[Freeipa-devel] [PATCH] - Add DRM to IPA

Petr Viktorin pviktori at redhat.com
Thu Jul 17 19:08:02 UTC 2014 

On 07/16/2014 02:55 PM, Petr Viktorin wrote:
> On 07/14/2014 11:45 AM, Ade Lee wrote:
>> Hi all,
>>
>> I have rebased all the previous patches against master, and have
>> squashed them all into a single patch.
>> Its a large patch, but as many folks have already reviewed the
>> constituent precursor patches, most if it
>> should be familiar and easier to review.
>
> I think it would be nice to have the fixes that aren't related to DRM
> (e.g. style issues) separate, so the patch can be reverted easily. But,
> what's done is done. Thanks for the cleanup!
>
>> The main difference with what was specified before is that the DRM
>> database is installed as a subtree
>> to o=ipaca.  This means that no new replication agreements will be
>> needed to replicate DRM data.
>> Replication agreements set up for the Dogtag CA will automatically
>> replicate DRM data.
>>
>> In order for this patch to work, a new 10.2 build of Dogtag 10.2 is
>> needed - with specific changes to
>> allow the ability to install a database as a subtree of an existing
>> tree.  At this time, these
>> changes have not yet been checked into the dogtag source.   You can
>> obtain such a build from:
>>
>> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
>>
>> Please review,
>
>
> I've started reading the code; here are my thoughts on the first part:
>
> In ipa-ca-install and ipa-replica-install, you only ever set
> "REPLICA_INFO_TOP_DIR" to None. In Python, "global" has module scope,
> it's not for the entire process. (And it's bad practice anyway.)
> You'll need to pass it around explicitly, perhaps store it in
> ReplicaConfig.
>
> It would be nice to use the admintool framework for the new script,
> instead of copying the old boilerplate code again. See e.g.
> ipa-server-certinstall for an example.
>
> Logging functions interpolate their arguments, so you should use e.g.
>      root_logger.critical("failed to configure %s instance %s",
> subsystem, e)
> instead of using the % operator.

Also, in e.g.
     root_logger.debug(
         'Unable to determine PIN for the Dogtag instance: %s' % str(e))
the "s" in "%s" means "convert to string", so explicit str() isn't 
necessary.

> installutils.create_replica_config: Any time you call sys.exit(), please
> log a message so we know why the log file ends.
>
> In ipa-drm-install, why do you read /etc/ipa/default.conf manually? The
> information is available in api.env once api is finalized.
>
> In ipa-server-install, do we want to display the message about backing
> up /root/drmcert.p12 even if DRM is not installed?
>
> Please use path constants from ipaplatform.base.paths, or add new ones
> if necessary, instead of DogtagInstance.{AGENT_P12_PATH,AGENT_P12_PATH}.
> In ipa-upgradeconfig, you hardcoded '/etc/named.keytab'. Please change
> that back to paths.NAMED_KEYTAB.
> Same in CAInstance.uninstall with "/usr/bin/pkiremove".
>
> In ipa-upgradeconfig.find_subject_base, the docstring should mention to
> DsInstance.find_subject_base's docstring rather than being a copy; we
> dont' want them getting out of sync.
>
> In DsInstance.find_subject_base, don't use a bare `except:`, at least do
> `except Exception:`, so you don't e.g. disable Ctrl+C.
>
> In CADSInstance.uninstall, you don't need the _running and _user_exists
> variables at all, just call the functions.
> Same in CAInstance.__create_ra_agent_db for _stdout, _stderr, _returncode.
> Same in CAInstance.uninstall for _user_exists.
>
> In DogtagInstance, stop_tracking_certificates was moved here from
> cainstance, but it no longer stops tracking ipaCert in HTTPD_ALIAS_DIR.
> Is that intended?
>
> In CAInstance.__init__, when calling DogtagInstance.__init__, consider
> using super, and naming the arguments for clarity:
>      super(CAInstance, self).__init__(
>          realm=realm,
>          subsystem="CA",
>          service_desc="certificate server",
>          dogtag_constants=dogtag_constants,
>      )
Same in DogtagInstance, DRMInstance.

> Since CAInstance inherits from DogtagInstance, the `enable`,
> `start_instance`, `stop_instance`, `http_proxy` methods that just call
> the superclass are unnecessary.
> IMO the comment from CAInstance.__enable was important, it should be in
> DogtagInstance.enable.
>
> In DogtagInstance.spawn_instance, it's not nice to modify lists the
> caller pased in. Take a copy of the nolog first. Ideally combine that
> with the conversion to tuple, and allow any sequence to be passed in:
>      nolog_list = tuple(nolog_list) + (self.admin_password,
> self.dm_password)
>
> In CAInstance.__create_ca_user, it's better to use functions instead of
> staticmethods, unless you'll want to override them in subclasses (which
> you're explicitly discouraging here, by using the double underscore).
> Anyway I don't get why you want these to be staticmethods.
>

dogtaginstance.py, drminstance.py: Avoid star imports, especially in new 
code. AFAICS you're only using root_logger from ipapython.ipa_log_manager.
Also consider using an class-specific logger:
     class DogtagInstance(...):
         def __init__(...):
             ...
             self.log = ipa_log_manager.log_mgr.get_logger(self)

         later:
             self.log.error("Unable to determine PIN for the Dogtag 
instance:", e)

About the "# noinspection PyBroadException" comments -- we already use 
pylint, I don't think we want instructions for other linters in the code.

In DogtagInstance.get_admin_cert:
     admin_cert = entry_attrs.get('usercertificate')[0]
This relies on the order of values returned by LDAP. If the choice of 
certificate doesn't matter here, leave a comment.

drminstance.py: Please remove the `if __name__ == '__main__':` section 
at the end. If this needs to be tested, provide a real test; if it's 
example usage put it in the docs/docstring; if it's a personal tool just 
keep it to yourself.

In DRMInstance.__init__, the docstring is wrong; __init__ doesn't return 
anything.

In dogtag.py, this change breaks the formatting:
> -    |staus                    |string         |cert_request_status|unicode [1]_     |
> +    |status                    |string         |cert_request_status|unicode [1]_     |

In drm.__init__, use `os.path.join(api.env.dot_ipa, 'alias')` instead of 
joining manually. There are also hardcoded paths, put them in the 
platform paths module.

-- 
Petr³

More information about the Freeipa-devel mailing list