[Freeipa-devel] Extending the IPA-API
Adam Young
ayoung at redhat.com
Thu Oct 27 15:59:18 UTC 2011
We had a pretty good discussion about the apporach we are looking at to
allow end sites to extend their IPA implementations without getting in
the way of upgrades etc. Here are some of the things I took away from
that meeting.
We want to maintain the namespace as it is. A site might decide it
wants to deploy customer-user.py and have an entity named
customer-user, but the group plugin will still talk to the user.py
plugin internally. However, if all interaction is done via the
function calls, customer-user.py can replace user.py as the code that
handles, for example, user_add.
However, Rob Has ann approach that will allow an end site to extend an
existing plugin. His proof-of-concept was:
from ipalib.plugins.user import user, user_add
from ipapython import ipautil
from ipalib import api, errors
from ipalib import Str
from ipalib import _
class extend_user(user):
user.takes_params = user.takes_params + (
Str('foo',
cli_name='foo',
label=_('Foo'),
),
)
Which would add the attribute foo to the existing user object. This
will show up in the next metadata call, so the web UI can use it as well.
We discussed in depth whether this mechanism should succeed or fail if
the newly added name already exists in the Plugin. One option is to
succeed, but log the error. This means that if a user adds afield that
we late go bck and retrofit, the IPA site will work, but custom code
made by the end user will be ignored. The alternative is for IPA server
to fail to start, but allow all of the other components (KDC, LDAP) to
run. Then a user will just lose the ability to administer their site
until they address the conflict, but key services will still be available.
The web UI can implement a similar mechanism. We do not want end sites
modifying the .js files shipped with the IPA server RPM, other wise,
they could inject columns and fields there, but they would be
susceptible to breaking during upgrade. Instead, we will provide an
extension mechanism similar to the Library back end:
The Apache server will provide access to the file
/etc/ipa/html/extensions.json. By default, this file will contain the
simplest valid JSON possible:
{}
This file will be fetched via AJAX and evaluated during the
initialization of Entities. THe format of the file will indicate what
fields will be hidden in the UI, and what fields to add. As much as
possible, the format will match the Java script that is used to
poulated the entities.
Something along the lines of:
{entity:user,
search:{add:['foo'],
hide:['manager']},
details:{add:[ {identity: ['foo','bar']}],
hide:['manager']},
}
This would add one field to the search results, and two fields to the
details page, inside the identity section.
For the first pass, all added fields would be added as text fields.
On the second pass, the JSON listed above can be extended to allow
custom widgets in the field declarations.
On the third pass, we add in a second file:
/etc/ipa/html/custom_widgets.js. By default it will be blank.
This file will be added to the index.html of the webUI, and evaluated
after all of the other widgets, but before the entities. This will
allow the end sites to not only add in their own widgets, but to
possibly change the definition of some of the baseline widgets as well.
More information about the Freeipa-devel
mailing list