[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Rob Crittenden rcritten at redhat.com
Fri Jun 29 20:38:37 UTC 2012


Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>>> > > > > > > >
>>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>>>> > > > > > > > users/groups and users from trusted domains, new range objects are
>>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>>>> > > > > > > >
>>>> > > > > > > > 0022: LDAP schema update
>>>> > > > > > >
>>>> > > > > > > ack
>>>> > > > > > >
>>>> > > > > > > > 0023: Create a range object during installation for the local ID range
>>>> > > > > > >
>>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>>>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
>>>> > > > > > > for most of its users.
>>>> > > > > >
>>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>>>> > > > > > testing.
>>>> > > > >
>>>> > > > > The reason I'd like updates is that this patchset can be installed on
>>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>>>> > > > > or manually creating the ipaDomainIDRange object :):)
>>>> > > >
>>>> > > > ok, will do.
>>>> > > >
>>>> > > > Do you otherwise agree with the patches or is there something I should
>>>> > > > change while adding the updates?
>>>> > > >
>>>> > > > bye,
>>>> > > > Sumit
>>>> > > >
>>>> > > > >
>>>> > > > > > >
>>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>>>> > > > > > > >       during ipa-adtrust-install
>>>> > > > > > >
>>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>>>> > > > > >
>>>> > > > > > I think it is right here, because a plain IPA server does not need the
>>>> > > > > > RID related attributes.
>>>> > > > > >
>>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>>>> > > > > > > detect them.
>>>> > > > > >
>>>> > > > > > I agree here, too. But as above I would like to handle update issues
>>>> > > > > > in a second round.
>>>> > > > > >
>>>> > > > > > >
>>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>>>> > > > > > > falls outside the configured range (either because we failed to detect
>>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>>>> > > > > > > added arbitrary IDs).
>>>> > > > > > > If a warning, we should warn that, missing a range that suitably covers
>>>> > > > > > > these IDs, those users/groups will not be available for the trust.
>>>> > > > > > >
>>>> > > > > > > Maybe we should also have a simple ipa command that can list all
>>>> > > > > > > users/groups that fall outside the ranges as well.
>>>> > > > > >
>>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>>>> > > > > > range-find' etc. I can add it there.
>>>> > > > > >
>>>> > >
>>>> > > Hi,
>>>> > >
>>>> > > this new series of patches adds the cli plugin to create the ID ranges
>>>> > > manually. I'm still working on a detection of the locally used id range
>>>> > > of an upgraded domain in ipa-adtrust-install and a plugin which rejects
>>>> > > new ranges which overlap with existing ones.
>>>> > >
>>>> > > bye,
>>>> > > Sumit
>>>> >
>>>> > the attached patch adds a preop plugin which checks for overlaps with
>>>> > existing ranges.
>>>> >
>>>> > bye,
>>>> > Sumit
>>>>
>>>> Finally I added a method to guess and create the initial ID range, if none
>>>> is present, e.g. when updating from an older version of freeIPA. A full
>>>> series of patches is attached.
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> This version of patches fixes review comments by Alexander and also adds
>>> some tests for the range CLI plugin which were kindly provided by
>>> Alexander.
>> ACK
>>
>
> These patches aren't applying for me.
>
> rob

Hmm. Pulled a fresh tree and they imported fine.

pushed to master

rob
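The two checks discussed in the quoted thread (the preop plugin that rejects a new range overlapping an existing one, and the search for users/groups whose uid/gidNumber no range covers) are easy to get wrong at the boundaries, so here is a small worked example. It is added here for illustration and is not FreeIPA's own code or the patches under review: it works on in-memory data instead of the 389-ds preop hook and LDAP searches the real plugin uses, the attribute names ipaBaseID/ipaIDRangeSize and the sample ranges and entries are assumptions, and the range-guessing heuristic for the upgrade case is a deliberately simple stand-in, not FreeIPA's algorithm.

```python
"""Added example, not FreeIPA's own code: the overlap check and the
out-of-range search the thread asks for, modelled on in-memory data instead
of a 389-ds preop plugin and LDAP searches.  Attribute names ipaBaseID and
ipaIDRangeSize, the sample ranges/entries and the guessing heuristic are
assumptions made for this example."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class IDRange:
    """One range object of the kind the thread stores below
    cn=range,cn=etc,$SUFFIX.  The attribute names below are assumed."""
    name: str   # cn of the range object
    base: int   # assumed attribute ipaBaseID: first ID, inclusive
    size: int   # assumed attribute ipaIDRangeSize: number of IDs

    @property
    def last(self) -> int:
        """Highest ID in the range, inclusive."""
        return self.base + self.size - 1

    def covers(self, value: int) -> bool:
        return self.base <= value <= self.last


def validate_range(candidate: IDRange, existing: Iterable[IDRange]) -> None:
    """The decision a preop plugin has to make: reject a new or modified
    range that overlaps any other range.  Raises ValueError on rejection."""
    if candidate.size <= 0:
        raise ValueError(f"{candidate.name}: size must be positive")
    if candidate.base < 0:
        raise ValueError(f"{candidate.name}: base must not be negative")
    for other in existing:
        if other.name == candidate.name:
            continue  # a modify of an existing object must not collide with itself
        # Closed intervals [a, b] and [c, d] overlap iff a <= d and c <= b.
        # Comparing against the inclusive `last` keeps adjacent ranges such as
        # [1000000, 1199999] and [1200000, ...] legal; an off-by-one here is
        # the usual bug in this kind of check.
        if candidate.base <= other.last and other.base <= candidate.last:
            raise ValueError(
                f"{candidate.name} [{candidate.base}-{candidate.last}] overlaps "
                f"{other.name} [{other.base}-{other.last}]")


def find_uncovered(entries: Iterable[Tuple[str, int]],
                   ranges: Iterable[IDRange]) -> List[Tuple[str, int]]:
    """The search Simo suggests: every user/group whose uid/gidNumber lies
    outside all configured ranges.  Such entries cannot be mapped for the
    trust.  `entries` are (dn, uidNumber-or-gidNumber) pairs."""
    ranges = list(ranges)
    return [(dn, num) for dn, num in entries
            if not any(r.covers(num) for r in ranges)]


def guess_local_range(numbers: Iterable[int], default_size: int = 200000) -> IDRange:
    """Simple heuristic for the upgrade case (an assumption of this example,
    not FreeIPA's method): start at the lowest ID in use and make the range
    at least `default_size` wide, wider if needed to reach the highest ID."""
    nums = sorted(set(numbers))
    if not nums:
        raise ValueError("no POSIX IDs to derive a range from")
    base = nums[0]
    size = max(default_size, nums[-1] - base + 1)
    return IDRange("local", base, size)


# Constructed sample data for the demonstration (not from a real server).
LOCAL = IDRange("LOCAL_ID_RANGE", 1000000, 200000)   # covers 1000000-1199999
SAMPLE_ENTRIES = [
    ("uid=admin,cn=users,cn=accounts,dc=example,dc=test", 1000000),
    ("uid=legacy,cn=users,cn=accounts,dc=example,dc=test", 500),
    ("cn=editors,cn=groups,cn=accounts,dc=example,dc=test", 1000005),
    ("cn=oldgrp,cn=groups,cn=accounts,dc=example,dc=test", 1200000),
]


def demo() -> dict:
    """Run the checks over the sample data; returns the results for inspection."""
    results = {}
    # A range starting right after LOCAL ends must be accepted.
    validate_range(IDRange("TRUST_RANGE", 1200000, 200000), [LOCAL])
    results["adjacent_ok"] = True
    # A range sharing a single ID with LOCAL must be rejected.
    try:
        validate_range(IDRange("BAD_RANGE", 1199999, 10), [LOCAL])
        results["overlap_rejected"] = False
    except ValueError:
        results["overlap_rejected"] = True
    results["uncovered"] = find_uncovered(SAMPLE_ENTRIES, [LOCAL])
    results["guessed"] = guess_local_range(n for _, n in SAMPLE_ENTRIES)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the real plugin the `existing` list comes from a search below cn=range,cn=etc,$SUFFIX and the entries from a search on uidNumber/gidNumber; the interval arithmetic is the part worth getting right, because a check written with `<` instead of `<=` lets two ranges share their boundary ID.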
