[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

stlaz commented:
"""
I would put broken KRA cert migration to lowest priority since 
https://github.com/freeipa/freeipa/pull/367 moves the original KRA cert anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280078231
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
Cookie parsing bug with FreeIPA 4.4 client: 
https://fedorahosted.org/freeipa/ticket/6676
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280012485

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
FYI, KRA and vault are broken because KRA cert is not migrated: 
https://fedorahosted.org/freeipa/ticket/6675
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-280008032

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a
https://fedorahosted.org/freeipa/changeset/38c66896de1769077cd5b057133606ec5eeaf62b
https://fedorahosted.org/freeipa/changeset/b109f5d850ce13585d4392ca48896dc069a746e5
https://fedorahosted.org/freeipa/changeset/b6741d81e187fc84177c12ef8ad900d3b5cda6a4
https://fedorahosted.org/freeipa/changeset/d2f5fc304f1938d23171ae330fa20b213ceed54e
https://fedorahosted.org/freeipa/changeset/d124e307f3b7d88bca53784f030ed6043b224432
https://fedorahosted.org/freeipa/changeset/f648c5631afa5e7954eee9a84fb1222d3bce3bf1
https://fedorahosted.org/freeipa/changeset/c2b1b2a36200b50babfda1eca37fb4b51fefa9c6
https://fedorahosted.org/freeipa/changeset/4fd89833ee5421b05c10329d627d0e0fc8496046
https://fedorahosted.org/freeipa/changeset/4bd2d6ad46c9151e11f9223dd5383555fdedb249
https://fedorahosted.org/freeipa/changeset/00a9d2f94dee17e28e39cdae0c32acc3d1fe51ed
https://fedorahosted.org/freeipa/changeset/41c1efc44a6b809445facd4772574595029553b1
https://fedorahosted.org/freeipa/changeset/09c92e2bc1ca9db5b73d5ab8483b42dbd6b9a0e9
https://fedorahosted.org/freeipa/changeset/e4d462ad53597fd5410aa4e94a57bb15b92a3f13
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279925508

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Thank you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Done
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
I would personally go with:
* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, is there an umbrella ticket? 5959 perhaps?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
For some commits I was sure what ticket to use, for some I was not, so I 
elected not to put a specific ticket in there. If you have a good idea of what 
ticket (of the External Authentication project) to apply to specific commits 
let me know and I can amend commit messages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, most of the commits do not have a ticket link, is this intentional?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279708615

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, split the last stuff in 3 commits.
I removed the use of private ccache for a few reasons:
1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up 
removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics 
and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad 
thing as it makes the code easier to read.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for 
the changes in `ipatests/util.py`, but that doesn't mean they should be in the 
same commit, as they affect every use of `RPCClient`, not just the one in the 
tests. Following your logic, the whole PR should be just a single commit, which 
would be equally wrong.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279695377

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
We actually record the principal, change the patch to destroy session_cookie in 
create_connection if the principal is different.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, 
it makes no sense to keep them separate as in each patch I add respectively to 
connect() and disconnect() arguments that are used in ipatest/util.py

As for resetting session_cookie when the principal changes, I am all for it, 
except we do not record the principal in the rpc context ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I don't think this is the correct approach. Rather than deleting 
`context.session_cookie` in `RPCClient.destroy_connection()` when requested, it 
should be done automatically in `RPCClient.create_connection()` when the 
principal name in the ccache is different from the principal name of the cookie.

Also, IMHO it would be preferable to keep the changes in `ipatest/util.py` in a 
separate commit and not mix them with the generic changes not related only to 
tests in `ipalib/rpc.py`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279675537
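The point argued in the comment above, that a cached session cookie must be bound to the principal it was issued for and dropped as soon as the caller's ccache names a different principal, is shown below as an added example. It is not FreeIPA code: `SessionContext`, `RpcClient` and the `login` callable are assumed stand-ins for ipalib's per-thread `context`, `RPCClient.create_connection()` and the server-side login, and the principals and cookie values are constructed.

```python
"""Added example (not FreeIPA's code): a session cookie tied to the principal
that obtained it, discarded automatically on identity change.

Names below are assumptions for illustration, not ipalib's real API.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class SessionCookie:
    value: str       # opaque cookie value handed out by the server
    principal: str   # Kerberos principal the server issued it to


class SessionContext:
    """Stands in for the per-thread context that caches the cookie."""

    def __init__(self) -> None:
        self.session_cookie: Optional[SessionCookie] = None


class RpcClient:
    """Stands in for the RPC client; `login` is a constructed callable that
    takes a principal name and returns a fresh cookie value."""

    def __init__(self, context: SessionContext,
                 login: Callable[[str], str]) -> None:
        self.context = context
        self._login = login
        self.events: List[str] = []   # audit trail of what happened

    def create_connection(self, ccache_principal: str) -> SessionCookie:
        cookie = self.context.session_cookie
        if cookie is not None and cookie.principal != ccache_principal:
            # The caller now authenticates as someone else. Reusing the
            # cached cookie would make every request run as the previous
            # principal, so the cookie is dropped here rather than relying
            # on the caller to request its removal on disconnect.
            self.events.append(f"dropped cookie for {cookie.principal}")
            self.context.session_cookie = None
            cookie = None
        if cookie is None:
            self.events.append(f"login as {ccache_principal}")
            value = self._login(ccache_principal)
            cookie = SessionCookie(value=value, principal=ccache_principal)
            self.context.session_cookie = cookie
        else:
            self.events.append(f"reused cookie for {cookie.principal}")
        return cookie


def simulate() -> Tuple[List[str], Tuple[str, str, str]]:
    """Drive the client through admin -> admin -> alice (constructed input)
    and return the event log plus the cookie value used for each call."""
    counter = {"n": 0}

    def fake_login(principal: str) -> str:
        counter["n"] += 1
        return f"session-{counter['n']}-{principal}"

    ctx = SessionContext()
    client = RpcClient(ctx, fake_login)
    c1 = client.create_connection("admin@EXAMPLE.TEST")
    c2 = client.create_connection("admin@EXAMPLE.TEST")   # same identity
    c3 = client.create_connection("alice@EXAMPLE.TEST")   # identity changed
    return client.events, (c1.value, c2.value, c3.value)


if __name__ == "__main__":
    for line in simulate()[0]:
        print(line)
```

The second `admin` call reuses the cookie; the `alice` call drops it and logs in again, so the server never sees `alice`'s requests arrive with `admin`'s session, which is the symptom (kinit as alice, apache sees only admin) described elsewhere in this thread.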

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-13 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@HonzaCholasta push it before we break it again! :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-10 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
So I am not sure what is going on here, after fiddling with the failing tests 
to print out what was going on, they suddenly started working (and 3 others 
started failing).
It is not clear to me what is going on, but it may be an unclean environment 
too... after running tests a few times for example I found out my user KRB5CCNAME 
environment variable had been changed (this is not ok, it's a bug in the tests 
and will make things unreliable).
Anyway after a full rebuild and reinstall I was not able to go back to a state 
where I could reproduce the issues in caacl tests.
I rebased the patchset on latest master and pushed it, let's see what CI says.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
My last push fixes the deadlock and another problem in ipalib/krb_utils.py

I haven't figured out exactly what happens in change_password, I see from logs 
sent from @martbab that the kinit as the user alice is performed, but apache 
sees only admin connections.

I suspect that the issue is in ipalib/rpc.py in create_connection, where 
apply_session_cookie() is called, but can't be sure.
I need a way to repro these tests locally to confirm.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think I know what is going on here, can you add an actual test to the 
testsuite that checks this?
I will fix my PR to not cause this deadlock, I've reproduced it here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
While investigating the CI test failures, I stumbled upon another issue - two 
simultaneous login requests will deadlock httpd until it is restarted. This is 
how I did it:
```bash
(
export KRB5CCNAME=$(mktemp)
echo password | kinit admin
curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt \
    --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
) & (
export KRB5CCNAME=$(mktemp)
echo password | kinit notadmin
curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt \
    --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
)
```
It is not reproducible on the master branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278611793

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
I have figured out that the previous Travis failures were caused by missing 
version in mod_auth_gssapi Requires. If I downgrade the package to 
mod_auth_gssapi-1.4.1-1.fc25.x86_64 apache crashes on unknown directive:

```
Feb 07 13:32:41 master1.ipa.test httpd[45040]: Invalid command 'GssapiDelegCcachePerms', perhaps misspelled or defined by a module not included in the server configuration
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Feb 07 13:32:41 master1.ipa.test systemd[1]: Failed to start The Apache HTTP Server.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Unit entered failed state.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Failed with result 'exit-code'.
```

We will need to bump Requires to mod_auth_gssapi-1.5.0-1.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-277991477

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
I have disabled updates-testing in the CI because of multitude of unrelated 
breakages (recent openldap-client vs. nss breakage comes to mind), but we may 
take the SRPMS from koji and stick them to copr.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276348713

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The correct packages are now in updates-testing in Fedora 25, pick from there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276340645

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

pvoborni commented:
"""
Could we rather add the mod_auth_gssapi and gssproxy packages into 
@freeipa/freeipa-master copr repo? Without the rpms in master copr repo, other 
people's automation will be broken after merging the PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276106097

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

martbab commented:
"""
@simo5 the simplest way to fix CI is to add WIP commit that enables your COPR 
repos during 'builddep' step like this (untested):
```diff
diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index dc08d79..da64631 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -27,6 +27,8 @@ steps:
   - make V=0 ${make_target}
   builddep:
   - rm -rf /var/cache/dnf/*
+  - dnf copr enable -y simo/mod_auth_gssapi
+  - dnf copr enable -y simo/gssproxy
   - "dnf makecache fast || :"
   - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best 
--allowerasing
   cleanup:
```
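Review bot: the two added `dnf copr enable -y simo/mod_auth_gssapi` and `dnf copr enable -y simo/gssproxy` lines in the builddep step depend on the `copr` dnf plugin (dnf-plugins-core); if the CI image does not ship it, the step fails before `dnf makecache` runs, so install the plugin in the same step or guard the commands. Since these commands pull developer-built packages from personal COPR repositories into every CI run, the commit should stay marked WIP and be dropped once the packages are available from the @freeipa/freeipa-master repo or from Fedora, as already discussed in this thread.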
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276055855

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Both replica install and CA-less install now work, but:
* `ipa-replica-install` creates `/var/lib/ipa/radb` owned by `root` rather than 
`ipaapi`.
* `/var/lib/ipa/radb` should not be created in CA-less install.
* Upgrade from 4.4 fails in various ways:
  * on the first master: https://transfer.sh/JgKTV/ipaupgrade.log
  * on a replica: https://transfer.sh/LTMvO/ipaupgrade.log
* Could you please add a command to enable your COPR repositories to 
`.test_runner_config.yaml` so that CI starts working properly? @martbab can 
advise.

@MartinBasti: we agreed to document all new functions last week, this PR was 
first submitted months ago, so IMO the rule does not apply here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-276032900

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
With this last rebase I can install again both ca and ca-less without issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, reproduced, it is not clear to me how yet, but at some point ca.crt gets 
zeroed out and that's why the ldap command fails, investigating
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, it turns out the request fails not on the replica, but on the initial 
master, so it's actually `ipa-server-install` which is broken - if you install 
server from current master and replica from this PR it works fine. Steps to 
reproduce:
```
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' \
    | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com \
    -r ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
...
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' \
    | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com \
    --server vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla
```

Note that you won't actually be able to do the above, as the 
`ipa-server-install` step will fail with:
```
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.xLK2pI.db
Unable to set admin password Command '/usr/bin/ldappasswd -h vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA server
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This does not happen with current master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275044170

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, with this latest push I can install servers and replicas both with CA and 
CA-less.
I cannot reproduce the failure @HonzaCholasta sees, so from my side I am done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274832504

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, replica install still fails for me in the same way as before.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274741477

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The latest rebase installs a replica correctly here, haven't got to fix ca-less 
yet, but everything else should be ready to go.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274577459

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Here's what I did
```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' \
    | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com \
    --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
status: CA_UNREACHABLE
ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
CA: IPA
issuer: 
subject: 
expires: unknown
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```
Here's the full replica install log: http://pastebin.com/kwj8nFcC
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I cannot get a replica install to fail like yours did, can you post some logs?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can confirm that the ldapi error occurs every other install. I can 
also confirm that it does not occur during the initial server install on a 
clean machine, so I agree it can be fixed later.

* CA-less install is still broken. To reproduce the bug, make sure to delete 
all certificates from `/etc/httpd/alias` before running the install, otherwise 
[ticket 4639](https://fedorahosted.org/freeipa/ticket/4639) will hide the bug. 
I use:
  ```bash
  certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
  ```

* Replica install fails when `/var/lib/ipa/radb` does not exist prior to 
running the install:
  ```
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
  ```

* `/var/lib/ipa/radb` should be removed on uninstall.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273737162
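The tail/sed/xargs pipeline in the comment above depends on the fixed layout of `certutil -L` output. As an added example (not FreeIPA's own code, and not part of the thread), the POSIX shell below parses such a listing into nicknames, keeping nicknames that contain spaces intact, and wraps the same cleanup with a dry-run mode; the listing used for the check is constructed, not captured from a real database.

```shell
#!/bin/sh
# Added example, not part of FreeIPA: read `certutil -d <dbdir> -L` output on
# stdin and print one certificate nickname per line. Nicknames may contain
# spaces (e.g. "ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA"), so only the trailing
# trust-attribute column is stripped rather than splitting on whitespace.
nss_nicknames() {
    awk '
        /^Certificate Nickname/ { in_header = 1; next }   # first header line
        in_header && /^[[:space:]]/ { next }              # "SSL,S/MIME,JAR/XPI" line
        in_header && /^$/ { in_header = 0; next }         # blank line ending the header
        /^$/ { next }                                     # leading/trailing blank lines
        {
            # Trust attributes are the last whitespace-separated field; drop
            # them and the padding before them, keep everything else verbatim.
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "")
            print
        }
    '
}

# Delete every certificate in an NSS database (what the comment does with
# tail/sed/xargs). With DRY_RUN=1 it only prints the commands it would run,
# which is the safer first step on a machine you are not sure about.
nss_delete_all_certs() {
    dbdir=$1
    certutil -d "$dbdir" -L | nss_nicknames | while IFS= read -r nick; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf "certutil -d %s -D -n '%s'\n" "$dbdir" "$nick"
        else
            certutil -d "$dbdir" -D -n "$nick"
        fi
    done
}

# Constructed sample of a `certutil -L` listing (not from a real system), in
# the same layout the `tail -n +5` in the comment skips over.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                        CT,C,C
ipaCert                                                      u,u,u
'
```

Run `printf '%s' "$SAMPLE_LISTING" | nss_nicknames` to see the three nicknames, or `DRY_RUN=1 nss_delete_all_certs /etc/httpd/alias` on a host with certutil to preview the deletions.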

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Thanks @HonzaCholasta, I already fixed the service thing but didn't push as I 
started getting another error on install, but before I fix that I am working 
on releasing gssproxy where we are hitting another heisenbug just in the 
testing suite (works as expected when installed).
On the ldapi error, I have seen it too during development; for a period I was 
getting it every time once on install, i.e.:
install, play, uninstall, install, Error!, uninstall, install, play ...
So I had to install - uninstall - reinstall for each test, but it had 
disappeared for a while.
It seems some uninstall snag to me; if I can find some info on why it occurs 
I'll open a bug (or fix it if it is due to my code changes).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272171891

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Not sure if it's this PR or not, but `ipa-server-install` *sometimes* fails 
with:
```
  [11/22]: setting up ssl
  [error] NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272106420

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can't reproduce the bug anymore with the latest update.

Pylint found one trivial issue:
```
ipaserver/install/server/upgrade.py:83: [E0602(undefined-variable), uninstall_ipa_memcached] Undefined variable 'SimpleServiceInstance')
```
(It should be `service.SimpleServiceInstance`.)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272100308

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-05 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I switched all endpoints to use GSSAPI (and transparently use a session cookie 
once one transaction is successful), so there may be some parts of the code a 
bit surprised about it. Do you have apache logs to share that show the problem? 
(Enabling ipa debug would probably help too.)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270654342

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-05 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I might have fixed the certmonger issue, see 
HonzaCholasta@907ef3cff2045edd4625d4c422d1d0ae473fe51c, however I'm hitting the 
"No valid Negotiate header in server response" error again. Any idea what might 
be causing it?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270606660

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-04 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Rebased on master and fixed a couple minor lint issues
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270394337

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-03 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

rcritten commented:
"""
You can specify the nickname using -n/--nickname. You'll probably also want to 
set --cafile=/etc/ipa/ca.crt, --dbdir=/etc/httpd/alias and 
sslpinfile=/etc/httpd/alias/pwdfile.txt to maintain current behavior.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270165993

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Why is dogtag-ipa-renew-agent-submit part of the certmonger package?
And how do we fix it now?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270163719

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
* Dogtag certificates and RA certificate renewal are broken:
  ```
ca-error: Server at "https://vm-226.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
  ```
  This is because certmonger's `/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit` expects an `ipaCert` in `/etc/httpd/alias`.

* CA-less server install fails:
  ```
[13/21]: publish CA cert
[error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
  ```
  2017-01-03T05:21:43Z DEBUG Starting external process
  2017-01-03T05:21:43Z DEBUG args=/usr/bin/certutil -d /var/lib/ipa/radb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
  2017-01-03T05:21:43Z DEBUG Process finished, return code=255
  2017-01-03T05:21:43Z DEBUG stdout=
  2017-01-03T05:21:43Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
  : PR_FILE_NOT_FOUND_ERROR: File not found
  ```
  If I work around the above, it fails further down with:
  ```
  trying https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json
  Forwarding 'schema' to json server 'https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json'
  No valid Negotiate header in server response
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed!
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270059781

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-19 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think this code is ready to be included.
I am still playing with a minor change in mod_auth_gssapi, but that can also go 
in later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-267997245

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@pspacek I added workflows to the Design page, please verify
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Note: this PR also depends on and includes commits from #206
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

pspacek commented:
"""
@simo5 Please extend the design page with image description which explains each 
of the steps. There are numbers and letters in the image which are not 
explained anywhere. A detailed end-to-end example of interaction could be 
useful for detailed review. Thank you!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265424963

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Updated branch, hopefully lint will be happy.
While there I discovered dcerpc.py was using the HTTP keytab; after discussing 
with @abbra we decided to just remove such use for now and see later if we need 
any changes. The use was rare and in the important cases we already have a 
better option in the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-06 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Yeah going through those right now
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-06 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
@simo5 TravisCI's pep8 checker is complaining about some PEP8 violations:

```
./ipalib/install/kinit.py:64:1: E302 expected 2 blank lines, found 1
./ipalib/rpc.py:702:80: E501 line too long (93 > 79 characters)
./ipaplatform/redhat/tasks.py:437:13: E128 continuation line under-indented for visual indent
./ipaserver/install/httpinstance.py:117:1: E302 expected 2 blank lines, found 1
./ipaserver/install/httpinstance.py:127:1: E302 expected 2 blank lines, found 1
./ipaserver/rpcserver.py:428:80: E501 line too long (83 > 79 characters)
./ipaserver/rpcserver.py:625:80: E501 line too long (82 > 79 characters)
./ipaserver/rpcserver.py:932:80: E501 line too long (111 > 79 characters)
./ipaserver/rpcserver.py:941:80: E501 line too long (80 > 79 characters)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265221871