[Freeipa-devel] [PATCH] 0133 Use standard_list_of_entries for trust-resolve

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 15 20:27:33 UTC 2014


On Wed, 15 Jan 2014, Martin Kosek wrote:
>----- Original Message -----
>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>> To: "Sumit Bose" <sbose at redhat.com>
>> Cc: freeipa-devel at redhat.com
>> Sent: Wednesday, January 15, 2014 7:00:57 PM
>> Subject: Re: [Freeipa-devel] [PATCH] 0133 Use standard_list_of_entries for trust-resolve
>>
>> On Wed, 15 Jan 2014, Sumit Bose wrote:
>> >On Wed, Jan 15, 2014 at 07:24:00PM +0200, Alexander Bokovoy wrote:
>> >> On Wed, 15 Jan 2014, Alexander Bokovoy wrote:
>> >> >Hi!
>> >> >
>> >> >When looking into https://fedorahosted.org/freeipa/ticket/4113, I
>> >> >decided to use output.standard_list_of_entries instead of a locally
>> >> >defined list of entries. This solves the problem with wrong exit code in
>> >> >CLI when non-resolvable SID is given, but only for a single SID. If
>> >> >multiple SIDs are specified and some of them were not resolved, the exit code
>> >> >will still be 0 (success) but truncated flag will be set. This
>> >> >corresponds to the framework behavior in other cases.
>> >> Thanks to Sumit, here is updated patch because I forgot to run makeapi
>> >> ;(
>> >>
>> >> :)
>> >
>> >Currently I see:
>> >
>> >[sbose at ipa18-devel freeipa]$ ipa trust-resolve --sids sdfasdf
>> >-------------------------------
>> >Resolved 0 security identifiers
>> >-------------------------------
>> >----------------------------
>> >Number of entries returned 0
>> >----------------------------
>> >[sbose at ipa18-devel freeipa]$ echo $?
>> >1
>> >
>> >Would it be possible to return only one of the summaries to the user?
>> >Otherwise the patch works as expected and the output is better than the
>> >empty one before.
>> Maybe invert the summary and tell how many security identifiers were not
>> resolved?
>
>I am personally not convinced this is the right way to fix #4113, for
>several reasons:
>
>1) The output modification will most probably break FreeIPA 3.2.x or
>FreeIPA 3.3.x clients who expect different output (the command was
>introduced in https://fedorahosted.org/freeipa/ticket/3302).
This command is only used within Web UI. It is not supposed to be used
by CLI for anything, it was marked for CLI only for some QE request at
the time we still had issues with SID resolution in sssd. I'd rather
mark it NO_CLI=True because it is really a tool for Web UI asynchronous
resolution of SIDs to names for external members of groups.

>2) I do not think this output is really giving better experience for
>users. When I get 0 results, does it mean that SID is wrong? Or it is
>correct but not existent in AD? Or is it correct, existent in AD but
>SSSD is broken?
>Instead of checking $?, I would rather expect appropriate errors to be
>returned - errors.NotFound, errors.ValidationError. Maybe we should
>return entries for all SIDs but instead of filling sid, name and type
>for each entry, we would fill "sid" and "error" with appropriate error.
>Would that help?
This will be overkill for Web UI where it is really not needed. All we
need is a list of resolved SIDs as names. Missing name will simply leave
SID in the UI.

-- 
/ Alexander Bokovoy



