[Freeipa-devel] Client-side command in the IPA framework

Rob Crittenden rcritten at redhat.com
Fri Feb 28 15:01:06 UTC 2014 

Petr Spacek wrote:
> On 28.2.2014 15:25, Nathaniel McCallum wrote:
>> On Fri, 2014-02-28 at 10:47 +0100, Petr Vobornik wrote:
>>> On 28.2.2014 04:02, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Thu, 27 Feb 2014, Nathaniel McCallum wrote:
>>>>>> So the recent discussion on importing tokens led me to write a
>>>>>> script to
>>>>>> parse RFC 6030 xml files into IPA token data. This all works well.
>>>>>> But
>>>>>> now I need to integrate it into the IPA framework.
>>>>>>
>>>>>> This command will parse one or more xml files, creating a set of
>>>>>> tokens
>>>>>> to be added. Given that we already have otptoken-add on the
>>>>>> server-side,
>>>>>> it seems to me that all work needs to be done on the client-side.
>>>>>> How do
>>>>>> I create a new client-side command that calls existing server-side
>>>>>> API?
>>>>> subclass from frontend.Local, override run() or forward() method and
>>>>> perform batch
>>>>> operation of otptoken_add from there.
>>>>>
>>>>> See cli.help, for example.
>>>>
>>>> If you do an override, do forward() for cli-specific work.
>>>>
>>>> But you should do as little as possible for reasons you already stated:
>>>> the UI. Anything you do in forward Petr will need to implement in
>>>> the UI.
>>>>
>>>> Unfortunately we don't yet have a nice way to handle files. We have
>>>> tickets open at https://fedorahosted.org/freeipa/ticket/1225 and
>>>> https://fedorahosted.org/freeipa/ticket/2933
>>>>
>>>> If this file is something that would be pasted into a big text field
>>>> then you can probably handle it in a similarly clumsy way that we do
>>>> CSRs in the cert plugin.
>>>>
>>>> rob
>>>
>>> +1 for parsing it on server. Otherwise every client, not just CLI or Web
>>> UI, would have to reimplement the same logic - having it on server will
>>> support better integration with third party products.
>>>
>>> Parsing on client would be understandable if there was some middle step
>>> which would require some action from user, i.e, pick only some tokens to
>>> import.
>>
>> If we parse on the server side, how do we handle the long-running
>> operation? Think of the case of importing hundreds or thousands of
>> tokens...
>
> My experience is that operation on server side can run for (at least)
> few minutes without a problem. I haven't try longer periods but we can
> check that.

It can run for hours. Migration performance in IPA used to be rather 
pitiful and migrating several thousand users could easily take 5+ hours. 
IIRC sometimes the client would time out but the server side would still 
complete, you just got no feedback.

rob

More information about the Freeipa-devel mailing list