[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Martin Kosek mkosek at redhat.com
Wed Mar 12 11:25:13 UTC 2014


On 03/12/2014 12:02 PM, Petr Viktorin wrote:
> On 03/10/2014 08:55 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>> Updated patch based on feedback from Foreman team. I added a new URI,
>>>>> /features, which Foreman uses to determine what capabilities a proxy
>>>>> has.
>>>>>
>>>>> rob
>>>>
>>>> On my VMs, where the first request is handled properly but the server
>>>> hangs on the second one. I gave you access to the machines for
>>>> investigation.
>>>
>>> Sent you something out-of-band but in short, I wasn't able to reproduce
>>> on your reproducing VMs :-( Ping me tomorrow and we'll try it together.
> 
> It ended up a combination of my mistake and a bug in GSSProxy. At least you
> found the bug. https://fedorahosted.org/gss-proxy/ticket/121
> 
>>>> Please add the Python libraries (python-cherrypy, python-requests,
>>>> python-kerberos) to BuildRequires. Otherwise the build fails due to
>>>> pylint errors.
>>>
>>> Fixed.
>>>
>>>>
>>>> In the man page:
>>>>
>>>>> +Create a host or user whose credentials will be used by the server to
>>>>> make requests and add it to the role:
>>>>> +
>>>>> + $ ipa user\-add \-\-first=Smartproxy \-\-last=Serversmartproxy
>>>>> + $ ipa role\-add\-member \-\-users=smartproxy 'Smartproxy management'
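Review bot: On the 'ipa user-add' line, '--last=Serversmartproxy' runs the last name and the login together, so no login is passed and the user that gets created will not be the 'smartproxy' that the following 'ipa role-add-member --users=smartproxy' line refers to. Separate the two, or put the login first as in 'ipa user-add smartproxy --first=Smartproxy --last=Server', so the two commands in the example agree.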
>>>>
>>>> the first command should be
>>>>      ipa user-add smartproxy --first=Smartproxy --last=Serversmartproxy
>>>> since by default the username is 'sserversmartproxy'.
>>>
>>> The problem was a missing space before smartproxy. I have the login name
>>> last in this example. Fixed.
>>>
>>>>
>>>> A nitpick regarding the systemd service: according to [0], Type=forking
>>>> should be avoided. Is there a reason against setting Type=simple, and
>>>> removing the PID file?
>>>
>>> Because I wasn't able to get this working with cherrypy daemon mode.
>>> AFAICT it forks itself and systemd wouldn't end up with the right pid so
>>> can't stop the service.
>>
>> And now the updated patch. The changes are super-minor.
>>
>> rob
>>
> 
> One last nitpick: the IPAErrors get encoded as JSON but the Content-Encoding is
> set to text/html. It's a one-line change so I went ahead and tested with it.
> ACK from me if you agree.
> 
> I spoke to Martin and he's still not satisfied with needing the COPR repo on
> f20. I think we can live with it though.
> 

Yes, he is not. I still think it is very inconvenient to unconditionally force
everyone to import some COPR repo on all machines where he wants to build and
use FreeIPA even though they do not need freeipa-server-smartproxy at all.

Here is an idea - add a conditional switch to freeipa.spec similar to
CLIENT_ONLY which would control building the smartproxy and make it off by
default. It would be only turned on for our F21 builds in the future.

This is something I could live with.

Martin



