Re: [Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1
On 03/05/2014 01:48 PM, Petr Viktorin wrote: On 03/03/2014 04:10 PM, Petr Viktorin wrote: On 02/28/2014 02:47 PM, Petr Viktorin wrote: On 02/28/2014 02:12 PM, Martin Kosek wrote: On 02/26/2014 10:44 AM, Petr Viktorin wrote: Hello, Here are a few fixes/improvements, and the first part of a managed permission updater. The patches should go in this order but don't need to be ACKed/pushed all at once. Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 This part is a preview of sorts, to get the basic mechanism and the metadata format reviewed before I add all of the default read permissions. It implements the first section of Default Permission Updater in the design; Replacing legacy default permissions and Removing the global anonymous read ACI is left for later. Metadata is added for the netgroup plugin* for starters [...] 1) 476: Typo in test name: +desc='Search fo rnonexisting permission with : in the name', Will fix. Fixed 2) 477: do we want to log anything when permission is up to date? +try: +ldap.update_entry(entry) +except errors.EmptyModlist: +return I don't think that's needed, after all that's the expected behavior in all but the first upgrade. But I'll be happy to add it if you think it would be better. I've added a DEBUG message here. [...] 4) I have been quite resilient to the prefixes for the permissions, but it seems it is the easier possible approach to fix conflicts with user permissions without having to check that later for every upgrade or doing more complex stuff like multiple RDNs or different container for system and user permissions. I am now just thinking about the prefixing. Now you use this name: ipa:Read Netgroups Would it be nicer to use: IPA:Read Netgroups or IPA: Read Netgroups or even [IPA] Read Netgroups ? :-) Bikeshedding time! Everyone on the list, please chime in! Bikeshedding results from today's meeting: ipa: pviktori++ System: mkosek++ simo+ ab++ Builtin: simo++ pvo+ Default: The winner is System: , so I'll go and change to that. Done. Thanks. The patch set looks good now, I just see that the update process may not be optimal After I run the upgrade second time, it still tries to update the ACI even though there was no change done to the permission object and should thus raise errors.EmptyModlist and skip the ACI update: 2014-03-07T09:44:34Z INFO Updating managed permissions for netgroup 2014-03-07T09:44:34Z INFO Updating managed permission: System: Read Netgroups 2014-03-07T09:44:34Z DEBUG Updating ACI for managed permission: System: Read Netgroups 2014-03-07T09:44:34Z DEBUG Removing ACI u'(targetattr = cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory)(targetfilter = (objectclass=ipanisnetgroup))(version 3.0;acl permission:System: Read Netgroups;allow (read,compare,search) userdn = ldap:///all;;)' from cn=ng,cn=alt,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 2014-03-07T09:44:34Z DEBUG Adding ACI u'(targetattr = cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory)(targetfilter = (objectclass=ipanisnetgroup))(version 3.0;acl permission:System: Read Netgroups;allow (read,compare,search) userdn = ldap:///all;;)' to cn=ng,cn=alt,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 2014-03-07T09:44:34Z INFO No changes to ACI 2014-03-07T09:44:34Z INFO Updating managed permission: System: Read Netgroup Membership Any idea what could cause this? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1
On 03/03/2014 04:10 PM, Petr Viktorin wrote:
On 02/28/2014 02:47 PM, Petr Viktorin wrote:
On 02/28/2014 02:12 PM, Martin Kosek wrote:
On 02/26/2014 10:44 AM, Petr Viktorin wrote:
Hello,
Here are a few fixes/improvements, and the first part of a managed
permission
updater.
The patches should go in this order but don't need to be ACKed/pushed
all at once.
Design:
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This part is a preview of sorts, to get the basic mechanism and the
metadata
format reviewed before I add all of the default read permissions.
It implements the first section of Default Permission Updater in
the design;
Replacing legacy default permissions and Removing the global
anonymous read
ACI is left for later.
Metadata is added for the netgroup plugin* for starters
[...]
1) 476: Typo in test name:
+desc='Search fo rnonexisting permission with : in the
name',
Will fix.
Fixed
2) 477: do we want to log anything when permission is up to date?
+try:
+ldap.update_entry(entry)
+except errors.EmptyModlist:
+return
I don't think that's needed, after all that's the expected behavior in
all but the first upgrade.
But I'll be happy to add it if you think it would be better.
I've added a DEBUG message here.
[...]
4) I have been quite resilient to the prefixes for the permissions,
but it
seems it is the easier possible approach to fix conflicts with user
permissions
without having to check that later for every upgrade or doing more
complex
stuff like multiple RDNs or different container for system and user
permissions.
I am now just thinking about the prefixing. Now you use this name:
ipa:Read Netgroups
Would it be nicer to use:
IPA:Read Netgroups
or
IPA: Read Netgroups
or even
[IPA] Read Netgroups
? :-)
Bikeshedding time!
Everyone on the list, please chime in!
Bikeshedding results from today's meeting:
ipa: pviktori++
System: mkosek++ simo+ ab++
Builtin: simo++ pvo+
Default:
The winner is System: , so I'll go and change to that.
Done.
--
PetrĀ³
From a4bb46871d3d1d1202e88bbbfbc8655d92ee45f3 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 12 Feb 2014 16:17:39 +0100
Subject: [PATCH] Allow indexing API object types by class
This allows code like:
from ipalib.plugins.dns import dnszone_mod
api.Command[dnszone_mod]
This form should be preferred when getting specific objects
because it ensures that the appropriate plugin is imported.
https://fedorahosted.org/freeipa/ticket/4185
---
ipalib/base.py| 15 +--
ipatests/test_ipalib/test_base.py | 12 ++--
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/ipalib/base.py b/ipalib/base.py
index 83d778fe751e66414fe34d0d3243cdae34941ad6..91259c7f3b480ffc0e70061e1efa0135ff500478 100644
--- a/ipalib/base.py
+++ b/ipalib/base.py
@@ -287,7 +287,7 @@ class NameSpace(ReadOnly):
class Member(object):
... def __init__(self, i):
... self.i = i
-... self.name = 'member%d' % i
+... self.name = self.__name__ = 'member%d' % i
... def __repr__(self):
... return 'Member(%d)' % self.i
...
@@ -378,6 +378,14 @@ class NameSpace(ReadOnly):
unsorted_ns[0]
Member(7)
+As a special extension, NameSpace objects can be indexed by objects that
+have a __name__ attribute (e.g. classes). These lookups are converted
+to lookups on the name:
+
+ class_ns = NameSpace([Member(7), Member(3), Member(5)], sort=False)
+ unsorted_ns[Member(3)]
+Member(3)
+
The `NameSpace` class is used in many places throughout freeIPA. For a few
examples, see the `plugable.API` and the `frontend.Command` classes.
@@ -447,6 +455,7 @@ def __contains__(self, name):
Return ``True`` if namespace has a member named ``name``.
+name = getattr(name, '__name__', name)
return name in self.__map
def __getitem__(self, key):
@@ -455,12 +464,14 @@ def __getitem__(self, key):
:param key: The name or index of a member, or a slice object.
+key = getattr(key, '__name__', key)
if isinstance(key, basestring):
return self.__map[key]
if type(key) in (int, slice):
return self.__members[key]
raise TypeError(
-TYPE_ERROR % ('key', (str, int, slice), key, type(key))
+TYPE_ERROR % ('key', (str, int, slice, 'object with __name__'),
+ key, type(key))
)
def __repr__(self):
diff --git a/ipatests/test_ipalib/test_base.py b/ipatests/test_ipalib/test_base.py
index ef6c180c798632cb0cebd9b6ad89caaf744d7931..0117946bc2de8cb2aa014e42e6c6569b33f0900b 100644
--- a/ipatests/test_ipalib/test_base.py
+++
Re: [Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1
On 02/28/2014 02:47 PM, Petr Viktorin wrote:
On 02/28/2014 02:12 PM, Martin Kosek wrote:
On 02/26/2014 10:44 AM, Petr Viktorin wrote:
Hello,
Here are a few fixes/improvements, and the first part of a managed
permission
updater.
The patches should go in this order but don't need to be ACKed/pushed
all at once.
Design:
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This part is a preview of sorts, to get the basic mechanism and the
metadata
format reviewed before I add all of the default read permissions.
It implements the first section of Default Permission Updater in
the design;
Replacing legacy default permissions and Removing the global
anonymous read
ACI is left for later.
Metadata is added for the netgroup plugin* for starters, so
installing this
will give you two shiny new read permissions:
$ ipa permission-find ipa: --all
-
2 permissions matched
-
dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroup Membership
Permissions: read, compare, search
Effective attributes: externalhost, member, memberof, memberuser
Default attributes: member, memberof, memberuser, externalhost
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroups
Permissions: read, compare, search
Effective attributes: cn, description, hostcategory, ipaenabledflag,
ipauniqueid, nisdomainname, usercategory
Default attributes: cn, usercategory, hostcategory, ipauniqueid,
ipaenabledflag, nisdomainname, description
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
Number of entries returned 2
with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:
(targetattr = externalhost || member || memberof ||
memberuser)(targetfilter
= (objectclass=ipanisnetgroup))(version 3.0;acl
permission:ipa:Read Netgroup
Membership;allow (read,compare,search) userdn = ldap:///all;;)
(targetattr = cn || description || hostcategory || ipaenabledflag ||
ipauniqueid || nisdomainname || usercategory)(targetfilter =
(objectclass=ipanisnetgroup))(version 3.0;acl permission:ipa:Read
Netgroups;allow (read,compare,search) userdn = ldap:///all;;)
Patches:
0473: Enables refactoring that will make it more clear (to humans and
machines)
what plugins code depends on.
https://fedorahosted.org/freeipa/ticket/4185
0474: Fix handling of the search term for legacy permissions
My code that's in master now handles the search term incorrectly.
This does a
better job.
0475: Fix tests that relied on some assumptions I'll be breaking
0476: Allow modifying (but not creating) permissions with : in the
name
0477: Permission updater sample metadata
1) 476: Typo in test name:
+desc='Search fo rnonexisting permission with : in the
name',
Will fix.
2) 477: do we want to log anything when permission is up to date?
+try:
+ldap.update_entry(entry)
+except errors.EmptyModlist:
+return
I don't think that's needed, after all that's the expected behavior in
all but the first upgrade.
But I'll be happy to add it if you think it would be better.
3) I am not sure if this was initiated by this patch, but when I
checked access
log for a permission-find --name ipa operation, it produced over 170
LDAP
operations, most of them asking for the same information many times. See
attached access log excerpt.
It's unrelated to this patch. I've started optimizing permission-find
with many legacy permissions, expect a patch soon.
4) I have been quite resilient to the prefixes for the permissions,
but it
seems it is the easier possible approach to fix conflicts with user
permissions
without having to check that later for every upgrade or doing more
complex
stuff like multiple RDNs or different container for system and user
permissions.
I am now just thinking about the prefixing. Now you use this name:
ipa:Read Netgroups
Would it be nicer to use:
IPA:Read Netgroups
or
IPA: Read Netgroups
or even
[IPA] Read Netgroups
? :-)
Bikeshedding time!
Everyone on the list, please chime in!
Bikeshedding results from today's meeting:
ipa: pviktori++
System: mkosek++ simo+ ab++
Builtin: simo++ pvo+
Default:
The winner is System: , so I'll go and change to that.
I don't really have a preference.
5) Are we sure we want to make our code Python 2.7 dependent?
+'ipapermright': {'read', 'search',
Re: [Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1
On 02/28/2014 02:12 PM, Martin Kosek wrote:
On 02/26/2014 10:44 AM, Petr Viktorin wrote:
Hello,
Here are a few fixes/improvements, and the first part of a managed permission
updater.
The patches should go in this order but don't need to be ACKed/pushed all at
once.
Design:
http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This part is a preview of sorts, to get the basic mechanism and the metadata
format reviewed before I add all of the default read permissions.
It implements the first section of Default Permission Updater in the design;
Replacing legacy default permissions and Removing the global anonymous read
ACI is left for later.
Metadata is added for the netgroup plugin* for starters, so installing this
will give you two shiny new read permissions:
$ ipa permission-find ipa: --all
-
2 permissions matched
-
dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroup Membership
Permissions: read, compare, search
Effective attributes: externalhost, member, memberof, memberuser
Default attributes: member, memberof, memberuser, externalhost
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
Permission name: ipa:Read Netgroups
Permissions: read, compare, search
Effective attributes: cn, description, hostcategory, ipaenabledflag,
ipauniqueid, nisdomainname, usercategory
Default attributes: cn, usercategory, hostcategory, ipauniqueid,
ipaenabledflag, nisdomainname, description
Bind rule type: all
Subtree: cn=ng,cn=alt,$SUFFIX
Target filter: (objectclass=ipanisnetgroup)
Type: netgroup
ipapermissiontype: V2, MANAGED, SYSTEM
objectclass: ipapermission, groupofnames, top, ipapermissionv2
Number of entries returned 2
with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:
(targetattr = externalhost || member || memberof || memberuser)(targetfilter
= (objectclass=ipanisnetgroup))(version 3.0;acl permission:ipa:Read Netgroup
Membership;allow (read,compare,search) userdn = ldap:///all;;)
(targetattr = cn || description || hostcategory || ipaenabledflag ||
ipauniqueid || nisdomainname || usercategory)(targetfilter =
(objectclass=ipanisnetgroup))(version 3.0;acl permission:ipa:Read
Netgroups;allow (read,compare,search) userdn = ldap:///all;;)
Patches:
0473: Enables refactoring that will make it more clear (to humans and machines)
what plugins code depends on.
https://fedorahosted.org/freeipa/ticket/4185
0474: Fix handling of the search term for legacy permissions
My code that's in master now handles the search term incorrectly. This does a
better job.
0475: Fix tests that relied on some assumptions I'll be breaking
0476: Allow modifying (but not creating) permissions with : in the name
0477: Permission updater sample metadata
1) 476: Typo in test name:
+desc='Search fo rnonexisting permission with : in the name',
Will fix.
2) 477: do we want to log anything when permission is up to date?
+try:
+ldap.update_entry(entry)
+except errors.EmptyModlist:
+return
I don't think that's needed, after all that's the expected behavior in
all but the first upgrade.
But I'll be happy to add it if you think it would be better.
3) I am not sure if this was initiated by this patch, but when I checked access
log for a permission-find --name ipa operation, it produced over 170 LDAP
operations, most of them asking for the same information many times. See
attached access log excerpt.
It's unrelated to this patch. I've started optimizing permission-find
with many legacy permissions, expect a patch soon.
4) I have been quite resilient to the prefixes for the permissions, but it
seems it is the easier possible approach to fix conflicts with user permissions
without having to check that later for every upgrade or doing more complex
stuff like multiple RDNs or different container for system and user permissions.
I am now just thinking about the prefixing. Now you use this name:
ipa:Read Netgroups
Would it be nicer to use:
IPA:Read Netgroups
or
IPA: Read Netgroups
or even
[IPA] Read Netgroups
? :-)
Bikeshedding time!
Everyone on the list, please chime in!
I don't really have a preference.
5) Are we sure we want to make our code Python 2.7 dependent?
+'ipapermright': {'read', 'search', 'compare'},
I did not test if we do not require some python 2.7 feature elsewhere already,
but this construct raised a warning for me.
That ship has sailed already.
Recently there was commit a8ba5e0 which explicitly
