[Freeipa-devel] [PATCHES] 0473-0477+0497 Managed permission updater, part 1

Petr Viktorin pviktori at redhat.com
Fri Mar 14 15:27:58 UTC 2014 

On 03/13/2014 02:01 PM, Petr Viktorin wrote:
> On 03/07/2014 10:45 AM, Martin Kosek wrote:
>> On 03/05/2014 01:48 PM, Petr Viktorin wrote:
>>> On 03/03/2014 04:10 PM, Petr Viktorin wrote:
>>>> On 02/28/2014 02:47 PM, Petr Viktorin wrote:
>>>>> On 02/28/2014 02:12 PM, Martin Kosek wrote:
>>>>>> On 02/26/2014 10:44 AM, Petr Viktorin wrote:
>>>>>>> Hello,
>>>>>>> Here are a few fixes/improvements, and the first part of a managed
>>>>>>> permission
>>>>>>> updater.
>>>>>>>
>>>>>>> The patches should go in this order but don't need to be
>>>>>>> ACKed/pushed
>>>>>>> all at once.
>>>>>>>
>>>>>>>
>>>>>>> Design:
>>>>>>> http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
>>>>>>>
>>>>>>>
>>>>>>> This part is a "preview" of sorts, to get the basic mechanism and
>>>>>>> the
>>>>>>> metadata
>>>>>>> format reviewed before I add all of the default read permissions.
>>>>>>> It implements the first section of "Default Permission Updater" in
>>>>>>> the design;
>>>>>>> "Replacing legacy default permissions" and "Removing the global
>>>>>>> anonymous read
>>>>>>> ACI" is left for later.
>>>>>>> Metadata is added for the netgroup plugin* for starters
>>> [...]
>>>>>>>
>>>>>>
>>>>>> 1) 476: Typo in test name:
>>>>>>
>>>>>> +            desc='Search fo rnonexisting permission with ":" in the
>>>>>> name',
>>>>>
>>>>> Will fix.
>>>
>>> Fixed
>>>
>>>>>> 2) 477: do we want to log anything when permission is up to date?
>>>>>>
>>>>>> +            try:
>>>>>> +                ldap.update_entry(entry)
>>>>>> +            except errors.EmptyModlist:
>>>>>> +                return
>>>>>
>>>>> I don't think that's needed, after all that's the expected behavior in
>>>>> all but the first upgrade.
>>>>> But I'll be happy to add it if you think it would be better.
>>>
>>> I've added a DEBUG message here.
>>>
>>> [...]
>>>>>> 4) I have been quite resilient to the prefixes for the permissions,
>>>>>> but it
>>>>>> seems it is the easier possible approach to fix conflicts with user
>>>>>> permissions
>>>>>> without having to check that later for every upgrade or doing more
>>>>>> complex
>>>>>> stuff like multiple RDNs or different container for system and user
>>>>>> permissions.
>>>>>>
>>>>>> I am now just thinking about the prefixing. Now you use this name:
>>>>>>
>>>>>> ipa:Read Netgroups
>>>>>>
>>>>>> Would it be "nicer" to use:
>>>>>>
>>>>>> IPA:Read Netgroups
>>>>>> or
>>>>>> IPA: Read Netgroups
>>>>>> or even
>>>>>> [IPA] Read Netgroups
>>>>>> ? :-)
>>>>>
>>>>> Bikeshedding time!
>>>>> Everyone on the list, please chime in!
>>>>
>>>> Bikeshedding results from today's meeting:
>>>>
>>>> "ipa: " pviktori++
>>>> "System: " mkosek++ simo+ ab++
>>>> "Builtin: " simo++ pvo+
>>>> "Default:"
>>>>
>>>> The winner is "System: ", so I'll go and change to that.
>>>
>>> Done.
>>
>> Thanks. The patch set looks good now, I just see that the update
>> process may
>> not be optimal After I run the upgrade second time, it still tries to
>> update
>> the ACI even though there was no change done to the permission object and
>> should thus raise errors.EmptyModlist and skip the ACI update:
>>
>> 2014-03-07T09:44:34Z INFO Updating managed permissions for netgroup
>> 2014-03-07T09:44:34Z INFO Updating managed permission: System: Read
>> Netgroups
>> 2014-03-07T09:44:34Z DEBUG Updating ACI for managed permission:
>> System: Read
>> Netgroups
>> 2014-03-07T09:44:34Z DEBUG Removing ACI u'(targetattr = "cn ||
>> description ||
>> hostcategory || ipaenabledflag || ipauniqueid || nisdomainname ||
>> usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version
>> 3.0;acl
>> "permission:System: Read Netgroups";allow (read,compare,search) userdn =
>> "ldap:///all";)' from
>> cn=ng,cn=alt,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>> 2014-03-07T09:44:34Z DEBUG Adding ACI u'(targetattr = "cn ||
>> description ||
>> hostcategory || ipaenabledflag || ipauniqueid || nisdomainname ||
>> usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version
>> 3.0;acl
>> "permission:System: Read Netgroups";allow (read,compare,search) userdn =
>> "ldap:///all";)' to
>> cn=ng,cn=alt,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>> 2014-03-07T09:44:34Z INFO No changes to ACI
>> 2014-03-07T09:44:34Z INFO Updating managed permission: System: Read
>> Netgroup
>> Membership
>>
>> Any idea what could cause this?
>
> Ah, you're right. The updater tried to remove the 'top' objectclass,
> since it found that in the permission but it wasn't in
> permission.object_class.
> I added 'top' to the list in a new patch.
>
> There was a minor conflict with master; I'm attaching the whole rebased
> patchset for convenience.

Rebased again.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0473.4-Allow-indexing-API-object-types-by-class.patch
Type: text/x-patch
Size: 4114 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0474.4-permission-find-Fix-handling-of-the-search-term-for-.patch
Type: text/x-patch
Size: 3667 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0475.4-test_permission_plugin-Fix-tests-that-make-too-broad.patch
Type: text/x-patch
Size: 6973 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0476.4-Allow-modifying-permissions-with-in-the-name.patch
Type: text/x-patch
Size: 11043 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0477.4-Add-Object-metadata-and-update-plugin-for-managed-pe.patch
Type: text/x-patch
Size: 9082 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0497.4-permission-plugin-Add-top-to-the-list-of-object-clas.patch
Type: text/x-patch
Size: 1502 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140314/5617ba9f/attachment-0005.bin>

More information about the Freeipa-devel mailing list