[Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades

Martin Kosek mkosek at redhat.com
Fri Feb 22 12:49:33 UTC 2013


On 02/19/2013 08:23 PM, Simo Sorce wrote:
> On Tue, 2013-02-19 at 13:32 -0500, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 18.2.2013 22:00, Rob Crittenden wrote:
>>>> An objectclass and attribute are not being added on upgrades. Missing
>>>> these causes the UI to not work.
>>>>
>>>> I also noticed a typo in the ordering of a number of the trust
>>>> attributes so fix those as well.
>>>>
>>>> rob
>>>>
>>>
>>> The patch looks good, but I think errors like this will pop up from time
>>> to time, because we have to maintain the same thing in two places - the
>>> installation LDIFs and update files. Maybe we should start thinking
>>> about merging these two somehow, e.g. using the LDIFs for both
>>> installation and updates, with directives for the updater in specially
>>> formatted comments.
>>>
>>> Honza
>>>
>>
>> This idea came up long, long ago when we first added the updater very 
>> early in v2. The problem, as I recall, is that some schema is needed 
>> during the install so we need to ship it in ldif format, and the idea of 
>> splitting it didn't appeal to us.
>>
>> So perhaps what we should endeavor to do is add all new schema via 
>> updates and only update the schema files themselves if the schema is 
>> needed for a fresh install (since updates are done last).
>>
>> This also puts more schema into 99user.ldif which may or may not be 
>> desirable.
> 
> Rob, another option is to keep putting all updates only in schema files,
> and then have the updater "validate" the schema files.
> 
> Validation would be:
> 1. Download schema from server (we already do this in the framework so
> it comes for free)
> 2. parse the schema files and check if each attribute and objectclass is
> present and in the correct form.
> 3. if any attribute is missing, we add it
> 4. if any attribute has been changed, we change it
> 5. same for object classes.
> 
> This would allow us to keep everything just in schema files, and for now
> only updates would end up in 99.ldif
> 
> I know there is also work in 389ds to improve schema validation and
> handling, so there is a chance in future we will have online interfaces
> to put data in multiple files w/o lumping everything in 99.ldif
> 
> So by keeping stuff in schema files rather than arbitrary update files
> we are also sort of future proof.
> 
> Finally keeping data in schema files instead of spreading it in updates
> should make it easier to keep an eye on the whole schema.
> 
> The main issue I see is that this approach needs new code to analyze and
> compare schema files, however that shouldn't be overly hard.
> 
> Simo.
> 

I think this is a great idea. Having schema updates in 2 or more separate
places is error prone. attributeTypes or objectClasses update files may be
confusing as we often have 2 and more replace: directives when we update
objectClasses or attributeTypes more than one time.

As for the LDIF file parsing, we could also use python-ldap's convenience
classes which will make the comparing easier.

I created a ticket to address this effort:
https://fedorahosted.org/freeipa/ticket/3454

Martin
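The validation steps Simo outlines (parse the schema files, compare each attributeTypes and objectClasses value with what the server reports, add what is missing and replace what changed) can be sketched in a few dozen lines. The following is an added example written for this thread, not code from FreeIPA or the thread's authors. It uses a small hand-written parser instead of python-ldap's ldap.schema classes so it runs without a directory server; the "server" side is a constructed list of values standing in for the cn=schema entry the framework would download, the OIDs and names are placeholders, and the add:/replace: output format is only modelled loosely on an update file, not the updater's exact syntax.

```python
"""Compare schema definitions from an LDIF schema file with the schema a
directory server reports, and compute what an updater would have to add or
replace.  All schema values here are constructed placeholders."""
import re

# Matches NAME 'single' or NAME ( 'one' 'two' ) in an RFC 4512 definition.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def normalize(definition):
    """Collapse whitespace so comparison ignores LDIF line wrapping."""
    return " ".join(definition.split())


def parse_element(definition):
    """Extract OID and NAMEs from one attributeTypes/objectClasses value."""
    text = normalize(definition)
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("schema definition must be parenthesised: %r" % text)
    inner = text[1:-1].strip()
    oid = inner.split()[0]            # OID is always the first token
    m = _NAME_RE.search(inner)
    if m is None:
        names = ()
    elif m.group(1) is not None:
        names = (m.group(1),)
    else:
        names = tuple(re.findall(r"'([^']*)'", m.group(2)))
    return {"oid": oid, "names": names, "text": text}


def parse_ldif_schema(ldif_text):
    """Read attributeTypes/objectClasses values out of LDIF text, honouring
    LDIF line folding (continuation lines start with one space)."""
    logical_lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)
    schema = {"attributeTypes": {}, "objectClasses": {}}
    for line in logical_lines:
        for kind in schema:
            prefix = kind + ":"
            if line.lower().startswith(prefix.lower()):
                elem = parse_element(line[len(prefix):])
                schema[kind][elem["oid"]] = elem
    return schema


def schema_from_values(values_by_kind):
    """Build the same structure from raw values, e.g. the attributeTypes and
    objectClasses attributes of the server's cn=schema entry (step 1)."""
    schema = {"attributeTypes": {}, "objectClasses": {}}
    for kind, values in values_by_kind.items():
        for value in values:
            elem = parse_element(value)
            schema[kind][elem["oid"]] = elem
    return schema


def diff_schema(wanted, current):
    """Steps 2-5: for every wanted element, decide add / replace / nothing.
    Comparison is by normalised text keyed on OID; a production version would
    compare parsed fields, since the server may reorder clauses."""
    result = {"add": {}, "replace": {}}
    for kind in ("attributeTypes", "objectClasses"):
        adds, replaces = [], []
        for oid, elem in wanted[kind].items():
            existing = current[kind].get(oid)
            if existing is None:
                adds.append(elem["text"])
            elif existing["text"] != elem["text"]:
                replaces.append((existing["text"], elem["text"]))
        result["add"][kind] = adds
        result["replace"][kind] = replaces
    return result


def plan_update(ldif_text, server_values):
    """Emit add:/replace: directives (format is an assumption, loosely
    modelled on an update file) for everything the server lacks."""
    diff = diff_schema(parse_ldif_schema(ldif_text),
                       schema_from_values(server_values))
    directives = []
    for kind in ("attributeTypes", "objectClasses"):
        for text in diff["add"][kind]:
            directives.append("add:%s:%s" % (kind, text))
        for old, new in diff["replace"][kind]:
            directives.append("replace:%s:%s::%s" % (kind, old, new))
    return directives


# Constructed schema file fragment (placeholder OIDs/names, folded LDIF lines).
WANTED_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'ipaExampleAttr' DESC 'constructed'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-ORIGIN 'example' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'ipaExampleFlag' DESC 'constructed'
  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
  X-ORIGIN 'example' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'ipaExampleObject' SUP top AUXILIARY
  MAY ( ipaExampleAttr $ ipaExampleFlag ) X-ORIGIN 'example' )
"""

# Constructed "server" values: first attribute identical, second attribute
# missing, objectClass present but lacking the new MAY member.
SERVER_VALUES = {
    "attributeTypes": [
        "( 1.3.6.1.4.1.99999.1.1 NAME 'ipaExampleAttr' DESC 'constructed' "
        "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
        "SINGLE-VALUE X-ORIGIN 'example' )",
    ],
    "objectClasses": [
        "( 1.3.6.1.4.1.99999.2.1 NAME 'ipaExampleObject' SUP top AUXILIARY "
        "MAY ( ipaExampleAttr ) X-ORIGIN 'example' )",
    ],
}

if __name__ == "__main__":
    for directive in plan_update(WANTED_LDIF, SERVER_VALUES):
        print(directive)
```

Run against the constructed data it produces one add: directive for the missing attribute and one replace: for the objectClass whose MAY list changed, and nothing for the attribute that already matches. Keying on OID rather than NAME is deliberate: a renamed attribute still maps to the same server element, which is exactly the case where a blind add would fail.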
