Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 03/04/2015 02:33 PM, Alexander Bokovoy wrote:
> On Wed, 25 Feb 2015, Martin Basti wrote:
>> Modifications:
>> * All plugins are migrated into new configuration style.
>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>>
>> Thierry, I touched configuration of plugins, which user lifecycle requires, can you take a look if it does not break anything?
>>
>> Patches attached.
>
> ACK.

Pushed to master: 52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On Wed, 25 Feb 2015, Martin Basti wrote:
> Modifications:
> * All plugins are migrated into new configuration style.
> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>
> Thierry, I touched configuration of plugins, which user lifecycle requires, can you take a look if it does not break anything?
>
> Patches attached.

ACK.

--
/ Alexander Bokovoy

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On Wed, 25 Feb 2015, Martin Basti wrote:
> Modifications:
> * All plugins are migrated into new configuration style.
> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.

So I looked up the original thread and since there are three different ways of defining uniqueness plugin's configuration, update plugin was to me the only way to handle all different configuration types. In general we cannot rely on the fact that FreeIPA deployment only contains FreeIPA-defined plugin configurations.

--
/ Alexander Bokovoy

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 02/25/2015 04:00 PM, Alexander Bokovoy wrote:
> On Wed, 25 Feb 2015, Martin Basti wrote:
>> On 25/02/15 15:37, Alexander Bokovoy wrote:
>>> On Wed, 25 Feb 2015, Martin Basti wrote:
>>>> Modifications:
>>>> * All plugins are migrated into new configuration style.
>>>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>>>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>>>
>>> So I looked up the original thread and since there are three different ways of defining uniqueness plugin's configuration, update plugin was to me the only way to handle all different configuration types. In general we cannot rely on the fact that FreeIPA deployment only contains FreeIPA-defined plugin configurations.
>>
>> IMO, we should care only about IPA configured plugins, we can't handle everything, what users added there. If user adds an own plugin configuration there, the one should keep responsibility to test, if the plugin configuration still works after the IPA upgrade. We can't keep what user want, and what IPA needs in all cases, we would break IPA or users expectations, or both. In this case we can add detection of conflicts and print errors during upgrade, but we can't fix plugins which user created. If we want to handle user custom configuration, we will need to add detection for a lot of things during upgrade not just uid uniqueness plugin.

I tend to agree with Martin. I know that we created the special uniqueness plugin handling custom user plugins in the last release, but I am not convinced it is a good idea, it adds complexity to the upgrade, making it more difficult to debug. So if we can create the cn=uid uniqueness,cn=plugins,cn=config plugin just with simple update, I am fine with it.

> Uhm, right. Where my brain was today? :)

Is that an agreement with Martin's approach? I am not sure :-)

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 25/02/15 15:37, Alexander Bokovoy wrote:
> On Wed, 25 Feb 2015, Martin Basti wrote:
>> Modifications:
>> * All plugins are migrated into new configuration style.
>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>
> So I looked up the original thread and since there are three different ways of defining uniqueness plugin's configuration, update plugin was to me the only way to handle all different configuration types. In general we cannot rely on the fact that FreeIPA deployment only contains FreeIPA-defined plugin configurations.

IMO, we should care only about IPA configured plugins, we can't handle everything, what users added there. If user adds an own plugin configuration there, the one should keep responsibility to test, if the plugin configuration still works after the IPA upgrade. We can't keep what user want, and what IPA needs in all cases, we would break IPA or users expectations, or both. In this case we can add detection of conflicts and print errors during upgrade, but we can't fix plugins which user created. If we want to handle user custom configuration, we will need to add detection for a lot of things during upgrade not just uid uniqueness plugin.

Martin^2

--
Martin Basti

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On Wed, 25 Feb 2015, Martin Basti wrote:
> On 25/02/15 15:37, Alexander Bokovoy wrote:
>> On Wed, 25 Feb 2015, Martin Basti wrote:
>>> Modifications:
>>> * All plugins are migrated into new configuration style.
>>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>>
>> So I looked up the original thread and since there are three different ways of defining uniqueness plugin's configuration, update plugin was to me the only way to handle all different configuration types. In general we cannot rely on the fact that FreeIPA deployment only contains FreeIPA-defined plugin configurations.
>
> IMO, we should care only about IPA configured plugins, we can't handle everything, what users added there. If user adds an own plugin configuration there, the one should keep responsibility to test, if the plugin configuration still works after the IPA upgrade. We can't keep what user want, and what IPA needs in all cases, we would break IPA or users expectations, or both. In this case we can add detection of conflicts and print errors during upgrade, but we can't fix plugins which user created. If we want to handle user custom configuration, we will need to add detection for a lot of things during upgrade not just uid uniqueness plugin.

Uhm, right. Where my brain was today? :)

--
/ Alexander Bokovoy

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 02/25/2015 02:34 PM, Martin Basti wrote:
> Modifications:
> * All plugins are migrated into new configuration style.
> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>
> Thierry, I touched configuration of plugins, which user lifecycle requires, can you take a look if it does not break anything?
>
> Patches attached.

Hello Martin,

The fix looks good. I have just one question regarding install/updates/10-uniqueness.update. For example:

# uid uniqueness scopes Active/Delete containers dn: cn=attribute uniqueness,cn=plugins,cn=config -remove:nsslapd-pluginarg1:'$SUFFIX' -add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' -add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' +remove:uniqueness-subtrees:'$SUFFIX' +add:uniqueness-subtrees:'cn=accounts,$SUFFIX' +add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' remove:nsslapd-pluginenabled:off add:nsslapd-pluginenabled:on

If we update the rpm from a version where 'nsslapd-pluginarg1' was used, it will not remove it and we will have 'nsslapd-pluginarg1' along with 'uniqueness-subtrees'. Should not we keep 'remove:nsslapd-pluginarg1:'$SUFFIX'' ?

thanks
thierry

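Review bot: the three "-" lines at the top of this hunk drop the only statements in 10-uniqueness.update that touch nsslapd-pluginarg1 and nsslapd-pluginarg2, so the file is now correct only if those legacy attributes are already gone from cn=attribute uniqueness,cn=plugins,cn=config when it is applied, and nothing in the visible lines says what guarantees that. Either keep remove:nsslapd-pluginarg1:'$SUFFIX' as cleanup, or add a comment under "# uid uniqueness scopes Active/Delete containers" naming the step that converts the old arguments first. The unchanged nsslapd-pluginenabled lines switch the plugin on, so an entry left with both attribute styles would be an enabled one.
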
Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 02/25/2015 05:28 PM, Martin Basti wrote:
> On 25/02/15 17:23, thierry bordaz wrote:
>> On 02/25/2015 02:34 PM, Martin Basti wrote:
>>> Modifications:
>>> * All plugins are migrated into new configuration style.
>>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>>>
>>> Thierry, I touched configuration of plugins, which user lifecycle requires, can you take a look if it does not break anything?
>>>
>>> Patches attached.
>>
>> Hello Martin,
>>
>> The fix looks good. I have just one question regarding install/updates/10-uniqueness.update. For example:
>>
>> # uid uniqueness scopes Active/Delete containers dn: cn=attribute uniqueness,cn=plugins,cn=config -remove:nsslapd-pluginarg1:'$SUFFIX' -add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' -add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' +remove:uniqueness-subtrees:'$SUFFIX' +add:uniqueness-subtrees:'cn=accounts,$SUFFIX' +add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' remove:nsslapd-pluginenabled:off add:nsslapd-pluginenabled:on
>>
>> If we update the rpm from a version where 'nsslapd-pluginarg1' was used, it will not remove it and we will have 'nsslapd-pluginarg1' along with 'uniqueness-subtrees'. Should not we keep 'remove:nsslapd-pluginarg1:'$SUFFIX'' ?
>>
>> thanks
>> thierry
>
> Hello Thierry,
>
> in patch 0197 is pre-upgrade plugin, which migrates all uniqueness plugins into new syntax (this happens before the update file is applied). So no nsslapd-pluginarg* attrs will be there.
>
> and in patch 0198 I removed the cn=attribute uniqueness plugin, we already have cn=uid uniqueness that does the same thing.
>
> Martin^2
>
> --
> Martin Basti

Ok. I understand. Thanks for the explanation.

Re: [Freeipa-devel] [PATCHES 0197-0198] Fix uniqueness plugins upgrade
On 25/02/15 17:23, thierry bordaz wrote:
> On 02/25/2015 02:34 PM, Martin Basti wrote:
>> Modifications:
>> * All plugins are migrated into new configuration style.
>> * I left attribute uniqueness plugin disabled, cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
>> * POST_UPDATE plugin for uid removed, I moved it to update file. Is it okay Alexander? I haven't found reason why we need to do it in update plugin.
>>
>> Thierry, I touched configuration of plugins, which user lifecycle requires, can you take a look if it does not break anything?
>>
>> Patches attached.
>
> Hello Martin,
>
> The fix looks good. I have just one question regarding install/updates/10-uniqueness.update. For example:
>
> # uid uniqueness scopes Active/Delete containers dn: cn=attribute uniqueness,cn=plugins,cn=config -remove:nsslapd-pluginarg1:'$SUFFIX' -add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' -add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' +remove:uniqueness-subtrees:'$SUFFIX' +add:uniqueness-subtrees:'cn=accounts,$SUFFIX' +add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' remove:nsslapd-pluginenabled:off add:nsslapd-pluginenabled:on
>
> If we update the rpm from a version where 'nsslapd-pluginarg1' was used, it will not remove it and we will have 'nsslapd-pluginarg1' along with 'uniqueness-subtrees'. Should not we keep 'remove:nsslapd-pluginarg1:'$SUFFIX'' ?
>
> thanks
> thierry

Hello Thierry,

in patch 0197 is pre-upgrade plugin, which migrates all uniqueness plugins into new syntax (this happens before the update file is applied). So no nsslapd-pluginarg* attrs will be there.

and in patch 0198 I removed the cn=attribute uniqueness plugin, we already have cn=uid uniqueness that does the same thing.

Martin^2

--
Martin Basti
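
The upgrade-time conflict detection raised in this thread, as an added example that is not part of any posted message or of FreeIPA's code: it reports plugin entries that carry both nsslapd-pluginarg* and uniqueness-* attributes, and pairs of enabled entries that check the same attribute in the same subtree. The function name, the dc=example,dc=test suffix and the sample entries are constructed; uniqueness-attribute-name is assumed here as the new-style attribute that names the checked attribute.

```python
import re
from itertools import combinations

LEGACY_ARG = re.compile(r"nsslapd-pluginarg\d+$")  # old positional arguments

def audit_uniqueness_config(entries):
    """entries: {dn: {attribute: [values]}} as read from cn=plugins,cn=config.
    Returns sorted (dn, finding) tuples and changes nothing (hypothetical helper)."""
    findings, enabled = [], []
    for dn, raw in entries.items():
        attrs = {name.lower(): values for name, values in raw.items()}
        legacy = sorted(a for a in attrs if LEGACY_ARG.match(a))
        modern = [a for a in attrs if a.startswith("uniqueness-")]
        if legacy and modern:
            findings.append((dn, "mixed legacy/new config: " + ", ".join(legacy)))
        elif legacy:
            findings.append((dn, "legacy-only config, not migrated"))
        if [v.lower() for v in attrs.get("nsslapd-pluginenabled", [])] == ["on"]:
            checked = {v.lower() for v in attrs.get("uniqueness-attribute-name", [])}
            scopes = {v.lower() for v in attrs.get("uniqueness-subtrees", [])}
            enabled.append((dn, checked, scopes))
    # Two enabled entries checking the same attribute in the same subtree.
    # Subtrees are compared as exact strings; containment is not evaluated.
    for (dn1, a1, s1), (dn2, a2, s2) in combinations(enabled, 2):
        if a1 & a2 and s1 & s2:
            findings.append((dn1, "duplicates check done by " + dn2))
    return sorted(findings)

# Constructed sample: a legacy argument left beside the new attributes, plus a
# second enabled entry that checks uid under the same container.
SUFFIX = "dc=example,dc=test"
SAMPLE = {
    "cn=attribute uniqueness,cn=plugins,cn=config": {
        "nsslapd-pluginEnabled": ["on"],
        "nsslapd-pluginarg1": [SUFFIX],
        "uniqueness-attribute-name": ["uid"],
        "uniqueness-subtrees": ["cn=accounts," + SUFFIX,
            "cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX],
    },
    "cn=uid uniqueness,cn=plugins,cn=config": {
        "nsslapd-pluginEnabled": ["on"],
        "uniqueness-attribute-name": ["uid"],
        "uniqueness-subtrees": ["cn=accounts," + SUFFIX],
    },
}

if __name__ == "__main__":
    for dn, finding in audit_uniqueness_config(SAMPLE):
        print(f"{dn}: {finding}")
```

The function only reports; what to do with a reported entry is left to whoever owns that configuration, in line with the position taken in the thread.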