[Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG

Rob Crittenden rcritten at redhat.com
Tue May 24 13:37:44 UTC 2011 

Martin Kosek wrote:
> On Mon, 2011-05-23 at 17:32 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-05-20 at 10:58 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> This patch is based on old Pavel's patch.
>>>>>>>>
>>>>>>>> I am considering applying the patch for master branch only as it
>>>>>>>> changes
>>>>>>>> an API (adds a new flag) and is a sort of new-functionality-ish.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Automatic creation may of User Private Groups (UPG) may not be
>>>>>>>> wanted at all times. This patch adds a new flag --noprivate to
>>>>>>>> ipa user-add command to disable it.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/1131
>>>>>>>
>>>>>>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a
>>>>>>> side-effect of some change here.
>>>>>>>
>>>>>>> The approach generally looks good.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> You are right, this was a side-effect in user.py. I fixed the problem,
>>>>>> updated patch is attached.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> This looks good, just a couple of requests:
>>>>>
>>>>> 1. Bump the minor API version since we are adding a new flag
>>>>> 2. Add a self-test for not creating a private group
>>>>>
>>>>> rob
>>>>
>>>> Oh, and looking back at the user I create it still has the UPG magic in
>>>> the description attribute.
>>>>
>>>> rob
>>>
>>> Thanks for careful review, I missed this bug in the original patch. UPG
>>> magic has been removed from the description and a test checking all this
>>> has been added.
>>>
>>> Martin
>>
>> I'm getting this on output, not sure if it is a bug in my tree or not:
>>
>> # ipa user-add --first=tim --last=user tuser3 --all --noprivate
>> -------------------
>> Added user "tuser3"
>> -------------------
>>     dn: uid=tuser3,cn=users,cn=accounts,dc=greyoak,dc=com
>>     User login: tuser3
>>     First name: tim
>>     Last name: user
>>     Full name: tim user
>>     Display name: tim user
>>     Initials: tu
>>     Home directory: /home/tuser3
>>     GECOS field: tim user
>>     Login shell: /bin/sh
>>     Kerberos principal: tuser3 at GREYOAK.COM
>>     UID: 204000006
>>     GID: 204000001
>> ipa: ERROR: IndexError: tuple index out of range
>> Traceback (most recent call last):
>>     File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1103, in run
>>       sys.exit(api.Backend.cli.run(argv))
>>     File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 930, in run
>>       rv = cmd.output_for_cli(self.api.Backend.textui, result, *args,
>> **options)
>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 956,
>> in output_for_cli
>>       textui.print_entry(result, order, labels, flags, print_all)
>>     File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 388, in
>> print_entry
>>       if type(entry[key]) in (tuple, list) and isinstance(entry[key][0],
>> dict):
>> IndexError: tuple index out of range
>> ipa: ERROR: an internal error has occurred
>>
>> Otherwise things look ok.
>>
>> rob
>
> Hmm, that's strange. Doesn't happen for me:
>
> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
> -------------------
> Added user "tuser3"
> -------------------
>    dn: uid=tuser3,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    User login: tuser3
>    First name: tim
>    Last name: user
>    Full name: tim user
>    Display name: tim user
>    Initials: tu
>    Home directory: /home/tuser3
>    GECOS field: tim user
>    Login shell: /bin/sh
>    Kerberos principal: tuser3 at IDM.LAB.BOS.REDHAT.COM
>    UID: 557200036
>    GID: 557200001
>    ipauniqueid: 07b2864e-85e1-11e0-957d-00163e0605ff
>    krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
>                 krbprincipalaux, krbticketpolicyaux, ipaobject
>
>
> Can you please try again with a clean tree and only my patch applied?

Sure, I'll give it a fresh look this morning.

>
> I have a one more question. Bumping minor API version makes the client
> incompatible and it fails to operate. Is this OK? I thought it would be
> incompatible only when a major version changes:
>
> $ ipa user-add --first=tim --last=user tuser3 --all --noprivate
> ipa: ERROR: 2.2 client incompatible with 2.1 server at u'https://vm-027.idm.lab.bos.redhat.com/ipa/xml'
>
> Martin
>

Right, you've added a flag that an API 2.1 server won't understand. So a 
lower minor version can talk to a higher minor version but not the other 
way around.

rob

More information about the Freeipa-devel mailing list