectClass: top objectClass: nsContainer cn: timerules attributeTypes: (2.16.840.1.113730.3.8.11.72 NAME 'timeruleTemplate' DESC 'CNs of the timerule templates' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.3' ) objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRulev2' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ service
Re: [Freeipa-devel] [PATCH 0186] DNS install: Ensure that DNS servers container exists
On 07/15/2016 10:32 AM, Martin Babinsky wrote: > On 07/15/2016 10:32 AM, Stanislav Laznicka wrote: >> On 07/14/2016 05:51 PM, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/6083 >>> >>> >>> >> ACK, works as expected. >> > > ..and putting the list back into the loop > master: * 37bfd1fdde8906b2b5712d1f99f3f4be8f91ca0a DNS install: Ensure that DNS servers container exists -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] spec: require Dogtag >= 10.3.3-3
On 07/12/2016 03:10 PM, Petr Spacek wrote: > On 8.7.2016 06:52, Fraser Tweedale wrote: >> On Thu, Jul 07, 2016 at 01:16:04PM +0200, Petr Spacek wrote: >>> Hello, >>> >>> IPA 4.4.0 requires Dogtag >= 10.3.4. Is this version going to be built for >>> Fedora any time soon? >>> >>> Or should I update my scripts to automatically enable >>> COPR @freeipa/freeipa-master >>> in my testing VMs? >>> >>> Thanks. >>> Petr^2 Spacek >>> >> Hi Petr, >> >> The required features were released for Fedora as 10.3.3-3. >> Attached patch retracts the min required version accordingly. > > ACK > master: * 49389ed1e06c786df489c0fd9f6e8183f00eedff spec: require Dogtag >= 10.3.3-3 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies
On Wed, 2016-05-18 at 15:28 +0200, Stanislav Laznicka wrote: > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: > > > > On Wed, 18 May 2016, Stanislav Laznicka wrote: > > > > > > > > > > > > > > > > > when removal succeeds but addition fails for some reason? > > > > > The > > > > > operation is not atomic anymore. > > > > > > > > We offline-discussed this with Honza. There should be a new > > > command > > > `ipa hbacrule-replace-accesstime rule_name --orig-time=icalstr1 > > > --new-time=icalstr2`. As it would be derived from LDAPQuery, the > > > atomicity is kept. This may not be very nice for CLI but should > > > work > > > well for WebUI. Both icalstr1 and icalstr2 need to be encoded as > > > newlines that appear so often in iCalendar strings would only > > > make a > > > mess here. > > > > > > Example of use: > > > > > > ipa hbacrule-replace-accesstime rule_name > > > --orig-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j > > > 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r > > > \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:2 > > > 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=MONTH > > > LY;INTERVAL=5;BYDAY=MO;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCALEN > > > DAR\\r\\n'" > > > --new-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j > > > 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r > > > \\nUID:1...@company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:2 > > > 0101115T05Z\\r\\nDTEND:20101115T07Z\\r\\nRRULE:FREQ=MONTH > > > LY;INTERVAL=5;BYDAY=MO,TU;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCA > > > LENDAR\\r\\n'" > > > > > > > > > to add Tuesdays to the timespan defined by the rule. > > I would really like to see a file input support here. It would be > > simpler to operate in CLI as you would anyway create vCal files -- > > no > > sane person is going to deal with these strings directly on the > > command > > line. 
> > > That is correct and some basic file support is already in the patches > I > sent earlier, though replacing rules is not a part of it. However, > it > does not solve the problem as you would still need access to the > files > to work with the attributes and then change the files accordingly. > > However, we've had yet another brainstorm with Petr^2, Martin^2 and > Honza. We really don't want the above so we came up with some ideas > that > I'm listing below. Note that we also do not want more than one > VEVENT > component in any of the time rules. So, the ideas: > 1) Have the time rules as separate objects. This approach got > most > support here. Adding Simo and Jakub to CC should they have any input > against this. > 2) Have the time rules stored as strings in the multi-valued > accesstime attribute at each rule. These would be referenced by > their > UID property of the VEVENT component of the iCalendar string (instead > of > that pure hell above). As each of the strings can only contain one > VEVENT which has to define a UID, the only problem would be to keep > the > uniqueness of UIDs consistent. > > From my point of view, 1) seems rather better but your experience > might > be different. Don't hesitate to share your opinions, please. Can you please give me an example ldif of a complete hbac rule including time rules with the 2 different proposals ? I do not really care a lot how the framework ends up managing the objetcs, I care mostly about how the information is stored in LDAP and how efficient the storage will be for SSSD retrieval. That's my evaluation pov. Keep in mind that rules are modified rarely but downloaded much more frequently, so it is ok to have a slightly harder way to store them to gain efficiency in retrieving and downloading them. Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0059] Fix to ipa-cacert-manage man and help differences
https://fedorahosted.org/freeipa/ticket/6013 From 44e55c3523aa1bf9a7243b9d22fb52e50f7c9440 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 15 Jul 2016 14:04:59 +0200 Subject: [PATCH] Improvements for the ipa-cacert-manage man and help The man page for ipa-cacert-manage didn't mention that some options are only applicable to the install some to the renew subcommand. Also fixed a few missing articles. https://fedorahosted.org/freeipa/ticket/6013 --- install/tools/man/ipa-cacert-manage.1 | 38 ++ ipaserver/install/ipa_cacert_manage.py | 2 +- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 1f37788336048e412eee71757f236c9944860514..d12b4b23eb72922c914712a9d1f969e996a2e272 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -20,7 +20,9 @@ .SH "NAME" ipa\-cacert\-manage \- Manage CA certificates in IPA .SH "SYNOPSIS" -\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] \fICOMMAND\fR +\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew +.RE +\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR .SH "DESCRIPTION" \fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA. .SH "COMMANDS" @@ -29,7 +31,7 @@ ipa\-cacert\-manage \- Manage CA certificates in IPA \- Renew the IPA CA certificate .sp .RS -This command can be used to manually renew CA certificate of the IPA CA. +This command can be used to manually renew the CA certificate of the IPA CA. .sp When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish. .sp 
@@ -42,13 +44,30 @@ When the IPA CA is not configured, this command is not available. \- Install a CA certificate .sp .RS -This command can be used to install new CA certificate to IPA. +This command can be used to install a new CA certificate to IPA. .RE -.SH "OPTIONS" +.SH "COMMON OPTIONS" +.TP +\fB\-\-version\fR +Show the program's version and exit. +.TP +\fB\-h\fR, \fB\-\-help\fR +Show the help for this program. .TP \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR The Directory Manager password to use for authentication. .TP +\fB\-v\fR, \fB\-\-verbose\fR +Print debugging information. +.TP +\fB\-q\fR, \fB\-\-quiet\fR +Output only errors. +.TP +\fB\-\-log\-file\fR=\fIFILE\fR +Log to the given file. +.RE +.SH "RENEW OPTIONS" +.TP \fB\-\-self\-signed\fR Sign the renewed certificate by itself. .TP @@ -57,6 +76,8 @@ Sign the renewed certificate by external CA. .TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. +.RE +.SH "INSTALL OPTIONS" .TP \fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR Nickname for the certificate. @@ -73,15 +94,6 @@ T \- CA trusted to issue client certificates .IP p \- not trusted .RE -.TP -\fB\-v\fR, \fB\-\-verbose\fR -Print debugging information. -.TP -\fB\-q\fR, \fB\-\-quiet\fR -Output only errors. -.TP -\fB\-\-log\-file\fR=\fIFILE\fR -Log to the given file. .SH "EXIT STATUS" 0 if the command was successful diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index de13ad39397ae5e9b924b0621521e5fc6016c8e6..32ef25c7aac3e57d27955b6a2608adb6a1626019 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py 
@@ -35,7 +35,7 @@ from ipaserver.install import certs, cainstance, installutils
class CACertManage(admintool.AdminTool):
command_name = 'ipa-cacert-manage'
-usage = "%prog {renew|install} [options]"
+usage = "%prog renew [options]\n%prog install [options] CERTFILE"
description = "Manage CA certificates."
-- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
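Review bot: The new `usage` string presents renew and install as two separate invocations, but `description` on the next line still reads only "Manage CA certificates." and nothing in this hunk groups the options per subcommand, so `--help` will presumably still list every option under a single heading while the man page in the same patch splits them into RENEW OPTIONS and INSTALL OPTIONS. If the parser (outside this hunk) does not reject an option given to the wrong subcommand, consider either saying so in the help text or grouping the options so that `--help` mirrors the man page sections. The CACertManage class body continues outside the hunk.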
Re: [Freeipa-devel] [PATCH 0110] schema: Fix subtopic -> topic mapping
On 07/14/2016 03:09 PM, Martin Babinsky wrote: > On 07/14/2016 01:21 PM, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/6069 >> >> > ACK. > master: * 92dea9b186611f7f1ba8aa5952b4cfdc363d75b8 schema: Fix subtopic -> topic mapping -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0014-0016][Tests] Authentication indicators
On 07/14/2016 03:11 PM, Milan Kubík wrote: > On 07/14/2016 11:43 AM, Lenka Doudova wrote: >> >>> >>> >> Resending the complete patch set. >> L. >> >> > > Thanks, ACK. > > -- > Milan Kubik > master: * 0f9a5ce6b4c533647b8894f516e34bea8184f1b8 Tests: Tracker class for services * dcdbbb975927a24ec05f7addefd59c71823a57c2 Tests: Authentication indicators xmlrpc tests * aab861142d3aec503ebae4779fbfa1858e20f451 Tests: Authentication indicators integration tests -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0185] messages: specify message type for ResultFormattingError
On 07/14/2016 10:06 AM, Alexander Bokovoy wrote: > On Wed, 13 Jul 2016, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/6081 >> >> -- >> Martin^3 Babinsky > >> From dd2dfe4bf0a629716145af83c1b7f73595290079 Mon Sep 17 00:00:00 2001 >> From: Martin Babinsky >> Date: Wed, 13 Jul 2016 18:22:04 +0200 >> Subject: [PATCH] messages: specify message type for ResultFormattingError >> >> the ResultFormattingError message class was missing a `type` member which >> could cause `otptoken-add` command to crash during QR image rendering >> using >> suboptimal TTY settings >> >> https://fedorahosted.org/freeipa/ticket/6081 >> --- >> ipalib/messages.py | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/ipalib/messages.py b/ipalib/messages.py >> index >> 7288606f6ac923c2c87fadba5f2a6a2d9dadb7f5..6abad64a8259a8e164db60f63e75bbb9c230e7bf >> 100644 >> --- a/ipalib/messages.py >> +++ b/ipalib/messages.py >> @@ -363,6 +363,7 @@ class ResultFormattingError(PublicMessage): >> """ >> **13019** Unable to correctly format some part of the result >> """ >> +type = "warning" >> errno = 13019 >> >> > ACK. > master: * a5c8c9880d62dca50caa1cc8a77c3ae40225570b messages: specify message type for ResultFormattingError -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
On 07/13/2016 06:07 PM, Alexander Bokovoy wrote: > On Wed, 13 Jul 2016, Martin Babinsky wrote: >> In that case, if nobody objects then the second revision of the patch >> may be pushed since Alexander already acked it, right Alexander? > Correct. ACK. master: * 2f02ffed03beac43b26e8521eff87b9489a746f9 Preserve user principal aliases during rename operation -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0112-3] Speeding up cli help
Hello! After Honza introduced the thin client that builds plugins and commands dynamically from the schema, the client became much slower. This is only logical: instead of importing a module, the client now must fetch the schema from the server, parse it and instantiate the commands using the data. The first step to speed it up was the addition of a schema cache to the client. That removed the RTT and download time of fetching the schema every time. Now the most time consuming task became displaying help for lists of topics and commands and displaying individual topics. This is simply because of the need to instantiate all the commands to find the relations between topics and commands. All the necessary bits for server commands and topics are already in the schema cache so we can skip this part and generate help from it, right? Not so fast! There are client plugins with commands and topics. So we can generate basic bits (list of all topics, list of all commands, list of commands for each topic) from schema and store it in cache. Then we need to go through all client plugins and get similar bits for client plugins. Then we can merge and print. Still the client response is not as fast as before and I think it even can't be. Also, the first time you display a particular topic or list takes longer because it must be freshly generated and stored in cache for next use. And this is what the attached patches do. https://fedorahosted.org/freeipa/ticket/6048 -- David Kupka From e04b588df13286785aef53c59c41ea9c8935384f Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 14 Jul 2016 10:41:37 +0200 Subject: [PATCH 1/2] schema: Generate help for server plugins from schema and store it in cache https://fedorahosted.org/freeipa/ticket/6048 --- ipaclient/remote_plugins/schema.py | 159 - 1 file changed, 158 insertions(+), 1 deletion(-) diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py index cd1d5d607978899254325f634ccec91d2c92f59b..5c05a84e63fb9d04660d8113020bc3b11e4141a8 100644 
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -25,6 +25,7 @@ from ipapython.dn import DN
from ipapython.dnsutil import DNSName
from ipapython.ipa_log_manager import log_mgr
+
if six.PY3:
unicode = str
@@ -318,10 +319,136 @@ class _SchemaNameSpace(collections.Mapping):
return len(list(self._schema.iter_namespace(self.name)))
+class _MutableNameSpace(_SchemaNameSpace, collections.MutableMapping):
+
+def __setitem__(self, key, value):
+self._schema.add_namespace_member(self.name, key, value)
+
+def __delitem__(self, key):
+raise NotImplementedError("Droping individual pieces of cached data"
+ " makes no sense. At least for now.")
+
+
class NotAvailable(Exception):
pass
+class Help(object):
+def __init__(self, schema):
+self.schema = schema
+
+@staticmethod
+def _doc_to_summary(d):
+if d:
+return unicode(d).lstrip().split('\n', 1)[0]
+else:
+return u''
+
+def _command_is_visible(self, cmd_full_name):
+cmd = self.schema['commands'][cmd_full_name]
+if 'cli' in cmd.get('exclude', []):
+return False
+return True
+
+def _topic_is_visible(self, topic_full_name):
+topic_index = self.schema['topics_index'][topic_full_name]
+# super topics are always visible
+if topic_index['subtopics']:
+return True
+
+# if there is at least one cli visible command
+# topic is also visible
+topic_cmds = topic_index['commands']
+for cmd_full_name in topic_cmds:
+if self._command_is_visible(cmd_full_name):
+return True
+return False
+
+def _list(self, ns_name):
+ret = []
+
+try:
+help_ = self.schema['help'][ns_name]
+ret = help_['text']
+mcl = help_['mcl']
+except KeyError:
+for full_name in sorted(self.schema[ns_name]):
+if ((
+ns_name == 'commands' and
+not self._command_is_visible(full_name)
+ ) or (
+ns_name == 'topics' and
+not self._topic_is_visible(full_name)
+ )):
+continue
+
+obj = self.schema[ns_name][full_name]
+name = obj['name']
+summary = self._doc_to_summary(obj['doc'])
+ret.append((name, summary,))
+
+mcl = max([len(n[0]) for n in ret])
+
+self.schema['help'][ns_name] = {'text': ret, 'mcl': mcl}
+
+return (ret, mcl,)
+
+def commands(self):
+return self._list('commands')
+
+def topics(self):
+return self._list('topics')
+
+def topic(self, full_name):
+cmds = []
+subs = []
+try:
+doc = self.sc
Re: [Freeipa-devel] [PATCH 0149] help: Add dnsserver commands to help topic 'dns'
On 12/07/16 12:54, Petr Spacek wrote: Hello, help: Add dnsserver commands to help topic 'dns' https://bugzilla.redhat.com/show_bug.cgi?id=1353888 Hi! Your patch turns dnsserver topic to a subtopic of dns topic. I'm sorry I gave you wrong advice. Attached patch makes dnsserver-* commands appear in dns topic. -- David Kupka From 965e4b84a8b52e1760fc69745825362fc4ecf020 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 15 Jul 2016 11:55:19 +0200 Subject: [PATCH] help: Add dnsserver commands to help topic 'dns' https://bugzilla.redhat.com/show_bug.cgi?id=1353888 --- ipaserver/plugins/dnsserver.py | 7 +++ 1 file changed, 7 insertions(+)
diff --git a/ipaserver/plugins/dnsserver.py b/ipaserver/plugins/dnsserver.py
index beddec04230d810479fff9612721cf12260bbb3a..d635722a6b6aaea942d49456a04f5d0480d344c9 100644
--- a/ipaserver/plugins/dnsserver.py
+++ b/ipaserver/plugins/dnsserver.py
@@ -48,6 +48,8 @@ EXAMPLES:
register = Registry()
+topic = None
+
dnsserver_object_class = ['top', 'idnsServerConfigObject']
@register()
@@ -149,6 +151,7 @@ class dnsserver(LDAPObject):
@register()
class dnsserver_mod(LDAPUpdate):
__doc__ = _('Modify DNS server configuration')
+topic = 'dns'
msg_summary = _('Modified DNS server "%(value)s"')
@@ -156,6 +159,7 @@ class dnsserver_mod(LDAPUpdate):
@register()
class dnsserver_find(LDAPSearch):
__doc__ = _('Search for DNS servers.')
+topic = 'dns'
msg_summary = ngettext(
'%(count)d DNS server matched',
@@ -166,6 +170,7 @@ class dnsserver_find(LDAPSearch):
@register()
class dnsserver_show(LDAPRetrieve):
__doc__=_('Display configuration of a DNS server.')
+topic = 'dns'
@register()
@@ -175,6 +180,7 @@ class dnsserver_add(LDAPCreate, Local):
Be careful in future this will be transformed to public API call
"""
__doc__ = _('Add a new DNS server.')
+topic = 'dns'
msg_summary = _('Added new DNS server "%(value)s"')
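Review bot: The module-level `topic = None` added in the first hunk carries no comment saying why the module's own help topic is switched off, and each of the five command classes (`dnsserver_mod`, `dnsserver_find`, `dnsserver_show`, `dnsserver_add`, and `dnsserver_del` in the following hunk) then restates `topic = 'dns'` on its own; a command added to this module later without that line would presumably not be listed under the dns topic, and nothing here would flag it. Suggest a short comment next to the module-level assignment, e.g. `# no separate 'dnsserver' help topic: each command below sets topic = 'dns' so it is listed under the dns topic`. Each class body continues outside its hunk.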
@@ -186,5 +192,6 @@ class dnsserver_del(LDAPDelete, Local):
Be careful in future this will be transformed to public API call
"""
__doc__ = _('Delete a DNS server')
+topic = 'dns'
msg_summary = _('Deleted DNS server "%(value)s"')
-- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0186] DNS install: Ensure that DNS servers container exists
On 07/15/2016 10:32 AM, Stanislav Laznicka wrote: On 07/14/2016 05:51 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/6083 ACK, works as expected. ..and putting the list back into the loop -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code