[Freeipa-devel] Client-side command in the IPA framework

Fri Feb 28 15:15:36 UTC 2014

On Fri, 28 Feb 2014, Nathaniel McCallum wrote:
>On Fri, 2014-02-28 at 16:43 +0200, Alexander Bokovoy wrote:
>> On Fri, 28 Feb 2014, Nathaniel McCallum wrote:
>> >On Fri, 2014-02-28 at 10:47 +0100, Petr Vobornik wrote:
>> >> On 28.2.2014 04:02, Rob Crittenden wrote:
>> >> > Alexander Bokovoy wrote:
>> >> >> On Thu, 27 Feb 2014, Nathaniel McCallum wrote:
>> >> >>> So the recent discussion on importing tokens led me to write a script to
>> >> >>> parse RFC 6030 xml files into IPA token data. This all works well. But
>> >> >>> now I need to integrate it into the IPA framework.
>> >> >>>
>> >> >>> This command will parse one or more xml files, creating a set of tokens
>> >> >>> to be added. Given that we already have otptoken-add on the server-side,
>> >> >>> it seems to me that all work needs to be done on the client-side. How do
>> >> >>> I create a new client-side command that calls existing server-side API?
>> >> >> subclass from frontend.Local, override run() or forward() method and
>> >> >> perform batch
>> >> >> operation of otptoken_add from there.
>> >> >>
>> >> >> See cli.help, for example.
>> >> >
>> >> > If you do an override, do forward() for cli-specific work.
>> >> >
>> >> > But you should do as little as possible for reasons you already stated:
>> >> > the UI. Anything you do in forward Petr will need to implement in the UI.
>> >> >
>> >> > Unfortunately we don't yet have a nice way to handle files. We have
>> >> > tickets open at https://fedorahosted.org/freeipa/ticket/1225 and
>> >> > https://fedorahosted.org/freeipa/ticket/2933
>> >> >
>> >> > If this file is something that would be pasted into a big text field
>> >> > then you can probably handle it in a similarly clumsy way that we do
>> >> > CSRs in the cert plugin.
>> >> >
>> >> > rob
>> >>
>> >> +1 for parsing it on server. Otherwise every client, not just CLI or Web
>> >> UI, would have to reimplement the same logic - having it on server will
>> >> support better integration with third party products.
>> >>
>> >> Parsing on client would be understandable if there was some middle step
>> >> which would require some action from user, i.e, pick only some tokens to
>> >> import.
>> >
>> >If we parse on the server side, how do we handle the long-running
>> >operation? Think of the case of importing hundreds or thousands of
>> >tokens...
>> Why then to do it as a IPA CLI command at all?
>> This is an administrative task which can be done with a separate
>> ipa-otp-import command, designated to run on IPA masters.
>
>Agreed.
>
>1. Is there a framework for this? Or should it just be an independent
>script?
We don't really have a framework for administrative tools. You may start
with install/tools/ipa-adtrust-install, it is main part is relatively
independent of the task (which is in ipaserver/install/adtrustinstance.py)

>2. How can I use the ipalib API? Specifically, I'd like to call
>otptoken-add and pass the --key parameter with a value (not possible
>from the command line).
Look in ipa-adtrust-install's main():

     # Initialize the ipalib api
     cfg = dict(
                in_server=True,
                debug=options.debug,
               )
     api.bootstrap(**cfg)
     api.finalize()
.......
     try:
         ctx = krbV.default_context()
         ccache = ctx.default_ccache()
         principal = ccache.principal()
     except krbV.Krb5Error, e:
         sys.exit("Must have Kerberos credentials to setup AD trusts on server")

     try:
         api.Backend.ldap2.connect(ccache)
     except errors.ACIError, e:
         sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
     except errors.DatabaseError, e:
         sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")

     try:
         user = api.Command.user_show(unicode(principal[0]))['result']
         group = api.Command.group_show(u'admins')['result']
         if not (user['uid'][0] in group['member_user'] and
                 group['cn'][0] in user['memberof_group']):
             raise errors.RequirementError(name='admins group membership')
     except errors.RequirementError, e:
         sys.exit("Must have administrative privileges to setup AD trusts on server")
     except Exception, e:
         sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))

and so on.
-- 
/ Alexander Bokovoy