Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Jakub Hrozek
On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> This creates a new custom attribute, memberofindirect_[plugin].
> Using this you can tell the difference between being an actual
> memberof another entry and being a memberof as the result of
> inheritance. This is particularly useful when trying to remove
> members of an entry, you can only remove direct members.
>
> I had to add a couple of short sleep calls to make things work a
> little better. The memberof plugin runs as a postop and we have no
> way of knowing when it has done its work. If we don't pause we may
> show some stale data that memberof hasn't updated yet. .3 seconds is
> an arbitrary choice.

I don't know the DS plugin architecture well enough but there's no
callback or anything we can hook to? If the machine swaps or something,
we might get incorrect data with the sleep anyway..

> The ticket has an excellent test case for this. Similar tests can be
> done for users/groups and hosts/hostgroups.
>
> ticket 966
>
> rob

The testcase is failing for me:
test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL

It seems that the objectclasses should be updated:
expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', 
u'top']
got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top', 
u'mepOriginEntry']

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Simo Sorce
On Mon, 21 Feb 2011 11:56:39 +0100
Jakub Hrozek jhro...@redhat.com wrote:

> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > I had to add a couple of short sleep calls to make things work a
> > little better. The memberof plugin runs as a postop and we have no
> > way of knowing when it has done its work. If we don't pause we may
> > show some stale data that memberof hasn't updated yet. .3 seconds is
> > an arbitrary choice.
>
> I don't know the DS plugin architecture well enough but there's no
> callback or anything we can hook to? If the machine swaps or
> something, we might get incorrect data with the sleep anyway..

Unfortunately the way plugins are done, post-ops are pretty much
impossible to catch from the outside.

And I really don't like this either.
I would definitely prefer for the reply to the modifying client to wait
until the memberof plugin is done, even if this means the operations
will be slow.
But I don't know if this can be done easily with the current DS
architecture ...

The problem is that we cannot even enter a read loop to wait smaller
amounts of time until we get back the right answer because a competing
client may change the membership while we are waiting and cause us to
loop forever ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden

Simo Sorce wrote:

> On Mon, 21 Feb 2011 11:56:39 +0100
> Jakub Hrozek jhro...@redhat.com wrote:
>
> > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > I had to add a couple of short sleep calls to make things work a
> > > little better. The memberof plugin runs as a postop and we have no
> > > way of knowing when it has done its work. If we don't pause we may
> > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > an arbitrary choice.
> >
> > I don't know the DS plugin architecture well enough but there's no
> > callback or anything we can hook to? If the machine swaps or
> > something, we might get incorrect data with the sleep anyway..
>
> Unfortunately the way plugins are done, post-ops are pretty much
> impossible to catch from the outside.
>
> And I really don't like this either.
> I would definitely prefer for the reply to the modifying client to wait
> until the memberof plugin is done, even if this means the operations
> will be slow.
> But I don't know if this can be done easily with the current DS
> architecture ...
>
> The problem is that we cannot even enter a read loop to wait smaller
> amounts of time until we get back the right answer because a competing
> client may change the membership while we are waiting and cause us to
> loop forever ...
>
> Simo.

This is the same conclusion I came to and decided that a brief sleep is
the lesser of evils.


rob



Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden

Jakub Hrozek wrote:

> On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > This creates a new custom attribute, memberofindirect_[plugin].
> > Using this you can tell the difference between being an actual
> > memberof another entry and being a memberof as the result of
> > inheritance. This is particularly useful when trying to remove
> > members of an entry, you can only remove direct members.
> >
> > I had to add a couple of short sleep calls to make things work a
> > little better. The memberof plugin runs as a postop and we have no
> > way of knowing when it has done its work. If we don't pause we may
> > show some stale data that memberof hasn't updated yet. .3 seconds is
> > an arbitrary choice.
>
> I don't know the DS plugin architecture well enough but there's no
> callback or anything we can hook to? If the machine swaps or something,
> we might get incorrect data with the sleep anyway..
>
> > The ticket has an excellent test case for this. Similar tests can be
> > done for users/groups and hosts/hostgroups.
> >
> > ticket 966
> >
> > rob
>
> The testcase is failing for me:
> test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
>
> It seems that the objectclasses should be updated:
> expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames',
> u'top']
> got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames', u'top',
> u'mepOriginEntry']


Oh, that's because we create the netgroup now. Strange that I didn't see 
that, I just redid my base install on Thursday. I'll update that and 
give it another go.


rob



Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Dmitri Pal
On 02/21/2011 08:52 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 21 Feb 2011 11:56:39 +0100
> > Jakub Hrozek jhro...@redhat.com wrote:
> >
> > > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > > I had to add a couple of short sleep calls to make things work a
> > > > little better. The memberof plugin runs as a postop and we have no
> > > > way of knowing when it has done its work. If we don't pause we may
> > > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > > an arbitrary choice.
> > >
> > > I don't know the DS plugin architecture well enough but there's no
> > > callback or anything we can hook to? If the machine swaps or
> > > something, we might get incorrect data with the sleep anyway..
> >
> > Unfortunately the way plugins are done, post-ops are pretty much
> > impossible to catch from the outside.
> >
> > And I really don't like this either.
> > I would definitely prefer for the reply to the modifying client to wait
> > until the memberof plugin is done, even if this means the operations
> > will be slow.
> > But I don't know if this can be done easily with the current DS
> > architecture ...
> >
> > The problem is that we cannot even enter a read loop to wait smaller
> > amounts of time until we get back the right answer because a competing
> > client may change the membership while we are waiting and cause us to
> > loop forever ...
> >
> > Simo.
>
> This is the same conclusion I came to and decided that a brief sleep
> is the lesser of evils.


Can this be fixed by the memberOf plugin?
If the memberOf plugin is modified to also change/set the attribute
there should not be a race condition.
What is the recommendation from Rich and Nathan?
I am fine with the temp fix but should we have a ticket to fix it in a
better way in 2.1?


> rob



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden

Dmitri Pal wrote:

> On 02/21/2011 08:52 AM, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Mon, 21 Feb 2011 11:56:39 +0100
> > > Jakub Hrozek jhro...@redhat.com wrote:
> > >
> > > > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > > > I had to add a couple of short sleep calls to make things work a
> > > > > little better. The memberof plugin runs as a postop and we have no
> > > > > way of knowing when it has done its work. If we don't pause we may
> > > > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > > > an arbitrary choice.
> > > >
> > > > I don't know the DS plugin architecture well enough but there's no
> > > > callback or anything we can hook to? If the machine swaps or
> > > > something, we might get incorrect data with the sleep anyway..
> > >
> > > Unfortunately the way plugins are done, post-ops are pretty much
> > > impossible to catch from the outside.
> > >
> > > And I really don't like this either.
> > > I would definitely prefer for the reply to the modifying client to wait
> > > until the memberof plugin is done, even if this means the operations
> > > will be slow.
> > > But I don't know if this can be done easily with the current DS
> > > architecture ...
> > >
> > > The problem is that we cannot even enter a read loop to wait smaller
> > > amounts of time until we get back the right answer because a competing
> > > client may change the membership while we are waiting and cause us to
> > > loop forever ...
> > >
> > > Simo.
> >
> > This is the same conclusion I came to and decided that a brief sleep
> > is the lesser of evils.
>
> Can this be fixed by the memberOf plugin?
> If the memberOf plugin is modified to also change/set the attribute
> there should not be a race condition.
> What is the recommendation from Rich and Nathan?
> I am fine with the temp fix but should we have a ticket to fix it in a
> better way in 2.1?


This is a race condition only in that we're racing against the memberOf 
plugin.


Take the case of a group with a member user:

If you remove the member attribute from the group then immediately do an 
ldap search for (member=cn=group,...) you may very well get the user 
if the memberOf operation isn't completed yet.


In this case it makes the user look like an indirect member of the group
(because they are no longer in the group's member attribute).


I talked to Nathan about this on Friday. memberOf runs as a postop so 
only runs once the modification results have been sent. So from the IPA 
perspective the work is complete and we move along. We don't get any 
sort of ID that we can query on to see if memberOf is done, and at the 
point of our operation we have no idea what scope of work memberOf has 
to do, it could be extensive (think about a group of 1000 users and you 
delete the group, it has to remove memberOf from all those 1000 users).


rob
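
The race described in the message above, as an added example that is not part of the original thread or of FreeIPA: a toy in-memory directory (all class, function and entry names are hypothetical) in which the memberOf fix-up is queued after the modify has returned, so a read made before it runs reports a removed user as an indirect member.

```python
class ToyDirectory:
    """In-memory stand-in for the directory server (constructed, hypothetical)."""

    def __init__(self):
        self.member = {}    # group -> set of direct members (users or groups)
        self.memberof = {}  # entry -> groups; written only by the postop
        self.pending = []   # postop work queued after the reply was sent

    def add_member(self, group, entry):
        self.member.setdefault(group, set()).add(entry)
        self.pending.append(("add", group, entry))

    def remove_member(self, group, entry):
        self.member[group].discard(entry)
        # The caller gets "success" here; memberOf is still untouched.
        self.pending.append(("del", group, entry))

    def run_postop(self):
        """Drain the queue and rebuild memberOf as the transitive closure."""
        self.pending.clear()
        self.memberof = {}
        for group in self.member:
            stack, seen = [group], set()
            while stack:
                for child in self.member.get(stack.pop(), ()):
                    if child not in seen:
                        seen.add(child)
                        stack.append(child)
                        self.memberof.setdefault(child, set()).add(group)


def classify(directory, entry, group):
    """Direct if listed in the group's member attribute, else indirect via memberOf."""
    if entry in directory.member.get(group, ()):
        return "direct"
    if group in directory.memberof.get(entry, ()):
        return "indirect"
    return None


def demo():
    d = ToyDirectory()
    d.add_member("admins", "editors")        # editors is nested inside admins
    d.add_member("editors", "alice")
    d.run_postop()
    settled = (classify(d, "alice", "editors"), classify(d, "alice", "admins"))
    d.remove_member("editors", "alice")
    stale = classify(d, "alice", "editors")  # read before the postop has run
    d.run_postop()
    fresh = classify(d, "alice", "editors")  # read after memberOf caught up
    return settled, stale, fresh


if __name__ == "__main__":
    print(demo())
```
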



Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden

Rob Crittenden wrote:

> Jakub Hrozek wrote:
> > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > This creates a new custom attribute, memberofindirect_[plugin].
> > > Using this you can tell the difference between being an actual
> > > memberof another entry and being a memberof as the result of
> > > inheritance. This is particularly useful when trying to remove
> > > members of an entry, you can only remove direct members.
> > >
> > > I had to add a couple of short sleep calls to make things work a
> > > little better. The memberof plugin runs as a postop and we have no
> > > way of knowing when it has done its work. If we don't pause we may
> > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > an arbitrary choice.
> >
> > I don't know the DS plugin architecture well enough but there's no
> > callback or anything we can hook to? If the machine swaps or something,
> > we might get incorrect data with the sleep anyway..
> >
> > > The ticket has an excellent test case for this. Similar tests can be
> > > done for users/groups and hosts/hostgroups.
> > >
> > > ticket 966
> > >
> > > rob
> >
> > The testcase is failing for me:
> > test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> > test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
> >
> > It seems that the objectclasses should be updated:
> > expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup',
> > u'groupOfNames', u'top']
> > got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames',
> > u'top', u'mepOriginEntry']
>
> Oh, that's because we create the netgroup now. Strange that I didn't see
> that, I just redid my base install on Thursday. I'll update that and
> give it another go.
>
> rob


Updated patch

rob


freeipa-rcrit-734-2-indirect.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Jakub Hrozek
On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Jakub Hrozek wrote:
> > > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > > This creates a new custom attribute, memberofindirect_[plugin].
> > > > Using this you can tell the difference between being an actual
> > > > memberof another entry and being a memberof as the result of
> > > > inheritance. This is particularly useful when trying to remove
> > > > members of an entry, you can only remove direct members.
> > > >
> > > > I had to add a couple of short sleep calls to make things work a
> > > > little better. The memberof plugin runs as a postop and we have no
> > > > way of knowing when it has done its work. If we don't pause we may
> > > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > > an arbitrary choice.
> > >
> > > I don't know the DS plugin architecture well enough but there's no
> > > callback or anything we can hook to? If the machine swaps or something,
> > > we might get incorrect data with the sleep anyway..
> > >
> > > > The ticket has an excellent test case for this. Similar tests can be
> > > > done for users/groups and hosts/hostgroups.
> > > >
> > > > ticket 966
> > > >
> > > > rob
> > >
> > > The testcase is failing for me:
> > > test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> > > test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
> > >
> > > It seems that the objectclasses should be updated:
> > > expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup',
> > > u'groupOfNames', u'top']
> > > got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames',
> > > u'top', u'mepOriginEntry']
> >
> > Oh, that's because we create the netgroup now. Strange that I didn't see
> > that, I just redid my base install on Thursday. I'll update that and
> > give it another go.
> >
> > rob
>
> Updated patch
>
> rob

Strangely enough, I had to do a slight modification to make the test
pass:

 hostgroup = [
-u'mepOriginEntry',
 u'ipaobject',
 u'ipahostgroup',
 u'nestedGroup',
 u'groupOfNames',
 u'top',
+u'mepOriginEntry',
 ]
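
Review bot: The position of u'mepOriginEntry' in the expected hostgroup list should not decide whether the test passes. LDAP attribute values are an unordered set, so pinning it to the end only matches the order the server happened to return in this run. Rather than moving the entry, make the objectclass comparison order-insensitive (compare sorted lists or sets), or at least add a comment above the list saying that the order must match the server's reply.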

I thought that the comparison wouldn't take order into account..

Other than that, ack



Re: [Freeipa-devel] [PATCH] 734 Add handling for indirect memberof other entries.

2011-02-21 Thread Rob Crittenden

Jakub Hrozek wrote:

> On Mon, Feb 21, 2011 at 09:44:49AM -0500, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> > > Jakub Hrozek wrote:
> > > > On Sat, Feb 19, 2011 at 11:47:45PM -0500, Rob Crittenden wrote:
> > > > > This creates a new custom attribute, memberofindirect_[plugin].
> > > > > Using this you can tell the difference between being an actual
> > > > > memberof another entry and being a memberof as the result of
> > > > > inheritance. This is particularly useful when trying to remove
> > > > > members of an entry, you can only remove direct members.
> > > > >
> > > > > I had to add a couple of short sleep calls to make things work a
> > > > > little better. The memberof plugin runs as a postop and we have no
> > > > > way of knowing when it has done its work. If we don't pause we may
> > > > > show some stale data that memberof hasn't updated yet. .3 seconds is
> > > > > an arbitrary choice.
> > > >
> > > > I don't know the DS plugin architecture well enough but there's no
> > > > callback or anything we can hook to? If the machine swaps or something,
> > > > we might get incorrect data with the sleep anyway..
> > > >
> > > > > The ticket has an excellent test case for this. Similar tests can be
> > > > > done for users/groups and hosts/hostgroups.
> > > > >
> > > > > ticket 966
> > > > >
> > > > > rob
> > > >
> > > > The testcase is failing for me:
> > > > test_group[13]: hostgroup_add: Create u'testhostgroup1' ... FAIL
> > > > test_group[14]: hostgroup_add: Create u'testhostgroup2' ... FAIL
> > > >
> > > > It seems that the objectclasses should be updated:
> > > > expected = [u'ipaobject', u'ipahostgroup', u'nestedGroup',
> > > > u'groupOfNames', u'top']
> > > > got = [u'ipaobject', u'ipahostgroup', u'nestedGroup', u'groupOfNames',
> > > > u'top', u'mepOriginEntry']
> > >
> > > Oh, that's because we create the netgroup now. Strange that I didn't see
> > > that, I just redid my base install on Thursday. I'll update that and
> > > give it another go.
> > >
> > > rob
> >
> > Updated patch
> >
> > rob
>
> Strangely enough, I had to do a slight modification to make the test
> pass:

  hostgroup = [
-u'mepOriginEntry',
  u'ipaobject',
  u'ipahostgroup',
  u'nestedGroup',
  u'groupOfNames',
  u'top',
+u'mepOriginEntry',
  ]

> I thought that the comparison wouldn't take order into account..


The list checking does currently assume the same order.



> Other than that, ack


Ok, re-ordered and pushed.

rob
