[Freeipa-devel] [PATCHES] 0068-0070 Automember rebuild membership

Ana Krivokapic akrivoka at redhat.com
Wed Nov 13 15:56:58 UTC 2013 

On 11/13/2013 03:08 PM, Martin Kosek wrote:
> On 10/29/2013 12:30 PM, Ana Krivokapic wrote:
>> On 10/15/2013 06:09 PM, Ana Krivokapic wrote:
>>> On 09/30/2013 10:02 AM, Petr Viktorin wrote:
>>>> On 09/27/2013 03:12 PM, Martin Kosek wrote:
>>>>> On 09/27/2013 03:00 PM, Jan Cholasta wrote:
>>>>>> On 23.9.2013 19:41, Ana Krivokapic wrote:
>>>>>>> On 09/19/2013 03:29 PM, Ana Krivokapic wrote:
>>>>> ...
>>>>>> Patch 69:
>>>>>>
>>>>>> I think the changes in the update file should be also done in the
>>>>>> right LDIF
>>>>>> files in install/share, though I don't know what is the recent
>>>>>> consensus on this.
>>>>>>
>>>>>>
>>>>>> Honza
>>>>>>
>>>>> Last time I checked, we used to do the change both in LDIF and update
>>>>> file. Just to avoid the LDIF become obsolete.
>>>>>
>>>>> Martin
>>>> Rob recently said his preference is to move everything from LDIF to updates,
>>>> and out of the the LDIF files:
>>>> http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html
>>>>
>>>> I would agree, having two places with the same information is redundant and
>>>> error-prone.
>>>>
>>> Thanks Honza for the review.
>>>
>>> I incorporated your suggestions in this updated patchset. I attached all the
>>> patches for more convenient reviewing, but only patches 68 and 70 have changed.
>>>
>>> I haven't done any changes in the LDIF files since the consensus seems to be not
>>> to do that.
>> Patch 70 needed a rebase, attaching the whole patchset again.
> This works pretty fine, I have few comments though:
>
> 1) 0068: the task should be run only for users/hosts base DN - this is where we
> confine our automember and I think admin may be surprised that the rebuild call
> is does not respect it.

Fixed.

>
> 2) 0068: I am missing some examples for automember-rebuild in the help. At
> least for running rebuild for all users/hosts and for running it for specified
> user/host.

I added some examples, as well as a general description of the new command.

>
> 3) 0068: I think that the labels/doc for the new command/options should be
> improved. It is not obvious, that automember-rebuild can run for all
> users/hosts, at least from following doc:
>
> # ipa help automember
> ...
>   automember-rebuild               Rebuild auto membership for specified entries.
> ...
>
> Maybe we should remove the "for specified entries" part?
>
> As for the options, we now have this:
>
> # ipa help automember-rebuild
> Usage: ipa [global-options] automember-rebuild [options]
>
> Rebuild auto membership for specified entries.
> Options:
>   -h, --help            show this help message and exit
>   --type=['group', 'hostgroup']
>                         Grouping to which the rule applies  <--completely stray
>   --users=STR           Users for which the rebuild task will be run
>   --hosts=STR           Hosts for which the rebuild task will be run
>
>
> We should probably also do not mention specified entries here.
>
> As for option help, maybe the following would better show that it can be run
> for all entries?
>
>   --type=['group', 'hostgroup']
>                         Rebuild membership for all members of a grouping
>   --users=STR           Rebuild membership for specified users
>   --hosts=STR           Rebuild membership for specified hosts

Agreed, labels fixed as per your suggestions.

>
> This makes me thinking we may want to forbid entering both --type and
> --users/--hosts - i.e. either rebuild all or just selected ones - to make the
> selection even more clear. But I am open to discussion on this one.

Validation prevents any invalid combination of options (e.g. --type=group and
--hosts used together, or --type=hostgroup and --users used together). If, for
example, --users is specified, then --type=group is allowed but not required. I
think it's clear enough.

>
> 4) 0069: Add Automember Export Updates Task is currently redundant. I think we
> should either have permissions for all 3 possible tasks or for just the one we use.

I removed the unused permission.

>
> 5) 0069: permissions should be of SYSTEM type as the ACI is out of SUFFIX, so
> that user does not try to modify them (will be able to in future versions).
> Adding Petr3 to CC for heads up on this one.

Fixed.

>
> Martin

Thanks for the review, the updated patchset is attached.


-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0069-03-Add-a-privilege-and-a-permission-needed-for-automemb.patch
Type: text/x-patch
Size: 1879 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/5f4025b7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0068-04-Add-automember-rebuild-command.patch
Type: text/x-patch
Size: 8164 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/5f4025b7/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0071-Fix-error-message-when-adding-duplicate-automember-r.patch
Type: text/x-patch
Size: 3819 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/5f4025b7/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0070-04-Add-unit-tests-for-automember-rebuild-command.patch
Type: text/x-patch
Size: 21152 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/5f4025b7/attachment-0003.bin>

More information about the Freeipa-devel mailing list