[Freeipa-devel] [PATCH] 817 Add option to wait for values

Martin Kosek mkosek at redhat.com
Tue Jul 19 11:15:31 UTC 2011 

On Tue, 2011-07-19 at 00:14 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
> >>>>> Rob Crittenden wrote:
> >>>>>> Rob Crittenden wrote:
> >>>>>>> 389-ds postop plugins, such as the managed entry and memberof plugins,
> >>>>>>> add values after the data has been returned to the client. In the case
> >>>>>>> of the managed entry plugin this affects the parent entry as well
> >>>>>>> (adds
> >>>>>>> an objectclass value).
> >>>>>>>
> >>>>>>> This wreaks havoc on our tests as the values don't match what we
> >>>>>>> expect.
> >>>>>>>
> >>>>>>> The solution is to wait for the postop plugins to finish their work,
> >>>>>>> then return. I've added this as an option. The downside is it is going
> >>>>>>> to naturally slow things down, so it is off by default.
> >>>>>>>
> >>>>>>> It is currently only used in the hostgroup plugin.
> >>>>>>>
> >>>>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and
> >>>>>>> set it
> >>>>>>> to True and all the current tests will pass (assuming you apply
> >>>>>>> patches
> >>>>>>> 814-816 as well).
> >>>>>>>
> >>>>>>> So now we won't have any excuses for missing test failures in the unit
> >>>>>>> tests...
> >>>>>>>
> >>>>>>> rob
> >>>>>>
> >>>>>> Bah, found a small problem. Self-NACK.
> >>>>>>
> >>>>>> rob
> >>>>>
> >>>>> Updated patch attached.
> >>>>>
> >>>>> Note that I don't think there is a way for us to handle things like
> >>>>> memberof_indirect. We wouldn't know to wait.
> >>>>>
> >>>>> rob
> >>>>
> >>>> Works fine for the hostgroup entry. It's good it can be switched on/off.
> >>>>
> >>>> But what about other managed entries, like user entry? Would it make
> >>>> sense to add a wait here too? Or maybe something systematic to baseldap
> >>>> so that we wouldn't have to implement this wait to every managed entry.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> I can certainly add it to users to check for managed groups. Making it
> >>> generic would be difficult because some are conditional (such as users).
> >>>
> >>> rob
> >>
> >> Added support for managed users as well.
> >>
> >> rob
> >
> > Waiting for managed users work too. However, I have just noticed that
> > the entire solution works only partially.
> >
> > It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP
> > attributes "mepmanagedentry" and "memberof" to the<command>-add result:
> >
> > # ipa hostgroup-add hgroup3 --desc=foo --all --raw
> > -------------------------
> > Added hostgroup "hgroup3"
> > -------------------------
> >    dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    cn: hgroup3
> >    description: foo
> >    ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
> >    objectclass: ipaobject
> >    objectclass: ipahostgroup
> >    objectclass: nestedGroup
> >    objectclass: groupOfNames
> >    objectclass: top
> >    objectclass: mepOriginEntry
> > # ipa hostgroup-show hgroup3 --all --raw
> >    dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    cn: hgroup3
> >    description: foo
> >    ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
> >    memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
> >    mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
> >    objectclass: ipaobject
> >    objectclass: ipahostgroup
> >    objectclass: nestedGroup
> >    objectclass: groupOfNames
> >    objectclass: top
> >    objectclass: mepOriginEntry
> >
> > # ipa user-add --first=Foo --last=Bar fbar2 --all --raw
> > ------------------
> > Added user "fbar2"
> > ------------------
> >    dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    uid: fbar2
> >    givenname: Foo
> >    sn: Bar
> >    cn: Foo Bar
> >    displayname: Foo Bar
> >    initials: FB
> >    homedirectory: /home/fbar2
> >    gecos: Foo Bar
> >    loginshell: /bin/sh
> >    krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
> >    uidnumber: 524600004
> >    gidnumber: 524600004
> >    ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
> >    krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    objectclass: top
> >    objectclass: person
> >    objectclass: organizationalperson
> >    objectclass: inetorgperson
> >    objectclass: inetuser
> >    objectclass: posixaccount
> >    objectclass: krbprincipalaux
> >    objectclass: krbticketpolicyaux
> >    objectclass: ipaobject
> >    objectclass: mepOriginEntry
> > # ipa user-show fbar2 --all --raw
> >    dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    uid: fbar2
> >    givenname: Foo
> >    sn: Bar
> >    cn: Foo Bar
> >    displayname: Foo Bar
> >    initials: FB
> >    homedirectory: /home/fbar2
> >    gecos: Foo Bar
> >    loginshell: /bin/sh
> >    krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
> >    uidnumber: 524600004
> >    gidnumber: 524600004
> >    nsaccountlock: False
> >    ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
> >    krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >    memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
> >    mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
> >    objectclass: top
> >    objectclass: person
> >    objectclass: organizationalperson
> >    objectclass: inetorgperson
> >    objectclass: inetuser
> >    objectclass: posixaccount
> >    objectclass: krbprincipalaux
> >    objectclass: krbticketpolicyaux
> >    objectclass: ipaobject
> >    objectclass: mepOriginEntry
> >
> >
> > I think there attributes should be added in post_callback (and to the
> > tests).
> >
> > Martin
> >
> 
> Updated patch attached. The interesting change here is the 
> entry_from_entry() function.
> 
> Python calls functions passing by value the actual value passed may be 
> an immutable reference. This means we can't simply fetch the new entry 
> and replace what we already have, we have to do it value by value. We 
> also have to wipe out what is already there first because it is possible 
> an attribute has disappeared (I don't think one actually does in 
> practice in these two calls but it is cleaner this way).
> 
> For kicks you can see this in action with this snippet:
> 
> def tryme(x):
>      x = 5
> 
> y = 9
> tryme(y)
> print y
> 
> y is 9. Fun, isn't it?
> 
> rob

You are right, Python references are fun sometimes :-) Fortunately, I
learned this behavior earlier so it doesn't surprise me.

But your patch works fine, I like it. All fixed tests passed.

Pushed to master.

Martin

More information about the Freeipa-devel mailing list