[Freeipa-devel] [PATCH] 0133 Use standard_list_of_entries for trust-resolve

Martin Kosek mkosek at redhat.com
Wed Jan 15 20:01:49 UTC 2014


----- Original Message -----
> From: "Alexander Bokovoy" <abokovoy at redhat.com>
> To: "Sumit Bose" <sbose at redhat.com>
> Cc: freeipa-devel at redhat.com
> Sent: Wednesday, January 15, 2014 7:00:57 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0133 Use standard_list_of_entries for trust-resolve
> 
> On Wed, 15 Jan 2014, Sumit Bose wrote:
> >On Wed, Jan 15, 2014 at 07:24:00PM +0200, Alexander Bokovoy wrote:
> >> On Wed, 15 Jan 2014, Alexander Bokovoy wrote:
> >> >Hi!
> >> >
> >> >When looking into https://fedorahosted.org/freeipa/ticket/4113, I
> >> >decided to use output.standard_list_of_entries instead of a locally
> >> >defined list of entries. This solves the problem with the wrong exit code in
> >> >the CLI when a non-resolvable SID is given, but only for a single SID. If
> >> >multiple SIDs are specified and some of them were not resolved, the exit code
> >> >will still be 0 (success) but the truncated flag will be set. This
> >> >corresponds to the framework behavior in other cases.
> >> Thanks to Sumit, here is the updated patch because I forgot to run makeapi
> >> ;(
> >>
> >> :)
> >
> >Currently I see:
> >
> >[sbose at ipa18-devel freeipa]$ ipa trust-resolve --sids sdfasdf
> >-------------------------------
> >Resolved 0 security identifiers
> >-------------------------------
> >----------------------------
> >Number of entries returned 0
> >----------------------------
> >[sbose at ipa18-devel freeipa]$ echo $?
> >1
> >
> >Would it be possible to return only one of the summaries to the user?
> >Otherwise the patch works as expected and the output is better than the
> >empty one before.
> Maybe invert the summary and tell how many security identifiers were not
> resolved?

I am personally not convinced this is the right way to fix #4113, for several reasons:

1) The output modification will most probably break FreeIPA 3.2.x or FreeIPA 3.3.x clients who expect different output (the command was introduced in https://fedorahosted.org/freeipa/ticket/3302).

2) I do not think this output is really giving a better experience for users. When I get 0 results, does it mean that the SID is wrong? Or is it correct but nonexistent in AD? Or is it correct, existent in AD, but SSSD is broken?

Instead of checking $?, I would rather expect appropriate errors to be returned - errors.NotFound, errors.ValidationError. Maybe we should return entries for all SIDs but instead of filling sid, name and type for each entry, we would fill "sid" and "error" with appropriate error. Would that help?

Martin
