On 08/04/2016 11:40 AM, Jakub Hrozek wrote:
On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote:
On 07/12/2016 06:38 PM, Lukas Slebodnik wrote:
On (12/07/16 15:59), Michal Židek wrote:
On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:
On (12/07/16 15:16), Michal Židek wrote:
+# secrets responder
+option = provider
+

I think you need to also update "rule/allowed_sections"

maybe you could run our tool "sssctl config-check"
before sending patches :-)


What a useful tool it turned out to be :)

And there is another related question on this topic.
Should we add undocumented options to the list?

We already have "command" in the schema. Should we add others as well?

IMHO, no.

LS

So far we only added options that we expect users
to use. Options that are for developers are not added to the
schema for now.

Michal

 From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/3] config: Allow timeout for all services

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all services.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
---
ACK

 From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 2/3] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/SSSDConfigTest.py | 1 +
src/config/cfg_rules.ini     | 1 +
src/config/etc/sssd.api.conf | 1 +
3 files changed, 3 insertions(+)

ACK

 From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
Date: Tue, 12 Jul 2016 15:05:16 +0200
Subject: [PATCH 3/3] config: Allow 'secrets' section

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow the 'secrets' section in config file
schema.
---
src/config/SSSDConfigTest.py |  6 ++++--
src/config/cfg_rules.ini     | 22 ++++++++++++++++++++++
src/config/etc/sssd.api.conf |  4 ++++
3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 332d870..4748ecb 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
              'autofs',
              'ssh',
              'pac',
-            'ifp']
+            'ifp',
+            'secrets']
          for section in control_list:
              self.assertTrue(sssdconfig.has_section(section),
                              "Section [%s] missing" %
@@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
              'autofs',
              'ssh',
              'pac',
-            'ifp']
+            'ifp',
+            'secrets']
          service_list = sssdconfig.list_services()
          for service in control_list:
              self.assertTrue(service in service_list,
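
Review bot: The 'secrets' entry appended to control_list here is the same edit as in the hunk at line 1351, so the expected service list is kept as two identical literals in this test class. Consider defining the list once (for example as a class-level attribute on SSSDConfigTestSSSDConfig) and using it in both tests, so the next new responder needs a single edit.
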
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 635c078..cab25fc 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,6 +8,7 @@ section = autofs
section = ssh
section = pac
section = ifp
+section_re = ^secrets/.*$
section_re = ^domain/.*$

[rule/allowed_sssd_options]
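
Review bot: The added 'section_re = ^secrets/.*$' only matches section names that contain a slash, such as [secrets/something]; a plain [secrets] section does not match it, and no 'section = secrets' line is added next to 'section = ifp'. The test changes in this patch expect a section and a service named 'secrets', so add 'section = secrets' alongside the regex if the bare section is meant to be valid.
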
@@ -224,6 +225,27 @@ option = diag_cmd
option = allowed_uids
option = user_attributes

+[rule/allowed_secrets_options]
+validator = ini_allowed_options
+section_re = ^secrets/.*$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# secrets responder
+option = provider
+
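
Review bot: [rule/allowed_secrets_options] reuses 'section_re = ^secrets/.*$', so this option list applies only to [secrets/...] subsections, and nothing in this patch defines allowed options for a plain [secrets] section. The generic service options listed here (command, fd_limit, reconnection_retries and so on) look like they belong to the service section itself, while only 'provider' sits under the '# secrets responder' comment; consider splitting this into one rule for [secrets] and one for the subsections, each listing the options that apply there.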

There are some options which you didn't include (e.g. forward_headers)
@see
    grep confdb_get -A 5 src/responder/secrets/*
    grep proxy_get_config_string -A 5 src/responder/secrets/*

LS

It looks like secret uses a different set of options completely.
Also there is the service/program specific configuration of
secrets that should work similarly to domains (like [secret/apache]
or something like that).

I will not send this patch until I have a better understanding
of how the secrets service works and how it can be configured. I think we
should make a ticket for the documentation/design page
enhancement and make the schema change as a subtask for it.

We already have:
     https://fedorahosted.org/sssd/ticket/3053
I would like to work on that next week.

Ah, great.

I will add the need for schema update in the comments of that
ticket and close the one about fixes to initial schema.

Michal