Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-13 Thread Martin Basti



On 13.06.2016 07:26, Jan Cholasta wrote:

On 12.6.2016 17:29, Martin Babinsky wrote:

On 06/10/2016 05:42 PM, Martin Babinsky wrote:

On 06/10/2016 02:22 PM, Jan Cholasta wrote:

On 9.6.2016 17:06, Martin Babinsky wrote:

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.


"ipa server-role-find" does not return the "IPA master" role for my
server ("ipa-server-role $HOSTNAME 'IPA master'" does).


This is intentional since we discussed during the design phase[1] that
"IPA master" role should be implicit and not shown to the user in
server-show and server-role-find operation. This however does not
preclude you from querying its status manually if you know the role name.

[1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles


OK. There should be an option to get everything, though (can be added 
later, I guess).





I would rather skip the option altogether rather than hide it:

+# we do not want to test negative membership for roles
+# hide it from CLI
+elif option.name == 'no_servrole':
+option = option.clone(flags={'no_option'})


So something like:

elif option.name == 'no_servrole':
continue

should do the trick?


Correct.


The patches need a rebase (VERSION).

Otherwise LGTM.



Ok I will send fixed patches ASAP.



Attaching rebased patches. 'no_servrole' option is now skipped and does
not show in the API.


Good. ACK.


Functional tests: ACK

pushed to master:
* 7e2bef0b9f36a90902784be9363cbcb5ba4221b4 Server Roles: definitions of server roles and attributes
* d07b7e0f6fe62eb10edcc7d3a4e884e5c8fd1d29 Server Roles: Backend plugin to query roles and attributes
* 40d8dded7fc1e71621516da9197c736057c0b6e4 Test suite for `serverroles` backend
* 80cbddaa37241e5c762edb656e4c658e652c87ef Server Roles: public API for server roles
* b9aa31191b3067aced1432daa06d18b4382cd77f Server Roles: make server-{show,find} utilize role information
* 5f7086e7183f0fcfece2bdd5be3d1ea17384717b Server Roles: make *config-show consume relevant roles/attributes
* 21def4fde0b09a256fad3231a9042219f707fc8a Server Roles: provide an API for setting CA renewal master


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-12 Thread Jan Cholasta

On 12.6.2016 17:29, Martin Babinsky wrote:

On 06/10/2016 05:42 PM, Martin Babinsky wrote:

On 06/10/2016 02:22 PM, Jan Cholasta wrote:

On 9.6.2016 17:06, Martin Babinsky wrote:

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.


"ipa server-role-find" does not return the "IPA master" role for my
server ("ipa-server-role $HOSTNAME 'IPA master'" does).


This is intentional since we discussed during the design phase[1] that
"IPA master" role should be implicit and not shown to the user in
server-show and server-role-find operation. This however does not
preclude you from querying its status manually if you know the role name.

[1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles


OK. There should be an option to get everything, though (can be added 
later, I guess).





I would rather skip the option altogether rather than hide it:

+# we do not want to test negative membership for roles
+# hide it from CLI
+elif option.name == 'no_servrole':
+option = option.clone(flags={'no_option'})


So something like:

elif option.name == 'no_servrole':
continue

should do the trick?


Correct.


The patches need a rebase (VERSION).

Otherwise LGTM.



Ok I will send fixed patches ASAP.



Attaching rebased patches. 'no_servrole' option is now skipped and does
not show in the API.


Good. ACK.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-12 Thread Martin Babinsky

On 06/10/2016 05:42 PM, Martin Babinsky wrote:

On 06/10/2016 02:22 PM, Jan Cholasta wrote:

On 9.6.2016 17:06, Martin Babinsky wrote:

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.


"ipa server-role-find" does not return the "IPA master" role for my
server ("ipa-server-role $HOSTNAME 'IPA master'" does).


This is intentional since we discussed during the design phase[1] that
"IPA master" role should be implicit and not shown to the user in
server-show and server-role-find operation. This however does not
preclude you from querying its status manually if you know the role name.

[1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles


I would rather skip the option altogether rather than hide it:

+# we do not want to test negative membership for roles
+# hide it from CLI
+elif option.name == 'no_servrole':
+option = option.clone(flags={'no_option'})


So something like:

elif option.name == 'no_servrole':
continue

should do the trick?

The patches need a rebase (VERSION).

Otherwise LGTM.



Ok I will send fixed patches ASAP.



Attaching rebased patches. 'no_servrole' option is now skipped and does 
not show in the API.


--
Martin^3 Babinsky
From 735403be2b42356acb978815d30163221cc21c2d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 26 May 2016 19:24:22 +0200
Subject: [PATCH 1/7] Server Roles: definitions of server roles and attributes

This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
---
 ipaserver/servroles.py | 586 +
 1 file changed, 586 insertions(+)
 create mode 100644 ipaserver/servroles.py

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
new file mode 100644
index ..8628cd625f897da5c1a8539ef860ae70a44de2d8
--- /dev/null
+++ b/ipaserver/servroles.py
@@ -0,0 +1,586 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+
+"""
+This module contains the set of classes which abstract various bits and pieces
+of information present in the LDAP tree about functionalities such as DNS
+server, Active Directory trust controller etc. These properties come in two
+distinct groups:
+
+server roles
+this group represents a genral functionality provided by one or more
+IPA servers, such as DNS server, certificate authority and such. In
+this case there is a many-to-many mapping between the roles and the
+masters which provide them.
+
+server attributes
+these represent a functionality associated with the whole topology,
+such as CA renewal master or DNSSec key master.
+
+See the corresponding design page (http://www.freeipa.org/page/V4/Server_Roles)
+for more info.
+
+Both of these groups use `LDAPBasedProperty` class as a base.
+
+Server Roles
+
+
+Server role objects are usually consuming information from the master's service
+container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by
+`ServiceBasedRole`class. To create an instance of such role, you only need to
+specify role name and individual services comprising the role (more systemd
+services may be enabled to provide some function):
+
+>>> example_role = ServiceBasedRole(
+... "Example Role",
+... component_servi
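Review bot: The module docstring has two wording defects in the "server roles" and "Server Roles" paragraphs: "genral" should be "general", and the sentence beginning "Server role objects are usually consuming information from the master's service container ... are represented by `ServiceBasedRole`class" does not parse and is missing a space before "class". Suggest something like "Server roles that consume information from the master's service container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by the `ServiceBasedRole` class."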

Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-10 Thread Martin Babinsky

On 06/10/2016 02:22 PM, Jan Cholasta wrote:

On 9.6.2016 17:06, Martin Babinsky wrote:

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.


"ipa server-role-find" does not return the "IPA master" role for my
server ("ipa-server-role $HOSTNAME 'IPA master'" does).

This is intentional since we discussed during the design phase[1] that 
"IPA master" role should be implicit and not shown to the user in 
server-show and server-role-find operation. This however does not 
preclude you from querying its status manually if you know the role name.


[1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles


I would rather skip the option altogether rather than hide it:

+# we do not want to test negative membership for roles
+# hide it from CLI
+elif option.name == 'no_servrole':
+option = option.clone(flags={'no_option'})


So something like:

elif option.name == 'no_servrole':
continue

should do the trick?

The patches need a rebase (VERSION).

Otherwise LGTM.



Ok I will send fixed patches ASAP.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-10 Thread Jan Cholasta

On 9.6.2016 17:06, Martin Babinsky wrote:

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.


"ipa server-role-find" does not return the "IPA master" role for my 
server ("ipa-server-role $HOSTNAME 'IPA master'" does).


I would rather skip the option altogether rather than hide it:

+# we do not want to test negative membership for roles
+# hide it from CLI
+elif option.name == 'no_servrole':
+option = option.clone(flags={'no_option'})

The patches need a rebase (VERSION).

Otherwise LGTM.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-09 Thread Martin Babinsky

On 06/09/2016 03:54 PM, Petr Vobornik wrote:

On 06/09/2016 01:02 PM, Martin Babinsky wrote:

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is
fixed in updated patches.



NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1



Oops, seems like a missed API.txt update.

Fixed.

--
Martin^3 Babinsky
From 735403be2b42356acb978815d30163221cc21c2d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 26 May 2016 19:24:22 +0200
Subject: [PATCH 1/7] Server Roles: definitions of server roles and attributes

This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
---
 ipaserver/servroles.py | 586 +
 1 file changed, 586 insertions(+)
 create mode 100644 ipaserver/servroles.py

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
new file mode 100644
index ..8628cd625f897da5c1a8539ef860ae70a44de2d8
--- /dev/null
+++ b/ipaserver/servroles.py
@@ -0,0 +1,586 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+
+"""
+This module contains the set of classes which abstract various bits and pieces
+of information present in the LDAP tree about functionalities such as DNS
+server, Active Directory trust controller etc. These properties come in two
+distinct groups:
+
+server roles
+this group represents a genral functionality provided by one or more
+IPA servers, such as DNS server, certificate authority and such. In
+this case there is a many-to-many mapping between the roles and the
+masters which provide them.
+
+server attributes
+these represent a functionality associated with the whole topology,
+such as CA renewal master or DNSSec key master.
+
+See the corresponding design page (http://www.freeipa.org/page/V4/Server_Roles)
+for more info.
+
+Both of these groups use `LDAPBasedProperty` class as a base.
+
+Server Roles
+
+
+Server role objects are usually consuming information from the master's service
+container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by
+`ServiceBasedRole`class. To create an instance of such role, you only need to
+specify role name and individual services comprising the role (more systemd
+services may be enabled to provide some function):
+
+>>> example_role = ServiceBasedRole(
+... "Example Role",
+... component_services = ['SERVICE1', 'SERVICE2'])
+>>> example_role.name
+'Example Role'
+
+The role object can then be queried for the status of the role in the whole
+topology or on a single master by using its `status` method. This method
+returns a list of dictionaries akin to LDAP entries comprised from server name,
+role name and role status (enabled if role is enabled, configured if the
+service entries are present but not marked as enabled by 'enabledService'
+config string, absent if the service entries are not present).
+
+Note that 'AD trust agent' role is based on membership of the master in the
+'adtrust agents' sysaccount group and is thus an instance of different class
+(`ADTrustBasedRole`). This role also does not have 'configured' status, since
+the master is either member of the group ('enabled') or not ('absent')
+
+Server Attributes
+=
+
+Server attributes are implemented as instances of `ServerAttribute` class. The
+attribute is defined by some flag set on 'ipaConfigString' attribute of some
+service entry. To create your own server attribute, see the following example:
+
+>>> example_attribute = ServerAttribute("Example Attri
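Review bot: The paragraph documenting the `status` method names three states (enabled, configured, absent) and says it returns "a list of dictionaries akin to LDAP entries", but it neither names the dictionary keys nor gives a doctest, unlike the `ServiceBasedRole` constructor example directly above it. A short example of the returned list for a single master would make the contract checkable by callers and by the test suite. The `ADTrustBasedRole` note that follows is also missing its closing full stop.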

Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-09 Thread Petr Vobornik
On 06/09/2016 01:02 PM, Martin Babinsky wrote:
> On 06/07/2016 07:01 PM, Pavel Vomacka wrote:
>>
>>
>> On 06/07/2016 12:07 PM, Martin Babinsky wrote:
>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote:
>>>> I am sending rebased patches implementing
>>>> http://www.freeipa.org/page/V4/Server_Roles
>>>>
>>>> I hope the patches work since I have had a lot of fun rebasing them on
>>>> top of thin client and DNS locations effort.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5181



>>>
>>> Sending updated patches according to Jan's interactive review.
>>>
>>> Since the name of attributes returned by API commands and signature of
>>> `server-role-find` have changed, a small update in WebUI patches is
>>> required.
>>>
>>>
>>>
>> NACK, why did you remove sizelimit from server_role_find command? Is
>> it possible to return it back? It breaks WebUI.
> 
> Indeed, this was caused by changing the base class of the command. It is
> fixed in updated patches.
> 

NACK

Option timelimit? of command server_role_find in ipalib, not in API file:
Int('timelimit?', autofill=False)
Option sizelimit? of command server_role_find in ipalib, not in API file:
Int('sizelimit?', autofill=False)

There are one or more changes to the API.
Either undo the API changes or update API.txt and increment the major
version in VERSION.
Makefile:159: recipe for target 'version-update' failed
make: *** [version-update] Error 1
-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-09 Thread Martin Babinsky

On 06/07/2016 07:01 PM, Pavel Vomacka wrote:



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of
`server-role-find` have changed, a small update in WebUI patches is
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.


Indeed, this was caused by changing the base class of the command. It is 
fixed in updated patches.


--
Martin^3 Babinsky
From 735403be2b42356acb978815d30163221cc21c2d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 26 May 2016 19:24:22 +0200
Subject: [PATCH 1/7] Server Roles: definitions of server roles and attributes

This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
---
 ipaserver/servroles.py | 586 +
 1 file changed, 586 insertions(+)
 create mode 100644 ipaserver/servroles.py

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
new file mode 100644
index ..8628cd625f897da5c1a8539ef860ae70a44de2d8
--- /dev/null
+++ b/ipaserver/servroles.py
@@ -0,0 +1,586 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+
+"""
+This module contains the set of classes which abstract various bits and pieces
+of information present in the LDAP tree about functionalities such as DNS
+server, Active Directory trust controller etc. These properties come in two
+distinct groups:
+
+server roles
+this group represents a genral functionality provided by one or more
+IPA servers, such as DNS server, certificate authority and such. In
+this case there is a many-to-many mapping between the roles and the
+masters which provide them.
+
+server attributes
+these represent a functionality associated with the whole topology,
+such as CA renewal master or DNSSec key master.
+
+See the corresponding design page (http://www.freeipa.org/page/V4/Server_Roles)
+for more info.
+
+Both of these groups use `LDAPBasedProperty` class as a base.
+
+Server Roles
+
+
+Server role objects are usually consuming information from the master's service
+container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by
+`ServiceBasedRole`class. To create an instance of such role, you only need to
+specify role name and individual services comprising the role (more systemd
+services may be enabled to provide some function):
+
+>>> example_role = ServiceBasedRole(
+... "Example Role",
+... component_services = ['SERVICE1', 'SERVICE2'])
+>>> example_role.name
+'Example Role'
+
+The role object can then be queried for the status of the role in the whole
+topology or on a single master by using its `status` method. This method
+returns a list of dictionaries akin to LDAP entries comprised from server name,
+role name and role status (enabled if role is enabled, configured if the
+service entries are present but not marked as enabled by 'enabledService'
+config string, absent if the service entries are not present).
+
+Note that 'AD trust agent' role is based on membership of the master in the
+'adtrust agents' sysaccount group and is thus an instance of different class
+(`ADTrustBasedRole`). This role also does not have 'configured' status, since
+the master is either member of the group ('enabled') or not ('absent')
+
+Server Attributes
+=
+
+Server attributes are implemented as instances of `ServerAttribute` class. The
+attribute is defined by some flag set on 'ipaConfigString' attribute of some
+service entry. To create your own server attribute, see the following example:
+
+>>> example_attribute = ServerAttribute("Example Attribute", example_role,
+... "SERVICE1", "roleMaster")
+>>> example_attribute.name
+'Example Attribute'
+
+The FQDN of master with the attribute set can be requested using `get()`
+method. The attribute master can be changed by the `set()` method
+which accepts FQDN of a new master hosting the attribute.
+
+The available role/attribute instances are stored in
+`role_instances`/`attribute_instances` tuples.
+"""
+
+import abc
+from collections import namedtuple, defaultdict
+
+from ldap import SCOPE_ONELEVEL
+import six
+
+from ipalib import _, errors
+fro
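Review bot: The docstring sentence on `set()` ("accepts FQDN of a new master hosting the attribute") does not say what happens when the given master does not provide the role the attribute is tied to (`example_role` in the `ServerAttribute` example) or is not a known master at all. Since the docstring itself lists CA renewal master as a server attribute, this call moves a topology-wide function, so please document what validation `set()` performs and which error it raises, or state that the caller is responsible for the check.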

Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-07 Thread Pavel Vomacka



On 06/07/2016 12:07 PM, Martin Babinsky wrote:

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of 
`server-role-find` have changed, a small update in WebUI patches is 
required.




NACK, why did you remove sizelimit from server_role_find command? Is
it possible to return it back? It breaks WebUI.

Re: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

2016-06-07 Thread Martin Babinsky

On 06/03/2016 05:25 PM, Martin Babinsky wrote:

I am sending rebased patches implementing
http://www.freeipa.org/page/V4/Server_Roles

I hope the patches work since I have had a lot of fun rebasing them on
top of thin client and DNS locations effort.

https://fedorahosted.org/freeipa/ticket/5181





Sending updated patches according to Jan's interactive review.

Since the name of attributes returned by API commands and signature of 
`server-role-find` have changed, a small update in WebUI patches is 
required.


--
Martin^3 Babinsky
From e9c3d6887551782ef5e02d1c57ddb321540b6d10 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 26 May 2016 19:24:22 +0200
Subject: [PATCH 1/7] Server Roles: definitions of server roles and attributes

This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
---
 ipaserver/servroles.py | 581 +
 1 file changed, 581 insertions(+)
 create mode 100644 ipaserver/servroles.py

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
new file mode 100644
index ..2972e54310f9128c055526fbc6b933118039198f
--- /dev/null
+++ b/ipaserver/servroles.py
@@ -0,0 +1,581 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+
+"""
+This module contains the set of classes which abstract various bits and pieces
+of information present in the LDAP tree about functionalities such as DNS
+server, Active Directory trust controller etc. These properties come in two
+distinct groups:
+
+server roles
+this group represents a genral functionality provided by one or more
+IPA servers, such as DNS server, certificate authority and such. In
+this case there is a many-to-many mapping between the roles and the
+masters which provide them.
+
+server attributes
+these represent a functionality associated with the whole topology,
+such as CA renewal master or DNSSec key master.
+
+See the corresponding design page (http://www.freeipa.org/page/V4/Server_Roles)
+for more info.
+
+Both of these groups use `LDAPBasedProperty` class as a base.
+
+Server Roles
+
+
+Server role objects are usually consuming information from the master's service
+container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by
+`ServiceBasedRole`class. To create an instance of such role, you only need to
+specify role name and individual services comprising the role (more systemd
+services may be enabled to provide some function):
+
+>>> example_role = ServiceBasedRole(
+... "Example Role",
+... component_services = ['SERVICE1', 'SERVICE2'])
+>>> example_role.name
+'Example Role'
+
+The role object can then be queried for the status of the role in the whole
+topology or on a single master by using its `status` method. This method
+returns a list of dictionaries akin to LDAP entries comprised from server name,
+role name and role status (enabled if role is enabled, configured if the
+service entries are present but not marked as enabled by 'enabledService'
+config string, absent if the service entries are not present).
+
+Note that 'AD trust agent' role is based on membership of the master in the
+'adtrust agents' sysaccount group and is thus an instance of different class
+(`ADTrustBasedRole`). This role also does not have 'configured' status, since
+the master is either member of the group ('enabled') or not ('absent')
+
+Server Attributes
+=
+
+Server attributes are implemented as instances of `ServerAttribute` class. The
+attribute is defined by some flag set on 'ipaConfigString' attribute of some
+service entry. To create your own server attribute, see the following example:
+
+>>> example_attribute = ServerAttribute("Example Attribute", example_role,
+... "SERVICE1", "roleMaster")
+>>> example_attribute.name
+'Example Attribute'
+
+The FQDN of master with the attribute set can be requested using `get()`
+method. The attribute master can be changed by the `set()` method
+which accepts FQDN of a new master hosting the attribute.
+
+The available role/attribute instances are stored in
+`role_instances`/`attribute_instances` dictionaries keyed by instance name.
+"""
+
+import abc
+from collections import namedtuple, defaultdict
+
+from ldap import SCOPE_ONELEVEL
+import six
+
+from ipalib import _, errors
+from ipapython.dn import DN
+
+
+if six.PY3:
+unicode = str
+
+
+ENABLED = u'enabled'
+CONFIGURED = u'configured'
+ABSENT = u'absent'
+
+
+@six.add_metaclass(abc.ABCMeta)
+class LDAPBasedProperty(object):
+"""
+base class for all master properties defined by LDAP content
+:par
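Review bot: The `status` paragraph of the module docstring spells the role states as bare words (enabled, configured, absent), while the module defines `ENABLED`, `CONFIGURED` and `ABSENT` just below the imports. Mention the constants in that paragraph so callers compare against them rather than against string literals. Minor style point: the `LDAPBasedProperty` docstring opens with a lowercase "base class", unlike the rest of the module's prose.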