Re: [Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade

2014-07-04 Thread Petr Viktorin

On 07/03/2014 09:24 PM, Petr Spacek wrote:
> On 3.7.2014 19:00, Martin Basti wrote:
>> Patch attached
>
> Congratulations! I wasn't able to find any bug in this ;-)
>
> ACK from functional perspective.
>
> It can be pushed if there is no problem with Python side of things.

Martin, I see a lot of code like this:
   zone['idnsname'][0]
To get a single-valued attribute, you should use:
   zone.single_value['idnsname']
which does a proper check that there is really only a single value.

I see the old style used elsewhere in the plugin though; it should be 
changed everywhere, and I don't think there's immediate benefit to doing 
that. Just keep this in mind for the future.



Pushed 0093 to master: f8b6595f4999740a704bcdae6d4f9b5021f7f61f

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
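
The difference between the two access styles discussed in the message above, as an added example that is not part of the thread or of FreeIPA's code. `Entry` and `SingleValueView` are hypothetical stand-ins that only mimic the check described for `single_value`, and the zone entries are constructed sample data.

```python
class SingleValueView:
    """Hypothetical stand-in for the entry.single_value accessor."""

    def __init__(self, attrs):
        self._attrs = attrs

    def __getitem__(self, name):
        values = self._attrs[name]  # KeyError if the attribute is absent
        if len(values) != 1:
            raise ValueError('%s has %d values, one expected'
                             % (name, len(values)))
        return values[0]


class Entry(dict):
    """Hypothetical LDAP entry: attribute name -> list of values."""

    @property
    def single_value(self):
        return SingleValueView(self)


def first_value(zone):
    """Old style: silently takes the first value, however many there are."""
    return zone['idnsname'][0]


def index_zones(zones):
    """Collect zone names, rejecting entries whose name is ambiguous."""
    names, rejected = [], []
    for zone in zones:
        try:
            names.append(zone.single_value['idnsname'])
        except ValueError as err:
            rejected.append(str(err))
    return names, rejected


# Constructed sample entries; the second one is malformed on purpose.
ZONES = [
    Entry(idnsname=['example.test.']),
    Entry(idnsname=['a.test.', 'b.test.']),
]

if __name__ == '__main__':
    print(first_value(ZONES[1]))  # old style hides the second value
    print(index_zones(ZONES))     # checked style reports the bad entry
```
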


Re: [Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade

2014-07-04 Thread Martin Basti
On Fri, 2014-07-04 at 12:51 +0200, Petr Viktorin wrote:
> On 07/03/2014 09:24 PM, Petr Spacek wrote:
>> On 3.7.2014 19:00, Martin Basti wrote:
>>> Patch attached
>>
>> Congratulations! I wasn't able to find any bug in this ;-)
>>
>> ACK from functional perspective.
>>
>> It can be pushed if there is no problem with Python side of things.
>
> Martin, I see a lot of code like this:
>    zone['idnsname'][0]
> To get a single-valued attribute, you should use:
>    zone.single_value['idnsname']
> which does a proper check that there is really only a single value.
>
> I see the old style used elsewhere in the plugin though; it should be
> changed everywhere, and I don't think there's immediate benefit to doing
> that. Just keep this in mind for the future.
>
> Pushed 0093 to master: f8b6595f4999740a704bcdae6d4f9b5021f7f61f

Thank you for the hint.
If I have time, I will fix it in the DNS plugin(s).
-- 
Martin^2 Basti



[Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade

2014-07-03 Thread Martin Basti
Patch attached
-- 
Martin^2 Basti
From f7e6c6d17562d4d5bcdbddaefbaf279fd1b901db Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 3 Jul 2014 15:50:27 +0200
Subject: [PATCH] Restore privileges after forward zones  update

Ticket: https://fedorahosted.org/freeipa/ticket/3210
---
 ipaserver/install/plugins/dns.py | 43 +++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index d2a9500c5bb58a81950bc2077fa611fcfd0c973a..07c0325d7a7c6062c1827d08f211d317bdc63db4 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -210,6 +210,10 @@ class update_master_to_dnsforwardzones(PostUpdate):
 # add time to filename
 self.backup_path = time.strftime(self.backup_path)
 
+# DNs of privileges which contain dns managed permissions
+privileges_to_ldif = set()  # store priviledges only once
+zone_to_privileges = {}  # zone: [privileges cn]
+
 self.log.info('Zones with specified forwarders with policy different'
   ' than none will be transformed to forward zones.')
 self.log.info('Original zones will be saved in LDIF format in '
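Review bot: The comment on `zone_to_privileges` (`# zone: [privileges cn]`) does not match what a later hunk stores in it, which is `entry['member']`, a list of member DNs; the cn is only extracted from those DNs at restore time. Describe the value as a list of privilege DNs, and fix the spelling "priviledges" in the comment on `privileges_to_ldif`.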
@@ -228,8 +232,14 @@ class update_master_to_dnsforwardzones(PostUpdate):
 
 if 'managedBy' in zone:
 entry = ldap.get_entry(DN(zone['managedBy'][0]))
+for privilege_member_dn in entry.get('member', []):
+privileges_to_ldif.add(privilege_member_dn)
 writer.unparse(str(entry.dn), dict(entry.raw))
 
+# privileges where permission is used
+if entry.get('member'):
+zone_to_privileges[zone['idnsname'][0]] = entry['member']
+
 # raw values are required to store into ldif
 records = api.Command['dnsrecord_find'](
 zone['idnsname'][0],
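Review bot: In the `managedBy` block the `member` attribute is read twice (`entry.get('member', [])` for the loop, then `entry.get('member')` for the condition), and `zone['idnsname'][0]` becomes the dictionary key without any check that the attribute holds exactly one value. Read `member` once into a local, add it with `privileges_to_ldif.update(...)`, and take the key from `zone.single_value['idnsname']` as suggested in the review of this patch.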
@@ -249,6 +259,17 @@ class update_master_to_dnsforwardzones(PostUpdate):
zone['idnsname'][0])
 self.log.error(traceback.format_exc())
 return (False, False, [])
+
+for privilege_dn in privileges_to_ldif:
+try:
+entry = ldap.get_entry(privilege_dn)
+writer.unparse(str(entry.dn), dict(entry.raw))
+except Exception, e:
+self.log.error('Unable to backup privilege %s' %
+   privilege_dn)
+self.log.error(traceback.format_exc())
+return (False, False, [])
+
 f.close()
 except Exception:
 self.log.error('Unable to create backup file')
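Review bot: The new `return (False, False, [])` inside the privilege backup loop exits before the `f.close()` that follows it, so the backup file is left open on this error path. Close the file in a `finally` block or open it with a `with` statement. The bound exception `e` is never used, and the DN is interpolated with `%` rather than passed as a logger argument as the later `self.log.info` call does.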
@@ -285,7 +306,8 @@ class update_master_to_dnsforwardzones(PostUpdate):
 # create permission if original zone has one
 if 'managedBy' in zone:
 try:
-api.Command['dnsforwardzone_add_permission'](zone['idnsname'][0])
+perm_name = api.Command['dnsforwardzone_add_permission'](
+zone['idnsname'][0])['value']
 except Exception, e:
 self.log.error('Transform to forwardzone terminated: '
'Adding managed by permission to forward zone'
@@ -296,9 +318,28 @@ class update_master_to_dnsforwardzones(PostUpdate):
   zone['idnsname'][0])
 continue
 
+else:
+if zone['idnsname'][0] in zone_to_privileges:
+privileges = [
+dn[0].value for dn in zone_to_privileges[zone['idnsname'][0]]
+]
+try:
+api.Command['permission_add_member'](perm_name,
+privilege=privileges)
+except Exception, e:
+self.log.error('Unable to restore privileges for '
+   'permission %s, for zone %s'
+% (perm_name, zone['idnsname']))
+self.log.error(traceback.format_exc())
+self.log.info('Zone %s was transformed to forward zone'
+  ' without restored privileges',
+  zone['idnsname'][0])
+   
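Review bot: In the error message for the failed `permission_add_member` call, `% (perm_name, zone['idnsname'])` formats the whole value list rather than the zone name; the other messages in this hunk use `zone['idnsname'][0]`. Also, `dn[0].value` assumes that the privilege's cn is the first RDN of every member DN; a short comment stating that assumption would help.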

Re: [Freeipa-devel] [PATCH 0093] Restore priviledges after forward zone upgrade

2014-07-03 Thread Petr Spacek

On 3.7.2014 19:00, Martin Basti wrote:
> Patch attached


Congratulations! I wasn't able to find any bug in this ;-)

ACK from functional perspective.

It can be pushed if there is no problem with Python side of things.

--
Petr^2 Spacek
