From lslebodn at redhat.com Wed Apr 1 06:34:29 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 1 Apr 2015 08:34:29 +0200
Subject: [Freeipa-devel] [RFC] COPR drop support for old distribution
Message-ID: <20150401063428.GA30096@mail.corp.redhat.com>

ehlo,

CentOS 7.1 was finally released[1]. Yupi.
Fedora 21 was released[2] a few months ago.
People can use FreeIPA 4.1 without any problem.

So there's no more reason to maintain COPR repositories for older
distributions. It will significantly reduce extra dependencies in
repositories.

It would be better to focus on backporting FreeIPA 4.2 in COPR.
I know it has not been released yet.

LS

[1] http://lists.centos.org/pipermail/centos-announce/2015-April/021010.html
[2] https://fedoraproject.org/wiki/Releases/21/Schedule
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 09:06:57 +0200
Subject: [Freeipa-devel] [QE] Test categorization into tiers and acceptance testing - tagging proposals
In-Reply-To: <1427806072.2800.36.camel@redhat.com>
References: <1427806072.2800.36.camel@redhat.com>
Message-ID: <551B9911.3060201@redhat.com>

On 03/31/2015 02:47 PM, Martin Koci wrote:
> Hi all,
> I'd like to open a discussion on test categorization into tiers and
> acceptance testing, respectively test tagging, which should help us to
> accomplish the following goals:
>
> 1) Acceptance test - other FreeIPA partner projects (389/DS/PKI) should
> be able to have an "Acceptance test" that would run a basic *stable* test
> suite that would check if anything significant broke. It should be fast
> enough so that the projects can run it in a Jenkins CI after commits.
>
> If we also have tags @dogtag or @sssd, the projects could simply run
> just the tests affecting the projects -> faster execution.
>
> 2) FreeIPA test run optimization. Currently, all FreeIPA tests are
> run when a new commit is pushed. This takes a lot of resources. It would
> be nice to at least be able to NOT run Tier 2 tests if Tier 1 tests are
> failing. Or it would be nice to not run some very expensive tests after
> each commit, but maybe once per day/week.
>
> *TIERS*
> So after discussions with a couple of developers and QEs we have created
> and summarized the following proposal for sorting current IPA tests into
> tiers.
>
> Currently used tests reside in freeipa/ipatests. From these the only
> unit tests (tier 0 candidates) are test_{ipalib,ipapython}, with the
> exception of test_ipalib/test_rpc.py which requires Kerberos.
>
> The rest of the tests either require ipa/lite-server or are
> integration tests. The rest of the tests (majority XML-RPC, UI
> tests, ...) then fall under the definition of Tier 1 tests, as they
> require at least a running IPA instance and an admin TGT.
>
> As for the tagging of the test cases, pytest's capabilities can be used
> [2]. Though pytest.mark currently does not work with declarative tests
> (it marks all of them), when the test is an ordinary function/method the
> marking works as expected. The declarative tests could be rewritten in
> the future to a more pytest-specific form, e.g.
> test_xmlrpc/test_host_plugin.py
>
> An official guideline for this categorization will be created on the
> upstream wiki once we agree on that.
>
>
> *ACCEPTANCE TESTING*
> As for the acceptance testing, similar to the `Test categorization into
> tiers` (1) proposal, there is a need to define a subset of freeipa tests
> that could be run by other projects or users to find out whether or not
> their changes (e.g. new build, feature) work with IPA.
>
> This run could be composed of tier {0,1} execution followed by a
> subset of integration test cases. The proposed mechanism for this
> is the same as in [4], using pytest.mark to select the classes/tests to
> run in this context.
>
> What I'd like to ask you here is to share any ideas on the form of the
> acceptance run as well as to help me identify the areas (and tests) that
> are considered important and should be a part of this test set.
>
> *TAGGING*
> Tagging the actual test classes with a pytest decorator
> (http://pytest.org/latest/mark.html) would be better than letting
> developers manually maintain lists of tests for different projects. The
> benefit of a pytest mark kept in the code is that whatever we do with the
> test class (rename, move, merge), the tag goes with it; no extra list
> needs to be maintained.
>
> As for tagging itself, the original idea which Martin Kosek was
> proposing was to use just the "acceptance" tag for marking the base T2
> tests that would be part of FreeIPA acceptance tests.
>
> However, it seems there is value in tagging the tests that exercise
> also a certain sub-component of FreeIPA - SSSD, Dogtag.
> As long as we do
> not get too wild with the tags, it should be OK.
>
> So we could agree on the following tags:
> - tier0, tier1, tier2
> - acceptance
> - sssd
> - dogtag
>
> This would lead to e.g.
>
> @pytest.mark.dogtag
> @pytest.mark.acceptance
> @pytest.mark.tier2
> class TestExternalCA(IntegrationTest):
> ...
>
> or simpler
>
> @dogtag
> @acceptance
> @tier2
> class TestExternalCA(IntegrationTest):
>
> Hope it's not too long and that it makes sense.

It makes a lot of sense to me (it should, since I contributed to this proposal too). So I will be looking forward to other developers' thoughts on this. If there are no objections, we could start with the actual patches and have them properly reviewed.

> Can I get your thoughts on this, please?
> Thank you.
>
> Regards,
> /koca
>
> *[1] - https://fedorahosted.org/freeipa/ticket/4922
> *[2] - http://pytest.org/latest/mark.html

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 01 Apr 2015 15:01:45 +0200
Subject: [Freeipa-devel] [PATCH] webui: use no_members option in entity select search
In-Reply-To: <551AAC38.3070507@redhat.com>
References: <551AAC38.3070507@redhat.com>
Message-ID: <551BEC39.9060003@redhat.com>

On 03/31/2015 04:16 PM, Petr Vobornik wrote:
> Obtaining member information for entity selects is not needed and it
> causes an unwanted performance hit, especially with larger groups.
>
> This patch removes it.
>
> https://fedorahosted.org/freeipa/ticket/4948
>

Works as expected and the speedup is substantial (ca 10x faster lookup of default group in user group rules for 16 groups with 100 members each). ACK.

--
Martin^3 Babinsky
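As an added illustration of the tagging proposal in the thread above (example code, not FreeIPA's own conftest.py), here is a conftest.py that registers the proposed tier and component markers and lets a CI job cap the tier it collects, which is the mechanism behind "do not run Tier 2 tests if Tier 1 tests are failing". The option names --max-tier and --strict-tiers and the helper names tier_of and keep_item are this example's own assumptions, not pytest or FreeIPA names; the hooks themselves (pytest_addoption, pytest_configure, pytest_collection_modifyitems) are standard pytest hooks.

```python
"""Added example (not FreeIPA's conftest.py): register the proposed tier and
component markers and let a CI job cap the tier it collects. The option names
--max-tier/--strict-tiers and the helpers tier_of/keep_item are assumptions of
this example, not pytest or FreeIPA names."""

TIER_MARKERS = ("tier0", "tier1", "tier2")
COMPONENT_MARKERS = ("acceptance", "sssd", "dogtag")


def tier_of(marker_names):
    """Tier number of a test from its marker names, or None if it has no tier tag.

    Marks on a class and on a method both reach the test item; the lowest tier
    wins, so a tier0 method inside a tier1 class still runs in the cheapest job.
    """
    tiers = [int(name[len("tier"):]) for name in marker_names if name in TIER_MARKERS]
    return min(tiers) if tiers else None


def keep_item(marker_names, max_tier, strict):
    """Collect a test only if its tier is <= max_tier.

    Untagged tests are kept unless strict is set; strict is the switch to flip
    once every test has been categorized, so a forgotten tag cannot sneak an
    expensive test into the fast job.
    """
    tier = tier_of(marker_names)
    if tier is None:
        return not strict
    return tier <= max_tier


def pytest_addoption(parser):
    parser.addoption("--max-tier", type=int, default=None,
                     help="collect only tests tagged tierN with N <= this value")
    parser.addoption("--strict-tiers", action="store_true", default=False,
                     help="with --max-tier, also drop tests that carry no tier tag")


def pytest_configure(config):
    # Registered markers let `pytest --strict-markers` reject a misspelled tag
    # instead of silently running that test in every job.
    for name in TIER_MARKERS:
        config.addinivalue_line("markers", "%s: test belongs to %s" % (name, name))
    for name in COMPONENT_MARKERS:
        config.addinivalue_line("markers", "%s: test exercises the %s area" % (name, name))


def pytest_collection_modifyitems(config, items):
    max_tier = config.getoption("--max-tier")
    if max_tier is None:
        return
    strict = config.getoption("--strict-tiers")
    kept, dropped = [], []
    for item in items:
        names = {marker.name for marker in item.iter_markers()}
        (kept if keep_item(names, max_tier, strict) else dropped).append(item)
    if dropped:
        # Report deselection the way -m/-k do, then hand pytest the reduced list.
        config.hook.pytest_deselected(items=dropped)
        items[:] = kept
```

With this in place the tier-1 gate becomes `pytest --max-tier 1`, and a partner project's acceptance run `pytest --max-tier 1 -m acceptance` or `-m "acceptance and dogtag"`; the tier cap and the -m expression compose, so an acceptance-tagged tier2 class stays out of the fast job. Running with --strict-markers turns a misspelled tag into a collection error rather than a test that quietly runs everywhere.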
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 1 Apr 2015 15:35:09 +0200
Subject: [Freeipa-devel] One-way trust design
In-Reply-To: <20150223160253.GX25455@redhat.com>
References: <20150223160253.GX25455@redhat.com>
Message-ID: <20150401133509.GA3668@hendrix.redhat.com>

Thank you, the design page reads well to me. I had a short chat with Alexander where we cleared up some confusion.

On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
> == New design ==
> In order to support one-way trust to Active Directory, we need to switch
> SSSD in IPA master mode to use TDO credentials when resolving AD users
> and groups. This is a high level description of the design, and the majority
> of work to allow the switch will be done by the SSSD team. The corresponding
> ticket tracker on the SSSD side is
> [https://fedorahosted.org/sssd/ticket/2579 ticket 2579]; the text below
> is an overview of the design.
>
> On each IPA master SSSD runs in "IPA master mode". This mode means that
> in case of an existing trust to an AD forest, SSSD will directly resolve AD
> users and groups against Active Directory Domain Controllers. To perform
> user/group resolution, SSSD needs to authenticate against AD LDAP
> servers and it does so using Kerberos authentication based on a
> host/ipa.master@IPA.REALM service ticket. The ticket towards AD LDAP
> services is issued by the FreeIPA KDC with the help of cross-realm trust
> credentials.
>
> For one-way trust SSSD cannot use this approach because Active Directory
> Domain Controllers do not trust the FreeIPA realm and, therefore, no
> cross-realm trust credentials exist in AD for the FreeIPA realm. However,
> SSSD can use the TDO object which always exists in AD for the trusting
> domain (cross-forest trust is done by forest root domains' trust). This
> means the ticket SSSD would need to request belongs to a different realm
> (AD forest root realm) rather than to the FreeIPA realm.
>
> As FreeIPA supports multiple trusts to separate Active Directory
> forests, support for multiple separate tickets is required. SSSD will
> need to gain the ability to use different credential caches to store TDO
> tickets and use different keytabs with TDO credentials to obtain the
> ticket from Active Directory Domain Controllers.
>
> In order to separate privileged access, FreeIPA masters have to provide
> keytabs for SSSD running on IPA masters, one keytab per trusted AD
> forest, so that SSSD could request the keys when required.

I will experiment with retrieving keytabs manually for now to simulate this part, then I'll write up a more detailed design on how to handle the one-way trusts.

>
> Additionally, the FreeIPA management framework will need to change its
> defaults from producing a two-way trust to a one-way trust. Two-way
> trust will be added back when support for the Global Catalog service is
> added so that Active Directory resources could be properly accessed and
> access to them discretionally granted to FreeIPA users and groups.

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 01 Apr 2015 17:07:43 +0200
Subject: [Freeipa-devel] [PATCH 0026] ipa-server-install: deprecate manual setting of master KDC password
Message-ID: <551C09BF.5050107@redhat.com>

https://fedorahosted.org/freeipa/ticket/4516

--
Martin^3 Babinsky

Attachment: freeipa-mbabinsk-0026-1-ipa-server-install-deprecate-manual-setting-of-maste.patch (text/x-patch, 3255 bytes)
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 01 Apr 2015 17:16:57 +0200
Subject: [Freeipa-devel] [PATCH 0223] Fix ldap2 do not create shared instance by default
Message-ID: <551C0BE9.10000@redhat.com>

Since API is not a singleton anymore, the ldap2 instance should not be shared between all APIs.

Patch attached.

--
Martin Basti

Attachment: freeipa-mbasti-0223-Fix-ldap2-shared-instance.patch (text/x-patch, 4045 bytes)
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 01 Apr 2015 17:22:03 +0200
Subject: [Freeipa-devel] [PATCHES 0213 - 0221] Server Upgrade: LDAPI, Update plugins
In-Reply-To: <551145BB.3090909@redhat.com>
References: <55102781.5060809@redhat.com> <551126AF.3040207@redhat.com> <551145BB.3090909@redhat.com>
Message-ID: <551C0D1B.4@redhat.com>

On 24/03/15 12:08, Martin Basti wrote:
> On 24/03/15 09:56, Martin Basti wrote:
>> On 23/03/15 15:47, Martin Basti wrote:
>>> Hello,
>>>
>>> The patches:
>>> * allow specifying the order of update plugins in update files.
>>> * require ipa-ldap-updater to use LDAPI
>>>
>>> patches attached
>>>
>> Rebased patches attached.
>>
>> --
>> Martin Basti
>>
> I accidentally merged two patches into one in the previous rebase.
>
> So properly rebased patches attached.
>
> --
> Martin Basti
>

Patch 221 updated: use option to require root user

Requires patch mbasti-223 to work with replica install

Patches attached

--
Martin Basti

Attachments:
- freeipa-mbasti-0213.4-Server-Upgrade-use-only-LDAPI-connection.patch (text/x-patch, 5558 bytes)
- freeipa-mbasti-0214.4-Server-Upgrade-remove-unused-code-in-upgrade.patch (text/x-patch, 2422 bytes)
- freeipa-mbasti-0215.4-Server-Upgrade-Apply-plugin-updates-immediately.patch (text/x-patch, 27197 bytes)
- freeipa-mbasti-0216.4-Server-Upgrade-specify-order-of-plugins-in-update-fi.patch (text/x-patch, 48340 bytes)
- freeipa-mbasti-0217.4-Server-Upgrade-plugins-should-use-ldapupdater-API-in.patch (text/x-patch, 14855 bytes)
- freeipa-mbasti-0218.4-Server-Upgrade-Handle-connection-better-in-updates_f.patch (text/x-patch, 1072 bytes)
- freeipa-mbasti-0219.4-Server-Upgrade-use-ldap2-connection-in-fix_replica_a.patch (text/x-patch, 1334 bytes)
- freeipa-mbasti-0220.4-Server-Upgrade-restart-DS-using-ipaplatfom-service.patch (text/x-patch, 3730 bytes)
- freeipa-mbasti-0221.4-Server-Upgrade-only-root-can-run-updates.patch (text/x-patch, 2946 bytes)
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 01 Apr 2015 17:40:25 +0200
Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior
Message-ID: <551C1169.9060906@redhat.com>

Hello,

In user life cycle, Active entries are moved to the Delete container and Delete entries can be moved back to the Staging container. This requires an LDAP modrdn with new superior that is not supported in ldap2.

thanks
thierry

Attachment: freeipa-tbordaz-0004-User-life-cycle-allows-MODRDN-from-ldap2.patch (text/x-patch, 2414 bytes)

From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Apr 2015 17:48:46 +0200
Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation
In-Reply-To: <551A72DB.3020105@redhat.com>
References: <551A72DB.3020105@redhat.com>
Message-ID: <551C135E.1000106@redhat.com>

On 31.3.2015 12:11, Petr Vobornik wrote:
> The major change is that DN is no longer internally composed of RDNs and AVAs
> but it rather keeps the data in open ldap format - the same as output of
> str2dn function. Therefore, for immutable DNs, no other transformations are
> required on instantiation.

Note: I guess that this is a python-ldap format rather than OpenLDAP format. It would be handy to fix commands for further generations to save them some banging with their heads against a wall of confusion.

--
Petr^2 Spacek
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 09:47:33 +0200
Subject: [Freeipa-devel] [PATCH] 809 speed up convert_attribute_members
In-Reply-To: <551A72CE.2070403@redhat.com>
References: <551A72CE.2070403@redhat.com>
Message-ID: <551CF415.3070100@redhat.com>

Hi,

Dne 31.3.2015 v 12:11 Petr Vobornik napsal(a):
> A workaround to avoid usage of slow LDAPEntry._sync_attr #4946.
>
> I originally wanted to avoid DN processing as well but we can't do that
> because of DNs which are encoded - e.g. contain '+' or ','. Therefore
> patch 811 - faster DN implementation is very useful. Also patch 809 is
> useful to avoid high load of 389.
>
> https://fedorahosted.org/freeipa/ticket/4965

1)

+        dn = container_dns.get(ldap_obj_name, None)
+        if not dn:
+            ldap_obj = self.api.Object[ldap_obj_name]
+            dn = DN(ldap_obj.container_dn, api.env.basedn)
+            container_dns[ldap_obj_name] = dn
+        return dn

a) The second argument of .get() is None by default

b) "not dn" matches None as well as empty DNs, use "dn is not None" (it's not that there could be empty DNs here, but let's not give a potential reader the wrong idea)

c) It would be better to catch KeyError rather than call .get() and check the result:

    try:
        dn = container_dns[ldap_obj_name]
    except KeyError:
        dn = ...
        container_dns[ldap_obj_name] = dn

2) Does get_new_attr() actually provide any speed up? Unless I'm missing something, it just mirrors the virtual member attributes already readily available from entry_attrs in new_attrs.

3) get_container_dn() and get_new_attr() do not need to be functions, since each is called just from a single spot.

4) "memberdn = DN(member)" could be one for loop up.
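Review bot: the replacement suggested in (b) inverts the condition; since `.get()` yields None on a cache miss, the `+        if not dn:` line should become `if dn is None:` (or take the KeyError form from (c), which needs no None test at all), otherwise the DN would be recomputed exactly when it was already cached and left unset on a miss.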
Here's what I ended up with trying to fix the above (untested):

    for attr in self.attribute_members:
        try:
            value = entry_attrs.raw[attr]
        except KeyError:
            continue
        del entry_attrs[attr]

        ldap_objs = {}
        for ldap_obj_name in self.attribute_members[attr]:
            ldap_obj = self.api.Object[ldap_obj_name]
            container_dn = DN(ldap_obj.container_dn, api.env.basedn)
            ldap_objs[container_dn] = ldap_obj

        for member in value:
            memberdn = DN(member)
            try:
                ldap_obj = ldap_objs[DN(*memberdn[1:])]
            except KeyError:
                continue
            new_attr = '%s_%s' % (attr, ldap_obj.name)
            new_value = ldap_obj.get_primary_key_from_dn(memberdn)
            entry_attrs.setdefault(new_attr, []).append(new_value)

Honza

--
Jan Cholasta

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 10:43:10 +0200
Subject: [Freeipa-devel] [PATCH 0212] Server Upgrade: Fix comments
In-Reply-To: <55116535.6000900@redhat.com>
References: <551024D7.1080906@redhat.com> <55112663.1060101@redhat.com> <551144B2.2060706@redhat.com> <55116535.6000900@redhat.com>
Message-ID: <551D011E.6060103@redhat.com>

Dne 24.3.2015 v 14:23 David Kupka napsal(a):
> On 03/24/2015 12:04 PM, Martin Basti wrote:
>> On 24/03/15 09:54, Martin Basti wrote:
>>> On 23/03/15 15:36, Martin Basti wrote:
>>>> Attached patch fixes comments which I forgot to edit in the 'make upgrade
>>>> deterministic' patchset
>>>>
>>> I missed some dictionaries which should be lists.
>>>
>>> Updated patch attached.
>>>
>>> --
>>> Martin Basti
>>>
>> Updated patch attached
>>
>
> Thanks for the patch, LGTM, ACK.
>

Pushed to master: b5e941d49b3571a3f257be645dabb429754c94b0

--
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 10:45:35 +0200
Subject: [Freeipa-devel] [PATCH 0222] DNSSEC: do not log into files
In-Reply-To: <5519399B.4020208@redhat.com>
References: <551426E4.2070906@redhat.com> <5519399B.4020208@redhat.com>
Message-ID: <551D01AF.2090404@redhat.com>

Dne 30.3.2015 v 13:55 Petr Spacek napsal(a):
> On 26.3.2015 16:33, Martin Basti wrote:
>> We want the DNSSEC daemons to log only to the console (journald).
>>
>> This patch also fixes an unexpected log file in
>> /var/lib/softhsm/.ipa/log/default.log
>>
>> Patch attached.
>
> ACK
>

Pushed to:
master: 1216da8b9f2100cacebbeb8fe2dd91e22b954ba7
ipa-4-1: e27b9d18cee86b7634a0ec23042985c23096098e

--
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 10:52:38 +0200
Subject: [Freeipa-devel] [PATCH 0001] ipatests: port of p11helper test from github
In-Reply-To: <5519348A.70504@redhat.com>
References: <5502ED38.9020302@redhat.com> <5506B87B.6050600@redhat.com> <5506E983.4020807@redhat.com> <55070370.1010200@redhat.com> <5507F62E.9080004@redhat.com> <55114D0E.8000705@redhat.com> <5511698C.3060305@redhat.com> <55118563.2010503@redhat.com> <5515527D.1010805@redhat.com> <55190934.5090108@redhat.com> <5519348A.70504@redhat.com>
Message-ID: <551D0356.40405@redhat.com>

Hi,

we reply below the original message on freeipa-devel, please follow this convention next time, thank you.

Dne 30.3.2015 v 13:33 Milan Kubik napsal(a):
> Hi,
>
> thanks for the review and sparing me a few rounds for these modifications. :)
>
> ACK for the improvements.
>
> Milan
>
> On 03/30/2015 10:28 AM, Martin Basti wrote:
>> On 27/03/15 13:52, Milan Kubik wrote:
>>> Hi,
>>>
>>> On 03/24/2015 04:40 PM, Martin Basti wrote:
>>>> On 24/03/15 14:41, Milan Kubik wrote:
>>>>> Hello,
>>>>>
>>>>> thanks for the review.
>>>>>
>>>>> On 03/24/2015 12:39 PM, Martin Basti wrote:
>>>>>> On 17/03/15 10:38, Milan Kubik wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 03/16/2015 05:23 PM, Martin Basti wrote:
>>>>>>>> On 16/03/15 15:32, Milan Kubik wrote:
>>>>>>>>> On 03/16/2015 12:03 PM, Milan Kubik wrote:
>>>>>>>>>> On 03/13/2015 02:59 PM, Milan Kubik wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> this is a patch with a port of [1] to pytest.
>>>>>>>>>>>
>>>>>>>>>>> [1]:
>>>>>>>>>>> https://github.com/spacekpe/freeipa-pkcs11/blob/master/python/run.py
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Milan
>>>>>>>>>>>
>>>>>>>>>> Added a few more asserts in methods where the test could fail
>>>>>>>>>> and cause other errors.
>>>>>>>>>>
>>>>>>>>> New version of the patch after a brief discussion with Martin
>>>>>>>>> Basti.
>>>>>>>>> Removed unnecessary variable assignments and separated a
>>>>>>>>> new test case.
>>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> thank you for the patch.
>>>>>>>> I have a few nitpicks:
>>>>>>>> 1)
>>>>>>>> You can remove this and use just hexlify(s)
>>>>>>>> +def str_to_hex(s):
>>>>>>>> +    return ''.join("{:02x}".format(ord(c)) for c in s)
>>>>>>> done
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> +    def test_find_secret_key(self, p11):
>>>>>>>> +        assert p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
>>>>>>>> label=u"???-aest")
>>>>>>>>
>>>>>>>> In the tests before you tested the exact number of expected IDs
>>>>>>>> returned by the find_keys method, why not here?
>>>>>>> Lack of attention.
>>>>>>> Fixed the assert in `test_search_for_master_key` which does the
>>>>>>> same thing. Merged `test_find_secret_key` with
>>>>>>> `test_search_for_master_key` where it belongs.
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>
>>>>>>> Milan
>>>>>>>
>>>>>> Thank you for the patches, just two nitpicks:
>>>>>>
>>>>>> 1)
>>>>>> Can you use the ipaplatform.paths constant? This is platform specific.
>>>>>> LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
>>>>>> LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
>>>>>>
>>>>>> Respectively use just LIBSOFTHSM2_SO; on 64bit systems it is
>>>>>> automatically mapped to LIBSOFTHSM2_SO_64
>>>>>>
>>>>>> instead of:
>>>>>> +
>>>>>> +libsofthsm = "/usr/lib64/pkcs11/libsofthsm2.so"
>>>>>> +
>>>>> Done.
>>>>>> 2)
>>>>>> Can you please check if the keys were really deleted?
>>>>>> +    def test_delete_key(self, p11):
>>>>> Done.
>>>>>> --
>>>>>> Martin Basti
>>>>>
>>>>> I also moved `test_search_for_master_key` right after
>>>>> `test_generate_master_key` and changed the assert message to a more
>>>>> specific one.
>>>>>
>>>>> Cheers,
>>>>> Milan
>>>> Please fix this:
>>>>
>>>> 1)
>>>> $ git am
>>>> freeipa-mkubik-0001-5-ipatests-port-of-p11helper-test-from-github.patch
>>>> Applying: ipatests: port of p11helper test from github
>>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:228: new
>>>> blank line at EOF.
>>>> +
>>>> warning: 1 line adds whitespace errors.
>>>>
>>> fixed (TIL: vim doesn't show the last empty line)
>>>> 2) Please respect PEP8 if it is possible
>>> Mostly done, there are a few instances of long variable names off by a
>>> few characters.
>>>>
>>>> 3)
>>>> I'm still not sure about this:
>>>> assert len(master_key) == 0, "The master key should be deleted."
>>>>
>>>> the following example is more pythonic
>>>> assert not master_key, "The master key...."
>>>>
>>> Changed to the latter variant.
>>>> 4)
>>>> Related to 3), should we test the return value, if the correct type was
>>>> returned?
>>>> assert isinstance(master_key, list) and not master_key, "....."
>>>> I do not insist on this.
>>>>
>>>> Otherwise it works as expected.
>>>> --
>>>> Martin Basti
>>>
>>> Milan
>>
>> Hello,
>>
>> I did a few modifications:
>>
>> * new license header
>> * PEP8 fixes
>> * variables instead of magic constants for key labels and IDs
>>
>> Patch attached
>>
>> Do you accept my modifications?
>> Martin^2
>> --
>> Martin Basti

Pushed to master: 59f024487e0bcaedb773fd4066b2f95c733278c6

--
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 10:57:01 +0200
Subject: [Freeipa-devel] [PATCH] 0001-2 ipatests: SOA record Maintenance tests
In-Reply-To: <55157D39.6030104@redhat.com>
References: <68938500.2798491.1427206014857.JavaMail.zimbra@redhat.com> <55118529.8010708@redhat.com> <829878591.5551196.1427470466314.JavaMail.zimbra@redhat.com> <55157D39.6030104@redhat.com>
Message-ID: <551D045D.5050300@redhat.com>

Dne 27.3.2015 v 16:54 Martin Basti napsal(a):
> On 27/03/15 16:34, Aleš Mareček wrote:
>> Greetings!
>> Martin, thanks for your review and comments!
>> I changed the name of the patch and set up my git variables properly. I
>> also re-tested it and got all passed. I'm sending a new patch that is
>> attached.
>>
>> ----- Original Message -----
>>> From: "Martin Basti"
>>> To: "Aleš Mareček", freeipa-devel at redhat.com
>>> Sent: Tuesday, March 24, 2015 4:39:21 PM
>>> Subject: Re: [Freeipa-devel] [PATCH] 0001 ipatests: SOA record
>>> Maintenance tests
>>>
>>> On 24/03/15 15:06, Aleš Mareček wrote:
>>>> Greetings!
>>>> This is my very first patch, ticket#4746.
>>>>
>>>> Have a nice day!
>>>> - alich -
>>>>
>>> Thank you for the patch. Just nitpicks:
>>>
>>> 1)
>>> +    cleanup_commands = [
>>> +        ('dnszone_del', [zone6], {'continue': True}),
>>> +        ('dnszone_del', [zone6b], {'continue': True}),
>>> +    ]
>>>
>>> it would be better to do it this way; the continue option will try to remove
>>> all zones:
>>> +    cleanup_commands = [
>>> +        ('dnszone_del', [zone6, zone6b], {'continue': True}),
>>> +    ]
>>>
>> Done.
>>
>>> 2)
>>> I'm fine with zone6b, but was there any reason to create zone6b instead
>>> of reusing zone 1 or 2 or 3?
>> Because of some update needs, I didn't want to break anything
>> existing, thus I created a new one.
>>
>>> 3)
>>> Please fix whitespace errors.
>>> $ git am
>>> freeipa-alich-0001-ipatests-added-tests-for-SOA-record-Maintenance.patch
>>> Applying: ipatests - added tests for SOA record Maintenance
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:482: trailing
>>> whitespace.
>>>
>>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:758: new blank
>>> line at EOF.
>>> +
>>> warning: 2 lines add whitespace errors.
>>>
>> Done.
>> $ git am freeipa-alich-0001-2-Ipatests-DNS-SOA-Record-Maintenance.patch
>> Applying: Ipatests DNS SOA Record Maintenance
>> $
>>
>>> 4)
>>> I know the dns plugin tests are so far from PEP8, but try to keep PEP8
>>> in new code
>> Done, only 1 line persisted that I didn't want to break:
>> zone6_unresolvable_ns_relative_dnsname =
>> DNSName(zone6_unresolvable_ns_relative)
>>
>>> Otherwise the test works as expected.
>>>
>>> Martin^2
>>>
>>> --
>>> Martin Basti
>>>
>> Thanks!
>> -  alich -
> Thank you, ACK.
>

Pushed to:
master: ca96ecbf40038d09814f99f19bf47246352dfa0c
ipa-4-1: 8f94ac1e7c24b3bf33c5211d3e327c9a51390fb1

--
Jan Cholasta

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 10:59:45 +0200
Subject: [Freeipa-devel] [PATCH 0024] do not log BINDs to non-existent users as errors
In-Reply-To: <55193D50.7020208@redhat.com>
References: <5512DD48.4010000@redhat.com> <55193D50.7020208@redhat.com>
Message-ID: <551D0501.6050600@redhat.com>

Dne 30.3.2015 v 14:10 Petr Spacek napsal(a):
> On 25.3.2015 17:07, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/4889
>
> ACK
>

Pushed to:
master: 4192cce80eb22172696b11bf24457f7467b711fc
ipa-4-1: ede3298fdf8092567b7cfec4053c0db45725f882

--
Jan Cholasta
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 02 Apr 2015 11:54:10 +0200
Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation
In-Reply-To: <551A72DB.3020105@redhat.com>
References: <551A72DB.3020105@redhat.com>
Message-ID: <551D11C2.4070902@redhat.com>

On 03/31/2015 12:11 PM, Petr Vobornik wrote:
> The only different thing is a lack of utf-8 encoded str support (as
> input). I don't know how important the support is.

I don't think that support is too important (assuming IPA doesn't use it!). However, the behavior with this patch is dangerous. It allows unicode and ASCII strings, but fails on non-ASCII strings. That means things will usually work, but as soon as a non-ASCII component is introduced at the wrong place, you get an error.

Restoring support for utf-8 encoded str looks easy to do; here's a patch you can squash in. Or did I miss something?

> maybe it could be attached to ticket
> https://fedorahosted.org/freeipa/ticket/4947
> -----
> DN code was optimized to be faster if DNs are created from string. This
> is the major use case, since most DNs come from LDAP.
>
> With this patch, DN creation is almost 8-10x faster (with 30K-100K DNs).
>
> Second major use case - deepcopy in LDAPEntry is about 20x faster - done
> by custom __deepcopy__ function.
>
> The major change is that DN is no longer internally composed of RDNs
> and AVAs but it rather keeps the data in open ldap format - the same as
> output of str2dn function. Therefore, for immutable DNs, no other
> transformations are required on instantiation.
>
> The format is:
>
> DN: [RDN, RDN,...]
> RDN: [AVA, AVA,...]
> AVA: ['utf-8 encoded str - attr', 'utf-8 encoded str - value', FLAG]
> FLAG: int
>
> Further indexing of a DN object constructs an RDN which is just an
> encapsulation of the RDN part of the open ldap representation. Indexing of
> an RDN constructs an AVA in the same fashion.
>
> Obtained EditableAVA, EditableRDN from EditableDN share the respective
> lists of the open ldap repr. so that a change of value or attr is
> reflected in the parent object.

Looks good. A couple of comments:

RDN.to_openldap: _avas always has 3 components, right? I'd prefer `list(a)` over `[a[0], a[1], a[2]]`. Similarly for tuple in __add__ and RDN._avas_from_sequence.

DN._rdns_from_value: the error message at the end is wrong, RDN is also accepted. (And, `type(value)` would be more informative than `value.__class__.__name__`.)

You can optimize __deepcopy__ for immutable DNs even further: just return self!

In DN.find & rfind, RDNs are not accepted but the error message says they are.

You removed the newline at end of file.

--
Petr Viktorin

Attachment: 0001-Restore-support-for-creating-DNs-from-utf-8-encoded-.patch (text/x-patch, 6630 bytes)

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 13:31:56 +0200
Subject: [Freeipa-devel] [PATCH 0021] fix improper handling of boolean option during KRA install
In-Reply-To: <5512D8D5.8040509@redhat.com>
References: <55085B78.1040201@redhat.com> <5512D8D5.8040509@redhat.com>
Message-ID: <551D28AC.9030508@redhat.com>

Dne 25.3.2015 v 16:48 Martin Basti napsal(a):
> On 17/03/15 17:51, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/4530
>>
> ACK
>
> --
> Martin Basti
>

Pushed to master: c311af06f60cfdb73be9c0aecb9ddc559db1a055

--
Jan Cholasta
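Both the member-DN conversion reviewed in the patch 809 thread above (keying a member by `DN(*memberdn[1:])`, its parent DN) and the str2dn-shaped representation described in the patch 811 thread turn on the same point: which container a member belongs to has to be decided on parsed RDNs, not on the raw string, because ',' and '+' may appear escaped inside a value. The following is an added, self-contained example and not code from FreeIPA or python-ldap: a small RFC 4514 parser producing the [[(attr, value, flag), ...], ...] shape, a convert_attribute_members() that groups members by their parsed parent DN, and the raw-string suffix shortcut it is meant to replace. The function names, the sample DNs (constructed), the container layout (cn=users,cn=accounts and cn=groups,cn=accounts under dc=example,dc=test) and the flag value 0 are this example's assumptions.

```python
"""Added example, not FreeIPA or python-ldap code: parse LDAP DNs into the
[[(attr, value, flag), ...], ...] shape that python-ldap's str2dn returns, then
map group member DNs to the object type of the container they sit in. The flag
slot is always 0 here (python-ldap stores a decoder flag there)."""

import string

# Characters that may follow a backslash as a one-character escape (RFC 4514, 2.4).
_ESCAPABLE = ' "#+,;<=>\\'
AVA_FLAG = 0  # placeholder value for the third slot of each AVA tuple


def _is_hex_pair(s):
    return len(s) == 2 and all(ch in string.hexdigits for ch in s)


def _ava(attr_chars, value_chars):
    # Attribute types are case-insensitive, so normalise them once while parsing.
    return ("".join(attr_chars).strip().lower(), "".join(value_chars), AVA_FLAG)


def str2dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs, each a list of AVAs.

    Escaped separators ('\\,' '\\+') and hex escapes ('\\2c', or a UTF-8
    sequence such as '\\c3\\a9') are decoded, so a separator inside a value
    never splits an RDN. ValueError is raised for a dangling escape, a type
    without '=', or undecodable bytes.
    """
    if dn == "":
        return []
    rdns, avas, attr, value = [], [], [], []
    reading_attr = True
    i = 0
    while i < len(dn):
        c = dn[i]
        if reading_attr:
            if c == "=":
                reading_attr = False
            elif c in ",+":
                raise ValueError("attribute type without '=' at offset %d" % i)
            else:
                attr.append(c)
            i += 1
        elif c == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in _ESCAPABLE:
                value.append(nxt)
                i += 2
            else:
                raw = bytearray()  # consecutive \XX pairs form one UTF-8 sequence
                while dn[i:i + 1] == "\\" and _is_hex_pair(dn[i + 1:i + 3]):
                    raw.append(int(dn[i + 1:i + 3], 16))
                    i += 3
                if not raw:
                    raise ValueError("bad escape at offset %d" % i)
                value.append(raw.decode("utf-8"))
        elif c in ",+":
            avas.append(_ava(attr, value))
            attr, value, reading_attr = [], [], True
            if c == ",":
                rdns.append(avas)
                avas = []
            i += 1
        else:
            value.append(c)
            i += 1
    if reading_attr:
        raise ValueError("DN ends inside an attribute type")
    avas.append(_ava(attr, value))
    rdns.append(avas)
    return rdns


def _key(rdns):
    """Comparison key: values compared case-insensitively (caseIgnoreMatch
    semantics, assumed here for every attribute), AVAs of a multi-valued RDN
    in canonical order."""
    return tuple(tuple(sorted((a, v.lower()) for a, v, _ in rdn)) for rdn in rdns)


def convert_attribute_members(member_dns, containers, base_dn, attr="member"):
    """Split one attribute's member DNs into '<attr>_<objtype>' lists.

    containers maps an object type name to its container DN relative to
    base_dn. A member belongs to a type only if its *parsed* parent DN equals
    that container; anything else is returned separately instead of guessed.
    """
    by_parent = {
        _key(str2dn(container) + str2dn(base_dn)): obj_name
        for obj_name, container in containers.items()
    }
    converted, unknown = {}, []
    for member in member_dns:
        rdns = str2dn(member)
        obj_name = by_parent.get(_key(rdns[1:]))
        if obj_name is None:
            unknown.append(member)
            continue
        primary_key = rdns[0][0][1]  # value of the leaf RDN's first AVA
        converted.setdefault("%s_%s" % (attr, obj_name), []).append(primary_key)
    return converted, unknown


def naive_is_member_of(member_dn, container, base_dn):
    """The raw-string shortcut this example argues against: an escaped comma
    still satisfies a suffix test, so an entry directly under cn=accounts whose
    cn merely contains ',cn=users' passes as a user."""
    return member_dn.endswith("," + container + "," + base_dn)


# Constructed sample input, not real directory data.
BASE_DN = "dc=example,dc=test"
CONTAINERS = {"user": "cn=users,cn=accounts", "group": "cn=groups,cn=accounts"}
SAMPLE_MEMBERS = [
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
    "cn=Smith\\, John,cn=groups,cn=accounts,dc=example,dc=test",  # escaped comma in the value
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
    "cn=evil\\,cn=users,cn=accounts,dc=example,dc=test",  # sits under cn=accounts, not cn=users
]

if __name__ == "__main__":
    converted, unknown = convert_attribute_members(SAMPLE_MEMBERS, CONTAINERS, BASE_DN)
    print(converted)
    print("outside every container:", unknown)
    print("naive suffix check on the last one:",
          naive_is_member_of(SAMPLE_MEMBERS[-1], CONTAINERS["user"], BASE_DN))
```

The last sample DN is the case the parsed comparison exists for: its leaf value is `evil,cn=users`, so it is a child of cn=accounts and must not be reported as a user, yet a suffix test on the raw string accepts it. Whether values should be compared case-insensitively is attribute-specific; _key applies caseIgnoreMatch semantics uniformly, which is an assumption of this example.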
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 02 Apr 2015 14:11:50 +0200
Subject: [Freeipa-devel] [PATCH 0223] Fix ldap2 do not create shared instance by default
In-Reply-To: <551C0BE9.10000@redhat.com>
References: <551C0BE9.10000@redhat.com>
Message-ID: <551D3206.1020102@redhat.com>

Hi,

Dne 1.4.2015 v 17:16 Martin Basti napsal(a):
> Since API is not a singleton anymore, the ldap2 instance should not be shared
> between all APIs.
>
> Patch attached.
>

Works for me. However, it's not the ldap2 instance that was shared, but rather the underlying LDAP connection.

Honza

--
Jan Cholasta

From: mbasti at redhat.com (Martin Basti)
Date: Thu, 02 Apr 2015 14:18:58 +0200
Subject: [Freeipa-devel] [PATCH 0223] Fix ldap2 do not create shared instance by default
In-Reply-To: <551D3206.1020102@redhat.com>
References: <551C0BE9.10000@redhat.com> <551D3206.1020102@redhat.com>
Message-ID: <551D33B2.9020008@redhat.com>

On 02/04/15 14:11, Jan Cholasta wrote:
> Hi,
>
> Dne 1.4.2015 v 17:16 Martin Basti napsal(a):
>> Since API is not a singleton anymore, the ldap2 instance should not be shared
>> between all APIs.
>>
>> Patch attached.
>>
>
> Works for me. However, it's not the ldap2 instance that was shared,
> but rather the underlying LDAP connection.
>
> Honza
>

Reworded patch attached.

--
Martin Basti

Attachment: freeipa-mbasti-0223.2-Fix-ldap2-shared-connection.patch (text/x-patch, 4047 bytes)
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 02 Apr 2015 14:27:18 +0200 Subject: [Freeipa-devel] [PATCH 0223] Fix ldap2 do not create shared instance by default In-Reply-To: <551D33B2.9020008@redhat.com> References: <551C0BE9.10000@redhat.com> <551D3206.1020102@redhat.com> <551D33B2.9020008@redhat.com> Message-ID: <551D35A6.4040704@redhat.com> On 2.4.2015 at 14:18, Martin Basti wrote: > On 02/04/15 14:11, Jan Cholasta wrote: >> Hi, >> >> On 1.4.2015 at 17:16, Martin Basti wrote: >>> Since API is not singleton anymore, ldap2 instance should not be shared >>> between all APIs. >>> >>> Patch attached. >>> >> >> Works for me. However, it's not the ldap2 instance that was shared, >> but rather the underlying LDAP connection. >> >> Honza >> > Reworded patch attached. > Thanks, ACK. Pushed to master: b92136cba287e38d9c2f41c3163f5a6b0b62ca17 -- Jan Cholasta From pviktori at redhat.com Thu Apr 2 12:35:03 2015 From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 02 Apr 2015 14:35:03 +0200 Subject: [Freeipa-devel] [PATCH] 0688 rename_managed: Remove use of EditableDN Message-ID: <551D3777.3020300@redhat.com> This removes the last use of dn.Editable* from IPA code. For cases where an EditableDN was used, lists/generators of RDNs tend to work better IMO. When this is merged, Editable* can be removed (which I don't want to do right now since there's a patch on review that would conflict). -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0688-rename_managed-Remove-use-of-EditableDN.patch Type: text/x-patch Size: 4671 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 2 14:59:58 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 02 Apr 2015 16:59:58 +0200 Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install In-Reply-To: References: Message-ID: <551D596E.3040802@redhat.com> On 30/03/15 15:25, Gabe Alford wrote: > Hello, > > With the merging of ticket 4842 > , I believe that half of > ticket 3092 has been > done. This patch just adds a message that says that NTP configuration > was skipped which I believe should finish 3092 > . > > Thanks, > > Gabe > > Hello, thank you for the patch. 1) IMO there should be: if *not* options.conf_ntp 2) wouldn't it be better to use just else? Martin -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From redhatrises at gmail.com Thu Apr 2 15:47:33 2015
From: redhatrises at gmail.com (Gabe Alford) Date: Thu, 2 Apr 2015 09:47:33 -0600 Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install In-Reply-To: <551D596E.3040802@redhat.com> References: <551D596E.3040802@redhat.com> Message-ID: On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti wrote: > On 30/03/15 15:25, Gabe Alford wrote: > > Hello, > > With the merging of ticket 4842 > , I believe that half of > ticket 3092 has been done. > This patch just adds a message that says that NTP configuration was skipped > which I believe should finish 3092 > . > > Thanks, > > Gabe > > > Hello, thank you for the patch. > > 1) > IMO there should be: > if *not* options.conf_ntp > So, if --no-ntp is not specified, print a message that the client is skipping NTP sync? > 2) > wouldn't it be better to use just else? > I actually ran ipa-client-install with no options on a system where I used 'else', and it printed the skipping NTP sync when it should not have. That is why the patch does not use 'else'. > > Martin > > -- > Martin Basti > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Fri Apr 3 03:37:05 2015
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 02 Apr 2015 22:37:05 -0500 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <550FE5EB.1070606@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> Message-ID: <551E0AE1.8040500@redhat.com> Hi, Attached are new patches replacing all old ones. Please take a look at them. They should be applied in this order: 365, 353-8, 355-6, 357-3, 359-2, 360-1, 364-1, 361-1. I'm planning to merge the vault and vault container object and use the vault type attribute to distinguish between the two. See more discussion about that below. On 3/23/2015 5:07 AM, Jan Cholasta wrote: >>> Patch 353: >>> >>> 1) Please follow PEP8 in new code. >>> > Well, I did not use pylint, but pep8: > > >> Is there an existing ticket for fixing PEP8 errors? Let's use that for >> fixing the errors in the existing code. > > There is no ticket, but we still follow PEP8 in new code, so please do > that. It shouldn't be too hard. Fixed. >>> 3) The container_vault config option should be renamed to >>> container_vaultcontainer, as it is used in the vaultcontainer plugin, >>> not the vault plugin. >> >> It was named container_vault because it defines the DN of the >> subtree that contains all vault-related entries. I moved the base_dn >> variable from vaultcontainer object to the vault object for clarity. > > That does not make much sense to me. Vault objects are contained in > their respective vaultcontainer objects, not directly in cn=vaults. The cn=vaults itself is actually a vault container (i.e. ipaVaultContainer). Theoretically you could store a vault in any container including cn=vaults, but we just don't want people to use it that way. I think this is consistent with other plugins. For example, the container_user points to cn=users, which is an nsContainer.
There is no concept of 'user container' other than the cn=users itself. But even if there is one, the container_user will still be stored in the user class. When the vault & vaultcontainer are merged, this will no longer be an issue. >>> 4) The vault object should be child of the vaultcontainer object. >>> >>> Not only is this correct from the object model perspective, but it would >>> also make all the container_id hacks go away. >> >> It's a bit difficult because it will affect how the container & vault >> ID's are represented on the CLI. > > Yes, but the API should be done right (without hacks) first. You can > tune the CLI after that if you want. I think the current framework is rather limiting. It's kind of hard to build an interface that looks exactly like what you want and then add the implementation later to match the interface, because many things are interrelated. In this particular case the object hierarchy on the server side would affect how the vault ID will be represented on the client side. >> In the design the container ID would be a single value like this: >> >> $ ipa vault-add /services/server.example.com/HTTP >> >> And if the vault ID is relative (without initial slash), it will be >> appended to the user's private container (i.e. /users//): >> >> $ ipa vault-add PrivateVault >> >> The implementation is not complete yet. Currently it accepts this format: >> >> $ ipa vault-add [--container ] >> >> and I'm still planning to add this: >> >> $ ipa vault-add This is actually now done in the latest patch. Internally the ID is still split into name & parent ID. >> If the vault must be a child of vaultcontainer, and the vaultcontainer >> must be a child of a vaultcontainer, does it mean the vault ID would >> have to be split into separate arguments like this? >> >> $ ipa vaultcontainer-add services server.example.com HTTP >> >> If that's the case we'd lose the ability to specify a relative vault ID. > > Yes, that's the case.
> > But I don't think relative IDs should be a problem, we can do this: > > $ ipa vaultcontainer-add a b c # absolute > $ ipa vaultcontainer-add . c # relative I think a "." will be confusing because there's no concept of "current vaultcontainer" like "current directory". > or this: > > $ ipa vaultcontainer-add '' a b c # absolute > $ ipa vaultcontainer-add c # relative An empty string is also confusing and can be problematic to distinguish from a missing argument. > or this: > > $ ipa vaultcontainer-add a b c # absolute > $ ipa vaultcontainer-add c --relative # relative > > or this: > > $ ipa vaultcontainer-add a b c --absolute # absolute > $ ipa vaultcontainer-add c # relative Per discussion in the IPA-CS meeting, we'd rather keep the "/" for vault ID delimiters because the spaces will be confusing to users, but we'll not use absolute IDs anymore. It's not implemented yet, but here is the plan. By default the vault will be created in the user's private container: $ ipa vault-add PrivateVault For shared vaults, instead of specifying an absolute ID we can specify a --shared option: $ ipa vault-add --shared projects/IPA Same thing with service vaults: $ ipa vault-add --service server.example.com/LDAP To access a vault in another user's private container: $ ipa vault-show --user testuser PrivateVault >>> 11) No clever optimizations like this please: >>> >>> + # vault DN cannot be the container base DN >>> + if len(dn) == len(api.Object.vaultcontainer.base_dn): >>> + raise ValueError('Invalid vault DN: %s' % dn) >>> >>> Compare the DNs by value instead. >> >> Actually the DN values have already been compared in the code right >> above it: >> >> # make sure the DN is a vault DN >> if not dn.endswith(self.api.Object.vaultcontainer.base_dn): >> raise ValueError('Invalid vault DN: %s' % dn) >> >> This code confirms that the incoming vault DN is within the vault >> subtree.
After that, the DN length comparison above is just to make sure >> the incoming vault DN is not the root of the vault subtree itself. It >> doesn't need to compare the values again. > > I see. You can combine both of the checks into one: > > if not dn.endswith(self.api.Object.vaultcontainer.base_dn, 1): > raise ValueError(...) Changed, but this might not be necessary once the vault & vaultcontainer are merged. >> 6) The `container` param of vault should actually be an option in >> vault_* commands. >> >> Also it should be renamed to `container_id`, for consistency with >> vaultcontainer. > > Fixed. It was actually made to be consistent with the 'parent' > attribute in the vaultcontainer class. Now the 'parent' has been > renamed to 'parent_id' as well. Since we're going to merge vault & vaultcontainer, I've renamed vault's container_id to parent_id. >>> 14) Use File instead of Str for input files: >>> >>> + Str('in?', >>> + cli_name='in', >>> + doc=_('File containing data to archive'), >>> + ), >> >> The File type doesn't work with binary files because it tries to decode >> the content. > > OK. I know File is broken and plan to fix it in the future. Just add a > comment saying that it should be a File, but it's broken, OK? Added the notes. >>> 16) You do way too much stuff in vault_add.forward(). Only code that >>> must be done on the client needs to be there, i.e. handling of the >>> "data", "text" and "in" options. >>> >>> The vault_archive call must be in vault_add.execute(), otherwise a) we >>> will be making 2 RPC calls from the client and b) it won't be called at >>> all when api.env.in_server is True. >> >> This is done by design. The vault_add.forward() generates the salt and >> the keys. The vault_archive.forward() will encrypt the data. These >> operations have to be done on the client side to secure the transport of >> the data from the client through the server and finally to KRA. 
This >> mechanism prevents the server from looking at the unencrypted data. > > OK, but that does not justify that it's broken in server-side API. It > can and should be done so that it works the same way on both client and > server. > > I think the best solution would be to split the command into two > commands, server-side vault_archive_raw to archive already encrypted > data, and client-side vault_archive to encrypt data and archive them > with vault_archive_raw in its .execute(). Same thing for vault_retrieve. Actually I think it's better to just merge the add and archive, reducing the number of RPC calls. The vault_archive now will support two types of operations: (a) Archive data into a new vault (it will create the vault just before archiving the data): $ ipa vault-archive testvault --create --in data ... (b) Archive data into an existing vault: $ ipa vault-archive testvault --in data ... The vault_add is now just a wrapper for the vault_archive(a). > BTW, I also think it would be better if there were 2 separate sets of > commands for binary and textual data > (vault_{archive,retrieve}_{data,text}) rather than trying to handle > everything in vault_{archive,retrieve}. I don't think we want to provide a separate command of every possible data type & operation combination. Users would get confused. The archive & retrieve commands should be able to handle all current & future data types with options. >> The add & archive combination was added for convenience, not for >> optimization. This way you would be able to archive data into a new >> vault using a single command. Without this, you'd have to execute two >> separate commands: add & archive, which will result in 2 RPC calls >> anyway. > > I think I would prefer if it was separate, as that would be consistent > with other plugins (e.g. for objects with members, we don't allow adding > members directly in -add, you have to use -add-member after -add). 
The vault data is similar to group description, not group members. When creating a group we can supply the description. If not specified it will be blank. Archiving vault data is similar to updating the group description. Vault secrets on the other hand are similar to group members. You will see that in the other patch. >>> 17) Why are vaultcontainer objects automatically created in vault_add? >>> >>> If you have to automatically create them, you also have to automatically >>> delete them when the command fails. But that's a hassle, so I would just >>> not create them automatically. >> >> The vaultcontainer is created automatically to provide a private >> container (i.e. /users//) for each user if they need it. >> Without this, the admin will have to create the container manually first >> before a user can create a vault, which would be an unreasonable >> requirement. If the vault_add fails, it's ok to leave the private >> container intact because it can be used again if the user tries to >> create a vault again later and it will not affect other users. If the >> user is deleted, the private container will be deleted too. >> >> The code was fixed to create the container only if they are adding a >> vault/vault container into the user's private container. If they are >> adding into another container, the container must already exist. > > This sounds like a job fit for the managed entries plugin. Have you > tried using it for this? I'm not that familiar with that yet. I think we can make that improvement later once we know if it fits the needs. Right now we'll keep it simple. >>> 18) Why are vaultcontainer objects automatically created in vault_find? >>> >>> This is just plain wrong and has to be removed, now. >> >> The code was supposed to create the user's private container like in >> #17, but the behavior has been changed.
If the container being searched >> is the user's private container, it will ignore the container not found >> error and return zero results as if the private container already >> exists. For other containers the container must already exist. For this >> to work I had to add a handle_not_found() into LDAPSearch so the plugins >> can customize the proper search response for the missing private >> container. > > No ad-hoc refactoring please. If you want to refactor anything, it > should be first designed properly and put in a separate patch. > > Anyway, what should actually happen here is that if parent object is not > found, its object plugin's handle_not_found is called, i.e. something > like this: > > parent = self.obj.parent_object > if parent: > self.api.Object[parent].handle_not_found(*args[:-1]) > else: > raise errors.NotFound( > reason=self.obj.container_not_found_msg % { > 'container': self.obj.container_dn, > } > ) It will not work because vault doesn't have a parent object. I'm adding handle_not_found() into LDAPCreate and LDAPSearch in the first patch. >>> 21) vault_archive is not a retrieve operation, it should be based on >>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it does >>> not do anything with LDAP. The same applies to vault_retrieve. >> >> The vault_archive does not actually modify the LDAP entry because it >> stores the data in KRA. It is actually an LDAPRetrieve operation because >> it needs to get the vault info before it can perform the archival >> operation. Same thing with vault_retrieve. > > It is not a LDAPRetrieve operation, because it has different semantics. > Please use Command as base class and either use ldap2 for direct LDAP or > call vault_show instead of hacking around LDAPRetrieve. It's been changed to inherit from LDAPQuery instead. >>> 22) vault_archive will break with binary data that is not UTF-8 encoded >>> text. 
>>> >>> This is where it occurs: >>> >>> + vault_data[u'data'] = unicode(data) >>> >>> Generally, don't use unicode() on str values and str() on unicode values >>> directly, always use .decode() and .encode(). The unicode(s, encoding) is actually equivalent to s.decode(encoding), so the following code will not solve the problem: vault_data[u'data'] = data.decode() As you said, decode() will only work if the data being decoded actually follows the encoding rules (i.e. already UTF-8 encoded). >> It needs to be a Unicode because json.dumps() doesn't work with binary >> data. Fixed by adding base-64 encoding. The base-64 encoding is necessary to convert random binaries into ASCII so it can be decoded into Unicode. Here is the current code: vault_data[u'data'] = unicode(base64.b64encode(data)) which is equivalent to: vault_data[u'data'] = base64.b64encode(data).decode() > If something str needs to be unicode, you should use .decode() to > explicitly specify the encoding, instead of relying on unicode() to pick > the correct one. Since we know this is ASCII data we can now specify UTF-8 encoding. vault_data[u'data'] = base64.b64encode(data).decode('utf-8') But for anything that comes from user input (e.g. filenames, passwords), it's better to use the default encoding because that can be configured by the user. > Anyway, I think a better solution than base64 would be to use the > "raw_unicode_escape" encoding: As explained above, base-64 encoding is necessary because random binaries don't follow any encoding rules. I'd rather not use raw_unicode_escape because it's not really a text data. Here's how it's now implemented: > if data: > data = data.decode('raw_unicode_escape') Input data is already in binaries, no conversion needed. 
> elif text: > data = text Input text will be converted to binaries with default encoding: data = text.encode() > elif input_file: > with open(input_file, 'rb') as f: > data = f.read() > data = data.decode('raw_unicode_escape') Input contains binary data, no conversion needed. > else: > data = u'' If not specified, the data will be an empty string: data = '' The data needs to be converted into binaries so it can be encrypted before transport (depending on the vault type): data = self.obj.encrypt(data, ...) > vault_data[u'data'] = data Then for transport the data is base-64 encoded first, then converted into Unicode: vault_data[u'data'] = base64.b64encode(data).decode('utf-8') >>> 26) Instead of the delete_entry refactoring in baseldap and >>> vaultcontainer_add, you can put this in vaultcontainer_add's >>> pre_callback: >>> >>> try: >>> ldap.get_entries(dn, scope=ldap.SCOPE_ONELEVEL, attrs_list=[]) >>> except errors.NotFound: >>> pass >>> else: >>> if not options.get('force', False): >>> raise errors.NotAllowedOnNonLeaf() >> >> I suppose you meant vaultcontainer_del. Fixed, but this will generate an >> additional search for each delete. >> >> I'm leaving the changes in baseldap because it may be useful later and it >> doesn't change the behavior of the current code. > > Again, no ad-hoc refactoring please. The refactoring has also been moved into a separate patch. Just a note, I still don't think a plugin should do a search and maybe generate a NotAllowedOnLeaf exception on each delete operation. The exception should have been generated automatically by the DS. But we can discuss that separately. >>> 28) The vault and vaultcontainer plugins seem to be pretty similar, I >>> think it would make sense to put common stuff in a base class and >>> inherit vault and vaultcontainer from that. >> >> I plan to refactor the common code later. Right now the focus is to get >> the functionality working correctly first. > > Please do it now, "later" usually means "never".
It shouldn't be too > hard and I can give you a hand with it if you want. As mentioned above, I'm considering merging the vault & vault container classes, so no need to refactor the common code out of these classes. This will be delivered as a separate patch later. Thanks. -- Endi S. Dewata -------------- next part -------------- >From 7003767c159e8c75fa02ff5c3ffde971ff665ef1 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 21 Oct 2014 10:57:08 -0400 Subject: [PATCH] Added initial vault implementation. The initial implementation of vaults and vault containers has been added. Some test scripts have been added as well. The remaining functionalities will be added in subsequent patches. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 177 +++- install/share/60basev3.ldif | 2 + install/updates/40-vault.update | 23 + install/updates/Makefile.am | 1 + ipa-client/man/default.conf.5 | 1 + ipalib/constants.py | 1 + ipalib/plugins/user.py | 43 +- ipalib/plugins/vault.py | 956 +++++++++++++++++++++ ipalib/plugins/vaultcontainer.py | 503 +++++++++++ ipatests/test_xmlrpc/test_vault_plugin.py | 394 +++++++++ ipatests/test_xmlrpc/test_vaultcontainer_plugin.py | 436 ++++++++++ 11 files changed, 2533 insertions(+), 4 deletions(-) create mode 100644 install/updates/40-vault.update create mode 100644 ipalib/plugins/vault.py create mode 100644 ipalib/plugins/vaultcontainer.py create mode 100644 ipatests/test_xmlrpc/test_vault_plugin.py create mode 100644 ipatests/test_xmlrpc/test_vaultcontainer_plugin.py diff --git a/API.txt b/API.txt index 0c7eda9f5b9176aa6e97ef03f26b0bf0a885fe4e..ebae899fe93fd742b052de9ca5e63ad567c437ef 100644 --- a/API.txt +++ b/API.txt 
@@ -4351,9 +4351,10 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: user_del -args: 1,2,3 +args: 1,3,3 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Flag('force?', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) 
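Review bot: The new `Flag('force?', autofill=True, default=False)` on user_del is not explained anywhere in the visible hunks; the user.py change that implements it (43 lines in the diffstat) is not shown, so a reviewer cannot tell what the flag overrides. Given that vaultcontainer_del gains the same `force?` flag for non-leaf containers in this patch and the thread says a user's private vault container is deleted with the user, it presumably allows deleting a user whose private container still holds vaults; the flag's doc string should state that, and it should carry a `cli_name` like the neighbouring `continue` option so the generated CLI name is explicit.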
@@ -4513,6 +4514,180 @@ option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_add +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('data?', cli_name='data') +option: Str('description?', cli_name='desc') +option: Str('in?', cli_name='in') +option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('text?', cli_name='text') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_archive +args: 1,13,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('create?', autofill=True, default=False) +option: Bytes('data?', cli_name='data') +option: Str('description?', cli_name='desc') +option: Str('in?', cli_name='in') +option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') +option: Str('nonce?', cli_name='nonce') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('session_key?', cli_name='session_key') +option: Str('text?', cli_name='text') +option: Str('vault_data?', cli_name='vault_data') +option: Str('version?', exclude='webui') +output: Entry('result', , 
Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_del +args: 1,3,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('parent_id?', cli_name='parent_id') +option: Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: vault_find +args: 1,10,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Str('parent_id?', cli_name='parent_id') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('vault_id', attribute=False, autofill=False, cli_name='vault_id', multivalue=False, query=True, required=False) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: vault_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) 
+option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('vault_id', attribute=False, autofill=False, cli_name='vault_id', multivalue=False, required=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_retrieve +args: 1,8,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('out?', cli_name='out') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('session_key?', cli_name='session_key') +option: Flag('show_text?', autofill=True, default=False) +option: Flag('stdout?', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, 
cli_name='all', default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vault_transport_cert +args: 0,2,1 +option: Str('out?', cli_name='out') +option: Str('version?', exclude='webui') +output: Output('result', None, None) +command: vaultcontainer_add +args: 1,8,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('container_id', attribute=False, cli_name='container_id', multivalue=False, required=False) +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vaultcontainer_del +args: 1,4,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Flag('force?', autofill=True, default=False) +option: Str('parent_id?', cli_name='parent_id') +option: 
Str('version?', exclude='webui') +output: Output('result', , None) +output: Output('summary', (, ), None) +output: ListOfPrimaryKeys('value', None, None) +command: vaultcontainer_find +args: 1,10,4 +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('cn', attribute=True, autofill=False, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) +option: Str('container_id', attribute=False, autofill=False, cli_name='container_id', multivalue=False, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Str('parent_id?', cli_name='parent_id') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Int('sizelimit?', autofill=False, minvalue=0) +option: Int('timelimit?', autofill=False, minvalue=0) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: vaultcontainer_mod +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('container_id', attribute=False, autofill=False, cli_name='container_id', multivalue=False, required=False) +option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: 
Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr', exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vaultcontainer_show +args: 1,5,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) capability: messages 2.52 capability: optional_uid_params 2.54 capability: permissions2 2.69 diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 4efb1fe8ba8a91d3a8b920d39d217124066728c0..c04f8d5d096bc3d91aec3e2f1703f658d76d3779 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -77,3 +77,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update new file mode 100644 index 0000000000000000000000000000000000000000..dac2f67112dc33f012c6d559285464fb7c944d1a --- /dev/null +++ b/install/updates/40-vault.update @@ -0,0 +1,23 @@ +dn: cn=vaults,$SUFFIX +default: objectClass: top +default: objectClass: ipaVaultContainer +default: cn: vaults +default: description: Root vault container + +dn: cn=services,cn=vaults,$SUFFIX +default: objectClass: top +default: objectClass: ipaVaultContainer +default: cn: services +default: description: Services vault container + +dn: cn=shared,cn=vaults,$SUFFIX +default: objectClass: top +default: objectClass: ipaVaultContainer +default: cn: shared +default: description: Shared vault container + +dn: cn=users,cn=vaults,$SUFFIX +default: objectClass: top +default: objectClass: ipaVaultContainer +default: cn: users +default: description: Users vault container 
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 40de5635621071d34b6475d51ca598ed41a8ba09..34bb0981c44a3fcc3242401873769f332b95988b 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -32,6 +32,7 @@ app_DATA = \ 40-dns.update \ 40-automember.update \ 40-otp.update \ + 40-vault.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index dbc8a5b4647439de4de7c01152d098eb0561e236..0973f1a07179ad64daa326a02803cdc9ba1870aa 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 @@ -221,6 +221,7 @@ The following define the containers for the IPA server. Containers define where container_sudocmdgroup: cn=sudocmdgroups,cn=sudo container_sudorule: cn=sudorules,cn=sudo container_user: cn=users,cn=accounts + container_vault: cn=vaults container_virtual: cn=virtual operations,cn=etc .SH "FILES" diff --git a/ipalib/constants.py b/ipalib/constants.py index 50a2b1f7aa7f0d447bacfd005b102c7451e670ce..baaf9be8d0329e89cb92a03de302095fe7acb847 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -97,6 +97,7 @@ DEFAULT_CONFIG = ( ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))), ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))), ('container_dns', DN(('cn', 'dns'))), + ('container_vault', DN(('cn', 'vaults'))), ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))), ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))), ('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))), diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index abe5ee26b8e48681eeb0cbb3bcff8617e212225c..6caca14767b4fd6fbfc4a6ae2d3ea243eaa424cc 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -883,17 +883,48 @@ class user_add(LDAPCreate): class user_del(LDAPDelete): __doc__ = _('Delete a user.') + takes_options = LDAPDelete.takes_options + ( + Flag( + 'force?', + doc=_('Force deletion'), + autofill=False, + ), + ) + msg_summary = _('Deleted user "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): assert isinstance(dn, DN) check_protected_member(keys[-1]) + force = options.get('force', False) + + # Find all tokens owned and managed by this user. + owner = self.api.Object.user.get_primary_key_from_dn(dn) + otptokens = self.api.Command.otptoken_find(ipatokenowner=owner)['result'] + + if len(otptokens) and not force: + raise errors.NotAllowedOnNonLeaf( + message=_('User owns OTP tokens. ' + 'Specify --force to force deletion.')) + + # Find user's private vault container. + vaultcontainer_id = self.api.Object.vaultcontainer.get_private_id(owner) + vaultcontainer = None + try: + vaultcontainer = self.api.Command.vaultcontainer_show( + vaultcontainer_id)['result'] + + if vaultcontainer and not force: + raise errors.NotAllowedOnNonLeaf( + message=_('User owns private vaults. ' + 'Specify --force to force deletion.')) + except errors.NotFound: + pass + # Delete all tokens owned and managed by this user. # Orphan all tokens owned but not managed by this user. - owner = self.api.Object.user.get_primary_key_from_dn(dn) - results = self.api.Command.otptoken_find(ipatokenowner=owner)['result'] - for token in results: + for token in otptokens: orphan = not [x for x in token.get('managedby_user', []) if x == owner] token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn']) if orphan: @@ -901,6 +932,12 @@ class user_del(LDAPDelete): else: self.api.Command.otptoken_del(token) + # Delete user's private vault container. + if vaultcontainer: + self.api.Command.vaultcontainer_del( + vaultcontainer_id, + force=force) + return dn 
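Review bot: in the `user_del` hunk at `@@ -883`, the new `force?` flag's `doc=_('Force deletion')` does not say what is being forced: with `--force` the user's OTP tokens and the user's whole private vault container (and the secrets it holds) are deleted together with the account, which is a destructive side effect on key material the help text should spell out, e.g. `doc=_('Delete the user even if it owns OTP tokens or private vaults; those are deleted too')`. Two smaller points in the same hunk: `if len(otptokens) and not force:` reads better as `if otptokens and not force:`, and `errors.NotAllowedOnNonLeaf` is an LDAP "entry has children" error being reused for a "user still owns resources" condition, so only the message text tells the operator what actually blocked the deletion.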
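Review bot: in the hunk at `@@ -901`, `vaultcontainer_del(vaultcontainer_id, force=force)` runs inside `pre_callback`, i.e. before the user entry itself is removed. If the user deletion then fails for any later reason, the private vaults are already gone, and `vault_del` in this same patch deactivates the matching KRA records, so the archived secrets are not recoverable even though the account still exists. Consider moving the container deletion (and the token deletion above it, which this hunk keeps in `pre_callback`) to `post_callback`, so the irreversible cleanup only happens once the user entry is actually deleted.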
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py new file mode 100644 index 0000000000000000000000000000000000000000..9945581bed2844e753e8b0ec9ac12af2374ab7bd --- /dev/null +++ b/ipalib/plugins/vault.py 
@@ -0,0 +1,956 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import base64 +import json +import os +import sys +import tempfile + +import nss.nss as nss + +import pki.account +import pki.crypto +import pki.key + +from ipalib.frontend import Command +from ipalib import api, errors +from ipalib import Str, Bytes, Flag +from ipalib import output +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPQuery, LDAPMultiQuery +from ipalib.request import context +from ipalib.plugins.user import split_principal +from ipalib import _, ngettext +from ipaplatform.paths import paths +from ipapython.dn import DN +import ipapython.nsslib + +__doc__ = _(""" +Vaults +""") + _(""" +Manage vaults. 
+""") + _(""" +EXAMPLES: +""") + _(""" + List private vaults: + ipa vault-find +""") + _(""" + List shared vaults: + ipa vault-find /shared +""") + _(""" + Add a standard vault: + ipa vault-add MyVault +""") + _(""" + Show a vault: + ipa vault-show MyVault +""") + _(""" + Modify a vault: + ipa vault-mod MyVault --desc "My vault" +""") + _(""" + Archive data into standard vault: + ipa vault-archive MyVault --in data.bin +""") + _(""" + Retrieve data from standard vault: + ipa vault-retrieve MyVault --out data.bin +""") + _(""" + Delete a vault: + ipa vault-del MyVault +""") + +register = Registry() + + + at register() +class vault(LDAPObject): + __doc__ = _(""" + Vault object. + """) + + base_dn = DN(api.env.container_vault, api.env.basedn) + + object_name = _('vault') + object_name_plural = _('vaults') + + object_class = ['ipaVault'] + default_attributes = [ + 'cn', + 'vault_id', + 'description', + ] + search_display_attributes = [ + 'cn', + 'vault_id', + 'description', + ] + + label = _('Vaults') + label_singular = _('Vault') + + takes_params = ( + Str( + 'cn', + cli_name='vault_name', + label=_('Vault name'), + primary_key=True, + pattern='^[a-zA-Z0-9_.-/]+$', + pattern_errmsg='may only include letters, numbers, _, ., -, and /', + maxlength=255, + ), + Str( + 'vault_id?', + cli_name='vault_id', + label=_('Vault ID'), + doc=_('Vault ID'), + flags={'no_option', 'virtual_attribute'}, + ), + Str( + 'description?', + cli_name='desc', + label=_('Description'), + doc=_('Vault description'), + ), + ) + + def get_dn(self, *args, **options): + """ + Generates vault DN from vault ID. 
+ """ + + # get vault ID from parameters + vault_name = args[0] + parent_id = self.api.Object.vaultcontainer.normalize_id( + options.get('parent_id')) + + vault_id = self.merge_id(vault_name, parent_id) + vault_id = self.absolute_id(vault_id) + + dn = self.base_dn + + # for each name in the ID, prepend the base DN + for name in vault_id.split(u'/'): + if name: + dn = DN(('cn', name), dn) + + return dn + + def get_id(self, dn): + """ + Generates vault ID from vault DN. + """ + + # make sure the DN is a vault DN + if not dn.endswith(self.base_dn, 1): + raise ValueError('Invalid vault DN: %s' % dn) + + # construct the vault ID from the bottom up + id = u'' + for rdn in dn[:-len(self.base_dn)]: + name = rdn['cn'] + id = u'/' + name + id + + return id + + def split_id(self, id): + """ + Splits a vault ID into (vault name, parent ID) tuple. + """ + + if not id: + return (None, None) + + # split ID into parent ID and vault name + parts = id.rsplit(u'/', 1) + + if len(parts) == 2: + vault_name = parts[1] + parent_id = u'%s/' % parts[0] + + else: + vault_name = parts[0] + parent_id = None + + if not vault_name: + vault_name = None + + return (vault_name, parent_id) + + def merge_id(self, vault_name, parent_id): + """ + Merges a vault name and a parent ID into a vault ID. + """ + + if not vault_name: + id = parent_id + + elif vault_name.startswith('/') or not parent_id: + id = vault_name + + else: + id = parent_id + vault_name + + return id + + def absolute_id(self, id): + """ + Generate absolute vault ID. + """ + + if not id: + return self.api.Object.vaultcontainer.get_private_id() + + # if it's an absolute ID, do nothing + if id.startswith(u'/'): + return id + + # otherwise, prepend with user's private container ID + return self.api.Object.vaultcontainer.get_private_id() + id + + def normalize_params(self, *args, **options): + """ + Normalizes the vault ID in the parameters. 
+ """ + + vault_id = self.parse_params(*args, **options) + (vault_name, parent_id) = self.split_id(vault_id) + return self.update_params(vault_name, parent_id, *args, **options) + + def parse_params(self, *args, **options): + """ + Extracts the vault name and parent ID in the parameters. + """ + + # get vault name and parent ID from parameters + vault_name = args[0] + parent_id = self.api.Object.vaultcontainer.normalize_id( + options.get('parent_id')) + + return self.merge_id(vault_name, parent_id) + + def update_params( + self, new_vault_name, new_parent_id, *args, **options): + """ + Stores vault name and parent ID back into the parameters. + """ + + args_list = list(args) + args_list[0] = new_vault_name + args = tuple(args_list) + + options['parent_id'] = new_parent_id + + return (args, options) + + def create_entry(self, dn, description=None): + """ + Creates vault entry and its parents. + """ + + rdn = dn[0] + entry = self.backend.make_entry( + dn, + { + 'objectclass': self.object_class, + 'cn': rdn['cn'], + 'description': description, + }) + + # if entry can be added return + try: + self.backend.add_entry(entry) + return + + except errors.NotFound: + pass + + # otherwise, create parent entry first + parent_dn = DN(*dn[1:]) + self.api.Object.vaultcontainer.create_entry(parent_dn) + + # then create the entry itself + self.backend.add_entry(entry) + + def get_kra_id(self, id): + """ + Generates a client key ID to store/retrieve data in KRA. 
+ """ + return 'ipa:' + id + + + at register() +class vault_add(LDAPQuery): + __doc__ = _('Create a new vault.') + + takes_options = LDAPQuery.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Str( + 'description?', + cli_name='desc', + doc=_('Vault description'), + ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), + Bytes( + 'data?', + cli_name='data', + doc=_('Binary data to archive'), + ), + Str( + 'text?', + cli_name='text', + doc=_('Text data to archive'), + ), + Str( # TODO: use File parameter + 'in?', + cli_name='in', + doc=_('File containing data to archive'), + ), + ) + + has_output = output.standard_entry + + msg_summary = _('Added vault "%(value)s"') + + def forward(self, *args, **options): + + options['create'] = True + + try: + response = self.api.Command.vault_archive(*args, **options) + + except errors.DuplicateEntry: + self.obj.handle_duplicate_entry(*args) + + response['summary'] = self.msg_summary % response + return response + + + at register() +class vault_del(LDAPDelete): + __doc__ = _('Delete a vault.') + + takes_options = LDAPDelete.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + msg_summary = _('Deleted vault "%(value)s"') + + def get_args(self): + # maintain single-valued primary key + return super(LDAPMultiQuery, self).get_args() + + def params_2_args_options(self, **params): + (args, options) = super(vault_del, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback(self, ldap, dn, *args, **options): + assert isinstance(dn, DN) + + vault_id = self.obj.get_id(dn) + + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.obj.get_kra_id(vault_id) + + # deactivate vault record in KRA + response = 
kra_client.keys.list_keys( + client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + kra_account.logout() + + return True + + + at register() +class vault_find(LDAPSearch): + __doc__ = _('Search for vaults.') + + takes_options = LDAPSearch.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + msg_summary = ngettext( + '%(count)d vault matched', + '%(count)d vaults matched', + 0, + ) + + def params_2_args_options(self, **params): + (args, options) = super(vault_find, self)\ + .params_2_args_options(**params) + parent_id = self.obj.parse_params(*args, **options) + parent_id = self.api.Object.vaultcontainer.normalize_id( + parent_id) + return self.obj.update_params(None, parent_id, *args, **options) + + def pre_callback( + self, ldap, filter, attrs_list, base_dn, scope, + *args, **options): + + assert isinstance(base_dn, DN) + + base_dn = self.obj.get_dn(*args, **options) + + return (filter, base_dn, scope) + + def post_callback(self, ldap, entries, truncated, *args, **options): + + for entry in entries: + entry['vault_id'] = self.obj.get_id(entry.dn) + + return truncated + + def handle_not_found(self, *args, **options): + + dn = self.obj.get_dn(*args, **options) + parent_id = self.obj.get_id(dn) + parent_id = self.api.Object.vaultcontainer.normalize_id( + parent_id) + + # vault container is user's private container, ignore + if parent_id == self.api.Object.vaultcontainer.get_private_id(): + return + + # otherwise, raise an error + raise errors.NotFound( + reason=self.obj.parent_not_found_msg % { + 'parent': parent_id, + 'oname': self.api.Object.vaultcontainer.object_name, + } + ) + + + at register() +class vault_mod(LDAPUpdate): + __doc__ = _('Modify a vault.') + + takes_options = LDAPUpdate.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), 
+ ) + + msg_summary = _('Modified vault "%(value)s"') + + def params_2_args_options(self, **params): + (args, options) = super(vault_mod, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback(self, ldap, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return dn + + + at register() +class vault_show(LDAPRetrieve): + __doc__ = _('Display information about a vault.') + + takes_options = LDAPRetrieve.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vault_show, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback(self, ldap, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return dn + + + at register() +class vault_transport_cert(Command): + __doc__ = _('Retrieve vault transport certificate.') + + takes_options = ( + Str( + 'out?', + cli_name='out', + doc=_('Output file to store the transport certificate'), + ), + ) + + has_output_params = ( + Str( + 'certificate', + label=_('Certificate'), + ), + ) + + def forward(self, *args, **options): + + file = options.get('out') + + # don't send these parameters to server + if 'out' in options: + del options['out'] + + response = super(vault_transport_cert, self).forward(*args, **options) + + if file: + with open(file, 'w') as f: + f.write(response['result']['certificate']) + + return response + + def execute(self, *args, **options): + + kra_client = self.api.Backend.kra.get_client() + transport_cert = kra_client.system_certs.get_transport_cert() + return { + 'result': { + 'certificate': transport_cert.encoded + } + } + + + at register() +class vault_archive(LDAPQuery): + __doc__ = _('Archive data into a vault.') + + takes_options = 
LDAPQuery.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Flag( + 'create?', + doc=_('Create new vault'), + ), + Str( + 'description?', + cli_name='desc', + doc=_('Vault description'), + ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), + Bytes( + 'data?', + cli_name='data', + doc=_('Binary data to archive'), + ), + Str( + 'text?', + cli_name='text', + doc=_('Text data to archive'), + ), + Str( # TODO: use File parameter + 'in?', + cli_name='in', + doc=_('File containing data to archive'), + ), + Str( + 'session_key?', + cli_name='session_key', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + Str( + 'vault_data?', + cli_name='vault_data', + doc=_( + 'Vault data encrypted with session key' + ' and encoded in base-64'), + ), + Str( + 'nonce?', + cli_name='nonce', + doc=_('Nonce encrypted encoded in base-64'), + ), + ) + + has_output = output.standard_entry + + msg_summary = _('Archived data into vault "%(value)s"') + + def params_2_args_options(self, **params): + (args, options) = super(vault_archive, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def forward(self, *args, **options): + + data = options.get('data') + text = options.get('text') + input_file = options.get('in') + + # don't send these parameters to server + if 'data' in options: + del options['data'] + if 'text' in options: + del options['text'] + if 'in' in options: + del options['in'] + + # get data + if data: + if text or input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + elif text: + if input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + data = text.encode() + + elif input_file: + with open(input_file, 'rb') as f: + data = f.read() + + else: + data = '' + + # initialize NSS database + 
crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) + crypto.initialize() + ipapython.nsslib.current_dbdir = paths.IPA_NSSDB_DIR + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_transport_cert(out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # generate session key + session_key = crypto.generate_session_key() + + # wrap session key with transport certificate + wrapped_session_key = crypto.asymmetric_wrap( + session_key, + nss_transport_cert + ) + + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + nonce = crypto.generate_nonce_iv() + options['nonce'] = base64.b64encode(nonce).decode('utf-8') + + vault_data = {} + vault_data[u'data'] = base64.b64encode(data).decode('utf-8') + + json_vault_data = json.dumps(vault_data) + + # wrap vault_data with session key + wrapped_vault_data = crypto.symmetric_wrap( + json_vault_data, + session_key, + nonce_iv=nonce + ) + + options['vault_data'] = base64.b64encode(wrapped_vault_data)\ + .decode('utf-8') + + return super(vault_archive, self).forward(*args, **options) + + def execute(self, *args, **options): + + dn = self.obj.get_dn(*args, **options) + vault_id = self.obj.get_id(dn) + (vault_name, parent_id) = self.obj.split_id(vault_id) + + create = options.get('create') + + if create: + description = options.get('description') + + # creating new vault + self.obj.create_entry( + dn, + description=description, + ) + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.obj.get_kra_id(vault_id) + + # deactivate existing vault record in KRA + response = 
kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + for key_info in response.key_infos: + kra_client.keys.modify_key_status( + key_info.get_key_id(), + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + wrapped_session_key = base64.b64decode(options['session_key']) + nonce = base64.b64decode(options['nonce']) + + # forward wrapped data to KRA + wrapped_vault_data = base64.b64decode(options['vault_data']) + + kra_client.keys.archive_encrypted_data( + client_key_id, + pki.key.KeyClient.PASS_PHRASE_TYPE, + wrapped_vault_data, + wrapped_session_key, + None, + nonce, + ) + + kra_account.logout() + + response = {} + response['result'] = vault + response['value'] = vault_name + response['summary'] = self.msg_summary % response + + return response + + + at register() +class vault_retrieve(LDAPQuery): + __doc__ = _('Retrieve a data from a vault.') + + takes_options = LDAPQuery.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Flag( + 'show_text?', + doc=_('Show text data'), + autofill=False, + ), + Flag( + 'stdout?', + doc=_('Show data on standard output'), + autofill=False, + ), + Str( + 'out?', + cli_name='out', + doc=_('File to store retrieved data'), + ), + Str( + 'session_key?', + cli_name='session_key', + doc=_( + 'Session key wrapped with transport certificate' + ' and encoded in base-64'), + ), + ) + + has_output = output.standard_entry + + has_output_params = LDAPQuery.has_output_params + ( + Bytes( + 'data', + label=_('Data'), + ), + Bytes( + 'text', + label=_('Text'), + ), + ) + + msg_summary = _('Retrieved data from vault "%(value)s"') + + def params_2_args_options(self, **params): + (args, options) = super(vault_retrieve, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def forward(self, *args, **options): + + show_text = options.get('show_text') + stdout = options.get('stdout') + output_file = options.get('out') + + # don't send these 
parameters to server + if 'show_text' in options: + del options['show_text'] + if 'stdout' in options: + del options['stdout'] + if 'out' in options: + del options['out'] + + # initialize NSS database + crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) + crypto.initialize() + ipapython.nsslib.current_dbdir = paths.IPA_NSSDB_DIR + + # generate session key + session_key = crypto.generate_session_key() + + # retrieve transport certificate + (file, filename) = tempfile.mkstemp() + os.close(file) + try: + self.api.Command.vault_transport_cert(out=unicode(filename)) + transport_cert_der = nss.read_der_from_file(filename, True) + nss_transport_cert = nss.Certificate(transport_cert_der) + + finally: + os.remove(filename) + + # wrap session key with transport certificate + wrapped_session_key = crypto.asymmetric_wrap( + session_key, + nss_transport_cert + ) + + # send retrieval request to server + options['session_key'] = base64.b64encode(wrapped_session_key)\ + .decode('utf-8') + + response = super(vault_retrieve, self).forward(*args, **options) + + result = response['result'] + nonce = base64.b64decode(result['nonce']) + + # unwrap data with session key + wrapped_vault_data = base64.b64decode(result['vault_data']) + + json_vault_data = crypto.symmetric_unwrap( + wrapped_vault_data, + session_key, + nonce_iv=nonce) + + vault_data = json.loads(json_vault_data) + data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + + if stdout: + sys.stdout.write(data) + response['result'] = {} + response['summary'] = None + + elif output_file: + with open(output_file, 'w') as f: + f.write(data) + + elif show_text: + response['result']['text'] = unicode(data) + + else: + response['result']['data'] = data + + return response + + def execute(self, *args, **options): + ldap = self.obj.backend + + dn = self.obj.get_dn(*args, **options) + vault_id = self.obj.get_id(dn) + (vault_name, parent_id) = self.obj.split_id(vault_id) + + # retrieve vault info + vault = 
self.api.Command.vault_show(vault_id)['result'] + + wrapped_session_key = base64.b64decode(options['session_key']) + + # connect to KRA + kra_client = self.api.Backend.kra.get_client() + + kra_account = pki.account.AccountClient(kra_client.connection) + kra_account.login() + + client_key_id = self.obj.get_kra_id(vault_id) + + # find vault record in KRA + response = kra_client.keys.list_keys( + client_key_id, + pki.key.KeyClient.KEY_STATUS_ACTIVE) + + if not len(response.key_infos): + raise errors.NotFound(reason=_('Missing archived data.')) + + key_info = response.key_infos[0] + + # retrieve encrypted data from KRA + key = kra_client.keys.retrieve_key( + key_info.get_key_id(), + wrapped_session_key) + + vault['vault_data'] = base64.b64encode( + key.encrypted_data).decode('utf-8') + vault['nonce'] = base64.b64encode(key.nonce_data).decode('utf-8') + + kra_account.logout() + + response = {} + response['result'] = vault + response['value'] = vault_name + response['summary'] = self.msg_summary % response + + return response diff --git a/ipalib/plugins/vaultcontainer.py b/ipalib/plugins/vaultcontainer.py new file mode 100644 index 0000000000000000000000000000000000000000..577d9d8a3cde5e3e55401f51d343a07bb2a1687d --- /dev/null +++ b/ipalib/plugins/vaultcontainer.py 
@@ -0,0 +1,503 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import base64 + +from ipalib import api, errors +from ipalib import Str, Flag +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPMultiQuery +from ipalib.request import context +from ipalib.plugins.user import split_principal +from ipalib import _, ngettext +from ipapython.dn import DN + +__doc__ = _(""" +Vault containers +""") + _(""" +Manage vault containers. +""") + _(""" +EXAMPLES: +""") + _(""" + List private vault containers: + ipa vaultcontainer-find +""") + _(""" + List top-level vault containers: + ipa vaultcontainer-find / +""") + _(""" + List shared vault containers: + ipa vaultcontainer-find /shared +""") + _(""" + Add a vault container: + ipa vaultcontainer-add MyContainer +""") + _(""" + Show a vault container: + ipa vaultcontainer-show MyContainer +""") + _(""" + Modify a vault container: + ipa vaultcontainer-mod MyContainer --desc "My container" +""") + _(""" + Delete a vault container: + ipa vaultcontainer-del MyContainer +""") + +register = Registry() + + + at register() +class vaultcontainer(LDAPObject): + __doc__ = _(""" + Vault container object. 
+ """) + + object_name = _('vault container') + object_name_plural = _('vault containers') + + object_class = ['ipaVaultContainer'] + default_attributes = [ + 'cn', + 'container_id', + 'description', + ] + search_display_attributes = [ + 'cn', + 'container_id', + 'description', + ] + + label = _('Vault Containers') + label_singular = _('Vault Container') + + takes_params = ( + Str( + 'cn', + cli_name='container_name', + label=_('Container name'), + primary_key=True, + pattern='^[a-zA-Z0-9_.-/]+$', + pattern_errmsg='may only include letters, numbers, _, ., -, and /', + maxlength=255, + ), + Str( + 'container_id?', + cli_name='container_id', + label=_('Container ID'), + doc=_('Container ID'), + flags={'no_option', 'virtual_attribute'}, + ), + Str( + 'description?', + cli_name='desc', + label=_('Description'), + doc=_('Container description'), + ), + ) + + def get_dn(self, *args, **options): + """ + Generates vault container DN from container ID. + """ + + # get container ID from parameters + container_name = args[0] + parent_id = self.normalize_id(options.get('parent_id')) + + container_id = self.merge_id(container_name, parent_id) + container_id = self.absolute_id(container_id) + + dn = self.api.Object.vault.base_dn + + # for each name in the ID, prepend the base DN + for name in container_id.split(u'/'): + if name: + dn = DN(('cn', name), dn) + + return dn + + def get_id(self, dn): + """ + Generates container ID from container DN. + """ + + # make sure the DN is a container DN + if not dn.endswith(self.api.Object.vault.base_dn, 1): + raise ValueError('Invalid container DN: %s' % dn) + + # construct container ID from the bottom up + id = u'/' + for rdn in dn[:-len(self.api.Object.vault.base_dn)]: + name = rdn['cn'] + id = u'/' + name + id + + return id + + def get_private_id(self, username=None): + """ + Returns user's private container ID (i.e. /users//). 
+ """ + + if not username: + principal = getattr(context, 'principal') + (username, realm) = split_principal(principal) + + return u'/users/' + username + u'/' + + def normalize_id(self, id): + """ + Normalizes container ID. + """ + + # make sure ID ends with slash + if id and not id.endswith(u'/'): + return id + u'/' + + return id + + def absolute_id(self, id): + """ + Generate absolute container ID. + """ + + # if ID is empty, return user's private container ID + if not id: + return self.get_private_id() + + # if it's an absolute ID, do nothing + if id.startswith(u'/'): + return id + + # otherwise, prepend with user's private container ID + return self.get_private_id() + id + + def split_id(self, id): + """ + Splits a normalized container ID into (container name, parent ID) + tuple. + """ + + # handle root ID + if id == u'/': + return (None, u'/') + + # split ID into parent ID, container name, and empty string + parts = id.rsplit(u'/', 2) + + if len(parts) == 3: + container_name = parts[1] + parent_id = u'%s/' % parts[0] + + elif len(parts) == 2: + container_name = parts[0] + parent_id = None + + if not container_name: + container_name = None + + return (container_name, parent_id) + + def merge_id(self, container_name, parent_id): + """ + Merges a container name and a parent ID into a container ID. + """ + + if not container_name: + id = parent_id + + elif container_name.startswith('/') or not parent_id: + id = container_name + + else: + id = parent_id + container_name + + return self.normalize_id(id) + + def normalize_params(self, *args, **options): + """ + Normalizes the container ID in the parameters. + """ + + container_id = self.parse_params(*args, **options) + (container_name, parent_id) = self.split_id(container_id) + return self.update_params(container_name, parent_id, *args, **options) + + def parse_params(self, *args, **options): + """ + Extracts the container name and parent ID in the parameters. 
+ """ + + container_name = args[0] + parent_id = self.normalize_id(options.get('parent_id')) + + return self.merge_id(container_name, parent_id) + + def update_params( + self, new_container_name, new_parent_id, *args, **options): + """ + Stores container name and parent ID back into the parameters. + """ + + args_list = list(args) + args_list[0] = new_container_name + args = tuple(args_list) + + options['parent_id'] = new_parent_id + + return (args, options) + + def create_entry(self, dn): + """ + Creates a container entry and its parents. + """ + + rdn = dn[0] + entry = self.backend.make_entry( + dn, + { + 'objectclass': self.object_class, + 'cn': rdn['cn'], + }) + + # if entry can be added return + try: + self.backend.add_entry(entry) + return + + except errors.NotFound: + pass + + # otherwise, create parent entry first + parent_dn = DN(*dn[1:]) + self.create_entry(parent_dn) + + # then create the entry itself + self.backend.add_entry(entry) + + + at register() +class vaultcontainer_add(LDAPCreate): + __doc__ = _('Create a new vault container.') + + takes_options = LDAPCreate.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + msg_summary = _('Added vault container "%(value)s"') + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_add, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def pre_callback( + self, ldap, dn, entry_attrs, attrs_list, + *args, **options): + assert isinstance(dn, DN) + + container_id = self.obj.get_id(dn) + (container_name, parent_id) = self.obj.split_id(container_id) + + # parent is user's private container, create parent + if parent_id == self.obj.get_private_id(): + try: + self.obj.create_entry(DN(*dn[1:])) + except errors.DuplicateEntry: + pass + + return dn + + def post_callback(self, ldap, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = 
self.obj.get_id(dn) + + return dn + + def handle_not_found(self, *args, **options): + + dn = self.obj.get_dn(*args, **options) + container_id = self.obj.get_id(dn) + (container_name, parent_id) = self.obj.split_id(container_id) + + raise errors.NotFound( + reason=self.obj.parent_not_found_msg % { + 'parent': parent_id, + 'oname': self.obj.object_name, + } + ) + + + at register() +class vaultcontainer_del(LDAPDelete): + __doc__ = _('Delete a vault container.') + + takes_options = LDAPDelete.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Flag( + 'force?', + doc=_('Force deletion'), + autofill=False, + ), + ) + + msg_summary = _('Deleted vault container "%(value)s"') + + def get_args(self): + # maintain single-valued primary key + return super(LDAPMultiQuery, self).get_args() + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_del, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def pre_callback(self, ldap, dn, *args, **options): + assert isinstance(dn, DN) + + try: + entries = ldap.get_entries( + dn, scope=ldap.SCOPE_ONELEVEL, attrs_list=[]) + except errors.NotFound: + pass + else: + if not options.get('force', False): + raise errors.NotAllowedOnNonLeaf( + message=_('Container is not empty. 
' + 'Specify --force to force deletion.')) + print 'Deleting %d entries' % len(entries) + + return dn + + + at register() +class vaultcontainer_find(LDAPSearch): + __doc__ = _('Search for vault containers.') + + takes_options = LDAPSearch.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + msg_summary = ngettext( + '%(count)d vault container matched', + '%(count)d vault containers matched', + 0, + ) + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_find, self)\ + .params_2_args_options(**params) + parent_id = self.obj.parse_params(*args, **options) + return self.obj.update_params(None, parent_id, *args, **options) + + def pre_callback( + self, ldap, filter, attrs_list, base_dn, scope, + *args, **options): + assert isinstance(base_dn, DN) + + base_dn = self.obj.get_dn(*args, **options) + + return (filter, base_dn, scope) + + def post_callback(self, ldap, entries, truncated, *args, **options): + + for entry in entries: + entry['container_id'] = self.obj.get_id(entry.dn) + + return truncated + + def handle_not_found(self, *args, **options): + + dn = self.obj.get_dn(*args, **options) + parent_id = self.obj.get_id(dn) + + # parent is user's private container, ignore + if parent_id == self.obj.get_private_id(): + return + + # otherwise, raise an error + raise errors.NotFound( + reason=self.obj.parent_not_found_msg % { + 'parent': parent_id, + 'oname': self.obj.object_name, + } + ) + + + at register() +class vaultcontainer_mod(LDAPUpdate): + __doc__ = _('Modify a vault container.') + + takes_options = LDAPUpdate.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + msg_summary = _('Modified vault container "%(value)s"') + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_mod, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback(self, ldap, dn, 
entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return dn + + + at register() +class vaultcontainer_show(LDAPRetrieve): + __doc__ = _('Display information about a vault container.') + + takes_options = LDAPRetrieve.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_show, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback(self, ldap, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return dn diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py new file mode 100644 index 0000000000000000000000000000000000000000..1b3d864bfdb2c911cdb9021d79f9ce07eb72b06e --- /dev/null +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
@@ -0,0 +1,394 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +Test the `ipalib/plugins/vault.py` module. +""" + +from ipalib import api, errors +from xmlrpc_test import Declarative, fuzzy_string + +test_vault = u'test_vault' +shared_test_vault = u'/shared/%s' % test_vault + +binary_data = '\x01\x02\x03\x04' +text_data = u'secret' + + +class test_vault_plugin(Declarative): + + cleanup_commands = [ + ('vault_del', [test_vault], {'continue': True}), + ('vault_del', [shared_test_vault], {'continue': True}), + ] + + tests = [ + + { + 'desc': 'Create test vault', + 'command': ( + 'vault_add', + [test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': 'Added vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + }, + }, + }, + + { + 'desc': 'Create duplicate vault', + 'command': ( + 'vault_add', + [test_vault], + {}, + ), + 'expected': errors.DuplicateEntry( + message=u'vault with name "%s" already exists' % test_vault), + }, + + { + 'desc': 'Find test vaults', + 'command': ( + 'vault_find', + [], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault matched', + 'result': [ + { + 'dn': 
u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + }, + ], + }, + }, + + { + 'desc': 'Show test vault', + 'command': ( + 'vault_show', + [test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': None, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + }, + }, + }, + + { + 'desc': 'Modify test vault', + 'command': ( + 'vault_mod', + [test_vault], + { + 'description': u'Test vault', + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Modified vault "%s"' % test_vault, + 'result': { + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'description': [u'Test vault'], + }, + }, + }, + + { + 'desc': 'Archive binary data', + 'command': ( + 'vault_archive', + [test_vault], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Archived data into vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'description': [u'Test vault'], + }, + }, + }, + + { + 'desc': 'Retrieve binary data', + 'command': ( + 'vault_retrieve', + [test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Retrieved data from vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'description': [u'Test vault'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive text data', + 'command': ( + 'vault_archive', + [test_vault], + { + 'text': text_data, + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Archived data into vault "%s"' % test_vault, + 
'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'description': [u'Test vault'], + }, + }, + }, + + { + 'desc': 'Retrieve text data', + 'command': ( + 'vault_retrieve', + [test_vault], + { + 'show_text': True, + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Retrieved data from vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'description': [u'Test vault'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'text': text_data, + }, + }, + }, + + { + 'desc': 'Delete test vault', + 'command': ( + 'vault_del', + [test_vault], + {}, + ), + 'expected': { + 'value': [test_vault], + 'summary': u'Deleted vault "%s"' % test_vault, + 'result': { + 'failed': (), + }, + }, + }, + + { + 'desc': 'Delete non-existent vault', + 'command': ( + 'vault_del', + [test_vault], + {}, + ), + 'expected': errors.NotFound( + reason=u'%s: vault not found' % test_vault), + }, + + { + 'desc': 'Create shared vault', + 'command': ( + 'vault_add', + [shared_test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Added vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': shared_test_vault, + }, + }, + }, + + { + 'desc': 'Find shared vaults', + 'command': ( + 'vault_find', + [u'/shared/'], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault matched', + 'result': [ + { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': shared_test_vault, + }, + ], + }, + }, + + { + 'desc': 'Show shared vault', + 'command': ( + 'vault_show', + [shared_test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': None, + 
'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': shared_test_vault, + }, + }, + }, + + { + 'desc': 'Modify shared vault', + 'command': ( + 'vault_mod', + [shared_test_vault], + { + 'description': u'Test vault', + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Modified vault "%s"' % test_vault, + 'result': { + 'cn': [test_vault], + 'vault_id': shared_test_vault, + 'description': [u'Test vault'], + }, + }, + }, + + { + 'desc': 'Archive binary data in shared vault', + 'command': ( + 'vault_archive', + [shared_test_vault], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Archived data into vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': shared_test_vault, + 'description': [u'Test vault'], + }, + }, + }, + + { + 'desc': 'Retrieve binary data in shared vault', + 'command': ( + 'vault_retrieve', + [shared_test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': u'Retrieved data from vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': shared_test_vault, + 'description': [u'Test vault'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Delete shared vault', + 'command': ( + 'vault_del', + [shared_test_vault], + {}, + ), + 'expected': { + 'value': [test_vault], + 'summary': u'Deleted vault "%s"' % test_vault, + 'result': { + 'failed': (), + }, + }, + }, + + ] diff --git a/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py new file mode 100644 index 0000000000000000000000000000000000000000..8cd21458fe1dae64773593dab1a0833e1a233d67 --- /dev/null +++ b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py 
@@ -0,0 +1,436 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +Test the `ipalib/plugins/vaultcontainer.py` module. +""" + +from ipalib import api, errors +from xmlrpc_test import Declarative + +test_container = u'test_container' +private_container = test_container +shared_test_container = u'/shared/%s' % test_container +service_test_container = u'/services/%s' % test_container + +base_container = u'base_container' +child_container = u'child_container' +grandchild_container = u'grandchild_container' + + +class test_vaultcontainer_plugin(Declarative): + + cleanup_commands = [ + ('vaultcontainer_del', [private_container], {'continue': True}), + ('vaultcontainer_del', [shared_test_container], {'continue': True}), + ('vaultcontainer_del', [service_test_container], {'continue': True}), + ('vaultcontainer_del', [base_container], { + 'force': True, 'continue': True}), + ] + + tests = [ + + { + 'desc': 'Find top-level containers', + 'command': ( + 'vaultcontainer_find', + [], + { + 'parent_id': u'/', + }, + ), + 'expected': { + 'count': 3, + 'truncated': False, + 'summary': u'3 vault containers matched', + 'result': [ + { + 'dn': u'cn=services,cn=vaults,%s' % api.env.basedn, + 'cn': [u'services'], + 'container_id': u'/services/', + 'description': [u'Services vault container'], + }, + { + 
'dn': u'cn=shared,cn=vaults,%s' % api.env.basedn, + 'cn': [u'shared'], + 'container_id': u'/shared/', + 'description': [u'Shared vault container'], + }, + { + 'dn': u'cn=users,cn=vaults,%s' % api.env.basedn, + 'cn': [u'users'], + 'container_id': u'/users/', + 'description': [u'Users vault container'], + }, + ], + }, + }, + + { + 'desc': 'Create private container', + 'command': ( + 'vaultcontainer_add', + [private_container], + {}, + ), + 'expected': { + 'value': private_container, + 'summary': 'Added vault container "%s"' % private_container, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (private_container, api.env.basedn), + 'objectclass': (u'ipaVaultContainer', u'top'), + 'cn': [private_container], + 'container_id': u'/users/admin/%s/' % private_container, + }, + }, + }, + + { + 'desc': 'Create duplicate container', + 'command': ( + 'vaultcontainer_add', + [private_container], + {}, + ), + 'expected': errors.DuplicateEntry( + message=u'vault container with name "%s" already exists' + % private_container), + }, + + { + 'desc': 'Find private containers', + 'command': ( + 'vaultcontainer_find', + [], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault container matched', + 'result': [ + { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (private_container, api.env.basedn), + 'cn': [private_container], + 'container_id': u'/users/admin/%s/' + % private_container, + }, + ], + }, + }, + + { + 'desc': 'Show private container', + 'command': ( + 'vaultcontainer_show', + [private_container], + {}, + ), + 'expected': { + 'value': private_container, + 'summary': None, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (private_container, api.env.basedn), + 'cn': [private_container], + 'container_id': u'/users/admin/%s/' % private_container, + }, + }, + }, + + { + 'desc': 'Modify private container', + 'command': ( + 'vaultcontainer_mod', + [private_container], + { + 'description': u'Private container', + 
}, + ), + 'expected': { + 'value': private_container, + 'summary': 'Modified vault container "%s"' % private_container, + 'result': { + 'cn': [private_container], + 'container_id': u'/users/admin/%s/' % private_container, + 'description': [u'Private container'], + }, + }, + }, + + { + 'desc': 'Delete private container', + 'command': ( + 'vaultcontainer_del', + [private_container], + {}, + ), + 'expected': { + 'value': [private_container], + 'summary': u'Deleted vault container "%s"' % private_container, + 'result': { + 'failed': (), + }, + }, + }, + + { + 'desc': 'Delete non-existent container', + 'command': ( + 'vaultcontainer_del', + [private_container], + {}, + ), + 'expected': errors.NotFound( + reason=u'%s: vault container not found' % private_container), + }, + + { + 'desc': 'Create shared container', + 'command': ( + 'vaultcontainer_add', + [shared_test_container], + {}, + ), + 'expected': { + 'value': test_container, + 'summary': 'Added vault container "%s"' % test_container, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_container, api.env.basedn), + 'objectclass': (u'ipaVaultContainer', u'top'), + 'cn': [test_container], + 'container_id': u'/shared/%s/' % test_container, + }, + }, + }, + + { + 'desc': 'Find shared containers', + 'command': ( + 'vaultcontainer_find', + [u'/shared/'], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault container matched', + 'result': [ + { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_container, api.env.basedn), + 'cn': [test_container], + 'container_id': u'/shared/%s/' % test_container, + }, + ], + }, + }, + + { + 'desc': 'Show shared container', + 'command': ( + 'vaultcontainer_show', + [shared_test_container], + {}, + ), + 'expected': { + 'value': test_container, + 'summary': None, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_container, api.env.basedn), + 'cn': [test_container], + 'container_id': u'/shared/%s/' % test_container, + }, + }, + }, + + 
{ + 'desc': 'Modify shared container', + 'command': ( + 'vaultcontainer_mod', + [shared_test_container], + { + 'description': u'shared container', + }, + ), + 'expected': { + 'value': test_container, + 'summary': 'Modified vault container "%s"' % test_container, + 'result': { + 'cn': [test_container], + 'container_id': u'/shared/%s/' % test_container, + 'description': [u'shared container'], + }, + }, + }, + + { + 'desc': 'Delete shared container', + 'command': ( + 'vaultcontainer_del', + [shared_test_container], + {}, + ), + 'expected': { + 'value': [test_container], + 'summary': u'Deleted vault container "%s"' % test_container, + 'result': { + 'failed': (), + }, + }, + }, + + { + 'desc': 'Create service container', + 'command': ( + 'vaultcontainer_add', + [service_test_container], + {}, + ), + 'expected': { + 'value': test_container, + 'summary': 'Added vault container "%s"' % test_container, + 'result': { + 'dn': u'cn=%s,cn=services,cn=vaults,%s' + % (test_container, api.env.basedn), + 'objectclass': (u'ipaVaultContainer', u'top'), + 'cn': [test_container], + 'container_id': u'/services/%s/' % test_container, + }, + }, + }, + { + 'desc': 'Create base container', + 'command': ( + 'vaultcontainer_add', + [base_container], + {}, + ), + 'expected': { + 'value': base_container, + 'summary': 'Added vault container "%s"' % base_container, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (base_container, api.env.basedn), + 'objectclass': (u'ipaVaultContainer', u'top'), + 'cn': [base_container], + 'container_id': u'/users/admin/%s/' % base_container, + }, + }, + }, + + { + 'desc': 'Create child container', + 'command': ( + 'vaultcontainer_add', + [child_container], + { + 'parent_id': base_container, + }, + ), + 'expected': { + 'value': child_container, + 'summary': 'Added vault container "%s"' % child_container, + 'result': { + 'dn': u'cn=%s,cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (child_container, base_container, api.env.basedn), + 'objectclass': 
(u'ipaVaultContainer', u'top'), + 'cn': [child_container], + 'container_id': u'/users/admin/%s/%s/' + % (base_container, child_container), + }, + }, + }, + + { + 'desc': 'Create grandchild container', + 'command': ( + 'vaultcontainer_add', + [grandchild_container], + { + 'parent_id': base_container + u'/' + child_container, + }, + ), + 'expected': { + 'value': grandchild_container, + 'summary': 'Added vault container "%s"' % grandchild_container, + 'result': { + 'dn': u'cn=%s,cn=%s,cn=%s,cn=admin,cn=users,cn=vaults,%s' + % ( + grandchild_container, + child_container, + base_container, + api.env.basedn), + 'objectclass': (u'ipaVaultContainer', u'top'), + 'cn': [grandchild_container], + 'container_id': u'/users/admin/%s/%s/%s/' + % ( + base_container, + child_container, + grandchild_container), + }, + }, + }, + + { + 'desc': 'Delete base container', + 'command': ( + 'vaultcontainer_del', + [base_container], + {}, + ), + 'expected': errors.NotAllowedOnNonLeaf( + message=u'Container is not empty. ' + u'Specify --force to force deletion.'), + }, + + { + 'desc': 'Delete base container with force', + 'command': ( + 'vaultcontainer_del', + [base_container], + { + 'force': True, + }, + ), + 'expected': { + 'value': [base_container], + 'summary': u'Deleted vault container "%s"' % base_container, + 'result': { + 'failed': (), + }, + }, + }, + + { + 'desc': 'Delete non-existent container', + 'command': ( + 'vaultcontainer_del', + [base_container], + {}, + ), + 'expected': errors.NotFound( + reason=u'%s: vault container not found' % base_container), + }, + + ] -- 2.3.1 -------------- next part -------------- >From b9563e971228339c632f8b318f8fc89f96d81af8 Mon Sep 17 00:00:00 2001 
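Review bot: the `cn` pattern `'^[a-zA-Z0-9_.-/]+$'` in `vaultcontainer.takes_params` (ipalib/plugins/vaultcontainer.py hunk) does not accept the hyphen that its `pattern_errmsg` promises: inside a character class `.-/` is a range from `.` to `/`, so only those two characters match and a name such as `my-container` is rejected with a misleading message; put the hyphen last, e.g. `pattern='^[a-zA-Z0-9_./-]+$'`. Two smaller points in the same hunk: `create_entry` recurses with `parent_dn = DN(*dn[1:])` on every `errors.NotFound` without checking that `parent_dn` still lies under `self.api.Object.vault.base_dn`, so a missing `cn=vaults` entry would make it try to add `ipaVaultContainer` entries above the vault subtree; stop (raise) once the parent reaches the base DN. And `vaultcontainer_del.pre_callback` writes `print 'Deleting %d entries' % len(entries)` to the server process's stdout while nothing in the visible code removes those child entries when `--force` is given; drop the print (or use the logger) and add a comment saying that the subtree removal is left to `LDAPDelete`, so the next reader does not have to guess. `split_id` also leaves `container_name` unbound when `rsplit` yields a single part; an explicit `else: raise ValueError(...)` gives a clean error for a non-normalized ID.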
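Review bot: none of the container names in the ipatests/test_xmlrpc/test_vaultcontainer_plugin.py hunk contain a `-`, although `pattern_errmsg` in the plugin advertises `-` (and `.`) as allowed; one `vaultcontainer_add` case with a name like `u'test-container.v1'` next to 'Create private container' would exercise the `cn` pattern end to end. Also, two cases in this hunk share the title 'Delete non-existent container'; distinct `desc` values (e.g. naming the private and the base container) make a failure easier to locate in the Declarative output.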
From: "Endi S. Dewata" Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control. New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New commands have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 132 +++++++++++++-- install/share/60basev3.ldif | 4 +- install/updates/40-vault.update | 17 ++ ipalib/plugins/vault.py | 178 +++++++++++++++++++-- ipalib/plugins/vaultcontainer.py | 167 ++++++++++++++++++- ipatests/test_xmlrpc/test_vault_plugin.py | 12 ++ ipatests/test_xmlrpc/test_vaultcontainer_plugin.py | 10 ++ 7 files changed, 487 insertions(+), 33 deletions(-) diff --git a/API.txt b/API.txt index ebae899fe93fd742b052de9ca5e63ad567c437ef..e7e39ec7e64b0e9878ba8a00e89f4124991adc92 100644 --- a/API.txt +++ b/API.txt @@ -4521,7 +4521,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') option: Str('in?', cli_name='in') -option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('text?', cli_name='text') 
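Review bot: the `ipavaulttype` option is silently dropped from `vault_add` in this hunk (`-option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard')` is replaced by `+option: Flag('no_members', autofill=True, default=False, exclude='webui')`), and the same happens to `vault_archive` in the `@@ -4537,7 +4563,7 @@` hunk, although the commit message only describes new ACIs and the owner/member commands; if removing the vault type is intended, state it in the commit message, otherwise keep the `ipavaulttype` line and raise the `args:` option count for `vault_add` by one. Separately, the diffstat lists no change to `VERSION`; an API.txt change that adds four commands and changes several arg counts needs the API minor version bumped.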
@@ -4529,6 +4529,32 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive args: 1,13,3 arg: 
Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) @@ -4537,7 +4563,7 @@ option: Flag('create?', autofill=True, default=False) option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') option: Str('in?', cli_name='in') -option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('nonce?', cli_name='nonce') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -4558,11 +4584,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,10,4 +args: 1,11,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
@@ -4575,12 +4602,13 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4590,10 +4618,37 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_remove_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_remove_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_retrieve -args: 1,8,3 
+args: 1,9,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('out?', cli_name='out') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -4605,9 +4660,10 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_show -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4621,12 +4677,13 @@ option: Str('out?', cli_name='out') option: Str('version?', exclude='webui') output: Output('result', None, None) command: vaultcontainer_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('container_id', attribute=False, cli_name='container_id', multivalue=False, required=False) option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') 
@@ -4634,6 +4691,32 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vaultcontainer_add_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vaultcontainer_add_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: 
vaultcontainer_del args: 1,4,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) @@ -4645,12 +4728,13 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vaultcontainer_find -args: 1,10,4 +args: 1,11,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) option: Str('container_id', attribute=False, autofill=False, cli_name='container_id', multivalue=False, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
@@ -4662,13 +4746,14 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vaultcontainer_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('container_id', attribute=False, autofill=False, cli_name='container_id', multivalue=False, required=False) option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4677,10 +4762,37 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vaultcontainer_remove_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vaultcontainer_remove_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: 
vaultcontainer_show -args: 1,5,3 +args: 1,6,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index c04f8d5d096bc3d91aec3e2f1703f658d76d3779..cdabfac35488bda184af564a174306a681183084 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -77,5 +77,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update index dac2f67112dc33f012c6d559285464fb7c944d1a..95915f77e5366b75de23409e5554598e7495b5df 100644 --- a/install/updates/40-vault.update +++ b/install/updates/40-vault.update 
@@ -3,6 +3,23 @@ default: objectClass: top default: objectClass: ipaVaultContainer default: cn: vaults default: description: Root vault container +default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,$SUFFIX")(targetattr="*")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Container members can access the container"; allow(read, search, compare) userattr="member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Indirect container members can access the container"; allow(read, search, compare) userattr="member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Container members can access sub-containers"; allow(read, search, compare) userattr="parent[1].member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Indirect container members can access sub-containers"; allow(read, search, compare) userattr="parent[1].member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Container owners can manage the container"; allow(read, search, compare, write) userattr="owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage the container"; allow(read, search, compare, write) userattr="owner#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Container owners can manage sub-containers"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage sub-containers"; 
allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container members can access vaults in the container"; allow(read, search, compare) userattr="parent[1].member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container members can access vaults in the container"; allow(read, search, compare) userattr="parent[1].member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";) dn: cn=services,cn=vaults,$SUFFIX default: objectClass: top diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 9945581bed2844e753e8b0ec9ac12af2374ab7bd..ae4c6fe5cae4b7d6c41464cebcb3ec820912efe3 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py 
@@ -35,7 +35,8 @@ from ipalib import Str, Bytes, Flag from ipalib import output from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPQuery, LDAPMultiQuery + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPQuery, LDAPMultiQuery,\ + LDAPAddMember, LDAPRemoveMember from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext @@ -73,6 +74,18 @@ EXAMPLES: """) + _(""" Delete a vault: ipa vault-del MyVault +""") + _(""" + Add a vault owner: + ipa vault-add-owner MyVault --users testuser +""") + _(""" + Delete a vault owner: + ipa vault-remove-owner MyVault --users testuser +""") + _(""" + Add a vault member: + ipa vault-add-member MyVault --users testuser +""") + _(""" + Delete a vault member: + ipa vault-remove-member MyVault --users testuser """) register = Registry() @@ -94,12 +107,18 @@ class vault(LDAPObject): 'cn', 'vault_id', 'description', + 'owner', + 'member', ] search_display_attributes = [ 'cn', 'vault_id', 'description', ] + attribute_members = { + 'owner': ['user', 'group'], + 'member': ['user', 'group'], + } label = _('Vaults') label_singular = _('Vault') @@ -258,7 +277,7 @@ class vault(LDAPObject): return (args, options) - def create_entry(self, dn, description=None): + def create_entry(self, dn, description=None, owner=None): """ Creates vault entry and its parents. """ @@ -270,6 +289,7 @@ class vault(LDAPObject): 'objectclass': self.object_class, 'cn': rdn['cn'], 'description': description, + 'owner': owner, }) # if entry can be added return @@ -282,7 +302,7 @@ class vault(LDAPObject): # otherwise, create parent entry first parent_dn = DN(*dn[1:]) - self.api.Object.vaultcontainer.create_entry(parent_dn) + self.api.Object.vaultcontainer.create_entry(parent_dn, owner=owner) # then create the entry itself self.backend.add_entry(entry) 
@@ -309,13 +329,6 @@ class vault_add(LDAPQuery): cli_name='desc', doc=_('Vault description'), ), - Str( - 'ipavaulttype?', - cli_name='type', - doc=_('Vault type'), - default=u'standard', - autofill=True, - ), Bytes( 'data?', cli_name='data', @@ -412,6 +425,17 @@ class vault_find(LDAPSearch): ), ) + has_output_params = LDAPSearch.has_output_params + ( + Str( + 'owner_user', + label=_('Owner users'), + ), + Str( + 'owner_group', + label=_('Owner groups'), + ), + ) + msg_summary = ngettext( '%(count)d vault matched', '%(count)d vaults matched', @@ -502,6 +526,17 @@ class vault_show(LDAPRetrieve): ), ) + has_output_params = LDAPRetrieve.has_output_params + ( + Str( + 'owner_user', + label=_('Owner users'), + ), + Str( + 'owner_group', + label=_('Owner groups'), + ), + ) + def params_2_args_options(self, **params): (args, options) = super(vault_show, self)\ .params_2_args_options(**params) @@ -580,13 +615,6 @@ class vault_archive(LDAPQuery): cli_name='desc', doc=_('Vault description'), ), - Str( - 'ipavaulttype?', - cli_name='type', - doc=_('Vault type'), - default=u'standard', - autofill=True, - ), Bytes( 'data?', cli_name='data', @@ -725,10 +753,16 @@ class vault_archive(LDAPQuery): if create: description = options.get('description') + # get user + principal = getattr(context, 'principal') + (username, realm) = split_principal(principal) + owner_dn = self.api.Object.user.get_dn(username) + # creating new vault self.obj.create_entry( dn, description=description, + owner=owner_dn, ) # retrieve vault info 
@@ -954,3 +988,113 @@ class vault_retrieve(LDAPQuery): response['summary'] = self.msg_summary % response return response + + + at register() +class vault_add_owner(LDAPAddMember): + __doc__ = _('Add owners to a vault.') + + takes_options = LDAPAddMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + member_attributes = ['owner'] + member_count_out = ('%i owner added.', '%i owners added.') + + def params_2_args_options(self, **params): + (args, options) = super(vault_add_owner, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vault_remove_owner(LDAPRemoveMember): + __doc__ = _('Remove owners from a vault.') + + takes_options = LDAPRemoveMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + member_attributes = ['owner'] + member_count_out = ('%i owner removed.', '%i owners removed.') + + def params_2_args_options(self, **params): + (args, options) = super(vault_remove_owner, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vault_add_member(LDAPAddMember): + __doc__ = _('Add members to a vault.') + + takes_options = LDAPAddMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vault_add_member, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + 
self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vault_remove_member(LDAPRemoveMember): + __doc__ = _('Remove members from a vault.') + + takes_options = LDAPRemoveMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vault_remove_member, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['vault_id'] = self.obj.get_id(dn) + + return (completed, dn) diff --git a/ipalib/plugins/vaultcontainer.py b/ipalib/plugins/vaultcontainer.py index 577d9d8a3cde5e3e55401f51d343a07bb2a1687d..4aad9b7b25f2f633fa7c2ac21085839241664a5e 100644 --- a/ipalib/plugins/vaultcontainer.py +++ b/ipalib/plugins/vaultcontainer.py @@ -23,7 +23,8 @@ from ipalib import api, errors from ipalib import Str, Flag from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPMultiQuery + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPMultiQuery, LDAPAddMember,\ + LDAPRemoveMember from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext 
@@ -56,6 +57,18 @@ EXAMPLES: """) + _(""" Delete a vault container: ipa vaultcontainer-del MyContainer +""") + _(""" + Add a vault container owner: + ipa vaultcontainer-add-owner MyContainer --users testuser +""") + _(""" + Delete a vault container owner: + ipa vaultcontainer-remove-owner MyContainer --users testuser +""") + _(""" + Add a vault container member: + ipa vaultcontainer-add-member MyContainer --users testuser +""") + _(""" + Delete a vault container member: + ipa vaultcontainer-remove-member MyContainer --users testuser """) register = Registry() @@ -75,12 +88,18 @@ class vaultcontainer(LDAPObject): 'cn', 'container_id', 'description', + 'owner', + 'member', ] search_display_attributes = [ 'cn', 'container_id', 'description', ] + attribute_members = { + 'owner': ['user', 'group'], + 'member': ['user', 'group'], + } label = _('Vault Containers') label_singular = _('Vault Container') @@ -261,7 +280,7 @@ class vaultcontainer(LDAPObject): return (args, options) - def create_entry(self, dn): + def create_entry(self, dn, owner=None): """ Creates a container entry and its parents. """ @@ -272,6 +291,7 @@ class vaultcontainer(LDAPObject): { 'objectclass': self.object_class, 'cn': rdn['cn'], + 'owner': owner, }) # if entry can be added return @@ -284,7 +304,7 @@ class vaultcontainer(LDAPObject): # otherwise, create parent entry first parent_dn = DN(*dn[1:]) - self.create_entry(parent_dn) + self.create_entry(parent_dn, owner=owner) # then create the entry itself self.backend.add_entry(entry) 
@@ -317,10 +337,17 @@ class vaultcontainer_add(LDAPCreate): container_id = self.obj.get_id(dn) (container_name, parent_id) = self.obj.split_id(container_id) + # get user + principal = getattr(context, 'principal') + (username, realm) = split_principal(principal) + owner_dn = self.api.Object.user.get_dn(username) + entry_attrs['owner'] = owner_dn + # parent is user's private container, create parent if parent_id == self.obj.get_private_id(): try: - self.obj.create_entry(DN(*dn[1:])) + self.obj.create_entry( + DN(*dn[1:]), owner=owner_dn) except errors.DuplicateEntry: pass @@ -405,6 +432,17 @@ class vaultcontainer_find(LDAPSearch): ), ) + has_output_params = LDAPSearch.has_output_params + ( + Str( + 'owner_user', + label=_('Owner users'), + ), + Str( + 'owner_group', + label=_('Owner groups'), + ), + ) + msg_summary = ngettext( '%(count)d vault container matched', '%(count)d vault containers matched', @@ -490,6 +528,17 @@ class vaultcontainer_show(LDAPRetrieve): ), ) + has_output_params = LDAPRetrieve.has_output_params + ( + Str( + 'owner_user', + label=_('Owner users'), + ), + Str( + 'owner_group', + label=_('Owner groups'), + ), + ) + def params_2_args_options(self, **params): (args, options) = super(vaultcontainer_show, self)\ .params_2_args_options(**params) 
@@ -501,3 +550,113 @@ class vaultcontainer_show(LDAPRetrieve): entry_attrs['container_id'] = self.obj.get_id(dn) return dn + + + at register() +class vaultcontainer_add_owner(LDAPAddMember): + __doc__ = _('Add owners to a vault container.') + + takes_options = LDAPAddMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + member_attributes = ['owner'] + member_count_out = ('%i owner added.', '%i owners added.') + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_add_owner, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vaultcontainer_remove_owner(LDAPRemoveMember): + __doc__ = _('Remove owners from a vault container.') + + takes_options = LDAPRemoveMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + member_attributes = ['owner'] + member_count_out = ('%i owner removed.', '%i owners removed.') + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_remove_owner, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vaultcontainer_add_member(LDAPAddMember): + __doc__ = _('Add members to a vault container.') + + takes_options = LDAPAddMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_add_member, self)\ + 
.params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return (completed, dn) + + + at register() +class vaultcontainer_remove_member(LDAPRemoveMember): + __doc__ = _('Remove members from a vault container.') + + takes_options = LDAPRemoveMember.takes_options + ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + ) + + def params_2_args_options(self, **params): + (args, options) = super(vaultcontainer_remove_member, self)\ + .params_2_args_options(**params) + return self.obj.normalize_params(*args, **options) + + def post_callback( + self, ldap, completed, failed, dn, entry_attrs, *args, **options): + assert isinstance(dn, DN) + + entry_attrs['container_id'] = self.obj.get_id(dn) + + return (completed, dn) diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 1b3d864bfdb2c911cdb9021d79f9ce07eb72b06e..4c46cf7783071873b6accf9b63a0f819b720103e 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -55,6 +55,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, + 'owner_user': [u'admin'], }, }, }, @@ -107,6 +108,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, + 'owner_user': [u'admin'], }, }, }, @@ -127,6 +129,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], }, }, }, 
@@ -149,6 +152,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], }, }, }, @@ -169,6 +173,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'data': binary_data, @@ -194,6 +199,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], }, }, }, @@ -216,6 +222,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'text': text_data, @@ -265,6 +272,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': shared_test_vault, + 'owner_user': [u'admin'], }, }, }, @@ -306,6 +314,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': shared_test_vault, + 'owner_user': [u'admin'], }, }, }, @@ -326,6 +335,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': shared_test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], }, }, }, @@ -348,6 +358,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': shared_test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], }, }, }, @@ -368,6 +379,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': shared_test_vault, 'description': [u'Test vault'], + 'owner_user': [u'admin'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'data': binary_data, 
diff --git a/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py index 8cd21458fe1dae64773593dab1a0833e1a233d67..b7c79618a955dc68b89628e402849a865a9e4388 100644 --- a/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py +++ b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py @@ -98,6 +98,7 @@ class test_vaultcontainer_plugin(Declarative): 'objectclass': (u'ipaVaultContainer', u'top'), 'cn': [private_container], 'container_id': u'/users/admin/%s/' % private_container, + 'owner_user': [u'admin'], }, }, }, @@ -152,6 +153,7 @@ class test_vaultcontainer_plugin(Declarative): % (private_container, api.env.basedn), 'cn': [private_container], 'container_id': u'/users/admin/%s/' % private_container, + 'owner_user': [u'admin'], }, }, }, @@ -172,6 +174,7 @@ class test_vaultcontainer_plugin(Declarative): 'cn': [private_container], 'container_id': u'/users/admin/%s/' % private_container, 'description': [u'Private container'], + 'owner_user': [u'admin'], }, }, }, @@ -219,6 +222,7 @@ class test_vaultcontainer_plugin(Declarative): 'objectclass': (u'ipaVaultContainer', u'top'), 'cn': [test_container], 'container_id': u'/shared/%s/' % test_container, + 'owner_user': [u'admin'], }, }, }, @@ -260,6 +264,7 @@ class test_vaultcontainer_plugin(Declarative): % (test_container, api.env.basedn), 'cn': [test_container], 'container_id': u'/shared/%s/' % test_container, + 'owner_user': [u'admin'], }, }, }, @@ -280,6 +285,7 @@ class test_vaultcontainer_plugin(Declarative): 'cn': [test_container], 'container_id': u'/shared/%s/' % test_container, 'description': [u'shared container'], + 'owner_user': [u'admin'], }, }, }, @@ -316,6 +322,7 @@ class test_vaultcontainer_plugin(Declarative): 'objectclass': (u'ipaVaultContainer', u'top'), 'cn': [test_container], 'container_id': u'/services/%s/' % test_container, + 'owner_user': [u'admin'], }, }, }, 
@@ -335,6 +342,7 @@ class test_vaultcontainer_plugin(Declarative): 'objectclass': (u'ipaVaultContainer', u'top'), 'cn': [base_container], 'container_id': u'/users/admin/%s/' % base_container, + 'owner_user': [u'admin'], }, }, }, @@ -358,6 +366,7 @@ class test_vaultcontainer_plugin(Declarative): 'cn': [child_container], 'container_id': u'/users/admin/%s/%s/' % (base_container, child_container), + 'owner_user': [u'admin'], }, }, }, @@ -388,6 +397,7 @@ class test_vaultcontainer_plugin(Declarative): base_container, child_container, grandchild_container), + 'owner_user': [u'admin'], }, }, }, -- 2.3.1 -------------- next part -------------- >From 4859732dbb43da17cfeaf6a431ee40afb6bbcce1 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 24 Oct 2014 19:53:16 -0400 Subject: [PATCH] Added symmetric and asymmetric vaults. The vault plugin has been modified to support symmetric and asymmetric vaults for additional layer of security. It will use python-cryptography for the crypto functionality. New LDAP attribute types have been added to store vault type, salt and public key. New test cases have been added as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 31 ++- freeipa.spec.in | 2 + install/share/60basev3.ldif | 4 +- ipalib/plugins/vault.py | 441 +++++++++++++++++++++++++++++- ipatests/test_xmlrpc/test_vault_plugin.py | 240 ++++++++++++++++ 5 files changed, 710 insertions(+), 8 deletions(-) diff --git a/API.txt b/API.txt index e7e39ec7e64b0e9878ba8a00e89f4124991adc92..e8912070b96cbb7b53a7811465cfc6cd6bc9059d 100644 --- a/API.txt +++ b/API.txt 
@@ -4515,14 +4515,19 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,9,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') option: Str('in?', cli_name='in') +option: Bytes('ipapublickey?', cli_name='public_key') +option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('text?', cli_name='text') option: Str('version?', exclude='webui') 
@@ -4556,16 +4561,22 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,13,3 +args: 1,19,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('create?', autofill=True, default=False) option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') option: Str('in?', cli_name='in') +option: Bytes('ipapublickey?', cli_name='public_key') +option: Str('ipavaultsalt?', cli_name='salt') +option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('nonce?', cli_name='nonce') option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('session_key?', cli_name='session_key') option: Str('text?', cli_name='text') 
@@ -4584,11 +4595,14 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,11,4 +args: 1,14,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, query=True, required=False) +option: Str('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, query=True, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('pkey_only?', autofill=True, default=False) 
@@ -4602,12 +4616,15 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,11,3 +args: 1,14,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) +option: Str('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) +option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent_id?', cli_name='parent_id') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') 
@@ -4645,12 +4662,16 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_retrieve -args: 1,9,3 +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('out?', cli_name='out') option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('session_key?', cli_name='session_key') option: Flag('show_text?', autofill=True, default=False) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8d58f2568e1de418c25cb1bd34fc7d4736a15e54..228b7f7ed86eaac58643fd1fce19dccdceb85565 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -94,6 +94,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.1-0.1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-cryptography %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -150,6 +151,7 @@ Requires: openssl Requires: softhsm >= 2.0.0b1-3 Requires: p11-kit Requires: systemd-python +Requires: python-cryptography Conflicts: %{alt_name}-server Obsoletes: %{alt_name}-server < %{version} diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index cdabfac35488bda184af564a174306a681183084..9e0f70a41ef50e78d4e464bab428325dfb6568fa 100644 --- a/install/share/60basev3.ldif 
+++ b/install/share/60basev3.ldif @@ -54,6 +54,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' ) attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') +attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') +attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
@@ -77,5 +79,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member ) X-ORIGIN 'IPA v4.2' ) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index ae4c6fe5cae4b7d6c41464cebcb3ec820912efe3..848488d646f87e52ff44dfa95d024372f2c9bd2c 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py 
@@ -18,11 +18,20 @@ # along with this program. If not, see . import base64 +import getpass import json import os import sys import tempfile +from cryptography.fernet import Fernet, InvalidToken +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ + load_pem_private_key + import nss.nss as nss import pki.account @@ -60,6 +69,12 @@ EXAMPLES: Add a standard vault: ipa vault-add MyVault """) + _(""" + Add a symmetric vault: + ipa vault-add MyVault --type symmetric --password-file password.txt +""") + _(""" + Add an asymmetric vault: + ipa vault-add MyVault --type asymmetric --public-key-file public.pem +""") + _(""" Show a vault: ipa vault-show MyVault """) + _(""" @@ -72,6 +87,21 @@ EXAMPLES: Retrieve data from standard vault: ipa vault-retrieve MyVault --out data.bin """) + _(""" + Archive data into symmetric vault: + ipa vault-archive MyVault --in data.bin --password-file password.txt +""") + _(""" + Archive data into asymmetric vault: + ipa vault-archive MyVault --in data.bin +""") + _(""" + Retrieve data from standard vault: + ipa vault-retrieve MyVault --out data.bin +""") + _(""" + Retrieve data from symmetric vault: + ipa vault-retrieve MyVault --out data.bin --password-file password.txt +""") + _(""" + Retrieve data from asymmetric vault: + ipa vault-retrieve MyVault --out data.bin --private-key-file private.pem +""") + _(""" Delete a vault: ipa vault-del MyVault """) + _(""" @@ -109,11 +139,15 @@ class vault(LDAPObject): 'description', 'owner', 'member', + 'ipavaulttype', + 'ipavaultsalt', + 'ipapublickey', ] search_display_attributes = [ 'cn', 'vault_id', 'description', + 'ipavaulttype', ] attribute_members = { 'owner': ['user', 'group'], 
@@ -146,6 +180,26 @@ class vault(LDAPObject): label=_('Description'), doc=_('Vault description'), ), + Str( + 'ipavaulttype?', + cli_name='type', + label=_('Type'), + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), + Str( + 'ipavaultsalt?', + cli_name='salt', + label=_('Salt'), + doc=_('Vault salt in base-64'), + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + label=_('Public key'), + doc=_('Vault public key'), + ), ) def get_dn(self, *args, **options): @@ -277,7 +331,8 @@ class vault(LDAPObject): return (args, options) - def create_entry(self, dn, description=None, owner=None): + def create_entry(self, dn, description=None, vault_type=u'standard', + salt=None, public_key=None, owner=None): """ Creates vault entry and its parents. """ @@ -289,6 +344,9 @@ class vault(LDAPObject): 'objectclass': self.object_class, 'cn': rdn['cn'], 'description': description, + 'ipavaulttype': vault_type, + 'ipavaultsalt': salt, + 'ipapublickey': public_key, 'owner': owner, }) 
@@ -313,6 +371,90 @@ class vault(LDAPObject): """ return 'ipa:' + id + def get_password(self, new=False): + """ + Gets password from user. + """ + + if new: + while True: + password = unicode(getpass.getpass('New password: ')) + password2 = unicode(getpass.getpass('Verify password: ')) + + if password == password2: + return password + + print ' ** Passwords do not match! **' + + return unicode(getpass.getpass('Password: ')) + + def generate_symmetric_key(self, password, salt): + """ + Generates symmetric key from password and salt. + """ + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt=salt, + iterations=100000, + backend=default_backend() + ) + + return base64.b64encode(kdf.derive(password.encode('utf-8'))) + + def encrypt(self, data, symmetric_key=None, public_key=None): + """ + Encrypts data with symmetric key or public key. + """ + if symmetric_key: + fernet = Fernet(symmetric_key) + return fernet.encrypt(data) + + elif public_key: + rsa_public_key = load_pem_public_key( + data=public_key, + backend=default_backend() + ) + return rsa_public_key.encrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + + def decrypt(self, data, symmetric_key=None, private_key=None): + """ + Decrypts data with symmetric key or public key. + """ + if symmetric_key: + try: + fernet = Fernet(symmetric_key) + return fernet.decrypt(data) + except InvalidToken: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + + elif private_key: + try: + rsa_private_key = load_pem_private_key( + data=private_key, + password=None, + backend=default_backend() + ) + return rsa_private_key.decrypt( + data, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ) + except AssertionError: + raise errors.AuthenticationError( + message=_('Invalid credentials')) + @register() class vault_add(LDAPQuery): 
@@ -329,6 +471,13 @@ class vault_add(LDAPQuery): cli_name='desc', doc=_('Vault description'), ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), Bytes( 'data?', cli_name='data', @@ -344,6 +493,26 @@ class vault_add(LDAPQuery): cli_name='in', doc=_('File containing data to archive'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + doc=_('Vault public key'), + ), + Str( # TODO: use File parameter + 'public_key_file?', + cli_name='public_key_file', + doc=_('File containing the vault public key'), + ), ) has_output = output.standard_entry @@ -615,6 +784,13 @@ class vault_archive(LDAPQuery): cli_name='desc', doc=_('Vault description'), ), + Str( + 'ipavaulttype?', + cli_name='type', + doc=_('Vault type'), + default=u'standard', + autofill=True, + ), Bytes( 'data?', cli_name='data', @@ -649,6 +825,31 @@ class vault_archive(LDAPQuery): cli_name='nonce', doc=_('Nonce encrypted encoded in base-64'), ), + Str( + 'ipavaultsalt?', + cli_name='salt', + doc=_('Vault salt in base-64'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'ipapublickey?', + cli_name='public_key', + doc=_('Vault public key'), + ), + Str( # TODO: use File parameter + 'public_key_file?', + cli_name='public_key_file', + doc=_('File containing the vault public key'), + ), ) has_output = output.standard_entry 
@@ -662,9 +863,38 @@ class vault_archive(LDAPQuery): def forward(self, *args, **options): + dn = self.obj.get_dn(*args, **options) + vault_id = self.obj.get_id(dn) + + create = options.get('create') data = options.get('data') text = options.get('text') input_file = options.get('in') + password = options.get('password') + password_file = options.get('password_file') + + if create: + vault_type = options.get('ipavaulttype', u'standard') + public_key = options.get('ipapublickey') + public_key_file = options.get('public_key_file') + + else: + vault_type = u'standard' + salt = None + public_key = None + public_key_file = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = base64.b64decode(vault['ipavaultsalt'][0]) + + if 'ipapublickey' in vault: + public_key = vault['ipapublickey'][0].encode('utf-8') # don't send these parameters to server if 'data' in options: @@ -673,6 +903,12 @@ class vault_archive(LDAPQuery): del options['text'] if 'in' in options: del options['in'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'public_key_file' in options: + del options['public_key_file'] # get data if data: 
@@ -694,6 +930,94 @@ class vault_archive(LDAPQuery): else: data = '' + encrypted_key = None + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + if create: + # generate vault salt + salt = os.urandom(16) + options['ipavaultsalt'] = base64.b64encode(salt)\ + .decode('utf-8') + + # get new password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = self.obj.get_password(new=True) + + else: + # get existing password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = self.obj.get_password() + + # verify existing password + self.api.Command.vault_retrieve( + vault_id, + password=password) + + # generate encryption key from vault password + encryption_key = self.obj.generate_symmetric_key( + password, salt) + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + elif vault_type == u'asymmetric': + + # generate encryption key + encryption_key = base64.b64encode(os.urandom(32)) + + if create: + # generate vault salt + salt = os.urandom(16) + options['ipavaultsalt'] = base64.b64encode(salt)\ + .decode('utf-8') + + # get new vault public key + if public_key: + pass + + elif public_key_file: + with open(public_key_file, 'rb') as f: + public_key = f.read() + + else: + raise errors.ValidationError( + name='ipapublickey', + error=_('Missing vault public key')) + + # store vault public key + options['ipapublickey'] = public_key + + # encrypt data with encryption key + data = self.obj.encrypt(data, symmetric_key=encryption_key) + + # encrypt encryption key with public key + encrypted_key = self.obj.encrypt( + encryption_key, public_key=public_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + # initialize NSS database crypto = 
pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) crypto.initialize() @@ -728,6 +1052,10 @@ class vault_archive(LDAPQuery): vault_data = {} vault_data[u'data'] = base64.b64encode(data).decode('utf-8') + if encrypted_key: + vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\ + .decode('utf-8') + json_vault_data = json.dumps(vault_data) # wrap vault_data with session key @@ -749,9 +1077,12 @@ class vault_archive(LDAPQuery): (vault_name, parent_id) = self.obj.split_id(vault_id) create = options.get('create') + salt = options.get('ipavaultsalt') if create: description = options.get('description') + vault_type = options.get('ipavaulttype') + public_key = options.get('ipapublickey') # get user principal = getattr(context, 'principal') @@ -762,6 +1093,9 @@ class vault_archive(LDAPQuery): self.obj.create_entry( dn, description=description, + vault_type=vault_type, + salt=salt, + public_key=public_key, owner=owner_dn, ) @@ -843,6 +1177,26 @@ class vault_retrieve(LDAPQuery): 'Session key wrapped with transport certificate' ' and encoded in base-64'), ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), ) has_output = output.standard_entry @@ -852,7 +1206,7 @@ class vault_retrieve(LDAPQuery): 'data', label=_('Data'), ), - Bytes( + Str( 'text', label=_('Text'), ), 
@@ -867,9 +1221,28 @@ class vault_retrieve(LDAPQuery): def forward(self, *args, **options): + dn = self.obj.get_dn(*args, **options) + vault_id = self.obj.get_id(dn) + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = base64.b64decode(vault['ipavaultsalt'][0]) + show_text = options.get('show_text') stdout = options.get('stdout') output_file = options.get('out') + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') # don't send these parameters to server if 'show_text' in options: @@ -878,6 +1251,14 @@ class vault_retrieve(LDAPQuery): del options['stdout'] if 'out' in options: del options['out'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] # initialize NSS database crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) 
@@ -924,6 +1305,62 @@ class vault_retrieve(LDAPQuery): vault_data = json.loads(json_vault_data) data = base64.b64decode(vault_data[u'data'].encode('utf-8')) + encrypted_key = None + + if 'encrypted_key' in vault_data: + encrypted_key = base64.b64decode(vault_data[u'encrypted_key'] + .encode('utf-8')) + + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get encryption key from vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + # generate encryption key from password + encryption_key = self.obj.generate_symmetric_key(password, salt) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + elif vault_type == u'asymmetric': + + # get encryption key with vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + # decrypt encryption key with private key + encryption_key = self.obj.decrypt( + encrypted_key, private_key=private_key) + + # decrypt data with encryption key + data = self.obj.decrypt(data, symmetric_key=encryption_key) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + if stdout: sys.stdout.write(data) response['result'] = {} diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 4c46cf7783071873b6accf9b63a0f819b720103e..218aa49dfd08de5b36a734ea84e7aa58a25a4d1b 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
@@ -26,16 +26,107 @@ from xmlrpc_test import Declarative, fuzzy_string test_vault = u'test_vault' shared_test_vault = u'/shared/%s' % test_vault +symmetric_vault = u'symmetric_vault' +asymmetric_vault = u'asymmetric_vault' binary_data = '\x01\x02\x03\x04' text_data = u'secret' +password = u'password' +other_password = u'other_password' + +public_key = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/ +pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe +k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB +tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N +otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO +pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6 +3wIDAQAB +-----END PUBLIC KEY----- +""" + +private_key = """ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1 ++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2 +38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ +OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr +igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9 +i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi +jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8 +X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7 +8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33 +e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom +fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27 +Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc +k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V +NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC +N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON +axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU +EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+ 
+YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx +lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh +higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/ +1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh +hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P +D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt +Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ +kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw== +-----END RSA PRIVATE KEY----- +""" + +other_public_key = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7E/QLVyKjrgDctZ50U7 +rmtL7Ks1QLoccp9WvZJ6WI1rYd0fX5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkk +Rl/3wK7fWNLenH/+VHOaTQc20exg7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLH +w3zrmrO5SIZ8njxMoDcQJa2vu/t281U/I7ti8ue09FSitIECU05vgmPS+MnXR8HK +PxXqrNkjl29mXNbPiByWwlse3Prwved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1 +O8gRaRg1r+ENVpmMSvXo4+8+bR3rEYddD5zU7nKXafeuthXlXplae/8uZmCiSI63 +TwIDAQAB +-----END PUBLIC KEY----- +""" + +other_private_key = """ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAv7E/QLVyKjrgDctZ50U7rmtL7Ks1QLoccp9WvZJ6WI1rYd0f +X5FySS4dI6QTNZc6qww8NeNuZtkoxT9m1wkkRl/3wK7fWNLenH/+VHOaTQc20exg +7ztfsO7JIsmKmigtticdR5C4jLfjcOp+WjLHw3zrmrO5SIZ8njxMoDcQJa2vu/t2 +81U/I7ti8ue09FSitIECU05vgmPS+MnXR8HKPxXqrNkjl29mXNbPiByWwlse3Prw +ved9I7fwgpiHJqUBFudD/0tZ4DWyLG7t9wM1O8gRaRg1r+ENVpmMSvXo4+8+bR3r +EYddD5zU7nKXafeuthXlXplae/8uZmCiSI63TwIDAQABAoIBAQCA+0GFR9F+isjx +Xy+qBpKmxLl8kKKvX8r+cSpLOkEqTlW/rqqKgnI0vVuL/L2UJKKsLvpghBxoBZyC +RCvtatBGrhIlS0UrHg/9m73Ek1hylfUUAQokTn4PrkwWJSgmm/xOATmZSs5ymNTn +yFCmXl69sdNR77YvD5bQXeBtOT+bKXy7yQ1TmYPwwSjL+WSlMV6ZfE3HNVmxPTpk +CTFS638cJblWk9MUIy8HIlhu6If2P4RnHr7ZGGivhREayvs0zXcAfqhIyFHruxSE +yYnmqH9paWjv5mP3YyLoKr+NUvvxnBr/9wCTt0TKgG8G6rpkHuPDLQni9wUGnew8 +QdMgFEohAoGBAPH4vaVB5gDVfvIqwJBsBLHpPq72GvxjrM/exD0jIIpXZxz9gCql +CmC5b1RS1uy8PMoc/RO4CE7UTLaTesciP6LjTD1RhH3rLLJO8/iVC1RXgMrCLHLm 
+ZQnDhIQGGNQxpvBjQy5ZOWat2dFxYhHN630IFPOtrWsOmJ5HsL1JrjzxAoGBAMrO +R1zNwQ42VbJS6AFshZVjmUV2h3REGh4zG/9IqL0Hz493hyCTGoDPLLXIbtkqNqzQ +XibSZ9RMVPKKTiNQTx91DTgh4Anz8xUr84tA2iAf3ayNWKi3Y3GhmP2EWp1qYeom +kV8Uq0lt4dHZuEo3LuqvbtbzlF9qUXqKS5qy6Tg/AoGBAKCp02o2HjzxhS/QeTmr +r1ZeE7PiTzrECAuh01TwzPtuW1XhcEdgfEqK9cPcmT5pIkflBZkhOcr1pdYYiI5O +TEigeY/BX6KoE251hALLG9GtpCN82DyWhAH+oy9ySOwj5793eTT+I2HtD1LE4SQH +QVQsmJTP/fS2pVl7KnwUvy9RAoGBAKzo2qchNewsHzx+uxgbsnkABfnXaP2T4sDE +yqYJCPTB6BFl02vOf9Y6zN/gF8JH333P2bY3xhaXTgXMLXqmSg+D+NVW7HEP8Lyo +UGj1zgN9p74qdODEGqETKiFb6vYzcW/1mhP6x18/tDz658k+611kXZge7O288+MK +bhNjXrx5AoGBAMox25PcxVgOjCd9+LdUcIOG6LQ971eCH1NKL9YAekICnwMrStbK +veCYju6ok4ZWnMiH8MR1jgC39RWtjJZwynCuPXUP2/vZkoVf1tCZyz7dSm8TdS/2 +5NdOHVy7+NQcEPSm7/FmXdpcR9ZSGAuxMBfnEUibdyz5LdJGnFUN/+HS +-----END RSA PRIVATE KEY----- +""" + class test_vault_plugin(Declarative): cleanup_commands = [ ('vault_del', [test_vault], {'continue': True}), ('vault_del', [shared_test_vault], {'continue': True}), + ('vault_del', [symmetric_vault], {'continue': True}), + ('vault_del', [asymmetric_vault], {'continue': True}), ] tests = [ @@ -56,6 +147,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -88,6 +180,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, + 'ipavaulttype': [u'standard'], }, ], }, @@ -109,6 +202,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': u'/users/admin/%s' % test_vault, 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -130,6 +224,7 @@ class test_vault_plugin(Declarative): 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, 
@@ -153,6 +248,7 @@ class test_vault_plugin(Declarative): 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -174,6 +270,7 @@ class test_vault_plugin(Declarative): 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'data': binary_data, @@ -200,6 +297,7 @@ class test_vault_plugin(Declarative): 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -223,6 +321,7 @@ class test_vault_plugin(Declarative): 'vault_id': u'/users/admin/%s' % test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'text': text_data, @@ -273,6 +372,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': shared_test_vault, 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -294,6 +394,7 @@ class test_vault_plugin(Declarative): % (test_vault, api.env.basedn), 'cn': [test_vault], 'vault_id': shared_test_vault, + 'ipavaulttype': [u'standard'], }, ], }, @@ -315,6 +416,7 @@ class test_vault_plugin(Declarative): 'cn': [test_vault], 'vault_id': shared_test_vault, 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -336,6 +438,7 @@ class test_vault_plugin(Declarative): 'vault_id': shared_test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, @@ -359,6 +462,7 @@ class test_vault_plugin(Declarative): 'vault_id': shared_test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], }, }, }, 
@@ -380,6 +484,7 @@ class test_vault_plugin(Declarative): 'vault_id': shared_test_vault, 'description': [u'Test vault'], 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], 'nonce': fuzzy_string, 'vault_data': fuzzy_string, 'data': binary_data, 
@@ -403,4 +508,139 @@ class test_vault_plugin(Declarative): }, }, + { + 'desc': 'Create symmetric vault', + 'command': ( + 'vault_add', + [symmetric_vault], + { + 'ipavaulttype': u'symmetric', + 'password': password, + 'data': binary_data, + }, + ), + 'expected': { + 'value': symmetric_vault, + 'summary': 'Added vault "%s"' % symmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault, api.env.basedn), + 'cn': [symmetric_vault], + 'vault_id': u'/users/admin/%s' % symmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Retrieve symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault], + { + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault, + 'summary': u'Retrieved data from vault "%s"' % symmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault, api.env.basedn), + 'cn': [symmetric_vault], + 'vault_id': u'/users/admin/%s' % symmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Retrieve symmetric vault with wrong password', + 'command': ( + 'vault_retrieve', + [symmetric_vault], + { + 'password': other_password, + }, + ), + 'expected': errors.AuthenticationError( + message=u'Invalid credentials'), + }, + + { + 'desc': 'Create asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + 'data': binary_data, + }, + ), + 'expected': { + 'value': asymmetric_vault, + 'summary': 'Added vault "%s"' % asymmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault, api.env.basedn), + 'cn': [asymmetric_vault], + 'vault_id': u'/users/admin/%s' % asymmetric_vault, + 'owner_user': 
[u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Retrieve asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault], + { + 'private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault, + 'summary': u'Retrieved data from vault "%s"' + % asymmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault, api.env.basedn), + 'cn': [asymmetric_vault], + 'vault_id': u'/users/admin/%s' % asymmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Retrieve asymmetric vault with wrong private key', + 'command': ( + 'vault_retrieve', + [asymmetric_vault], + { + 'private_key': other_private_key, + }, + ), + 'expected': errors.AuthenticationError( + message=u'Invalid credentials'), + }, + ] -- 2.3.1 -------------- next part -------------- >From 3ee085a500b46fbc7951eef871863c700a63cad5 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 8 Nov 2014 02:04:03 -0500 Subject: [PATCH] Added vault secrets. A new plugin has been added to provide the interface to manage secrets stored in a vault. New test scripts have been added as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 91 +++ ipalib/plugins/vaultsecret.py | 1000 +++++++++++++++++++++++ ipatests/test_xmlrpc/test_vaultsecret_plugin.py | 470 +++++++++++ 3 files changed, 1561 insertions(+) create mode 100644 ipalib/plugins/vaultsecret.py create mode 100644 ipatests/test_xmlrpc/test_vaultsecret_plugin.py diff --git a/API.txt b/API.txt index e8912070b96cbb7b53a7811465cfc6cd6bc9059d..efea0cca83df0ba8d24b4218a809263186da9e0d 100644 --- a/API.txt +++ b/API.txt 
@@ -4821,6 +4821,97 @@ option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vaultsecret_add +args: 2,12,3 +arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('data?', cli_name='data') +option: Str('description?', cli_name='desc') +option: Str('in?', cli_name='in') +option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('text?', cli_name='text') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vaultsecret_del +args: 2,8,3 +arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', 
cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vaultsecret_find +args: 2,12,4 +arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +arg: Str('criteria?', noextrawhitespace=False) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('data', attribute=True, autofill=False, cli_name='data', multivalue=False, query=True, required=False) +option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Flag('pkey_only?', autofill=True, default=False) +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('secret_name', attribute=True, autofill=False, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) +option: Str('version?', exclude='webui') +output: Output('count', , None) +output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: Output('truncated', , None) +command: vaultsecret_mod +args: 2,12,3 +arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, 
pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('data?', cli_name='data') +option: Str('description?', cli_name='desc') +option: Str('in?', cli_name='in') +option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('text?', cli_name='text') +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) +command: vaultsecret_show +args: 2,11,3 +arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) +arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('out?', cli_name='out') +option: Str('parent_id?', cli_name='parent_id') +option: Str('password?', cli_name='password') +option: Str('password_file?', cli_name='password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('show_text?', autofill=True, default=False) +option: Flag('stdout?', 
autofill=True, default=False) +option: Str('version?', exclude='webui') +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (, ), None) +output: PrimaryKey('value', None, None) capability: messages 2.52 capability: optional_uid_params 2.54 capability: permissions2 2.69 diff --git a/ipalib/plugins/vaultsecret.py b/ipalib/plugins/vaultsecret.py new file mode 100644 index 0000000000000000000000000000000000000000..688b64e03b63061cae13c385825f06b04d97896a --- /dev/null +++ b/ipalib/plugins/vaultsecret.py 
@@ -0,0 +1,1000 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import base64 +import getpass +import json +import sys + +from ipalib import api, errors +from ipalib import Str, Bytes, Flag +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import LDAPObject, LDAPSearch, LDAPRetrieve +from ipalib import _, ngettext + +__doc__ = _(""" +Vault secrets +""") + _(""" +Manage vault secrets. +""") + _(""" +EXAMPLES: +""") + _(""" + List vault secrets: + ipa vaultsecret-find MyVault +""") + _(""" + Add a vault secret: + ipa vaultsecret-add MyVault MySecret --in data.bin --desc "My vault secret" +""") + _(""" + Retrieve a vault secret: + ipa vaultsecret-show MyVault MySecret --out data.bin +""") + _(""" + Modify a vault secret: + ipa vaultsecret-mod MyVault MySecret --desc "My vault secret" +""") + _(""" + Delete a vault secret: + ipa vaultsecret-del MyVault MySecret +""") + +register = Registry() + + + at register() +class vaultsecret(LDAPObject): + __doc__ = _(""" + Vault secret object. 
+ """) + + parent_object = 'vault' + object_name = _('vault secret') + object_name_plural = _('vault secrets') + + default_attributes = [ + 'cn', + 'description', + 'data', + ] + search_display_attributes = [ + 'cn', + 'description', + ] + + label = _('Vault secrets') + label_singular = _('Vault secret') + + takes_params = ( + Str( + 'secret_name', + cli_name='secret', + label=_('Secret name'), + primary_key=True, + pattern='^[a-zA-Z0-9_.-]+$', + pattern_errmsg='may only include letters, numbers, _, ., and -', + maxlength=255, + ), + Str( + 'description?', + cli_name='desc', + label=_('Description'), + doc=_('Secret description'), + ), + Bytes( + 'data?', + cli_name='data', + label=_('Data'), + doc=_('Binary secret data'), + ), + ) + + def find(self, secrets, secret_name): + """ + Finds a secret with the given name in a list of secrets. + Raises an exception if the secret is not found. + """ + + for secret in secrets: + if secret['secret_name'] == secret_name: + return secret + + raise errors.NotFound( + reason=_('%s: vault secret not found' % secret_name)) + + def parse_result(self, result): + """ + Returns JSON data from vault retrieval result. 
+ """ + + vault_data = result['data'] + + if vault_data: + return json.loads(vault_data) + + return { + 'secrets': [] + } + + + at register() +class vaultsecret_add(LDAPRetrieve): + __doc__ = _('Add a new vault secret.') + + takes_options = ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Str( + 'description?', + cli_name='desc', + doc=_('Secret description'), + ), + Bytes( + 'data?', + cli_name='data', + doc=_('Binary secret data'), + ), + Str( + 'text?', + cli_name='text', + doc=_('Text secret data'), + ), + Str( + 'in?', + cli_name='in', + doc=_('File containing secret data'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), + ) + + msg_summary = _('Added vault secret "%(value)s"') + + def forward(self, *args, **options): + + dn = self.api.Object.vault.get_dn(*args, **options) + vault_id = self.api.Object.vault.get_id(dn) + secret_name = args[1] + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = vault['ipavaultsalt'][0].encode('utf-8') + + description = options.get('description') + data = options.get('data') + text = options.get('text') + input_file = options.get('in') + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + + # don't send these parameters to server + if 'data' in options: + del options['data'] + if 'text' in options: 
+ del options['text'] + if 'in' in options: + del options['in'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] + + # type-specific initialization + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + elif vault_type == u'asymmetric': + + # get vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + + # retrieve secrets + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = json_data['secrets'] + + # get data + if data: + if text or input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + elif text: + if input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + data = text.encode('utf-8') + + elif input_file: + with open(input_file, 'rb') as f: + data = f.read() + + else: + data = '' + + # add new secret + for secret in secrets: + if secret['secret_name'] == secret_name: + raise errors.DuplicateEntry( + message=_( + 'vault secret with name "%s" already exists' + % secret_name)) + + # store encoded data for storage + secret = { + 'secret_name': secret_name, + 'data': base64.b64encode(data).decode('utf-8'), + } + if description: + 
secret['description'] = description + + secrets.append(secret) + + # rearchive secrets + vault_data = json.dumps(json_data) + response = self.api.Command.vault_archive( + vault_id, + data=vault_data, + password=password) + + # restore binary data for response + secret['data'] = data + + response = { + 'value': secret_name, + 'summary': u'Added vault secret "%s"' % secret_name, + 'result': secret, + } + + return response + + + at register() +class vaultsecret_del(LDAPRetrieve): + __doc__ = _('Delete a vault secret.') + + takes_options = ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), + ) + + msg_summary = _('Deleted vault secret "%(value)s"') + + def forward(self, *args, **options): + + dn = self.api.Object.vault.get_dn(*args, **options) + vault_id = self.api.Object.vault.get_id(dn) + secret_name = args[1] + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = vault['ipavaultsalt'][0].encode('utf-8') + + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + + # don't send these parameters to server + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in 
options: + del options['private_key_file'] + + # type-specific initialization + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + elif vault_type == u'asymmetric': + + # get vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + + # retrieve secrets + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = json_data['secrets'] + + # find the secret + secret = None + for s in secrets: + if s['secret_name'] == secret_name: + secret = s + break + + if not secret: + raise errors.NotFound( + reason=_('%s: vault secret not found' % secret_name)) + + # delete secret + secrets.remove(secret) + + # rearchive secrets + vault_data = json.dumps(json_data) + response = self.api.Command.vault_archive( + vault_id, + data=vault_data, + password=password) + + response = { + 'value': secret_name, + 'summary': u'Deleted vault secret "%s"' % secret_name, + 'result': { + 'failed': (), + }, + } + + return response + + + at register() +class vaultsecret_find(LDAPSearch): + __doc__ = _('Search for vault secrets.') + + takes_options = ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + 
cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), + ) + + def forward(self, *args, **options): + + dn = self.api.Object.vault.get_dn(*args, **options) + vault_id = self.api.Object.vault.get_id(dn) + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = vault['ipavaultsalt'][0].encode('utf-8') + + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + + # don't send these parameters to server + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] + + # type-specific initialization + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + elif vault_type == u'asymmetric': + + # get vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = 
json_data['secrets'] + + # decode data for response + for secret in secrets: + secret['data'] = base64.b64decode(secret['data']) + + response = { + 'count': len(secrets), + 'truncated': False, + 'summary': u'%d vault secret matched' % len(secrets), + 'result': secrets, + } + + return response + + + at register() +class vaultsecret_mod(LDAPRetrieve): + __doc__ = _('Modify a vault secret.') + + takes_options = ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Str( + 'description?', + cli_name='desc', + doc=_('Secret description'), + ), + Bytes( + 'data?', + cli_name='data', + doc=_('Binary secret data'), + ), + Str( + 'text?', + cli_name='text', + doc=_('Text secret data'), + ), + Str( # TODO: use File parameter + 'in?', + cli_name='in', + doc=_('File containing secret data'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), + ) + + msg_summary = _('Modified vault secret "%(value)s"') + + def forward(self, *args, **options): + + dn = self.api.Object.vault.get_dn(*args, **options) + vault_id = self.api.Object.vault.get_id(dn) + secret_name = args[1] + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = vault['ipavaultsalt'][0].encode('utf-8') + + description = options.get('description') + data = options.get('data') + text = options.get('text') + input_file = options.get('in') + password = options.get('password') + password_file = options.get('password_file') + 
private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + + # don't send these parameters to server + if 'data' in options: + del options['data'] + if 'text' in options: + del options['text'] + if 'in' in options: + del options['in'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] + + # type-specific initialization + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + elif vault_type == u'asymmetric': + + # get vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + + # retrieve secrets + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = json_data['secrets'] + + # find the secret + secret = self.obj.find(secrets, secret_name) + + # get data + if data: + if text or input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + elif text: + if input_file: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + + data = text.encode() + + elif input_file: + with open(input_file, 'rb') as f: + data = f.read() + + else: + pass + + # retrieve secrets + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + 
private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = json_data['secrets'] + + # find the secret + secret = None + for s in secrets: + if s['secret_name'] == secret_name: + secret = s + break + + if not secret: + raise errors.NotFound( + reason=_('%s: vault secret not found' % secret_name)) + + # modify the secret + if description: + secret['description'] = description + if data: + secret['data'] = base64.b64encode(data).decode('utf-8') + + # rearchive secrets + vault_data = json.dumps(json_data) + response = self.api.Command.vault_archive( + vault_id, + data=vault_data, + password=password) + + # decode data for response + secret['data'] = base64.b64decode(secret['data']) + + response = { + 'value': secret_name, + 'summary': u'Modified vault secret "%s"' % secret_name, + 'result': secret, + } + + return response + + + at register() +class vaultsecret_show(LDAPRetrieve): + __doc__ = _('Display information about a vault secret.') + + takes_options = ( + Str( + 'parent_id?', + cli_name='parent_id', + doc=_('Parent ID'), + ), + Flag( + 'show_text?', + doc=_('Show text data'), + autofill=False, + ), + Flag( + 'stdout?', + doc=_('Show data on standard output'), + autofill=False, + ), + Str( + 'out?', + cli_name='out', + doc=_('File to store retrieved data'), + ), + Str( + 'password?', + cli_name='password', + doc=_('Vault password'), + ), + Str( # TODO: use File parameter + 'password_file?', + cli_name='password_file', + doc=_('File containing the vault password'), + ), + Bytes( + 'private_key?', + cli_name='private_key', + doc=_('Vault private key'), + ), + Str( # TODO: use File parameter + 'private_key_file?', + cli_name='private_key_file', + doc=_('File containing the vault private key'), + ), + ) + + has_output_params = ( + Str( + 'text', + label=_('Text'), + ), + ) + + def forward(self, *args, **options): + + dn = self.api.Object.vault.get_dn(*args, **options) + vault_id = self.api.Object.vault.get_id(dn) + secret_name = 
args[1] + + vault_type = u'standard' + salt = None + + # retrieve vault info + vault = self.api.Command.vault_show(vault_id)['result'] + + if 'ipavaulttype' in vault: + vault_type = vault['ipavaulttype'][0] + + if 'ipavaultsalt' in vault: + salt = vault['ipavaultsalt'][0].encode('utf-8') + + show_text = options.get('show_text') + stdout = options.get('stdout') + output_file = options.get('out') + password = options.get('password') + password_file = options.get('password_file') + private_key = options.get('private_key') + private_key_file = options.get('private_key_file') + + # don't send these parameters to server + if 'show_text' in options: + del options['show_text'] + if 'stdout' in options: + del options['stdout'] + if 'out' in options: + del options['out'] + if 'password' in options: + del options['password'] + if 'password_file' in options: + del options['password_file'] + if 'private_key' in options: + del options['private_key'] + if 'private_key_file' in options: + del options['private_key_file'] + + # type-specific initialization + if vault_type == u'standard': + + pass + + elif vault_type == u'symmetric': + + # get vault password + if password: + pass + + elif password_file: + with open(password_file) as f: + password = unicode(f.read().rstrip('\n')) + + else: + password = unicode(getpass.getpass('Password: ')) + + elif vault_type == u'asymmetric': + + # get vault private key + if private_key: + pass + + elif private_key_file: + with open(private_key_file, 'rb') as f: + private_key = f.read() + + else: + raise errors.ValidationError( + name='private_key', + error=_('Missing vault private key')) + + else: + raise errors.ValidationError( + name='vault_type', + error=_('Invalid vault type')) + + # retrieve secrets + result = self.api.Command.vault_retrieve( + vault_id, + password=password, + private_key=private_key)['result'] + + json_data = self.obj.parse_result(result) + + secrets = json_data['secrets'] + + secret = None + + # find the secret + for s in 
secrets: + if s['secret_name'] == secret_name: + secret = s + break + + if not secret: + raise errors.NotFound( + reason=_('%s: vault secret not found' % secret_name)) + + # decode data for response + secret['data'] = base64.b64decode(secret['data']) + + response = { + 'value': secret_name, + 'result': secret, + } + + if stdout: + sys.stdout.write(secret['data']) + response['result'] = {} + + elif output_file: + with open(output_file, 'w') as f: + f.write(secret['data']) + response['result'] = {} + + elif show_text: + response['result']['text'] = unicode(secret['data']) + del response['result']['data'] + + else: + pass + + return response diff --git a/ipatests/test_xmlrpc/test_vaultsecret_plugin.py b/ipatests/test_xmlrpc/test_vaultsecret_plugin.py new file mode 100644 index 0000000000000000000000000000000000000000..b8257299510df9efecbbba320c9d22177aad0276 --- /dev/null +++ b/ipatests/test_xmlrpc/test_vaultsecret_plugin.py 
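Review bot: In vaultsecret_show, the `out` branch writes the decrypted secret with `open(output_file, 'w')`, so the file is created with the caller's umask (typically 0644) and the secret is readable by other users from the moment it is created; open it with `os.open(output_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (and in binary mode, since `secret['data']` is raw bytes after the b64decode). Two smaller points in the same hunk: the `show_text` branch does `unicode(secret['data'])`, which on Python 2 decodes as ASCII and raises UnicodeDecodeError for any non-ASCII secret even though the add path stores text as UTF-8, so use `secret['data'].decode('utf-8')`; and `_('%s: vault secret not found' % secret_name)` (both in vaultsecret_mod and vaultsecret_show) interpolates before translation so the string can never match a catalog entry, it should be `_('%s: vault secret not found') % secret_name`. Worth a comment as well: vaultsecret_mod is a read-modify-write of the whole secrets JSON (vault_retrieve, edit, vault_archive) with no concurrency control, so two concurrent vaultsecret_add/mod/del calls on the same vault silently lose one of the updates.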
@@ -0,0 +1,470 @@ +# Authors: +# Endi S. Dewata +# +# Copyright (C) 2015 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +Test the `ipalib/plugins/vaultsecret.py` module. +""" + +from ipalib import api, errors +from xmlrpc_test import Declarative, fuzzy_string + +test_vault = u'test_vault' +shared_test_vault = u'/shared/%s' % test_vault +symmetric_vault = u'symmetric_vault' +asymmetric_vault = u'asymmetric_vault' + +test_secret = u'test_secret' +binary_data = '\x01\x02\x03\x04' +text_data = u'secret' + +password = u'password' + +public_key = """ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/ +pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe +k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB +tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N +otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO +pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6 +3wIDAQAB +-----END PUBLIC KEY----- +""" + +private_key = """ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1 ++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2 +38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ +OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr 
+igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9 +i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi +jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8 +X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7 +8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33 +e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom +fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27 +Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc +k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V +NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC +N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON +axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU +EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+ +YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx +lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh +higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/ +1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh +hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P +D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt +Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ +kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw== +-----END RSA PRIVATE KEY----- +""" + + +class test_vaultsecret_plugin(Declarative): + + cleanup_commands = [ + ('vault_del', [test_vault], {'continue': True}), + ('vault_del', [shared_test_vault], {'continue': True}), + ('vault_del', [symmetric_vault], {'continue': True}), + ('vault_del', [asymmetric_vault], {'continue': True}), + ] + + tests = [ + + { + 'desc': 'Create test vault', + 'command': ( + 'vault_add', + [test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': 'Added vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (test_vault, 
api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/users/admin/%s' % test_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Create secret with binary data', + 'command': ( + 'vaultsecret_add', + [test_vault, test_secret], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create duplicate vault secret', + 'command': ( + 'vaultsecret_add', + [test_vault, test_secret], + {}, + ), + 'expected': errors.DuplicateEntry( + message=u'vault secret with name "%s" already exists' + % test_secret), + }, + + { + 'desc': 'Find vault secrets', + 'command': ( + 'vaultsecret_find', + [test_vault], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault secret matched', + 'result': [ + { + 'secret_name': test_secret, + 'data': binary_data, + }, + ], + }, + }, + + { + 'desc': 'Retrieve secret', + 'command': ( + 'vaultsecret_show', + [test_vault, test_secret], + {}, + ), + 'expected': { + 'value': test_secret, + 'summary': None, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Modify secret', + 'command': ( + 'vaultsecret_mod', + [test_vault, test_secret], + { + 'description': u'Secret', + }, + ), + 'expected': { + 'value': test_secret, + 'summary': u'Modified vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'description': u'Secret', + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create symmetric vault', + 'command': ( + 'vault_add', + [symmetric_vault], + { + 'ipavaulttype': u'symmetric', + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault, + 'summary': 'Added vault "%s"' % symmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault, api.env.basedn), + 'cn': 
[symmetric_vault], + 'vault_id': u'/users/admin/%s' % symmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Create secret in symmetric vault', + 'command': ( + 'vaultsecret_add', + [symmetric_vault, test_secret], + { + 'password': password, + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + }, + ), + 'expected': { + 'value': asymmetric_vault, + 'summary': 'Added vault "%s"' % asymmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault, api.env.basedn), + 'cn': [asymmetric_vault], + 'vault_id': u'/users/admin/%s' % asymmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Create secret in asymmetric vault', + 'command': ( + 'vaultsecret_add', + [asymmetric_vault, test_secret], + { + 'private_key': private_key, + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Delete secret', + 'command': ( + 'vaultsecret_del', + [test_vault, test_secret], + {}, + ), + 'expected': { + 'value': test_secret, + 'summary': u'Deleted vault secret "%s"' % test_secret, + 'result': { + 'failed': (), + }, + }, + }, + + { + 'desc': 'Delete non-existent vault secret', + 'command': ( + 'vaultsecret_del', + [test_vault, test_secret], + {}, + ), + 'expected': errors.NotFound( + reason=u'%s: vault secret not found' % test_secret), + }, + + { + 'desc': 'Create 
secret with text data', + 'command': ( + 'vaultsecret_add', + [test_vault, test_secret], + { + 'text': text_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': text_data.encode('utf-8'), + }, + }, + }, + + { + 'desc': 'Retrieve secret as text', + 'command': ( + 'vaultsecret_show', + [test_vault, test_secret], + { + 'show_text': True, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': None, + 'result': { + 'secret_name': test_secret, + 'text': text_data, + }, + }, + }, + + { + 'desc': 'Create shared test vault', + 'command': ( + 'vault_add', + [shared_test_vault], + {}, + ), + 'expected': { + 'value': test_vault, + 'summary': 'Added vault "%s"' % test_vault, + 'result': { + 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + % (test_vault, api.env.basedn), + 'cn': [test_vault], + 'vault_id': u'/shared/%s' % test_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Create shared secret with binary data', + 'command': ( + 'vaultsecret_add', + [shared_test_vault, test_secret], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Find shared vault secrets', + 'command': ( + 'vaultsecret_find', + [shared_test_vault], + {}, + ), + 'expected': { + 'count': 1, + 'truncated': False, + 'summary': u'1 vault secret matched', + 'result': [ + { + 'secret_name': test_secret, + 'data': binary_data, + }, + ], + }, + }, + + { + 'desc': 'Retrieve shared secret', + 'command': ( + 'vaultsecret_show', + [shared_test_vault, test_secret], + {}, + ), + 'expected': { + 'value': test_secret, + 'summary': None, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Modify shared secret', + 'command': ( + 
'vaultsecret_mod', + [shared_test_vault, test_secret], + { + 'description': u'Secret', + }, + ), + 'expected': { + 'value': test_secret, + 'summary': u'Modified vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'description': u'Secret', + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Delete shared secret', + 'command': ( + 'vaultsecret_del', + [shared_test_vault, test_secret], + {}, + ), + 'expected': { + 'value': test_secret, + 'summary': u'Deleted vault secret "%s"' % test_secret, + 'result': { + 'failed': (), + }, + }, + }, + + ] -- 2.3.1 -------------- next part -------------- >From 89a0867b7b6f033cace7676abbc11ed111980326 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 21 Feb 2015 17:17:03 -0500 Subject: [PATCH] Added vault escrow. The symmetric and asymmetric vaults have been modified to support escrow for recovery. A new LDAP attribute type has been added to store the escrow public key. New test scripts have been added to test the functionality. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 18 ++-- install/share/60basev3.ldif | 3 +- ipalib/plugins/vault.py | 144 +++++++++++++++++++++++++++--- ipatests/test_xmlrpc/test_vault_plugin.py | 120 +++++++++++++++++++++++++ 4 files changed, 267 insertions(+), 18 deletions(-) diff --git a/API.txt b/API.txt index efea0cca83df0ba8d24b4218a809263186da9e0d..5b7114803ddb48d2f9d846107cc99f7b3dd996d2 100644 --- a/API.txt +++ b/API.txt 
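Review bot: test_vaultsecret_plugin.py only exercises the happy path for the symmetric and asymmetric vaults: 'Create secret in symmetric vault' and 'Create secret in asymmetric vault' add a secret but never read it back with vaultsecret_show using `password` or `private_key`, and there is no case with a wrong password or wrong private key, nor for vaultsecret_show's `stdout` and `out` options. Add a show after each of those adds and a negative case for a bad key so a regression in the client-side decrypt path is caught. Also, 'Create shared test vault' passes `shared_test_vault` to vault_add but expects `'value': test_vault` and `'summary': 'Added vault "%s"' % test_vault`; if that is the intended behaviour (value is the cn, not the vault_id) a comment would help, otherwise the expectation should use `shared_test_vault`.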
@@ -4515,12 +4515,14 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,14,3 +args: 1,16,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') +option: Str('escrow_public_key_file?', cli_name='escrow_public_key_file') option: Str('in?', cli_name='in') +option: Bytes('ipaescrowpublickey?', cli_name='escrow_public_key') option: Bytes('ipapublickey?', cli_name='public_key') option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') option: Flag('no_members', autofill=True, default=False, exclude='webui') @@ -4561,13 +4563,15 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,19,3 +args: 1,21,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('create?', autofill=True, default=False) option: Bytes('data?', cli_name='data') option: Str('description?', cli_name='desc') +option: Str('escrow_public_key_file?', cli_name='escrow_public_key_file') option: Str('in?', cli_name='in') +option: Bytes('ipaescrowpublickey?', cli_name='escrow_public_key') option: Bytes('ipapublickey?', cli_name='public_key') option: Str('ipavaultsalt?', cli_name='salt') option: Str('ipavaulttype?', autofill=True, cli_name='type', default=u'standard') 
@@ -4595,11 +4599,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) +option: Bytes('ipaescrowpublickey', attribute=True, autofill=False, cli_name='escrow_public_key', multivalue=False, query=True, required=False) option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, query=True, required=False) option: Str('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, query=True, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) 
@@ -4616,12 +4621,13 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: Bytes('ipaescrowpublickey', attribute=True, autofill=False, cli_name='escrow_public_key', multivalue=False, required=False) option: Bytes('ipapublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) option: Str('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) @@ -4662,9 +4668,11 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_retrieve -args: 1,13,3 +args: 1,15,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('escrow_private_key?', cli_name='escrow_private_key') +option: Str('escrow_private_key_file?', cli_name='escrow_private_key_file') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('out?', cli_name='out') option: Str('parent_id?', cli_name='parent_id') 
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 9e0f70a41ef50e78d4e464bab428325dfb6568fa..d0ea7135b724381dc21281870c78b7b5b0f67be1 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -56,6 +56,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') +attributeTypes: (2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
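Review bot: The new ipaEscrowPublicKey attribute type has DESC 'DER-encoded SubjectPublicKeyInfo (RFC 5280)' with octet-string syntax, but the plugin reads the value back as text (`vault['ipaescrowpublickey'][0].encode('utf-8')`) and the new EXAMPLES feed it a PEM file (`--escrow-public-key-file escrow-public.pem`), so the schema description and what is actually stored disagree; either convert PEM to DER before storing or make the DESC say PEM. The attribute is also not declared SINGLE-VALUE even though the plugin declares it `multivalue=False` and only ever looks at `[0]`; ipaVaultType and ipaVaultSalt have the same omission, but a new attribute should not repeat it.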
@@ -79,5 +80,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member $ ipaVaultType $ ipaVaultSalt $ ipaPublicKey $ ipaEscrowPublicKey ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner $ member ) X-ORIGIN 'IPA v4.2' ) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 848488d646f87e52ff44dfa95d024372f2c9bd2c..7978bf29a9be09b8db1726280ca7a5b913876cd7 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py 
@@ -75,6 +75,14 @@ EXAMPLES: Add an asymmetric vault: ipa vault-add MyVault --type asymmetric --public-key-file public.pem """) + _(""" + Add a escrowed symmetric vault: + ipa vault-add MyVault --type symmetric --password-file password.txt\ + --escrow-public-key-file escrow-public.pem +""") + _(""" + Add an escrowed asymmetric vault: + ipa vault-add MyVault --type asymmetric --public-key-file public.pem\ + --escrow-public-key-file escrow-public.pem +""") + _(""" Show a vault: ipa vault-show MyVault """) + _(""" @@ -102,6 +110,14 @@ EXAMPLES: Retrieve data from asymmetric vault: ipa vault-retrieve MyVault --out data.bin --private-key-file private.pem """) + _(""" + Recover data from escrowed symmetric vault: + ipa vault-retrieve MyVault --out data.bin\ + --escrow-private-key-file escrow-private.pem +""") + _(""" + Recover data from escrowed asymmetric vault: + ipa vault-retrieve MyVault --out data.bin\ + --escrow-private-key-file escrow-private.pem +""") + _(""" Delete a vault: ipa vault-del MyVault """) + _(""" @@ -142,6 +158,7 @@ class vault(LDAPObject): 'ipavaulttype', 'ipavaultsalt', 'ipapublickey', + 'ipaescrowpublickey', ] search_display_attributes = [ 'cn', @@ -200,6 +217,12 @@ class vault(LDAPObject): label=_('Public key'), doc=_('Vault public key'), ), + Bytes( + 'ipaescrowpublickey?', + cli_name='escrow_public_key', + label=_('Escrow public key'), + doc=_('Escrow public key'), + ), ) def get_dn(self, *args, **options): @@ -332,7 +355,8 @@ class vault(LDAPObject): return (args, options) def create_entry(self, dn, description=None, vault_type=u'standard', - salt=None, public_key=None, owner=None): + salt=None, public_key=None, escrow_public_key=None, + owner=None): """ Creates vault entry and its parents. """ @@ -347,6 +371,7 @@ class vault(LDAPObject): 'ipavaulttype': vault_type, 'ipavaultsalt': salt, 'ipapublickey': public_key, + 'ipaescrowpublickey': escrow_public_key, 'owner': owner, }) 
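Review bot: Typo in the new EXAMPLES text: "Add a escrowed symmetric vault" should be "Add an escrowed symmetric vault". More importantly, adding `ipaescrowpublickey` to the vault object's takes_params makes it settable through vault_mod (see the API.txt hunk for vault_mod), which means changing the escrow key is a plain attribute update; the docstring should say explicitly that whoever can write this attribute on a vault can recover everything archived into it afterwards, since that is the property administrators need to know when granting write access to vault entries.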
@@ -513,6 +538,16 @@ class vault_add(LDAPQuery): cli_name='public_key_file', doc=_('File containing the vault public key'), ), + Bytes( + 'ipaescrowpublickey?', + cli_name='escrow_public_key', + doc=_('Escrow public key'), + ), + Str( # TODO: use File parameter + 'escrow_public_key_file?', + cli_name='escrow_public_key_file', + doc=_('File containing the escrow public key'), + ), ) has_output = output.standard_entry @@ -850,6 +885,16 @@ class vault_archive(LDAPQuery): cli_name='public_key_file', doc=_('File containing the vault public key'), ), + Bytes( + 'ipaescrowpublickey?', + cli_name='escrow_public_key', + doc=_('Escrow public key'), + ), + Str( # TODO: use File parameter + 'escrow_public_key_file?', + cli_name='escrow_public_key_file', + doc=_('File containing the escrow public key'), + ), ) has_output = output.standard_entry @@ -877,12 +922,16 @@ class vault_archive(LDAPQuery): vault_type = options.get('ipavaulttype', u'standard') public_key = options.get('ipapublickey') public_key_file = options.get('public_key_file') + escrow_public_key = options.get('ipaescrowpublickey') + escrow_public_key_file = options.get('escrow_public_key_file') else: vault_type = u'standard' salt = None public_key = None public_key_file = None + escrow_public_key = None + escrow_public_key_file = None # retrieve vault info vault = self.api.Command.vault_show(vault_id)['result'] @@ -896,6 +945,10 @@ class vault_archive(LDAPQuery): if 'ipapublickey' in vault: public_key = vault['ipapublickey'][0].encode('utf-8') + if 'ipaescrowpublickey' in vault: + escrow_public_key = vault['ipaescrowpublickey'][0]\ + .encode('utf-8') + # don't send these parameters to server if 'data' in options: del options['data'] @@ -909,6 +962,8 @@ class vault_archive(LDAPQuery): del options['password_file'] if 'public_key_file' in options: del options['public_key_file'] + if 'escrow_public_key_file' in options: + del options['escrow_public_key_file'] # get data if data: 
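Review bot: In the vault_archive forward hunk, `escrow_public_key_file` is read from options and then deleted from them, but nothing in this patch opens that file and assigns its contents to `escrow_public_key`, so `ipa vault-add MyVault ... --escrow-public-key-file escrow-public.pem` (the form the new EXAMPLES advertise) creates a vault with no escrow key and no error; the later `if escrow_public_key:` checks then silently skip escrow. Read it the same way vault_retrieve reads the private key files (`with open(escrow_public_key_file, 'rb') as f: escrow_public_key = f.read()`) before the type-specific code, and add a test for the `_file` variant. If that read lives in a part of vault.py not shown here, a comment next to the `del options['escrow_public_key_file']` pointing to it would help the next reader.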
@@ -931,6 +986,7 @@ class vault_archive(LDAPQuery): data = '' encrypted_key = None + escrowed_key = None if vault_type == u'standard': @@ -979,6 +1035,11 @@ class vault_archive(LDAPQuery): # encrypt data with encryption key data = self.obj.encrypt(data, symmetric_key=encryption_key) + # encrypt encryption key with escrow public key + if escrow_public_key: + escrowed_key = self.obj.encrypt( + encryption_key, public_key=escrow_public_key) + elif vault_type == u'asymmetric': # generate encryption key @@ -1013,6 +1074,11 @@ class vault_archive(LDAPQuery): encrypted_key = self.obj.encrypt( encryption_key, public_key=public_key) + # encrypt encryption key with escrow public key + if escrow_public_key: + escrowed_key = self.obj.encrypt( + encryption_key, public_key=escrow_public_key) + else: raise errors.ValidationError( name='vault_type', @@ -1056,6 +1122,10 @@ class vault_archive(LDAPQuery): vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\ .decode('utf-8') + if escrowed_key: + vault_data[u'escrowed_key'] = base64.b64encode(escrowed_key)\ + .decode('utf-8') + json_vault_data = json.dumps(vault_data) # wrap vault_data with session key @@ -1083,6 +1153,7 @@ class vault_archive(LDAPQuery): description = options.get('description') vault_type = options.get('ipavaulttype') public_key = options.get('ipapublickey') + escrow_public_key = options.get('ipaescrowpublickey') # get user principal = getattr(context, 'principal') @@ -1096,6 +1167,7 @@ class vault_archive(LDAPQuery): vault_type=vault_type, salt=salt, public_key=public_key, + escrow_public_key=escrow_public_key, owner=owner_dn, ) 
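Review bot: In both the symmetric and asymmetric branches, `escrowed_key` is produced by encrypting the data key with whatever `escrow_public_key` the vault entry currently holds, and the previous hunk lets the stored value win (`escrow_public_key = options.get('ipaescrowpublickey')` is overwritten by `vault['ipaescrowpublickey'][0]` when the entry has one). Combined with vault_mod now accepting `ipaescrowpublickey`, anyone able to modify the vault entry can swap in their own key and recover every subsequent archive. That is inherent to escrow, but an explicitly supplied `--escrow-public-key` should take precedence over the LDAP value rather than being silently replaced, and the behaviour should be stated in the command docstring. Also worth a comment beside `escrowed_key = self.obj.encrypt(encryption_key, public_key=escrow_public_key)` in the symmetric branch: what is escrowed is the password-derived key, so the escrow holder recovers the data without learning the password, which is the right property.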
@@ -1197,6 +1269,16 @@ class vault_retrieve(LDAPQuery): cli_name='private_key_file', doc=_('File containing the vault private key'), ), + Bytes( + 'escrow_private_key?', + cli_name='escrow_private_key', + doc=_('Escrow vault private key'), + ), + Str( # TODO: use File parameter + 'escrow_private_key_file?', + cli_name='escrow_private_key_file', + doc=_('File containing the escrow vault private key'), + ), ) has_output = output.standard_entry @@ -1243,6 +1325,8 @@ class vault_retrieve(LDAPQuery): password_file = options.get('password_file') private_key = options.get('private_key') private_key_file = options.get('private_key_file') + escrow_private_key = options.get('escrow_private_key') + escrow_private_key_file = options.get('escrow_private_key_file') # don't send these parameters to server if 'show_text' in options: @@ -1259,6 +1343,10 @@ class vault_retrieve(LDAPQuery): del options['private_key'] if 'private_key_file' in options: del options['private_key_file'] + if 'escrow_private_key' in options: + del options['escrow_private_key'] + if 'escrow_private_key_file' in options: + del options['escrow_private_key_file'] # initialize NSS database crypto = pki.crypto.NSSCryptoProvider(paths.IPA_NSSDB_DIR) 
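Review bot: `Bytes('escrow_private_key?')` accepts the raw private key as a command-line option value, where it ends up in `ps` output and shell history; the existing `private_key` option has the same problem, but the doc strings for both should steer users to the `_file` form (`--escrow-private-key-file`) and say why. The TODO about using a File parameter applies here too.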
@@ -1311,48 +1399,80 @@ class vault_retrieve(LDAPQuery): encrypted_key = base64.b64decode(vault_data[u'encrypted_key'] .encode('utf-8')) + escrowed_key = None + + if 'escrowed_key' in vault_data: + escrowed_key = base64.b64decode(vault_data['escrowed_key'] + .encode('utf-8')) + if vault_type == u'standard': pass elif vault_type == u'symmetric': - # get encryption key from vault password + # get encryption key from vault password or escrowed private key if password: - pass + encryption_key = self.obj.generate_symmetric_key( + password, salt) elif password_file: with open(password_file) as f: password = unicode(f.read().rstrip('\n')) + encryption_key = self.obj.generate_symmetric_key( + password, salt) + + elif escrow_private_key: + + encryption_key = self.obj.decrypt( + escrowed_key, private_key=escrow_private_key) + + elif escrow_private_key_file: + with open(escrow_private_key_file, 'rb') as f: + escrow_private_key = f.read() + + encryption_key = self.obj.decrypt( + escrowed_key, private_key=escrow_private_key) + else: password = unicode(getpass.getpass('Password: ')) - - # generate encryption key from password - encryption_key = self.obj.generate_symmetric_key(password, salt) + encryption_key = self.obj.generate_symmetric_key( + password, salt) # decrypt data with encryption key data = self.obj.decrypt(data, symmetric_key=encryption_key) elif vault_type == u'asymmetric': - # get encryption key with vault private key + # get encryption key with vault private key or escrowed private key if private_key: - pass + encryption_key = self.obj.decrypt( + encrypted_key, private_key=private_key) elif private_key_file: with open(private_key_file, 'rb') as f: private_key = f.read() + encryption_key = self.obj.decrypt( + encrypted_key, private_key=private_key) + + elif escrow_private_key: + encryption_key = self.obj.decrypt( + escrowed_key, private_key=escrow_private_key) + + elif escrow_private_key_file: + with open(escrow_private_key_file, 'rb') as f: + escrow_private_key = 
f.read() + + encryption_key = self.obj.decrypt( + escrowed_key, private_key=escrow_private_key) + else: raise errors.ValidationError( name='private_key', error=_('Missing vault private key')) - # decrypt encryption key with private key - encryption_key = self.obj.decrypt( - encrypted_key, private_key=private_key) - # decrypt data with encryption key data = self.obj.decrypt(data, symmetric_key=encryption_key) diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 218aa49dfd08de5b36a734ea84e7aa58a25a4d1b..3d0dd4473d3bdeb5087a04ed4351ea2a16f8e3a0 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -28,6 +28,8 @@ test_vault = u'test_vault' shared_test_vault = u'/shared/%s' % test_vault symmetric_vault = u'symmetric_vault' asymmetric_vault = u'asymmetric_vault' +escrowed_symmetric_vault = u'escrowed_symmetric_vault' +escrowed_asymmetric_vault = u'escrowed_asymmetric_vault' binary_data = '\x01\x02\x03\x04' text_data = u'secret' @@ -127,6 +129,8 @@ class test_vault_plugin(Declarative): ('vault_del', [shared_test_vault], {'continue': True}), ('vault_del', [symmetric_vault], {'continue': True}), ('vault_del', [asymmetric_vault], {'continue': True}), + ('vault_del', [escrowed_symmetric_vault], {'continue': True}), + ('vault_del', [escrowed_asymmetric_vault], {'continue': True}), ] tests = [ 
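Review bot: In the vault_retrieve hunk, the escrow branches call `self.obj.decrypt(escrowed_key, private_key=escrow_private_key)` without checking that `escrowed_key` is set, so `--escrow-private-key` on a vault that was archived without an escrow key (`'escrowed_key' not in vault_data`) fails inside the crypto layer with an unhelpful error; raise a ValidationError such as 'vault is not escrowed' before attempting the decrypt. Second, the symmetric branch tests `password` and `password_file` before the escrow options, so a caller who passes both a wrong password and a valid escrow key gets a decryption failure instead of recovery; either document the precedence or reject the combination. Third, check that a failed decrypt with the escrow key (wrong key, or a vault re-archived after the escrow key was changed) is reported the same way as the existing 'Invalid credentials' case in the test file rather than surfacing the underlying exception.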
@@ -643,4 +647,120 @@ class test_vault_plugin(Declarative): message=u'Invalid credentials'), }, + { + 'desc': 'Create escrowed symmetric vault', + 'command': ( + 'vault_add', + [escrowed_symmetric_vault], + { + 'ipavaulttype': u'symmetric', + 'password': password, + 'ipaescrowpublickey': other_public_key, + 'data': binary_data, + }, + ), + 'expected': { + 'value': escrowed_symmetric_vault, + 'summary': 'Added vault "%s"' % escrowed_symmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (escrowed_symmetric_vault, api.env.basedn), + 'cn': [escrowed_symmetric_vault], + 'vault_id': u'/users/admin/%s' % escrowed_symmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipaescrowpublickey': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Recover escrowed symmetric vault', + 'command': ( + 'vault_retrieve', + [escrowed_symmetric_vault], + { + 'escrow_private_key': other_private_key, + }, + ), + 'expected': { + 'value': escrowed_symmetric_vault, + 'summary': u'Retrieved data from vault "%s"' + % escrowed_symmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (escrowed_symmetric_vault, api.env.basedn), + 'cn': [escrowed_symmetric_vault], + 'vault_id': u'/users/admin/%s' % escrowed_symmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipaescrowpublickey': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create escrowed asymmetric vault', + 'command': ( + 'vault_add', + [escrowed_asymmetric_vault], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + 'ipaescrowpublickey': other_public_key, + 'data': binary_data, + }, + ), + 'expected': { + 'value': escrowed_asymmetric_vault, + 'summary': 'Added vault "%s"' % escrowed_asymmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % 
(escrowed_asymmetric_vault, api.env.basedn), + 'cn': [escrowed_asymmetric_vault], + 'vault_id': u'/users/admin/%s' % escrowed_asymmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + 'ipaescrowpublickey': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Recover escrowed asymmetric vault', + 'command': ( + 'vault_retrieve', + [escrowed_asymmetric_vault], + { + 'escrow_private_key': other_private_key, + }, + ), + 'expected': { + 'value': escrowed_asymmetric_vault, + 'summary': u'Retrieved data from vault "%s"' + % escrowed_asymmetric_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (escrowed_asymmetric_vault, api.env.basedn), + 'cn': [escrowed_asymmetric_vault], + 'vault_id': u'/users/admin/%s' % escrowed_asymmetric_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + 'ipaescrowpublickey': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + ] -- 2.3.1 -------------- next part -------------- >From 2e71e450a24bc466e136d5dfaeab5ae2c4f3416d Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 23 Feb 2015 10:37:25 -0500 Subject: [PATCH] Updated VERSION file. The API version number has been updated for the new password vault. https://fedorahosted.org/freeipa/ticket/3872 --- VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 13c9760c82d587e8fbf9434dc15b58a902d94ba7..9de803316823666e234a1f4ca45f3c3488651e1f 100644 --- a/VERSION +++ b/VERSION 
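Review bot: in the 'Create escrowed symmetric vault' and 'Create escrowed asymmetric vault' cases the stored escrow key is only checked as `'ipaescrowpublickey': [fuzzy_string]`, while the regular key in the asymmetric case is pinned exactly with `'ipapublickey': [public_key]`. Assert `'ipaescrowpublickey': [other_public_key]` the same way, so a key mix-up (escrow slot populated with the wrong key) cannot pass. The hunk also only exercises the happy path: add a 'Recover escrowed ... vault with wrong escrow key' case expecting the same `message=u'Invalid credentials'` the file already uses, since the escrow path is a second way to unlock the vault and deserves its own negative test.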
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=115 -# Last change: mbasti - Remove NSEC3PARAM record from dnsrecord-* commands +IPA_API_VERSION_MINOR=116 +# Last change: edewata - Password Vault -- 2.3.1 -------------- next part -------------- >From a442016df1fd785dc1690ddf0dd09d04d78a181f Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 16 Mar 2015 05:08:56 -0400 Subject: [PATCH] Added vault copy functionality. The vault plugins have been modified to provide a way to copy data from one vault or vault secret to another. New test scripts have been added as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 32 +- ipalib/plugins/vault.py | 148 +++- ipalib/plugins/vaultsecret.py | 294 ++++++-- ipatests/test_xmlrpc/test_vault_plugin.py | 827 +++++++++++++++++++++ ipatests/test_xmlrpc/test_vaultcontainer_plugin.py | 1 + ipatests/test_xmlrpc/test_vaultsecret_plugin.py | 149 ++++ 6 files changed, 1394 insertions(+), 57 deletions(-) diff --git a/API.txt b/API.txt index 5b7114803ddb48d2f9d846107cc99f7b3dd996d2..b745c623e3be68f9b7a15905022568b3dcb7e868 100644 --- a/API.txt +++ b/API.txt @@ -4515,7 +4515,7 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,16,3 +args: 1,22,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?', cli_name='data') 
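Review bot: the 'Added vault copy functionality' patch changes API.txt (`vault_add` goes from `args: 1,16,3` to `args: 1,22,3`, and the following hunks do the same for `vault_archive`, `vaultsecret_add` and `vaultsecret_mod`), but its file list (`6 files changed`) does not include VERSION. The preceding patch bumped `IPA_API_VERSION_MINOR` to 116 for the vault itself; an API change in a separate commit needs either its own bump of `IPA_API_VERSION_MINOR` and `# Last change:` line, or the two commits squashed so the bump covers both.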
@@ -4531,6 +4531,12 @@ option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('source_password?', cli_name='source_password') +option: Str('source_password_file?', cli_name='source_password_file') +option: Bytes('source_private_key?', cli_name='source_private_key') +option: Str('source_private_key_file?', cli_name='source_private_key_file') +option: Str('source_secret_id?', cli_name='source_secret_id') +option: Str('source_vault_id?', cli_name='source_vault_id') option: Str('text?', cli_name='text') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) @@ -4563,7 +4569,7 @@ output: Output('completed', , None) output: Output('failed', , None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,21,3 +args: 1,27,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('create?', autofill=True, default=False) 
@@ -4583,6 +4589,12 @@ option: Str('password_file?', cli_name='password_file') option: Str('public_key_file?', cli_name='public_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('session_key?', cli_name='session_key') +option: Str('source_password?', cli_name='source_password') +option: Str('source_password_file?', cli_name='source_password_file') +option: Bytes('source_private_key?', cli_name='source_private_key') +option: Str('source_private_key_file?', cli_name='source_private_key_file') +option: Str('source_secret_id?', cli_name='source_secret_id') +option: Str('source_vault_id?', cli_name='source_vault_id') option: Str('text?', cli_name='text') option: Str('vault_data?', cli_name='vault_data') option: Str('version?', exclude='webui') @@ -4830,7 +4842,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vaultsecret_add -args: 2,12,3 +args: 2,18,3 arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4843,6 +4855,12 @@ option: Str('password_file?', cli_name='password_file') option: Bytes('private_key?', cli_name='private_key') option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('source_password?', cli_name='source_password') +option: Str('source_password_file?', cli_name='source_password_file') +option: Bytes('source_private_key?', cli_name='source_private_key') +option: Str('source_private_key_file?', cli_name='source_private_key_file') +option: Str('source_secret_id?', cli_name='source_secret_id') +option: Str('source_vault_id?', cli_name='source_vault_id') option: Str('text?', cli_name='text') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) @@ -4884,7 +4902,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: vaultsecret_mod -args: 2,12,3 +args: 2,18,3 arg: Str('vaultcn', cli_name='vault', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-/]+$', primary_key=True, query=True, required=True) arg: Str('secret_name', attribute=True, cli_name='secret', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') 
@@ -4897,6 +4915,12 @@ option: Str('password_file?', cli_name='password_file') option: Bytes('private_key?', cli_name='private_key') option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('source_password?', cli_name='source_password') +option: Str('source_password_file?', cli_name='source_password_file') +option: Bytes('source_private_key?', cli_name='source_private_key') +option: Str('source_private_key_file?', cli_name='source_private_key_file') +option: Str('source_secret_id?', cli_name='source_secret_id') +option: Str('source_vault_id?', cli_name='source_vault_id') option: Str('text?', cli_name='text') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 7978bf29a9be09b8db1726280ca7a5b913876cd7..9e569467245ff152dd9f497d09cbc56a937632fd 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -548,6 +548,36 @@ class vault_add(LDAPQuery): cli_name='escrow_public_key_file', doc=_('File containing the escrow public key'), ), + Str( + 'source_vault_id?', + cli_name='source_vault_id', + doc=_('Source vault ID'), + ), + Str( + 'source_secret_id?', + cli_name='source_secret_id', + doc=_('Source secret ID'), + ), + Str( + 'source_password?', + cli_name='source_password', + doc=_('Source vault password'), + ), + Str( # TODO: use File parameter + 'source_password_file?', + cli_name='source_password_file', + doc=_('File containing the source vault password'), + ), + Bytes( + 'source_private_key?', + cli_name='source_private_key', + doc=_('Source vault private key'), + ), + Str( # TODO: use File parameter + 'source_private_key_file?', + cli_name='source_private_key_file', + doc=_('File containing the source vault private key'), + ), ) has_output = output.standard_entry 
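Review bot: in the `vault_add` parameter hunk, `Str('source_password?', cli_name='source_password', doc=_('Source vault password'))` takes the source vault password as a plain command-line option, where it is visible in process listings and shell history. The hunk already provides the safer alternatives (`source_password_file` and, per the later `getpass.getpass('Source password: ')` fallback, an interactive prompt), so the doc string for `source_password` should point users to those forms, the same way the existing `password`/`password_file` pair should be documented. The `# TODO: use File parameter` markers are carried over from the existing options; if those TODOs are tracked in a ticket, reference it here as well.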
@@ -895,6 +925,36 @@ class vault_archive(LDAPQuery): cli_name='escrow_public_key_file', doc=_('File containing the escrow public key'), ), + Str( + 'source_vault_id?', + cli_name='source_vault_id', + doc=_('Source vault ID'), + ), + Str( + 'source_secret_id?', + cli_name='source_secret_id', + doc=_('Source secret ID'), + ), + Str( + 'source_password?', + cli_name='source_password', + doc=_('Source vault password'), + ), + Str( # TODO: use File parameter + 'source_password_file?', + cli_name='source_password_file', + doc=_('File containing the source vault password'), + ), + Bytes( + 'source_private_key?', + cli_name='source_private_key', + doc=_('Source vault private key'), + ), + Str( # TODO: use File parameter + 'source_private_key_file?', + cli_name='source_private_key_file', + doc=_('File containing the source vault private key'), + ), ) has_output = output.standard_entry @@ -917,6 +977,12 @@ class vault_archive(LDAPQuery): input_file = options.get('in') password = options.get('password') password_file = options.get('password_file') + source_vault_id = options.get('source_vault_id') + source_secret_id = options.get('source_secret_id') + source_password = options.get('source_password') + source_password_file = options.get('source_password_file') + source_private_key = options.get('source_private_key') + source_private_key_file = options.get('source_private_key_file') if create: vault_type = options.get('ipavaulttype', u'standard') 
@@ -964,24 +1030,102 @@ class vault_archive(LDAPQuery): del options['public_key_file'] if 'escrow_public_key_file' in options: del options['escrow_public_key_file'] + if 'source_vault_id' in options: + del options['source_vault_id'] + if 'source_secret_id' in options: + del options['source_secret_id'] + if 'source_password' in options: + del options['source_password'] + if 'source_password_file' in options: + del options['source_password_file'] + if 'source_private_key' in options: + del options['source_private_key'] + if 'source_private_key_file' in options: + del options['source_private_key_file'] # get data if data: - if text or input_file: + if text or input_file or source_vault_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) elif text: - if input_file: + if input_file or source_vault_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) data = text.encode() elif input_file: + if source_vault_id: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + with open(input_file, 'rb') as f: data = f.read() + elif source_vault_id: + + source_vault = self.api.Command.vault_show( + source_vault_id)['result'] + + if 'ipavaulttype' in source_vault: + source_vault_type = source_vault['ipavaulttype'][0] + + if source_vault_type == u'standard': + + pass + + elif source_vault_type == u'symmetric': + + # get source vault password + if source_password: + pass + + elif source_password_file: + with open(source_password_file) as f: + source_password = unicode(f.read().rstrip('\n')) + + else: + source_password = unicode( + getpass.getpass('Source password: ')) + + elif source_vault_type == u'asymmetric': + + # get source vault private key + if source_private_key: + pass + + elif source_private_key_file: + with open(source_private_key_file, 'rb') as f: + source_private_key = f.read() + + else: + raise errors.ValidationError( + name='source_private_key', + 
error=_('Missing source vault private key')) + + else: + raise errors.ValidationError( + name='source_vault_type', + error=_('Invalid source vault type')) + + source_result = self.api.Command.vault_retrieve( + source_vault_id, + password=source_password, + private_key=source_private_key)['result'] + + if source_secret_id: + source_json_data = self.api.Object.vaultsecret\ + .parse_result(source_result) + source_secrets = source_json_data['secrets'] + source_secret = self.obj.Object.vaultsecret\ + .find(source_secrets, source_secret_id) + data = base64.b64decode(source_secret['data']) + + else: + data = source_result['data'] + else: data = '' diff --git a/ipalib/plugins/vaultsecret.py b/ipalib/plugins/vaultsecret.py index 688b64e03b63061cae13c385825f06b04d97896a..3d984d9c471847d50a11eaca64b732b00bdb460e 100644 --- a/ipalib/plugins/vaultsecret.py +++ b/ipalib/plugins/vaultsecret.py @@ -179,6 +179,36 @@ class vaultsecret_add(LDAPRetrieve): cli_name='private_key_file', doc=_('File containing the vault private key'), ), + Str( + 'source_secret_id?', + cli_name='source_secret_id', + doc=_('Source secret ID'), + ), + Str( + 'source_vault_id?', + cli_name='source_vault_id', + doc=_('Source vault ID'), + ), + Str( + 'source_password?', + cli_name='source_password', + doc=_('Source vault password'), + ), + Str( # TODO: use File parameter + 'source_password_file?', + cli_name='source_password_file', + doc=_('File containing the source vault password'), + ), + Bytes( + 'source_private_key?', + cli_name='source_private_key', + doc=_('Source vault private key'), + ), + Str( # TODO: use File parameter + 'source_private_key_file?', + cli_name='source_private_key_file', + doc=_('File containing the source vault private key'), + ), ) msg_summary = _('Added vault secret "%(value)s"') 
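Review bot: in the `vault_archive` hunk (`@@ -964,24 +1030,102 @@`), `source_vault_type` is only assigned inside `if 'ipavaulttype' in source_vault:`; if the attribute is absent the following `if source_vault_type == u'standard':` either raises `UnboundLocalError` or is skipped entirely, depending on how the indentation survived. Default it explicitly, as `vault_type = options.get('ipavaulttype', u'standard')` already does for the target vault in the `create` branch. Two more problems in the same hunk: `self.obj.Object.vaultsecret.find(source_secrets, source_secret_id)` is inconsistent with `self.api.Object.vaultsecret.parse_result(source_result)` two lines above and looks like a typo for `self.api.Object.vaultsecret`; and a `source_secret_id` given without `source_vault_id` is never reached by the mutual-exclusion checks and falls through to `data = ''`, silently archiving an empty payload, so raise `errors.ValidationError(name='source_vault_id', ...)` in that case. Finally, nothing here stops a symmetric or asymmetric `source_vault_id` from being copied into a standard target, which strips the encryption the secret had; at minimum document that, or warn when the target type is weaker than the source type.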
@@ -209,6 +239,12 @@ class vaultsecret_add(LDAPRetrieve): password_file = options.get('password_file') private_key = options.get('private_key') private_key_file = options.get('private_key_file') + source_secret_id = options.get('source_secret_id') + source_vault_id = options.get('source_vault_id') + source_password = options.get('source_password') + source_password_file = options.get('source_password_file') + source_private_key = options.get('source_private_key') + source_private_key_file = options.get('source_private_key_file') # don't send these parameters to server if 'data' in options: @@ -225,6 +261,18 @@ class vaultsecret_add(LDAPRetrieve): del options['private_key'] if 'private_key_file' in options: del options['private_key_file'] + if 'source_secret_id' in options: + del options['source_secret_id'] + if 'source_vault_id' in options: + del options['source_vault_id'] + if 'source_password' in options: + del options['source_password'] + if 'source_password_file' in options: + del options['source_password_file'] + if 'source_private_key' in options: + del options['source_private_key'] + if 'source_private_key_file' in options: + del options['source_private_key_file'] # type-specific initialization if vault_type == u'standard': 
@@ -276,31 +324,99 @@ class vaultsecret_add(LDAPRetrieve): # get data if data: - if text or input_file: + if text or input_file or source_secret_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) elif text: - if input_file: + if input_file or source_secret_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) data = text.encode('utf-8') elif input_file: + if source_secret_id: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + with open(input_file, 'rb') as f: data = f.read() + elif source_secret_id: + + if source_vault_id: + + source_vault = self.api.Command.vault_show( + source_vault_id)['result'] + + if 'ipavaulttype' in source_vault: + source_vault_type = source_vault['ipavaulttype'][0] + + if source_vault_type == u'standard': + + pass + + elif source_vault_type == u'symmetric': + + # get source vault password + if source_password: + pass + + elif source_password_file: + with open(source_password_file) as f: + source_password = unicode(f.read().rstrip('\n')) + + else: + source_password = unicode( + getpass.getpass('Source password: ')) + + elif source_vault_type == u'asymmetric': + + # get source vault private key + if source_private_key: + pass + + elif source_private_key_file: + with open(source_private_key_file, 'rb') as f: + source_private_key = f.read() + + else: + raise errors.ValidationError( + name='source_private_key', + error=_('Missing source vault private key')) + + else: + raise errors.ValidationError( + name='source_vault_type', + error=_('Invalid source vault type')) + + source_result = self.api.Command.vault_retrieve( + source_vault_id, + password=source_password, + private_key=source_private_key)['result'] + + source_json_data = self.obj.parse_result(source_result) + + source_secrets = source_json_data['secrets'] + + else: + source_secrets = secrets + + source_secret = self.obj.find(source_secrets, source_secret_id) + data = 
base64.b64decode(source_secret['data']) + else: data = '' # add new secret - for secret in secrets: - if secret['secret_name'] == secret_name: - raise errors.DuplicateEntry( - message=_( - 'vault secret with name "%s" already exists' - % secret_name)) + try: + self.obj.find(secrets, secret_name) + raise errors.DuplicateEntry( + message=_('vault secret with name "%s" already exists' + % secret_name)) + except errors.NotFound: + pass # store encoded data for storage secret = { @@ -447,15 +563,7 @@ class vaultsecret_del(LDAPRetrieve): secrets = json_data['secrets'] # find the secret - secret = None - for s in secrets: - if s['secret_name'] == secret_name: - secret = s - break - - if not secret: - raise errors.NotFound( - reason=_('%s: vault secret not found' % secret_name)) + secret = self.obj.find(secrets, secret_name) # delete secret secrets.remove(secret) @@ -653,6 +761,36 @@ class vaultsecret_mod(LDAPRetrieve): cli_name='private_key_file', doc=_('File containing the vault private key'), ), + Str( + 'source_secret_id?', + cli_name='source_secret_id', + doc=_('Source secret ID'), + ), + Str( + 'source_vault_id?', + cli_name='source_vault_id', + doc=_('Source vault ID'), + ), + Str( + 'source_password?', + cli_name='source_password', + doc=_('Source vault password'), + ), + Str( # TODO: use File parameter + 'source_password_file?', + cli_name='source_password_file', + doc=_('File containing the source vault password'), + ), + Bytes( + 'source_private_key?', + cli_name='source_private_key', + doc=_('Source vault private key'), + ), + Str( # TODO: use File parameter + 'source_private_key_file?', + cli_name='source_private_key_file', + doc=_('File containing the source vault private key'), + ), ) msg_summary = _('Modified vault secret "%(value)s"') 
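Review bot: the `vaultsecret_add` hunk (`@@ -276,31 +324,99 @@`) repeats the `source_vault_type` problem from `vault_archive`: the variable is bound only under `if 'ipavaulttype' in source_vault:` and is then compared unconditionally, so give it a `u'standard'` default. The rewritten duplicate check (`try: self.obj.find(secrets, secret_name); raise errors.DuplicateEntry(...) except errors.NotFound: pass`) and the one-line replacement in `vaultsecret_del` (`secret = self.obj.find(secrets, secret_name)`) both depend on the new `find` helper raising `errors.NotFound` for a missing name; that helper's definition is not in the visible hunks, so please confirm it raises exactly that (with the old `reason=_('%s: vault secret not found' % secret_name)` text) rather than returning `None`. Minor: this hunk encodes with `text.encode('utf-8')` while `vault_archive` and `vaultsecret_mod` use `text.encode()`; pick one.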
@@ -683,6 +821,12 @@ class vaultsecret_mod(LDAPRetrieve): password_file = options.get('password_file') private_key = options.get('private_key') private_key_file = options.get('private_key_file') + source_secret_id = options.get('source_secret_id') + source_vault_id = options.get('source_vault_id') + source_password = options.get('source_password') + source_password_file = options.get('source_password_file') + source_private_key = options.get('source_private_key') + source_private_key_file = options.get('source_private_key_file') # don't send these parameters to server if 'data' in options: @@ -699,6 +843,18 @@ class vaultsecret_mod(LDAPRetrieve): del options['private_key'] if 'private_key_file' in options: del options['private_key_file'] + if 'source_secret_id' in options: + del options['source_secret_id'] + if 'source_vault_id' in options: + del options['source_vault_id'] + if 'source_password' in options: + del options['source_password'] + if 'source_password_file' in options: + del options['source_password_file'] + if 'source_private_key' in options: + del options['source_private_key'] + if 'source_private_key_file' in options: + del options['source_private_key_file'] # type-specific initialization if vault_type == u'standard': 
@@ -753,45 +909,91 @@ class vaultsecret_mod(LDAPRetrieve): # get data if data: - if text or input_file: + if text or input_file or source_secret_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) elif text: - if input_file: + if input_file or source_secret_id: raise errors.MutuallyExclusiveError( reason=_('Input data specified multiple times')) data = text.encode() elif input_file: + if source_secret_id: + raise errors.MutuallyExclusiveError( + reason=_('Input data specified multiple times')) + with open(input_file, 'rb') as f: data = f.read() + elif source_secret_id: + + if source_vault_id: + + source_vault = self.api.Command.vault_show( + source_vault_id)['result'] + + if 'ipavaulttype' in source_vault: + source_vault_type = source_vault['ipavaulttype'][0] + + if source_vault_type == u'standard': + + pass + + elif source_vault_type == u'symmetric': + + # get source vault password + if source_password: + pass + + elif source_password_file: + with open(source_password_file) as f: + source_password = unicode(f.read().rstrip('\n')) + + else: + source_password = unicode( + getpass.getpass('Source password: ')) + + elif source_vault_type == u'asymmetric': + + # get source vault private key + if source_private_key: + pass + + elif source_private_key_file: + with open(source_private_key_file, 'rb') as f: + source_private_key = f.read() + + else: + raise errors.ValidationError( + name='source_private_key', + error=_('Missing source vault private key')) + + else: + raise errors.ValidationError( + name='source_vault_type', + error=_('Invalid source vault type')) + + source_result = self.api.Command.vault_retrieve( + source_vault_id, + password=source_password, + private_key=source_private_key)['result'] + + source_json_data = self.obj.parse_result(source_result) + + source_secrets = source_json_data['secrets'] + + else: + source_secrets = secrets + + source_secret = self.obj.find(source_secrets, source_secret_id) + data = 
base64.b64decode(source_secret['data']) + else: pass - # retrieve secrets - result = self.api.Command.vault_retrieve( - vault_id, - password=password, - private_key=private_key)['result'] - - json_data = self.obj.parse_result(result) - - secrets = json_data['secrets'] - - # find the secret - secret = None - for s in secrets: - if s['secret_name'] == secret_name: - secret = s - break - - if not secret: - raise errors.NotFound( - reason=_('%s: vault secret not found' % secret_name)) - # modify the secret if description: secret['description'] = description @@ -961,17 +1163,7 @@ class vaultsecret_show(LDAPRetrieve): secrets = json_data['secrets'] - secret = None - - # find the secret - for s in secrets: - if s['secret_name'] == secret_name: - secret = s - break - - if not secret: - raise errors.NotFound( - reason=_('%s: vault secret not found' % secret_name)) + secret = self.obj.find(secrets, secret_name) # decode data for response secret['data'] = base64.b64decode(secret['data']) diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 3d0dd4473d3bdeb5087a04ed4351ea2a16f8e3a0..48f2f99db54e6854c062cd0af487a6b837b9a450 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py 
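Review bot: the `vaultsecret_mod` hunk (`@@ -753,45 +909,91 @@`) deletes the block that called `vault_retrieve`, parsed `secrets` and bound `secret`, yet the new code still reads `secrets` (in `source_secrets = secrets`) and the unchanged tail still writes `secret['description']`; the hunk that now binds them earlier is not among the visible lines, so please confirm both are populated before `# get data` and that a missing `secret_name` still surfaces as `errors.NotFound`. This is also the third verbatim copy of the source-vault credential resolution (`vault_show`, type switch, password file / `getpass` fallback, private key file, `vault_retrieve`), after `vault_archive` and `vaultsecret_add`; move it into one helper on the vault object so fixes such as the missing `source_vault_type` default land in a single place.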
@@ -26,14 +26,31 @@ from xmlrpc_test import Declarative, fuzzy_string test_vault = u'test_vault' shared_test_vault = u'/shared/%s' % test_vault + +standard_secrets_vault = u'standard_secrets_vault' +symmetric_secrets_vault = u'symmetric_secrets_vault' +asymmetric_secrets_vault = u'asymmetric_secrets_vault' + +standard_vault = u'standard_vault' +standard_vault_copy = u'standard_vault_copy' +standard_vault_copy2 = u'standard_vault_copy2' + symmetric_vault = u'symmetric_vault' +symmetric_vault_copy = u'symmetric_vault_copy' +symmetric_vault_copy2 = u'symmetric_vault_copy2' + asymmetric_vault = u'asymmetric_vault' +asymmetric_vault_copy = u'asymmetric_vault_copy' +asymmetric_vault_copy2 = u'asymmetric_vault_copy2' + escrowed_symmetric_vault = u'escrowed_symmetric_vault' escrowed_asymmetric_vault = u'escrowed_asymmetric_vault' binary_data = '\x01\x02\x03\x04' text_data = u'secret' +test_secret = u'test_secret' + password = u'password' other_password = u'other_password' 
@@ -127,8 +144,18 @@ class test_vault_plugin(Declarative): cleanup_commands = [ ('vault_del', [test_vault], {'continue': True}), ('vault_del', [shared_test_vault], {'continue': True}), + ('vault_del', [standard_vault], {'continue': True}), + ('vault_del', [standard_secrets_vault], {'continue': True}), + ('vault_del', [standard_vault_copy], {'continue': True}), + ('vault_del', [standard_vault_copy2], {'continue': True}), ('vault_del', [symmetric_vault], {'continue': True}), + ('vault_del', [symmetric_secrets_vault], {'continue': True}), + ('vault_del', [symmetric_vault_copy], {'continue': True}), + ('vault_del', [symmetric_vault_copy2], {'continue': True}), ('vault_del', [asymmetric_vault], {'continue': True}), + ('vault_del', [asymmetric_secrets_vault], {'continue': True}), + ('vault_del', [asymmetric_vault_copy], {'continue': True}), + ('vault_del', [asymmetric_vault_copy2], {'continue': True}), ('vault_del', [escrowed_symmetric_vault], {'continue': True}), ('vault_del', [escrowed_asymmetric_vault], {'continue': True}), ] 
@@ -513,6 +540,126 @@ class test_vault_plugin(Declarative): }, { + 'desc': 'Create standard vault', + 'command': ( + 'vault_add', + [standard_vault], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': standard_vault, + 'summary': 'Added vault "%s"' % standard_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault, api.env.basedn), + 'cn': [standard_vault], + 'vault_id': u'/users/admin/%s' % standard_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Create a copy of standard vault', + 'command': ( + 'vault_add', + [standard_vault_copy], + { + 'source_vault_id': standard_vault, + }, + ), + 'expected': { + 'value': standard_vault_copy, + 'summary': 'Added vault "%s"' % standard_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy, api.env.basedn), + 'cn': [standard_vault_copy], + 'vault_id': u'/users/admin/%s' % standard_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of standard vault', + 'command': ( + 'vault_retrieve', + [standard_vault_copy], + {}, + ), + 'expected': { + 'value': standard_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % standard_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy, api.env.basedn), + 'cn': [standard_vault_copy], + 'vault_id': u'/users/admin/%s' % standard_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of standard vault', + 'command': ( + 'vault_archive', + [standard_vault_copy], + { + 'source_vault_id': standard_vault, + }, + ), + 'expected': { + 'value': standard_vault_copy, + 'summary': u'Archived data into vault "%s"' + % standard_vault_copy, + 'result': { + 'dn': 
u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy, api.env.basedn), + 'cn': [standard_vault_copy], + 'vault_id': u'/users/admin/%s' % standard_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of standard vault', + 'command': ( + 'vault_retrieve', + [standard_vault_copy], + {}, + ), + 'expected': { + 'value': standard_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % standard_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy, api.env.basedn), + 'cn': [standard_vault_copy], + 'vault_id': u'/users/admin/%s' % standard_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Create symmetric vault', 'command': ( 'vault_add', 
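Review bot: the standard-vault copy cases (`@@ -513,6 +540,126 @@`) only copy standard into standard. Since the plugin code places no restriction on the source type, add a case that uses `'source_vault_id': symmetric_vault` with `'source_password': password` against a standard target and pin down the intended outcome (rejected with a `ValidationError`, or allowed with the retrieved `'data': binary_data`), so a later change cannot silently alter whether an encrypted secret may be downgraded into an unencrypted vault. `standard_vault_copy2` is declared and cleaned up at the top of the file but does not appear in these cases; if the remaining part of the patch does not use it, drop it.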
@@ -579,6 +726,116 @@ class test_vault_plugin(Declarative): }, { + 'desc': 'Create a copy of symmetric vault', + 'command': ( + 'vault_add', + [symmetric_vault_copy], + { + 'ipavaulttype': u'symmetric', + 'password': other_password, + 'source_vault_id': symmetric_vault, + 'source_password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy, + 'summary': 'Added vault "%s"' % symmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy, api.env.basedn), + 'cn': [symmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_copy], + { + 'password': other_password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % symmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy, api.env.basedn), + 'cn': [symmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of symmetric vault', + 'command': ( + 'vault_archive', + [symmetric_vault_copy], + { + 'password': other_password, + 'source_vault_id': symmetric_vault, + 'source_password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy, + 'summary': u'Archived data into vault "%s"' + % symmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy, api.env.basedn), + 'cn': [symmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': 
[u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_copy], + { + 'password': other_password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % symmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy, api.env.basedn), + 'cn': [symmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Create asymmetric vault', 'command': ( 'vault_add', 
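Review bot: the symmetric copy cases (`@@ -579,6 +726,116 @@`) correctly prove re-encryption under the new password (target created with `'password': other_password`, source read with `'source_password': password`, retrieval with `other_password`), but there is no failure case. Add a 'Create a copy of symmetric vault with wrong source password' entry expecting the `message=u'Invalid credentials'` already used elsewhere in this file, and the equivalent wrong `source_private_key` case for the asymmetric copies that follow, so a regression that ignores the source credential and copies anyway is caught.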
@@ -648,6 +905,119 @@ class test_vault_plugin(Declarative): }, { + 'desc': 'Create a copy of asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault_copy], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': other_public_key, + 'source_vault_id': asymmetric_vault, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy, + 'summary': 'Added vault "%s"' % asymmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy, api.env.basedn), + 'cn': [asymmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [other_public_key], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_copy], + { + 'private_key': other_private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % asymmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy, api.env.basedn), + 'cn': [asymmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [other_public_key], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of asymmetric vault', + 'command': ( + 'vault_archive', + [asymmetric_vault_copy], + { + 'source_vault_id': asymmetric_vault, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy, + 'summary': u'Archived data into vault "%s"' + % asymmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy, api.env.basedn), + 'cn': [asymmetric_vault_copy], + 'vault_id': 
u'/users/admin/%s' % asymmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [other_public_key], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_copy], + { + 'private_key': other_private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy, + 'summary': u'Retrieved data from vault "%s"' + % asymmetric_vault_copy, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy, api.env.basedn), + 'cn': [asymmetric_vault_copy], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [other_public_key], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Create escrowed symmetric vault', 'command': ( 'vault_add', 
@@ -763,4 +1133,461 @@ class test_vault_plugin(Declarative): }, }, + { + 'desc': 'Create standard secrets vault', + 'command': ( + 'vault_add', + [standard_secrets_vault], + {}, + ), + 'expected': { + 'value': standard_secrets_vault, + 'summary': 'Added vault "%s"' % standard_secrets_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_secrets_vault, api.env.basedn), + 'cn': [standard_secrets_vault], + 'vault_id': u'/users/admin/%s' % standard_secrets_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Create secret in standard vault', + 'command': ( + 'vaultsecret_add', + [standard_secrets_vault, test_secret], + { + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create symmetric secrets vault', + 'command': ( + 'vault_add', + [symmetric_secrets_vault], + { + 'ipavaulttype': u'symmetric', + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_secrets_vault, + 'summary': 'Added vault "%s"' % symmetric_secrets_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_secrets_vault, api.env.basedn), + 'cn': [symmetric_secrets_vault], + 'vault_id': u'/users/admin/%s' % symmetric_secrets_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Create secret in symmetric vault', + 'command': ( + 'vaultsecret_add', + [symmetric_secrets_vault, test_secret], + { + 'data': binary_data, + 'password': password, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create asymmetric secrets vault', + 'command': ( + 'vault_add', + [asymmetric_secrets_vault], + { + 
'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + }, + ), + 'expected': { + 'value': asymmetric_secrets_vault, + 'summary': 'Added vault "%s"' % asymmetric_secrets_vault, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_secrets_vault, api.env.basedn), + 'cn': [asymmetric_secrets_vault], + 'vault_id': u'/users/admin/%s' % asymmetric_secrets_vault, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Create secret in asymmetric vault', + 'command': ( + 'vaultsecret_add', + [asymmetric_secrets_vault, test_secret], + { + 'private_key': private_key, + 'data': binary_data, + }, + ), + 'expected': { + 'value': test_secret, + 'summary': 'Added vault secret "%s"' % test_secret, + 'result': { + 'secret_name': test_secret, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create a copy of secret from standard vault', + 'command': ( + 'vault_add', + [standard_vault_copy2], + { + 'source_vault_id': standard_secrets_vault, + 'source_secret_id': test_secret, + }, + ), + 'expected': { + 'value': standard_vault_copy2, + 'summary': 'Added vault "%s"' % standard_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy2, api.env.basedn), + 'cn': [standard_vault_copy2], + 'vault_id': u'/users/admin/%s' % standard_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of secret from standard vault', + 'command': ( + 'vault_retrieve', + [standard_vault_copy2], + {}, + ), + 'expected': { + 'value': standard_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % standard_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy2, api.env.basedn), + 'cn': [standard_vault_copy2], + 'vault_id': u'/users/admin/%s' % standard_vault_copy2, + 'owner_user': [u'admin'], + 
'ipavaulttype': [u'standard'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of secret from standard vault', + 'command': ( + 'vault_archive', + [standard_vault_copy2], + { + 'source_vault_id': standard_secrets_vault, + 'source_secret_id': test_secret, + }, + ), + 'expected': { + 'value': standard_vault_copy2, + 'summary': u'Archived data into vault "%s"' + % standard_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy2, api.env.basedn), + 'cn': [standard_vault_copy2], + 'vault_id': u'/users/admin/%s' % standard_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of secret from standard vault', + 'command': ( + 'vault_retrieve', + [standard_vault_copy2], + {}, + ), + 'expected': { + 'value': standard_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % standard_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (standard_vault_copy2, api.env.basedn), + 'cn': [standard_vault_copy2], + 'vault_id': u'/users/admin/%s' % standard_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'standard'], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create a copy of secret from symmetric vault', + 'command': ( + 'vault_add', + [symmetric_vault_copy2], + { + 'ipavaulttype': u'symmetric', + 'password': password, + 'source_vault_id': symmetric_secrets_vault, + 'source_secret_id': test_secret, + 'source_password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy2, + 'summary': 'Added vault "%s"' % symmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy2, api.env.basedn), + 'cn': [symmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy2, + 'owner_user': [u'admin'], + 
'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of secret from symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_copy2], + { + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % symmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy2, api.env.basedn), + 'cn': [symmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of secret from symmetric vault', + 'command': ( + 'vault_archive', + [symmetric_vault_copy2], + { + 'password': password, + 'source_vault_id': symmetric_secrets_vault, + 'source_secret_id': test_secret, + 'source_password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy2, + 'summary': u'Archived data into vault "%s"' + % symmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy2, api.env.basedn), + 'cn': [symmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of secret from symmetric vault', + 'command': ( + 'vault_retrieve', + [symmetric_vault_copy2], + { + 'password': password, + }, + ), + 'expected': { + 'value': symmetric_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % symmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (symmetric_vault_copy2, api.env.basedn), + 'cn': [symmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % symmetric_vault_copy2, + 'owner_user': [u'admin'], 
+ 'ipavaulttype': [u'symmetric'], + 'ipavaultsalt': [fuzzy_string], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create a copy of secret from asymmetric vault', + 'command': ( + 'vault_add', + [asymmetric_vault_copy2], + { + 'ipavaulttype': u'asymmetric', + 'ipapublickey': public_key, + 'source_vault_id': asymmetric_secrets_vault, + 'source_secret_id': test_secret, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy2, + 'summary': 'Added vault "%s"' % asymmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy2, api.env.basedn), + 'cn': [asymmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Verify the copy creation of secret from asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_copy2], + { + 'private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % asymmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy2, api.env.basedn), + 'cn': [asymmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Archive a copy of secret from asymmetric vault', + 'command': ( + 'vault_archive', + [asymmetric_vault_copy2], + { + 'source_vault_id': asymmetric_secrets_vault, + 'source_secret_id': test_secret, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy2, + 'summary': 
u'Archived data into vault "%s"' + % asymmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy2, api.env.basedn), + 'cn': [asymmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + }, + }, + }, + + { + 'desc': 'Verify the copy archival of secret from asymmetric vault', + 'command': ( + 'vault_retrieve', + [asymmetric_vault_copy2], + { + 'private_key': private_key, + }, + ), + 'expected': { + 'value': asymmetric_vault_copy2, + 'summary': u'Retrieved data from vault "%s"' + % asymmetric_vault_copy2, + 'result': { + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + % (asymmetric_vault_copy2, api.env.basedn), + 'cn': [asymmetric_vault_copy2], + 'vault_id': u'/users/admin/%s' % asymmetric_vault_copy2, + 'owner_user': [u'admin'], + 'ipavaulttype': [u'asymmetric'], + 'ipavaultsalt': [fuzzy_string], + 'ipapublickey': [public_key], + 'nonce': fuzzy_string, + 'vault_data': fuzzy_string, + 'data': binary_data, + }, + }, + }, + ] diff --git a/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py index b7c79618a955dc68b89628e402849a865a9e4388..bb4a0633a368e276327e230b1b31a3261b9376d5 100644 --- a/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py +++ b/ipatests/test_xmlrpc/test_vaultcontainer_plugin.py @@ -326,6 +326,7 @@ class test_vaultcontainer_plugin(Declarative): }, }, }, + { 'desc': 'Create base container', 'command': ( diff --git a/ipatests/test_xmlrpc/test_vaultsecret_plugin.py b/ipatests/test_xmlrpc/test_vaultsecret_plugin.py index b8257299510df9efecbbba320c9d22177aad0276..9c4ae6ae3e8dac6caa29e0c9679cfea3b1df767b 100644 --- a/ipatests/test_xmlrpc/test_vaultsecret_plugin.py +++ b/ipatests/test_xmlrpc/test_vaultsecret_plugin.py 
@@ -30,6 +30,8 @@ symmetric_vault = u'symmetric_vault' asymmetric_vault = u'asymmetric_vault' test_secret = u'test_secret' +test_secret_copy = u'test_secret_copy' + binary_data = '\x01\x02\x03\x04' text_data = u'secret' @@ -244,6 +246,48 @@ class test_vaultsecret_plugin(Declarative): }, { + 'desc': 'Create a copy of secret from a standard vault', + 'command': ( + 'vaultsecret_add', + [symmetric_vault, test_secret_copy], + { + 'source_vault_id': test_vault, + 'source_secret_id': test_secret, + 'password': password, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Added vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Update a copy of secret from a standard vault', + 'command': ( + 'vaultsecret_mod', + [symmetric_vault, test_secret_copy], + { + 'source_vault_id': test_vault, + 'source_secret_id': test_secret, + 'password': password, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Modified vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Create asymmetric vault', 'command': ( 'vault_add', 
@@ -290,6 +334,92 @@ class test_vaultsecret_plugin(Declarative): }, { + 'desc': 'Create a copy of secret from a symmetric vault', + 'command': ( + 'vaultsecret_add', + [asymmetric_vault, test_secret_copy], + { + 'private_key': private_key, + 'source_vault_id': symmetric_vault, + 'source_secret_id': test_secret, + 'source_password': password, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Added vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Update a copy of secret from a symmetric vault', + 'command': ( + 'vaultsecret_mod', + [asymmetric_vault, test_secret_copy], + { + 'private_key': private_key, + 'source_vault_id': symmetric_vault, + 'source_secret_id': test_secret, + 'source_password': password, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Modified vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Create a copy of secret from an asymmetric vault', + 'command': ( + 'vaultsecret_add', + [test_vault, test_secret_copy], + { + 'source_vault_id': asymmetric_vault, + 'source_secret_id': test_secret, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Added vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { + 'desc': 'Update a copy of secret from an asymmetric vault', + 'command': ( + 'vaultsecret_mod', + [test_vault, test_secret_copy], + { + 'source_vault_id': asymmetric_vault, + 'source_secret_id': test_secret, + 'source_private_key': private_key, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Modified vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Delete secret', 'command': ( 
'vaultsecret_del', @@ -452,6 +582,25 @@ class test_vaultsecret_plugin(Declarative): }, { + 'desc': 'Create a copy of secret in the same vault', + 'command': ( + 'vaultsecret_add', + [shared_test_vault, test_secret_copy], + { + 'source_secret_id': test_secret, + }, + ), + 'expected': { + 'value': test_secret_copy, + 'summary': 'Added vault secret "%s"' % test_secret_copy, + 'result': { + 'secret_name': test_secret_copy, + 'data': binary_data, + }, + }, + }, + + { 'desc': 'Delete shared secret', 'command': ( 'vaultsecret_del', -- 2.3.1 -------------- next part -------------- >From 196e2178b2f917e91aa72e31eae5c980c2332504 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 27 Mar 2015 12:48:47 -0400 Subject: [PATCH] Refactored baseldap.py. Some classes in baseldap.py have been modified to allow subclasses such as vault plugins to override the default behavior for error handling and subtree deletion if necessary. https://fedorahosted.org/freeipa/ticket/3872 --- ipalib/plugins/baseldap.py | 113 ++++++++++++++++++++++++--------------------- 1 file changed, 61 insertions(+), 52 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 4b1c701924d57919538e0c428ea181c2e898505e..fceaf95f42bef5fa71cbedeb291bd68d2919bc5a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -1152,19 +1152,7 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): try: self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs) except errors.NotFound: - parent = self.obj.parent_object - if parent: - raise errors.NotFound( - reason=self.obj.parent_not_found_msg % { - 'parent': keys[-2], - 'oname': self.api.Object[parent].object_name, - } - ) - raise errors.NotFound( - reason=self.obj.container_not_found_msg % { - 'container': self.obj.container_dn, - } - ) + self.handle_not_found(*keys, **options) except errors.DuplicateEntry: self.obj.handle_duplicate_entry(*keys) 
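Review bot: the copy cases in the test_vault_plugin.py hunks (@@ -579, @@ -648 and @@ -763) match 'ipavaultsalt' and 'nonce' against fuzzy_string, so they only establish that the attributes are present; they cannot tell a copy that was re-encrypted with a fresh salt and nonce under other_password / other_public_key from one that carried the source vault's values over. Record the source vault's salt and nonce (vault_retrieve on symmetric_vault already returns both) and assert, for instance in a non-declarative test, that the copy's values differ; the same check applies to the vault_archive copy steps, which should produce a new nonce on every archive.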
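Review bot: the secret-copy cases in the test_vaultsecret_plugin.py hunks (@@ -244, @@ -290 and @@ -452) exercise only the success path: every vaultsecret_add and vaultsecret_mod with source_vault_id/source_secret_id is given the correct password, source_password or source_private_key. Add negative cases asserting that a wrong source_password or source_private_key is rejected and leaves the destination untouched (no secret created for vaultsecret_add, data unchanged for vaultsecret_mod), and that a missing destination credential for a symmetric or asymmetric target fails rather than silently storing the copy. Also, 'Create a copy of secret in the same vault' passes only source_secret_id, so it relies on source_vault_id defaulting to the target vault; say so in 'desc' so the intent of the case is visible.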
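Review bot: the test_vaultcontainer_plugin.py hunk (@@ -326) adds only a blank line between two test dictionaries and changes nothing functional; drop it from this patch, or mention in the commit message that it is intentional spacing cleanup.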
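Review bot: in the LDAPCreate.execute hunk (@@ -1152), the except errors.NotFound branch now calls self.handle_not_found(*keys, **options) and relies on it raising; if a subclass override returns instead, execute() falls through as though ldap.add_entry had succeeded. Either check for a return and raise, or document at the call site (and in the hook itself) that handle_not_found must raise. Forwarding the full keys tuple also matters here: the default implementation reads args[-2], so an override or caller that passes a shortened key list gets an IndexError instead of the intended parent-not-found error.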
@@ -1213,6 +1201,21 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): raise exc + def handle_not_found(self, *args, **options): + parent = self.obj.parent_object + if parent: + raise errors.NotFound( + reason=self.obj.parent_not_found_msg % { + 'parent': args[-2], + 'oname': self.api.Object[parent].object_name, + } + ) + raise errors.NotFound( + reason=self.obj.container_not_found_msg % { + 'container': self.obj.container_dn, + } + ) + def interactive_prompt_callback(self, kw): return 
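Review bot: the new LDAPCreate.handle_not_found (@@ -1213) has no docstring, although the commit message presents it as the hook that vault plugins will override. Add one stating that it is called when the add fails with NotFound, that it must raise (the caller does not handle a return), that args are the command keys with args[-2] being the parent key when parent_object is set, and that **options is accepted for the benefit of overrides even though the default implementation ignores it. Consider also a name that does not collide with self.obj.handle_not_found, which exists on the object class with a different signature and is called with *nkeys elsewhere in this same file.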
@@ -1498,48 +1501,50 @@ class LDAPDelete(LDAPMultiQuery): has_output_params = global_output_params - def execute(self, *keys, **options): + def delete_subtree(self, base_dn, *nkeys, **options): ldap = self.obj.backend - - def delete_entry(pkey): - nkeys = keys[:-1] + (pkey, ) - dn = self.obj.get_dn(*nkeys, **options) - assert isinstance(dn, DN) - - for callback in self.get_callbacks('pre'): - dn = callback(self, ldap, dn, *nkeys, **options) - assert isinstance(dn, DN) - - def delete_subtree(base_dn): - assert isinstance(base_dn, DN) - truncated = True - while truncated: - try: - (subentries, truncated) = ldap.find_entries( - None, [''], base_dn, ldap.SCOPE_ONELEVEL - ) - except errors.NotFound: - break - else: - for entry_attrs in subentries: - delete_subtree(entry_attrs.dn) - try: - self._exc_wrapper(nkeys, options, ldap.delete_entry)(base_dn) - except errors.NotFound: - self.obj.handle_not_found(*nkeys) - + assert isinstance(base_dn, DN) + truncated = True + while truncated: try: - self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn) + (subentries, truncated) = ldap.find_entries( + None, [''], base_dn, ldap.SCOPE_ONELEVEL + ) except errors.NotFound: - self.obj.handle_not_found(*nkeys) - except errors.NotAllowedOnNonLeaf: - # this entry is not a leaf entry, delete all child nodes - delete_subtree(dn) + break + else: + for entry_attrs in subentries: + self.delete_subtree(entry_attrs.dn, *nkeys, **options) + try: + self._exc_wrapper(nkeys, options, ldap.delete_entry)(base_dn) + except errors.NotFound: + self.obj.handle_not_found(*nkeys) - for callback in self.get_callbacks('post'): - result = callback(self, ldap, dn, *nkeys, **options) + def delete_entry(self, pkey, *keys, **options): + ldap = self.obj.backend + nkeys = keys[:-1] + (pkey, ) + dn = self.obj.get_dn(*nkeys, **options) + assert isinstance(dn, DN) - return result + for callback in self.get_callbacks('pre'): + dn = callback(self, ldap, dn, *nkeys, **options) + assert isinstance(dn, DN) + + try: + 
self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn) + except errors.NotFound: + self.obj.handle_not_found(*nkeys) + except errors.NotAllowedOnNonLeaf: + # this entry is not a leaf entry, delete all child nodes + self.delete_subtree(dn, *nkeys, **options) + + for callback in self.get_callbacks('post'): + result = callback(self, ldap, dn, *nkeys, **options) + + return result + + def execute(self, *keys, **options): + ldap = self.obj.backend if self.obj.primary_key and isinstance(keys[-1], (list, tuple)): pkeyiter = keys[-1] @@ -1552,7 +1557,7 @@ class LDAPDelete(LDAPMultiQuery): failed = [] for pkey in pkeyiter: try: - delete_entry(pkey) + self.delete_entry(pkey, *keys, **options) except errors.ExecutionError: if not options.get('continue', False): raise @@ -1998,7 +2003,8 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): except errors.EmptyResult: (entries, truncated) = ([], False) except errors.NotFound: - self.api.Object[self.obj.parent_object].handle_not_found(*args[:-1]) + self.handle_not_found(*args, **options) + (entries, truncated) = ([], False) for callback in self.get_callbacks('post'): truncated = callback(self, ldap, entries, truncated, *args, **options) @@ -2024,6 +2030,9 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): truncated=truncated, ) + def handle_not_found(self, *args, **options): + self.api.Object[self.obj.parent_object].handle_not_found(*args[:-1]) + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): assert isinstance(base_dn, DN) return (filters, base_dn, scope) -- 2.3.1 From simo at redhat.com Sun Apr 5 22:53:33 2015 
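Review bot: in the LDAPDelete hunk (@@ -1498), `ldap = self.obj.backend` at the top of the rewritten execute() is now unused: the closures that consumed it became delete_subtree and delete_entry, each of which fetches self.obj.backend itself. Remove it, or pylint will report an unused variable. In delete_subtree, the except errors.NotFound branch calls self.obj.handle_not_found(*nkeys) with the user's top-level keys even when it is a child entry under base_dn that disappeared during the recursion, so a concurrent deletion inside a non-leaf entry is reported as the requested entry being missing; now that the method is an override point, consider ignoring NotFound for children and raising only for the top-level dn.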
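Review bot: in the LDAPSearch hunk (@@ -1998), `(entries, truncated) = ([], False)` after self.handle_not_found(*args, **options) is unreachable with the default LDAPSearch.handle_not_found added in the same patch, which delegates to the parent object's handle_not_found and raises; it only takes effect for a subclass override that returns. Add a comment saying so, and a docstring on the new LDAPSearch.handle_not_found stating that overrides may return to turn a missing parent into an empty result, otherwise the assignment reads as dead code and risks being removed in a later cleanup.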
From: simo at redhat.com (Simo Sorce)
Date: Sun, 05 Apr 2015 18:53:33 -0400
Subject: [Freeipa-devel] Fix password changes via kadmin
Message-ID: <1428274413.19641.118.camel@willson.usersys.redhat.com>

Fix for bug 4914.

I've tested it locally and it seems to do exactly what is needed. I couldn't detect any side effects, except that if you use kadmin to get a randomized password for a service then you'll get a key for all supported types (currently aes256, aes128, des3, rc4, camellia128, camellia256) instead of just the default ones (aes256, aes128, des3, rc4) if you do not specify enctypes.

I think that is fine, we use ipa-getkeytab anyway in the normal course of business and that one uses a different code path.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-522-1-Detect-default-encsalts-kadmin-password-change.patch
Type: text/x-patch
Size: 11733 bytes
Desc: not available
URL: 

From simo at redhat.com Mon Apr 6 12:48:51 2015
From: simo at redhat.com (Simo Sorce)
Date: Mon, 06 Apr 2015 08:48:51 -0400
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <55192234.6050208@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com>
Message-ID: <1428324531.19641.123.camel@willson.usersys.redhat.com>

On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
> > On 28.3.2015 at 00:05 Petr Vobornik wrote:
> >> On 27.3.2015 14:58, David Kupka wrote:
> >>> pylint changed slightly, so we must react, otherwise we'll be unable to
> >>> build freeipa rpms on Fedora 22. This patch should go to master for sure
> >>> but I don't know if we want it in 4.1.
> >>>
> >>
> >> ACK
> >
> > Are all the new disables really just false positives?
>
> They seem to me to be false positives.
>
> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>
> >>> import ssl
> >>> ssl.PROTOCOL_TLSv1
> 3
>
> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
> convertDate] Instance of 'tuple' has no 'tzinfo' member)
> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
> convertDate] Instance of 'tuple' has no 'timetuple' member)
>
> dateutil.parser.parse() returns a datetime.datetime object and it has
> both tzinfo and timetuple methods
> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>
> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
> uri_escape] Slice index is not an int, None, or instance with __index__)
>
> This is the line lint is complaining about:
> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
> I don't see a chance for 'i' or 'i+1' to be anything other than integers.
>
>
> >>
> >> tested on:
> >> - F21: ipa-4-1, master branch
> >> - F22: master branch.
> >>
> >> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>

This patch doesn't seem to fix all my issues building on F22, so tentative NACK.

It seems the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter).

On a different note, make-lint takes forever to run, do we really need to run it in make rpms? Shouldn't we rather just run it at make dist time, or whatever we use to generate the release tarballs?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mbasti at redhat.com Tue Apr 7 08:32:05 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 10:32:05 +0200
Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install
In-Reply-To: 
References: <551D596E.3040802@redhat.com>
Message-ID: <55239605.3080401@redhat.com>

On 02/04/15 17:47, Gabe Alford wrote:
> On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti wrote:
>
> On 30/03/15 15:25, Gabe Alford wrote:
>> Hello,
>>
>> With the merging of ticket 4842, I believe that half of ticket 3092 has been done.
>> This patch just adds a message that says that NTP configuration was skipped which I believe should finish 3092.
>>
>> Thanks,
>>
>> Gabe
>>
> Hello, thank you for the patch.
>
> 1)
> IMO there should be:
> if *not* options.conf_ntp
>
>
> So, if --no-ntp is not specified, print message that the client is skipping NTP sync?

Yes, or did I miss something? I thought the message should be shown only if the --no-ntp option is used.

With your current patch:

# ipa-client-install --no-ntp

# ipa-client-install
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Skipping synchronizing time with IPA NTP server.

But in this case the client did synchronization with NTP (which failed), IMO the message "Skipping ..." should not be there. This message is shown even if the synchronization with NTP is successful.

> 2)
> wouldn't it be better to use just else?
>
>
> I actually ran ipa-client-install with no options on a system where I used 'else', and it printed the skipping NTP sync when it should not have.
> That is why the patch does not use 'else'.

Interesting, I expected the messages only on a client installed on an IPA server, or when using the --no-ntp option.

>
>
> Martin
>
> --
> Martin Basti
>

-- 
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mkubik at redhat.com Tue Apr 7 13:45:08 2015
From: mkubik at redhat.com (Milan Kubik)
Date: Tue, 07 Apr 2015 15:45:08 +0200
Subject: [Freeipa-devel] [PATCH 0210] DNSSEC: CI test
In-Reply-To: <55102929.9030702@redhat.com>
References: <55102929.9030702@redhat.com>
Message-ID: <5523DF64.6050405@redhat.com>

On 03/23/2015 03:54 PM, Martin Basti wrote:
> Hello,
>
> a patch with DNSSEC CI tests attached.
>
> * Two types of installation tested
> * Tests check if zones are signed on both replica and master
> * The root zone test also checks chain of trust
>
> Can somebody very familiar with pytest do review? I'm not sure if I used pytest friendly constructions.
>
> PS: the test may fail occasionally due to a bug in the DNSSEC code, but the CI test itself should be OK
>
> Useful information: http://www.freeipa.org/page/Howto/DNSSEC
>

Hello,

the patch looks good to me. Fix the pep8 complaints please (unused imports and long lines).

Thanks,
Milan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mbasti at redhat.com Tue Apr 7 14:12:19 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 16:12:19 +0200
Subject: [Freeipa-devel] New installer PoC
In-Reply-To: <550FC8E9.4020502@redhat.com>
References: <550FC8E9.4020502@redhat.com>
Message-ID: <5523E5C3.8030601@redhat.com>

On 23/03/15 09:03, Jan Cholasta wrote:
> Hi,
>
> the attached patch contains a new PoC installer for httpd.
>
> Design goals:
>
> 1) Make code related to any particular configuration change co-located, be it install/uninstall/upgrade.
>
> 2) Get rid of code duplicates.
>
> 3) Use the same code path for install and upgrade.
>
> 4) Provide metadata for parameters from which option parsers etc. can be generated.
>
> 5) Make installers pluggable. This is not really apparent from the patch, since it only implements an installer for a single component, but I plan to make the whole thing extensible by plugins.
>
> Honza
>

Looks good to me, after personal discussion with Honza.

Martin^2

-- 
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From pspacek at redhat.com Tue Apr 7 14:33:52 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 07 Apr 2015 16:33:52 +0200
Subject: [Freeipa-devel] Generic support for unknown DNS RR types (RFC 3597)
In-Reply-To: <550176A4.5050807@redhat.com>
References: <54FF007F.7060701@redhat.com> <1425999202.4735.90.camel@willson.usersys.redhat.com> <54FF0B8A.1090308@redhat.com> <1426005332.4735.92.camel@willson.usersys.redhat.com> <54FF292C.4020805@redhat.com> <1426008965.4735.95.camel@willson.usersys.redhat.com> <54FF36E8.1040707@redhat.com> <1426014271.4735.107.camel@willson.usersys.redhat.com> <55001517.1060501@redhat.com> <55001A49.9050001@redhat.com> <55002A7A.9040409@redhat.com> <5500510F.5000100@redhat.com> <55005363.6000302@redhat.com> <55005516.8090007@redhat.com> <5500658F.2090601@redhat.com> <55006716.4020501@redhat.com> <550176A4.5050807@redhat.com>
Message-ID: <5523EAD0.3070001@redhat.com>

On 12.3.2015 12:21, Petr Spacek wrote:
> On 11.3.2015 17:02, Martin Kosek wrote:
>> On 03/11/2015 04:55 PM, Petr Spacek wrote:
>>> On 11.3.2015 15:45, Martin Kosek wrote:
>>>> On 03/11/2015 03:38 PM, Petr Spacek wrote:
>>>>> On 11.3.2015 15:28, Martin Kosek wrote:
>>>>>> On 03/11/2015 12:43 PM, Petr Spacek wrote:
>>>>>>> On 11.3.2015 11:34, Jan Cholasta wrote:
>>>>>>>> On 11.3.2015 at 11:12 Petr Spacek wrote:
>>>>>>>>> On 10.3.2015 20:04, Simo Sorce wrote:
>>>>>>>>>> On Tue, 2015-03-10 at 19:24 +0100, Petr Spacek wrote:
>>>>>>>>>>> On 10.3.2015 18:36, Simo Sorce wrote:
>>>>>>>>>>>> On Tue, 2015-03-10 at 18:26 +0100, Petr Spacek wrote:
>>>>>>>>>>>>> On 10.3.2015 17:35, Simo Sorce wrote:
>>>>>>>>>>>>>> On Tue, 2015-03-10 at 16:19 +0100, Petr Spacek wrote:
>>>>>>>>>>>>>>> On 10.3.2015 15:53, Simo Sorce wrote:
>>>>>>>>>>>>>>>> On Tue, 2015-03-10 at 15:32 +0100, Petr Spacek wrote:
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I would like to discuss Generic support for unknown DNS RR types
>>>>>>>>>>>>>>>>> (RFC 3597 [0]).
Here is the proposal: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> LDAP schema >>>>>>>>>>>>>>>>> =========== >>>>>>>>>>>>>>>>> - 1 new attribute: >>>>>>>>>>>>>>>>> ( NAME 'GenericRecord' DESC 'unknown DNS record, RFC 3597' >>>>>>>>>>>>>>>>> EQUALITY >>>>>>>>>>>>>>>>> caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The attribute should be added to existing idnsRecord object class as >>>>>>>>>>>>>>>>> MAY. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> This new attribute should contain data encoded according to RFC >>>>>>>>>>>>>>>>> 3597 section >>>>>>>>>>>>>>>>> 5 [5]: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The RDATA section of an RR of unknown type is represented as a >>>>>>>>>>>>>>>>> sequence of white space separated words as follows: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The special token \# (a backslash immediately followed by a hash >>>>>>>>>>>>>>>>> sign), which identifies the RDATA as having the generic encoding >>>>>>>>>>>>>>>>> defined herein rather than a traditional type-specific encoding. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> An unsigned decimal integer specifying the RDATA length in >>>>>>>>>>>>>>>>> octets. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Zero or more words of hexadecimal data encoding the actual RDATA >>>>>>>>>>>>>>>>> field, each containing an even number of hexadecimal digits. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If the RDATA is of zero length, the text representation contains >>>>>>>>>>>>>>>>> only >>>>>>>>>>>>>>>>> the \# token and the single zero representing the length. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Examples from RFC: >>>>>>>>>>>>>>>>> a.example. CLASS32 TYPE731 \# 6 abcd ( >>>>>>>>>>>>>>>>> ef 01 23 45 ) >>>>>>>>>>>>>>>>> b.example. HS TYPE62347 \# 0 >>>>>>>>>>>>>>>>> e.example. IN A \# 4 0A000001 >>>>>>>>>>>>>>>>> e.example. 
CLASS1 TYPE1 10.0.0.2 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Open questions about LDAP format >>>>>>>>>>>>>>>>> ================================ >>>>>>>>>>>>>>>>> Should we include "\#" constant? We know that the attribute contains >>>>>>>>>>>>>>>>> record in >>>>>>>>>>>>>>>>> RFC 3597 syntax so it is not strictly necessary. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I think it would be better to follow RFC 3597 format. It allows blind >>>>>>>>>>>>>>>>> copy&pasting from other tools, including direct calls to python-dns. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> It also eases writing conversion tools between DNS and LDAP format >>>>>>>>>>>>>>>>> because >>>>>>>>>>>>>>>>> they do not need to change record values. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Another question is if we should explicitly include length of data >>>>>>>>>>>>>>>>> represented >>>>>>>>>>>>>>>>> in hexadecimal notation as a decimal number. I'm very strongly >>>>>>>>>>>>>>>>> inclined to let >>>>>>>>>>>>>>>>> it there because it is very good sanity check and again, it allows >>>>>>>>>>>>>>>>> us to >>>>>>>>>>>>>>>>> re-use existing tools including parsers. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I will ask Uninett.no for standardization after we sort this out >>>>>>>>>>>>>>>>> (they own the >>>>>>>>>>>>>>>>> OID arc we use for DNS records). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Attribute usage >>>>>>>>>>>>>>>>> =============== >>>>>>>>>>>>>>>>> Every DNS RR type has assigned a number [1] which is used on wire. >>>>>>>>>>>>>>>>> RR types >>>>>>>>>>>>>>>>> which are unknown to the server cannot be named by their >>>>>>>>>>>>>>>>> mnemonic/type name >>>>>>>>>>>>>>>>> because server would not be able to do name->number conversion and >>>>>>>>>>>>>>>>> to generate >>>>>>>>>>>>>>>>> DNS wire format. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> As a result, we have to encode the RR type number somehow. Let's use >>>>>>>>>>>>>>>>> attribute >>>>>>>>>>>>>>>>> sub-types. 
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E.g. a record with type 65280 and hex value 0A000001 will be >>>>>>>>>>>>>>>>> represented as: >>>>>>>>>>>>>>>>> GenericRecord;TYPE65280: \# 4 0A000001 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> CLI >>>>>>>>>>>>>>>>> === >>>>>>>>>>>>>>>>> $ ipa dnsrecord-add zone.example owner \ >>>>>>>>>>>>>>>>> --generic-type=65280 --generic-data='\# 4 0A000001' >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> $ ipa dnsrecord-show zone.example owner >>>>>>>>>>>>>>>>> Record name: owner >>>>>>>>>>>>>>>>> TYPE65280 Record: \# 4 0A000001 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ACK? :-) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Almost. >>>>>>>>>>>>>>>> We should refrain from using subtypes when not necessary, and in this >>>>>>>>>>>>>>>> case it is not necessary. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Use: >>>>>>>>>>>>>>>> GenericRecord: 65280 \# 4 0A000001 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I was considering that too but I can see two main drawbacks: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1) It does not work very well with DS ACI (targetattrfilter, anyone?). >>>>>>>>>>>>>>> Adding >>>>>>>>>>>>>>> generic write access to GenericRecord == ability to add TLSA records too, >>>>>>>>>>>>>>> which you may not want. IMHO it is perfectly reasonable to limit write >>>>>>>>>>>>>>> access >>>>>>>>>>>>>>> to certain types (e.g. to one from private range). >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 2) We would need a separate substring index for emulating filters like >>>>>>>>>>>>>>> (type==65280). AFAIK GenericRecord;TYPE65280 should work with presence >>>>>>>>>>>>>>> index >>>>>>>>>>>>>>> which will be handy one day when we decide to handle upgrades like >>>>>>>>>>>>>>> GenericRecord;TYPE256->UriRecord. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Another (less important) annoyance is that conversion tools would have to >>>>>>>>>>>>>>> mangle record data instead of just converting attribute name->record >>>>>>>>>>>>>>> type. 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I can be convinced that subtypes are not necessary but I do not see clear >>>>>>>>>>>>>>> advantage of avoiding them. What is the problem with subtypes? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Poor support by most clients, so it is generally discouraged. >>>>>>>>>>>>> Hmm, it does not sound like a thing we should care in this case. DNS >>>>>>>>>>>>> tree is >>>>>>>>>>>>> not meant for direct consumption by LDAP clients (compare with cn=compat). >>>>>>>>>>>>> >>>>>>>>>>>>> IMHO the only two clients we should care are FreeIPA framework and >>>>>>>>>>>>> bind-dyndb-ldap so I do not see this as a problem, really. If someone >>>>>>>>>>>>> wants to >>>>>>>>>>>>> access DNS tree by hand - sure, use a standard compliant client! >>>>>>>>>>>>> >>>>>>>>>>>>> Working ACI and LDAP filters sounds like good price for supporting only >>>>>>>>>>>>> standards compliant clients. >>>>>>>>>>>>> >>>>>>>>>>>>> AFAIK OpenLDAP works well and I suspect that ApacheDS will work too because >>>>>>>>>>>>> Eclipse has nice support for sub-types built-in. If I can draw some >>>>>>>>>>>>> conclusions from that, sub-types are not a thing aliens forgot here when >>>>>>>>>>>>> leaving Earth one million years ago :-) >>>>>>>>>>>>> >>>>>>>>>>>>>> The problem with subtypes and ACIs though is that I think ACIs do not >>>>>>>>>>>>>> care about the subtype unless you explicit mention them. >>>>>>>>>>>>> IMHO that is exactly what I would like to see for GenericRecord. It >>>>>>>>>>>>> allows us >>>>>>>>>>>>> to write ACI which allows admins to add any GenericRecord and at the >>>>>>>>>>>>> same time >>>>>>>>>>>>> allows us to craft ACI which allows access only to >>>>>>>>>>>>> GenericRecord;TYPE65280 for >>>>>>>>>>>>> specific group/user. >>>>>>>>>>>>> >>>>>>>>>>>>>> So perhaps bind_dyndb_ldap should refuse to use a generic type that >>>>>>>>>>>>>> shadows DNSSEC relevant records ? 
>>>>>>>>>>>>> Sorry, this cannot possibly work because it depends on up-to-date >>>>>>>>>>>>> blacklist. >>>>>>>>>>>>> >>>>>>>>>>>>> How would the plugin released in 2015 know that highly sensitive OPENPGPKEY >>>>>>>>>>>>> type will be standardized in 2016 and assigned number XYZ? >>>>>>>>>>>> >>>>>>>>>>>> Ok, show me an example ACI that works and you get my ack :) >>>>>>>>>>> >>>>>>>>>>> Am I being punished for something? :-) >>>>>>>>>>> >>>>>>>>>>> Anyway, this monstrosity: >>>>>>>>>>> >>>>>>>>>>> (targetattr = "objectclass || txtRecord;test")(target = >>>>>>>>>>> "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl >>>>>>>>>>> "permission:luser: Read DNS Entries";allow (compare,read,search) userdn = >>>>>>>>>>> "ldap:///uid=luser,cn=users,cn=accounts,dc=ipa,dc=example";) >>>>>>>>>>> >>>>>>>>>>> Gives 'luser' read access only to txtRecord;test and *not* to the whole >>>>>>>>>>> txtRecord in general. >>>>>>>>>>> >>>>>>>>>>> $ kinit luser >>>>>>>>>>> $ ldapsearch -Y GSSAPI -s base -b >>>>>>>>>>> 'idnsname=txt,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example' >>>>>>>>>>> SASL username: luser at IPA.EXAMPLE >>>>>>>>>>> >>>>>>>>>>> # txt, ipa.example., dns, ipa.example >>>>>>>>>>> dn: idnsname=txt,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example >>>>>>>>>>> objectClass: top >>>>>>>>>>> objectClass: idnsrecord >>>>>>>>>>> tXTRecord;test: Guess what is new here! >>>>>>>>>>> >>>>>>>>>>> Filter '(tXTRecord;test=*)' works as expected and returns only objects with >>>>>>>>>>> subtype ;test. >>>>>>>>>>> >>>>>>>>>>> The only weird thing I noticed is that search filter '(tXTRecord=*)' does not >>>>>>>>>>> return the object if you have access only to a subtype with an existing value >>>>>>>>>>> but not to the 'vanilla' attribute. >>>>>>>>>>> >>>>>>>>>>> Maybe it is a bug? I will think about it for a while and possibly open a >>>>>>>>>>> ticket. Anyway, this is not something we need for implementation. 
>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> For completeness: >>>>>>>>>>> >>>>>>>>>>> $ kinit admin >>>>>>>>>>> $ ldapsearch -Y GSSAPI -s base -b >>>>>>>>>>> 'idnsname=txt,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example' >>>>>>>>>>> SASL username: admin at IPA.EXAMPLE >>>>>>>>>>> >>>>>>>>>>> # txt, ipa.example., dns, ipa.example >>>>>>>>>>> dn: idnsname=txt,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example >>>>>>>>>>> objectClass: top >>>>>>>>>>> objectClass: idnsrecord >>>>>>>>>>> tXTRecord: nothing >>>>>>>>>>> tXTRecord: something >>>>>>>>>>> idnsName: txt >>>>>>>>>>> tXTRecord;test: Guess what is new here! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> And yes, you assume correctly that (targetattr = "txtRecord") gives access to >>>>>>>>>>> whole txtRecord including all its subtypes. >>>>>>>>>>> >>>>>>>>>>> ACK? :-) >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ACK. >>>>>>>>> >>>>>>>>> Thank you. Now to the most important and difficult question: >>>>>>>>> Should the attribute name be "GenericRecord" or "UnknownRecord"? >>>>>>>>> >>>>>>>>> I like "GenericRecord" but Honza prefers "UnknownRecord" so we need a third >>>>>>>>> opinion :-) >>>>>>>> >>>>>>>> GenericRecord sounds like something that may be used for any record type, >>>>>>>> known or unknown. I don't think that's what we want. We want users to use it >>>>>>>> only for unknown record types and use appropriate Record attribute for >>>>>>>> known attributes. >>>>>>>> >>>>>>>> The RFC is titled "Handling of *Unknown* DNS Resource Record (RR) Types". The >>>>>>>> word "generic" is used only when referring to encoding of RDATA. >>>>>>> >>>>>>> Okay, be it 'UnknownRecord'. >>>>>>> >>>>>>> Petr^2 Spacek >>>>>> >>>>>> I am just afraid it is quite general name, that may collide with other >>>>>> attribute names. If it would be named "idnsUnknownRecord", it would be more >>>>>> unique. But I assume we cannot add idns prefix for records themselves... >>>>> >>>>> Good point. What about UnknownDNSRecord? >>>> >>>> Maybe. 
Question is how consistent we want to be with other DNS record names >>>> (arecord, ptrrecord) and how consistent we want to be with Uninett schema >>>> (details in https://fedorahosted.org/bind-dyndb-ldap/wiki/LDAPSchema) and if >>>> this new record would be discussed with them and added to their OID space. >>> >>> Currently my intention is to contact Uninett and try to standardize it when we >>> finally agree on something. >>> >> >> I think we agreed on UnknownRecord or its variant, so please feel free to >> contact and ask them. I think they will be more surprised with the subtype than >> with the actual name :-) > > Sure. I e-mailed drift at uninett.no with the latest version of proposal and link > to this thread. For the record, the design page is available at https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/UnknownRecord It simply summarizes this thread, I did not do any changes to it. E-mail ping-pong with upstream is in progress. -- Petr^2 Spacek From redhatrises at gmail.com Tue Apr 7 15:06:12 2015 
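The RFC 3597 generic encoding and the attribute-subtype naming discussed in this thread, as an added example that is not part of the thread or of bind-dyndb-ldap/FreeIPA: a parser and serializer for the `\# <len> <hex>` presentation form that enforces the declared-length sanity check Petr wants to keep, a mapper from the `Attr;TYPE<n>` LDAP subtype to the RR type number, and the wire-format suffix a server has to build for a type it does not otherwise understand. The attribute name `UnknownRecord` is taken from the discussion (not from a released schema), the RR type 65280 is the private-range value used in the thread, and the function names are this example's own.

```python
"""RFC 3597 generic RDATA <-> bytes, plus the LDAP attribute-subtype naming
from the thread.  Added example, not bind-dyndb-ldap or FreeIPA code."""
import re
import string
import struct

# Attribute subtype naming proposed in the thread: <attr>;TYPE<number>,
# e.g. 'GenericRecord;TYPE65280' or 'UnknownRecord;TYPE65280'.
_SUBTYPE_RE = re.compile(r'^(?P<attr>[A-Za-z][A-Za-z0-9-]*);type(?P<num>[0-9]+)$',
                         re.IGNORECASE)


def parse_generic_rdata(text):
    """Parse the RFC 3597 section 5 presentation form '\\# <len> <hex words>'
    into raw RDATA bytes.  Raises ValueError on any deviation from the
    format, including a length that does not match the hex payload (the
    sanity check the thread wants to keep)."""
    # Master-file parentheses only group a multi-line RDATA; drop them.
    words = text.replace('(', ' ').replace(')', ' ').split()
    if len(words) < 2 or words[0] != r'\#':
        raise ValueError('generic RDATA must start with the \\# token')
    if re.fullmatch(r'[0-9]+', words[1]) is None:
        raise ValueError('RDATA length must be an unsigned decimal integer')
    length = int(words[1], 10)
    if length > 0xFFFF:
        raise ValueError('RDATA longer than the 16-bit RDLENGTH field allows')
    hexwords = words[2:]
    for word in hexwords:
        # Each word must be an even number of hex digits (RFC 3597 s5).
        if len(word) % 2 or any(c not in string.hexdigits for c in word):
            raise ValueError('bad hex word %r' % word)
    data = bytes.fromhex(''.join(hexwords))
    if len(data) != length:
        raise ValueError('declared length %d but %d octets of RDATA'
                         % (length, len(data)))
    return data


def format_generic_rdata(data):
    """Inverse of parse_generic_rdata; '\\# 0' for empty RDATA."""
    if not data:
        return r'\# 0'
    return r'\# %d %s' % (len(data), data.hex().upper())


def ldap_attr_to_rrtype(attr):
    """Map 'UnknownRecord;TYPE65280' (case-insensitive) to the RR type number."""
    match = _SUBTYPE_RE.match(attr)
    if match is None:
        raise ValueError('not a generic-record subtype attribute: %r' % attr)
    rrtype = int(match.group('num'), 10)
    if rrtype > 0xFFFF:
        raise ValueError('RR type %d does not fit in 16 bits' % rrtype)
    return rrtype


def ldap_to_presentation(owner, attr, value):
    """Render one LDAP attribute/value pair as an RFC 3597 master-file line."""
    rrtype = ldap_attr_to_rrtype(attr)
    rdata = parse_generic_rdata(value)       # validate before emitting anything
    return '%s TYPE%d %s' % (owner, rrtype, format_generic_rdata(rdata))


def rr_wire_suffix(rrtype, ttl, rdata, rrclass=1):
    """TYPE, CLASS, TTL, RDLENGTH, RDATA as they go on the wire (RFC 1035
    s3.2.1), i.e. everything after the owner name.  Building this needs only
    the type number and the opaque RDATA, which is why the number has to be
    stored explicitly for types the server cannot name."""
    return struct.pack('!HHIH', rrtype, rrclass, ttl, len(rdata)) + rdata


if __name__ == '__main__':
    # Constructed sample: the LDAP value from the thread rendered for a zone file.
    print(ldap_to_presentation('owner', 'UnknownRecord;TYPE65280', r'\# 4 0A000001'))
```

The parser deliberately rejects a length that disagrees with the hex payload instead of trusting either side; that is the sanity check the explicit decimal length buys, and it is also what lets the same string be handed unchanged to python-dns or pasted from dig output, as the thread notes.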
From: redhatrises at gmail.com (Gabe Alford) Date: Tue, 7 Apr 2015 09:06:12 -0600 Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install In-Reply-To: <55239605.3080401@redhat.com> References: <551D596E.3040802@redhat.com> <55239605.3080401@redhat.com> Message-ID: Stupid me. I realized that chronyd was running which messed up my testing and such (sorry about that). New patch attached that implements 'else' On Tue, Apr 7, 2015 at 2:32 AM, Martin Basti wrote: > On 02/04/15 17:47, Gabe Alford wrote: > > On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti wrote: > >> On 30/03/15 15:25, Gabe Alford wrote: >> >> Hello, >> >> With the merging of ticket 4842 >> , I believe that half of >> ticket 3092 has been >> done. This patch just adds a message that says that NTP configuration was >> skipped which I believe should finish 3092 >> . >> >> Thanks, >> >> Gabe >> >> >> Hello, thank you for the patch. >> >> 1) >> IMO there should be: >> if *not* options.conf_ntp >> > > So, if --no-ntp is not specified, print message that the client is > skipping NTP sync? > > Yes, or did I miss something? I thought the message should be shown only if > --no-ntp option is used. > > With your current patch: > > # ipa-client-install --no-ntp > > > > # ipa-client-install > > Attempting to sync time using ntpd. Will timeout after 15 seconds > Unable to sync time with IPA NTP server, assuming the time is in sync. > Please check that 123 UDP port is opened. > Skipping synchronizing time with IPA NTP server. > > > But in this case the client did synchronization with NTP (which failed), > IMO the message "Skipping ..." should not be there. > This message is shown even if the synchronization with NTP is successful. > > > >> 2) >> wouldn't it be better to use just else? >> > > I actually ran ipa-client-install with no options on a system where I > used 'else', and it printed the skipping NTP sync when it should not have. > That is why the patch does not use 'else'. 
> > Interesting, I expected the messages only on client installed on IPA > server, or with using --no-ntp option > > > >> >> Martin >> >> -- >> Martin Basti >> >> > > -- > Martin Basti > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0045-2-Add-message-for-skipping-NTP-configuration-during-cl.patch Type: text/x-patch Size: 1121 bytes Desc: not available URL: From mbasti at redhat.com Tue Apr 7 15:46:39 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 07 Apr 2015 17:46:39 +0200 Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install In-Reply-To: References: <551D596E.3040802@redhat.com> <55239605.3080401@redhat.com> Message-ID: <5523FBDF.20601@redhat.com> On 07/04/15 17:06, Gabe Alford wrote: > Stupid me. I realized that chronyd was running which messed up my > testing and such (sorry about that). New patch attached that > implements 'else' > > On Tue, Apr 7, 2015 at 2:32 AM, Martin Basti > wrote: > > On 02/04/15 17:47, Gabe Alford wrote: >> On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti > > wrote: >> >> On 30/03/15 15:25, Gabe Alford wrote: >>> Hello, >>> >>> With the merging of ticket 4842 >>> , I believe >>> that half of ticket 3092 >>> has been >>> done. This patch just adds a message that says that NTP >>> configuration was skipped which I believe should finish 3092 >>> . >>> >>> Thanks, >>> >>> Gabe >>> >>> >> Hello, thank you for the patch. >> >> 1) >> IMO there should be: >> if *not* options.conf_ntp >> >> >> So, if --no-ntp is not specified, print message that the client >> is skipping NTP sync? > Yes, or did I miss something? I thought the message should be shown > only if --no-ntp option is used. > > With your current patch: > > # ipa-client-install --no-ntp > > > > # ipa-client-install > > Attempting to sync time using ntpd. Will timeout after 15 seconds > Unable to sync time with IPA NTP server, assuming the time is in > sync. Please check that 123 UDP port is opened. > Skipping synchronizing time with IPA NTP server. > > > But in this case the client did synchronization with NTP (which > failed), IMO the message "Skipping ..." should not be there. > This message is shown even if the synchronization with NTP is successful. > >> 2) >> wouldn't it be better to use just else? 
>> >> >> I actually ran ipa-client-install with no options on a system >> where I used 'else', and it printed the skipping NTP sync when it >> should not have. >> That is why the patch does not use 'else'. > Interesting, I expected the messages only on client installed on > IPA server, or with using --no-ntp option >> >> >> Martin >> >> -- >> Martin Basti >> >> > > -- > Martin Basti > > Thank you! ACK -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Wed Apr 8 06:11:46 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Apr 2015 08:11:46 +0200 Subject: [Freeipa-devel] [PATCH] 0003-3 User life cycle: new stageuser plugin with add verb In-Reply-To: <55127A33.4090801@redhat.com> References: <53E4D6AE.6050505@redhat.com> <54045399.3030404@redhat.com> <54196346.5070500@redhat.com> <54D0A7EB.1010700@redhat.com> <54D22BE2.9050407@redhat.com> <54D24567.4010103@redhat.com> <54E5D092.6030708@redhat.com> <54E5FF07.1080809@redhat.com> <54F9F243.5090003@redhat.com> <5506B918.6000708@redhat.com> <5507D13E.7040107@redhat.com> <5509C674.90104@redhat.com> <550A6E97.9010103@redhat.com> <550ABC18.8090009@redhat.com> <55115C7E.1090306@redhat.com> <55127A33.4090801@redhat.com> Message-ID: <5524C6A2.5020103@redhat.com> Dne 25.3.2015 v 10:04 thierry bordaz napsal(a): > On 03/24/2015 01:45 PM, Jan Cholasta wrote: >> Dne 19.3.2015 v 13:07 thierry bordaz napsal(a): >>> On 03/19/2015 07:37 AM, Jan Cholasta wrote: >>>> Dne 18.3.2015 v 19:39 thierry bordaz napsal(a): >>>>> On 03/17/2015 08:01 AM, Jan Cholasta wrote: >>>>>> Dne 16.3.2015 v 12:06 David Kupka napsal(a): >>>>>>> On 03/06/2015 07:30 PM, thierry bordaz wrote: >>>>>>>> On 02/19/2015 04:19 PM, Martin Basti wrote: >>>>>>>>> On 19/02/15 13:01, thierry bordaz wrote: >>>>>>>>>> On 02/04/2015 05:14 PM, Jan Cholasta wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> Dne 4.2.2015 v 15:25 David Kupka napsal(a): >>>>>>>>>>>> On 02/03/2015 11:50 AM, thierry bordaz wrote: >>>>>>>>>>>>> On 09/17/2014 12:32 PM, thierry bordaz wrote: >>>>>>>>>>>>>> On 09/01/2014 01:08 PM, Petr Viktorin wrote: >>>>>>>>>>>>>>> On 08/08/2014 03:54 PM, thierry bordaz wrote: >>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The attached patch is related to 'User Life Cycle' >>>>>>>>>>>>>>>> (https://fedorahosted.org/freeipa/ticket/3813) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> It creates a stageuser plugin with a first function >>>>>>>>>>>>>>>> stageuser-add. 
>>>>>>>>>>>>>>>> Stage >>>>>>>>>>>>>>>> user entries are provisioned under 'cn=staged >>>>>>>>>>>>>>>> users,cn=accounts,cn=provisioning,SUFFIX'. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> thierry >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Avoid `from ipalib.plugins.baseldap import *` in new code; >>>>>>>>>>>>>>> instead >>>>>>>>>>>>>>> import the module itself and use e.g. `baseldap.LDAPObject`. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The stageuser help (docstring) is copied from the user >>>>>>>>>>>>>>> plugin, and >>>>>>>>>>>>>>> discusses things like account lockout and disabling >>>>>>>>>>>>>>> users. It >>>>>>>>>>>>>>> should >>>>>>>>>>>>>>> rather explain what stageuser itself does. (And I don't very >>>>>>>>>>>>>>> much >>>>>>>>>>>>>>> like the Note about the interface being badly designed...) >>>>>>>>>>>>>>> Also decide if the docs should call it "staged user" or >>>>>>>>>>>>>>> "stage >>>>>>>>>>>>>>> user" >>>>>>>>>>>>>>> or "stageuser". >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> A lot of the code is copied and pasted over from the users >>>>>>>>>>>>>>> plugin. >>>>>>>>>>>>>>> Don't do that. Either import things (e.g. >>>>>>>>>>>>>>> validate_nsaccountlock) >>>>>>>>>>>>>>> from the users plugin, or move the reused code into a shared >>>>>>>>>>>>>>> module. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> For the `user` object, since so much is the same, it >>>>>>>>>>>>>>> might be >>>>>>>>>>>>>>> best to >>>>>>>>>>>>>>> create a common base class for user and stageuser; and >>>>>>>>>>>>>>> similarly >>>>>>>>>>>>>>> for >>>>>>>>>>>>>>> the Command plugins. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The default permissions need different names, and you don't >>>>>>>>>>>>>>> need >>>>>>>>>>>>>>> another copy of the 'non_object' ones. Also, run the makeaci >>>>>>>>>>>>>>> script. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>> >>>>>>>>>>>>>> This modified patch is mainly moving common base class >>>>>>>>>>>>>> into a >>>>>>>>>>>>>> new >>>>>>>>>>>>>> plugin: accounts.py. 
user/stageuser plugin inherits from >>>>>>>>>>>>>> accounts. >>>>>>>>>>>>>> It also creates a better description of what are stage >>>>>>>>>>>>>> user, >>>>>>>>>>>>>> how >>>>>>>>>>>>>> to add a new stage user, updates ACI.txt and separate >>>>>>>>>>>>>> active/stage >>>>>>>>>>>>>> user managed permissions. >>>>>>>>>>>>>> >>>>>>>>>>>>>> thanks >>>>>>>>>>>>>> thierry >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks David for the reviews. Here the last patches >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> The freeipa-tbordaz-0002 patch had trailing whitespaces on few >>>>>>>>>>>> lines so >>>>>>>>>>>> I'm attaching fixed version (and unchanged patch >>>>>>>>>>>> freeipa-tbordaz-0003-3 >>>>>>>>>>>> to keep them together). >>>>>>>>>>>> >>>>>>>>>>>> The ULC feature is still WIP but these patches look good to me >>>>>>>>>>>> and >>>>>>>>>>>> don't >>>>>>>>>>>> break anything as far as I tested. >>>>>>>>>>>> We should push them now to avoid further rebases. Thierry can >>>>>>>>>>>> then >>>>>>>>>>>> prepare other patches delivering the rest of ULC functionality. >>>>>>>>>>> >>>>>>>>>>> Few comments from just reading the patches: >>>>>>>>>>> >>>>>>>>>>> 1) I would name the base class "baseuser", "account" does not >>>>>>>>>>> necessarily mean user account. 
>>>>>>>>>>> >>>>>>>>>>> 2) This is very wrong: >>>>>>>>>>> >>>>>>>>>>> -class user_add(LDAPCreate): >>>>>>>>>>> +class user_add(user, LDAPCreate): >>>>>>>>>>> >>>>>>>>>>> You are creating a plugin which is both an object and a >>>>>>>>>>> command. >>>>>>>>>>> >>>>>>>>>>> 3) This is purely subjective, but I don't like the name >>>>>>>>>>> "deleteuser", as it has a verb in it. We usually don't do >>>>>>>>>>> that and >>>>>>>>>>> IMHO we shouldn't do that. >>>>>>>>>>> >>>>>>>>>>> Honza >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thank you for the review. I am attaching the updated patches >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>> Hello, >>>>>>>>> I'm getting errors during make rpms: >>>>>>>>> >>>>>>>>> if [ "" != "yes" ]; then \ >>>>>>>>> ./makeapi --validate; \ >>>>>>>>> ./makeaci --validate; \ >>>>>>>>> fi >>>>>>>>> >>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:641 command >>>>>>>>> "baseuser_add" >>>>>>>>> doc is not internationalized >>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:653 command >>>>>>>>> "baseuser_find" >>>>>>>>> doc is not internationalized >>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:647 command >>>>>>>>> "baseuser_mod" >>>>>>>>> doc is not internationalized >>>>>>>>> 0 commands without doc, 3 commands whose doc is not i18n >>>>>>>>> Command baseuser_add in ipalib, not in API >>>>>>>>> Command baseuser_find in ipalib, not in API >>>>>>>>> Command baseuser_mod in ipalib, not in API >>>>>>>>> >>>>>>>>> There are one or more new commands defined. >>>>>>>>> Update API.txt and increment the minor version in VERSION. >>>>>>>>> >>>>>>>>> There are one or more documentation problems. 
>>>>>>>>> You must fix these before preceeding >>>>>>>>> >>>>>>>>> Issues probably caused by this: >>>>>>>>> 1) >>>>>>>>> You should not use the register decorator, if this class is >>>>>>>>> just for >>>>>>>>> inheritance >>>>>>>>> @register() >>>>>>>>> class baseuser_add(LDAPCreate): >>>>>>>>> >>>>>>>>> @register() >>>>>>>>> class baseuser_mod(LDAPUpdate): >>>>>>>>> >>>>>>>>> @register() >>>>>>>>> class baseuser_find(LDAPSearch): >>>>>>>>> >>>>>>>>> see dns.py plugin and "DNSZoneBase" and "dnszone" classes >>>>>>>>> >>>>>>>>> 2) >>>>>>>>> there might be an issue with >>>>>>>>> @register() >>>>>>>>> class baseuser(LDAPObject): >>>>>>>>> >>>>>>>>> the register decorator should not be there, I was warned by >>>>>>>>> Petr^3 to >>>>>>>>> not use permission in parent class. The same permission should be >>>>>>>>> specified only in one place (for example user class), (otherwise >>>>>>>>> they >>>>>>>>> will be generated twice??) I don't know more details about it. >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Martin Basti >>>>>>>> >>>>>>>> Hello Martin, Jan, >>>>>>>> >>>>>>>> Thanks for your review. >>>>>>>> I changed the patch so that it does not register baseuser_*. Also >>>>>>>> increase the minor version because of new command. >>>>>>>> Finally I moved the managed_permission definition out of the parent >>>>>>>> baseuser class. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Martin, could you please verify that the issues you encountered are >>>>>>> fixed? >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>> >>>>>> You bumped wrong version variable: >>>>>> >>>>>> -IPA_VERSION_MINOR=1 >>>>>> +IPA_VERSION_MINOR=2 >>>>>> >>>>>> It should have been IPA_API_VERSION_MINOR (at the bottom of the >>>>>> file), >>>>>> including the last change comment below it. >>>>>> >>>>>> >>>>>> IMO baseuser should include superclasses for all the usual commands >>>>>> (add, mod, del, show, find) and stageuser/deleteuser commands should >>>>>> inherit from them. 
>>>>>> >>>>>> >>>>>> You don't need to override class properties like active_container_dn >>>>>> and takes_params on baseuser subclasses when they have the same value >>>>>> as in baseuser. >>>>>> >>>>>> >>>>>> Honza >>>>>> >>>>> Hello Honza, >>>>> >>>>> Thanks for the review. I did the modifications you recommended >>>>> within that attached patches >>>>> >>>>> * Change version >>>> >>>> Please also update the comment below (e.g. "# Last change: tbordaz - >>>> Add stageuser_add command") >>>> >>>>> * create the baseuser_* plugins commands and use them in the >>>>> user/stageuser plugin commands >>>>> * Do not redefine the class properties in the subclasses. >>>> >>>> There are still some in baseuser command classes: >>>> >>>> +class baseuser_add(LDAPCreate): >>>> + """ >>>> + Prototype command plugin to be implemented by real plugin >>>> + """ >>>> + active_container_dn = api.env.container_user >>>> + has_output_params = LDAPCreate.has_output_params >>>> >>>> You don't need to set active_container_dn here, you only need to set >>>> it in baseuser. Then in stageuser_add and other subclasses you use >>>> "self.obj.active_container_dn" instead of "self.active_container_dn". >>>> >>>> You also don't need to override has_output_params if you are not >>>> changing its value - you are inheriting from LDAPCreate, so >>>> baseuser_add.has_output_params implicitly has the same value as >>>> LDAPCreate.has_output_params. >>>> >>>>> >>>>> Thanks >>>>> thierry >>>>> >>>> >>> >>> Hello Honza, >>> >>> Thanks for your patience .. :-) >>> I understand my mistake. Just a question, in a plugin command >>> (user_add), is 'self.obj' referring to the plugin object (like >>> 'user') ? >> >> Yes, that's correct. >> >>> >>> updated patches (with the appropriate naming and patch versioning). >>> >>> thanks >>> theirry >>> >> >> One more thing: >> >> Instead of: >> >> class stageuser(baseuser): >> ... 
>> # take_params does not support 'nsaccountlock' option >> stageuser_takes_params_list = [] >> for elt in baseuser.takes_params: >> if isinstance(elt, Bool) and elt.param_spec == 'nsaccountlock?': >> pass >> else: >> stageuser_takes_params_list.append(elt) >> takes_params = tuple(stageuser_takes_params_list) >> >> I would remove nsaccountlock from baseuser.takes_params and add it in >> user.takes_params: >> >> class user(baseuser): >> ... >> takes_params = baseuser.takes_params + ( >> Bool('nsaccountlock?', >> label=_('Account disabled'), >> flags=['no_option'], >> ), >> ) >> >> > Right, making this option specific to active user makes sense. > > Thanks > thierry Thanks, ACK from me. -- Jan Cholasta From mkosek at redhat.com Wed Apr 8 06:20:50 2015 
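The inheritance layout the review converges on above (an unregistered baseuser object and baseuser_* command prototypes, registered user/stageuser subclasses, nsaccountlock added on user rather than filtered out of stageuser, and commands reading the container from self.obj instead of carrying their own copy), as an added example. This is not ipalib code: the registry, Param/Str/Bool, LDAPObject and Command below are a minimal stand-in with the same shape, the check function plays the role makeapi's "in ipalib, not in API" report plays in the thread, and the container DNs use an assumed dc=ipa,dc=example suffix.

```python
"""Stand-in for the ipalib plugin layout discussed in the review.  Added
example; NOT ipalib's real register()/LDAPObject/LDAPCreate (assumption: a
minimal registry with the same shape is enough to show the pattern)."""

REGISTRY = {}          # plugin name -> class; what an API validator would walk


def register():
    """Only concrete plugins are decorated.  A base class that is registered
    shows up as a command that exists in the code but not in API.txt."""
    def decorator(cls):
        REGISTRY[cls.__name__] = cls
        return cls
    return decorator


class Param:
    def __init__(self, spec, label=None, flags=()):
        self.param_spec = spec               # e.g. 'nsaccountlock?'
        self.name = spec.rstrip('?*+')       # strip ipalib-style optional/multivalue suffix
        self.label = label
        self.flags = tuple(flags)


class Str(Param):
    pass


class Bool(Param):
    pass


class LDAPObject:
    takes_params = ()
    active_container_dn = None


class Command:
    @property
    def obj(self):
        """The object plugin a method command belongs to ('user_add' -> 'user')."""
        return REGISTRY[type(self).__name__.split('_', 1)[0]]

    def container_dn(self):
        # Read the container from the object, not from a copy on the command class.
        return self.obj.active_container_dn


# Shared base classes: deliberately NOT registered.
class baseuser(LDAPObject):
    active_container_dn = 'cn=users,cn=accounts,dc=ipa,dc=example'   # assumed suffix
    takes_params = (
        Str('uid', label='User login'),
        Str('givenname', label='First name'),
        Str('sn', label='Last name'),
    )


class baseuser_add(Command):
    """Prototype command, implemented by user_add / stageuser_add."""


class baseuser_find(Command):
    """Prototype command, implemented by user_find / stageuser_find."""


@register()
class user(baseuser):
    # nsaccountlock only makes sense for active users, so it is added here
    # instead of being removed again from stageuser's params.
    takes_params = baseuser.takes_params + (
        Bool('nsaccountlock?', label='Account disabled', flags=['no_option']),
    )


@register()
class stageuser(baseuser):
    # Container from the thread: cn=staged users,cn=accounts,cn=provisioning,SUFFIX
    active_container_dn = 'cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example'


@register()
class user_add(baseuser_add):
    pass


@register()
class stageuser_add(baseuser_add):
    pass


def registered_commands():
    """Concrete commands an API.txt validator would see."""
    return sorted(n for n, c in REGISTRY.items() if issubclass(c, Command))


def commands_missing_from_api(api_txt_commands):
    """Names registered in code but absent from the recorded API (the makeapi
    complaint in the thread, which registering baseuser_* would trigger)."""
    return sorted(set(registered_commands()) - set(api_txt_commands))


def param_names(obj_name):
    return tuple(p.name for p in REGISTRY[obj_name].takes_params)


if __name__ == '__main__':
    print(registered_commands(), param_names('user'), param_names('stageuser'))
```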
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Apr 2015 08:20:50 +0200 Subject: [Freeipa-devel] [PATCH] 0003-3 User life cycle: new stageuser plugin with add verb In-Reply-To: <5524C6A2.5020103@redhat.com> References: <53E4D6AE.6050505@redhat.com> <54045399.3030404@redhat.com> <54196346.5070500@redhat.com> <54D0A7EB.1010700@redhat.com> <54D22BE2.9050407@redhat.com> <54D24567.4010103@redhat.com> <54E5D092.6030708@redhat.com> <54E5FF07.1080809@redhat.com> <54F9F243.5090003@redhat.com> <5506B918.6000708@redhat.com> <5507D13E.7040107@redhat.com> <5509C674.90104@redhat.com> <550A6E97.9010103@redhat.com> <550ABC18.8090009@redhat.com> <55115C7E.1090306@redhat.com> <55127A33.4090801@redhat.com> <5524C6A2.5020103@redhat.com> Message-ID: <5524C8C2.6050601@redhat.com> On 04/08/2015 08:11 AM, Jan Cholasta wrote: > Dne 25.3.2015 v 10:04 thierry bordaz napsal(a): >> On 03/24/2015 01:45 PM, Jan Cholasta wrote: >>> Dne 19.3.2015 v 13:07 thierry bordaz napsal(a): >>>> On 03/19/2015 07:37 AM, Jan Cholasta wrote: >>>>> Dne 18.3.2015 v 19:39 thierry bordaz napsal(a): >>>>>> On 03/17/2015 08:01 AM, Jan Cholasta wrote: >>>>>>> Dne 16.3.2015 v 12:06 David Kupka napsal(a): >>>>>>>> On 03/06/2015 07:30 PM, thierry bordaz wrote: >>>>>>>>> On 02/19/2015 04:19 PM, Martin Basti wrote: >>>>>>>>>> On 19/02/15 13:01, thierry bordaz wrote: >>>>>>>>>>> On 02/04/2015 05:14 PM, Jan Cholasta wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> Dne 4.2.2015 v 15:25 David Kupka napsal(a): >>>>>>>>>>>>> On 02/03/2015 11:50 AM, thierry bordaz wrote: >>>>>>>>>>>>>> On 09/17/2014 12:32 PM, thierry bordaz wrote: >>>>>>>>>>>>>>> On 09/01/2014 01:08 PM, Petr Viktorin wrote: >>>>>>>>>>>>>>>> On 08/08/2014 03:54 PM, thierry bordaz wrote: >>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The attached patch is related to 'User Life Cycle' >>>>>>>>>>>>>>>>> (https://fedorahosted.org/freeipa/ticket/3813) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> It creates a stageuser plugin with a first function 
>>>>>>>>>>>>>>>>> stageuser-add. >>>>>>>>>>>>>>>>> Stage >>>>>>>>>>>>>>>>> user entries are provisioned under 'cn=staged >>>>>>>>>>>>>>>>> users,cn=accounts,cn=provisioning,SUFFIX'. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>>> thierry >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Avoid `from ipalib.plugins.baseldap import *` in new code; >>>>>>>>>>>>>>>> instead >>>>>>>>>>>>>>>> import the module itself and use e.g. `baseldap.LDAPObject`. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The stageuser help (docstring) is copied from the user >>>>>>>>>>>>>>>> plugin, and >>>>>>>>>>>>>>>> discusses things like account lockout and disabling >>>>>>>>>>>>>>>> users. It >>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>> rather explain what stageuser itself does. (And I don't very >>>>>>>>>>>>>>>> much >>>>>>>>>>>>>>>> like the Note about the interface being badly designed...) >>>>>>>>>>>>>>>> Also decide if the docs should call it "staged user" or >>>>>>>>>>>>>>>> "stage >>>>>>>>>>>>>>>> user" >>>>>>>>>>>>>>>> or "stageuser". >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> A lot of the code is copied and pasted over from the users >>>>>>>>>>>>>>>> plugin. >>>>>>>>>>>>>>>> Don't do that. Either import things (e.g. >>>>>>>>>>>>>>>> validate_nsaccountlock) >>>>>>>>>>>>>>>> from the users plugin, or move the reused code into a shared >>>>>>>>>>>>>>>> module. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> For the `user` object, since so much is the same, it >>>>>>>>>>>>>>>> might be >>>>>>>>>>>>>>>> best to >>>>>>>>>>>>>>>> create a common base class for user and stageuser; and >>>>>>>>>>>>>>>> similarly >>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>> the Command plugins. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The default permissions need different names, and you don't >>>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>> another copy of the 'non_object' ones. Also, run the makeaci >>>>>>>>>>>>>>>> script. 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> This modified patch is mainly moving common base class >>>>>>>>>>>>>>> into a >>>>>>>>>>>>>>> new >>>>>>>>>>>>>>> plugin: accounts.py. user/stageuser plugin inherits from >>>>>>>>>>>>>>> accounts. >>>>>>>>>>>>>>> It also creates a better description of what are stage >>>>>>>>>>>>>>> user, >>>>>>>>>>>>>>> how >>>>>>>>>>>>>>> to add a new stage user, updates ACI.txt and separate >>>>>>>>>>>>>>> active/stage >>>>>>>>>>>>>>> user managed permissions. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> thanks >>>>>>>>>>>>>>> thierry >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks David for the reviews. Here the last patches >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> The freeipa-tbordaz-0002 patch had trailing whitespaces on few >>>>>>>>>>>>> lines so >>>>>>>>>>>>> I'm attaching fixed version (and unchanged patch >>>>>>>>>>>>> freeipa-tbordaz-0003-3 >>>>>>>>>>>>> to keep them together). >>>>>>>>>>>>> >>>>>>>>>>>>> The ULC feature is still WIP but these patches look good to me >>>>>>>>>>>>> and >>>>>>>>>>>>> don't >>>>>>>>>>>>> break anything as far as I tested. >>>>>>>>>>>>> We should push them now to avoid further rebases. Thierry can >>>>>>>>>>>>> then >>>>>>>>>>>>> prepare other patches delivering the rest of ULC functionality. 
>>>>>>>>>>>> >>>>>>>>>>>> Few comments from just reading the patches: >>>>>>>>>>>> >>>>>>>>>>>> 1) I would name the base class "baseuser", "account" does not >>>>>>>>>>>> necessarily mean user account. >>>>>>>>>>>> >>>>>>>>>>>> 2) This is very wrong: >>>>>>>>>>>> >>>>>>>>>>>> -class user_add(LDAPCreate): >>>>>>>>>>>> +class user_add(user, LDAPCreate): >>>>>>>>>>>> >>>>>>>>>>>> You are creating a plugin which is both an object and an >>>>>>>>>>>> command. >>>>>>>>>>>> >>>>>>>>>>>> 3) This is purely subjective, but I don't like the name >>>>>>>>>>>> "deleteuser", as it has a verb in it. We usually don't do >>>>>>>>>>>> that and >>>>>>>>>>>> IMHO we shouldn't do that. >>>>>>>>>>>> >>>>>>>>>>>> Honza >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thank you for the review. I am attaching the updates patches >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Freeipa-devel mailing list >>>>>>>>>>> Freeipa-devel at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>>>>>> Hello, >>>>>>>>>> I'm getting errors during make rpms: >>>>>>>>>> >>>>>>>>>> if [ "" != "yes" ]; then \ >>>>>>>>>> ./makeapi --validate; \ >>>>>>>>>> ./makeaci --validate; \ >>>>>>>>>> fi >>>>>>>>>> >>>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:641 command >>>>>>>>>> "baseuser_add" >>>>>>>>>> doc is not internationalized >>>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:653 command >>>>>>>>>> "baseuser_find" >>>>>>>>>> doc is not internationalized >>>>>>>>>> /root/freeipa/ipalib/plugins/baseuser.py:647 command >>>>>>>>>> "baseuser_mod" >>>>>>>>>> doc is not internationalized >>>>>>>>>> 0 commands without doc, 3 commands whose doc is not i18n >>>>>>>>>> Command baseuser_add in ipalib, not in API >>>>>>>>>> Command baseuser_find in ipalib, not in API >>>>>>>>>> Command baseuser_mod in ipalib, not in API >>>>>>>>>> >>>>>>>>>> There are one or more new commands defined. 
>>>>>>>>>> Update API.txt and increment the minor version in VERSION. >>>>>>>>>> >>>>>>>>>> There are one or more documentation problems. >>>>>>>>>> You must fix these before preceeding >>>>>>>>>> >>>>>>>>>> Issues probably caused by this: >>>>>>>>>> 1) >>>>>>>>>> You should not use the register decorator, if this class is >>>>>>>>>> just for >>>>>>>>>> inheritance >>>>>>>>>> @register() >>>>>>>>>> class baseuser_add(LDAPCreate): >>>>>>>>>> >>>>>>>>>> @register() >>>>>>>>>> class baseuser_mod(LDAPUpdate): >>>>>>>>>> >>>>>>>>>> @register() >>>>>>>>>> class baseuser_find(LDAPSearch): >>>>>>>>>> >>>>>>>>>> see dns.py plugin and "DNSZoneBase" and "dnszone" classes >>>>>>>>>> >>>>>>>>>> 2) >>>>>>>>>> there might be an issue with >>>>>>>>>> @register() >>>>>>>>>> class baseuser(LDAPObject): >>>>>>>>>> >>>>>>>>>> the register decorator should not be there, I was warned by >>>>>>>>>> Petr^3 to >>>>>>>>>> not use permission in parent class. The same permission should be >>>>>>>>>> specified only in one place (for example user class), (otherwise >>>>>>>>>> they >>>>>>>>>> will be generated twice??) I don't know more details about it. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Martin Basti >>>>>>>>> >>>>>>>>> Hello Martin, Jan, >>>>>>>>> >>>>>>>>> Thanks for your review. >>>>>>>>> I changed the patch so that it does not register baseuser_*. Also >>>>>>>>> increase the minor version because of new command. >>>>>>>>> Finally I moved the managed_permission definition out of the parent >>>>>>>>> baseuser class. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Martin, could you please verify that the issues you encountered are >>>>>>>> fixed? >>>>>>>> >>>>>>>> Thanks! >>>>>>>> >>>>>>> >>>>>>> You bumped wrong version variable: >>>>>>> >>>>>>> -IPA_VERSION_MINOR=1 >>>>>>> +IPA_VERSION_MINOR=2 >>>>>>> >>>>>>> It should have been IPA_API_VERSION_MINOR (at the bottom of the >>>>>>> file), >>>>>>> including the last change comment below it. 
>>>>>>>
>>>>>>> IMO baseuser should include superclasses for all the usual commands
>>>>>>> (add, mod, del, show, find) and stageuser/deleteuser commands should
>>>>>>> inherit from them.
>>>>>>>
>>>>>>> You don't need to override class properties like active_container_dn
>>>>>>> and takes_params on baseuser subclasses when they have the same value
>>>>>>> as in baseuser.
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>> Hello Honza,
>>>>>>
>>>>>> Thanks for the review. I did the modifications you recommended
>>>>>> within the attached patches:
>>>>>>
>>>>>> * Change version
>>>>>
>>>>> Please also update the comment below (e.g. "# Last change: tbordaz -
>>>>> Add stageuser_add command")
>>>>>
>>>>>> * create the baseuser_* plugin commands and use them in the
>>>>>> user/stageuser plugin commands
>>>>>> * Do not redefine the class properties in the subclasses.
>>>>>
>>>>> There are still some in baseuser command classes:
>>>>>
>>>>> +class baseuser_add(LDAPCreate):
>>>>> + """
>>>>> + Prototype command plugin to be implemented by real plugin
>>>>> + """
>>>>> + active_container_dn = api.env.container_user
>>>>> + has_output_params = LDAPCreate.has_output_params
>>>>>
>>>>> You don't need to set active_container_dn here, you only need to set
>>>>> it in baseuser. Then in stageuser_add and other subclasses you use
>>>>> "self.obj.active_container_dn" instead of "self.active_container_dn".
>>>>>
>>>>> You also don't need to override has_output_params if you are not
>>>>> changing its value - you are inheriting from LDAPCreate, so
>>>>> baseuser_add.has_output_params implicitly has the same value as
>>>>> LDAPCreate.has_output_params.
>>>>>
>>>>>> Thanks
>>>>>> thierry
>>>>>>
>>>>
>>>> Hello Honza,
>>>>
>>>> Thanks for your patience .. :-)
>>>> I understand my mistake. Just a question, in a plugin command
>>>> (user_add), is 'self.obj' referring to the plugin object (like
>>>> 'user') ?
>>>
>>> Yes, that's correct.
>>>
>>>> updated patches (with the appropriate naming and patch versioning).
>>>>
>>>> thanks
>>>> thierry
>>>>
>>>
>>> One more thing:
>>>
>>> Instead of:
>>>
>>> class stageuser(baseuser):
>>>     ...
>>>     # takes_params does not support the 'nsaccountlock' option
>>>     stageuser_takes_params_list = []
>>>     for elt in baseuser.takes_params:
>>>         if isinstance(elt, Bool) and elt.param_spec == 'nsaccountlock?':
>>>             pass
>>>         else:
>>>             stageuser_takes_params_list.append(elt)
>>>     takes_params = tuple(stageuser_takes_params_list)
>>>
>>> I would remove nsaccountlock from baseuser.takes_params and add it in
>>> user.takes_params:
>>>
>>> class user(baseuser):
>>>     ...
>>>     takes_params = baseuser.takes_params + (
>>>         Bool('nsaccountlock?',
>>>             label=_('Account disabled'),
>>>             flags=['no_option'],
>>>         ),
>>>     )
>>>
>> Right, making this option specific to active users makes sense.
>>
>> Thanks
>> thierry
>
> Thanks, ACK from me.

Thanks guys! Pushed to master: d1691eee88c5462ef1d015617fd5b65eec0319b9

Martin

From jcholast at redhat.com Wed Apr 8 06:34:46 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 08 Apr 2015 08:34:46 +0200
Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior
In-Reply-To: <551C1169.9060906@redhat.com>
References: <551C1169.9060906@redhat.com>
Message-ID: <5524CC06.1020602@redhat.com>

Hi,

On 1.4.2015 at 17:40 thierry bordaz wrote:
> Hello,
>
> In user life cycle, Active entries are moved to the Delete container and
> Delete entries can be moved back to the Staging container.
> This requires an LDAP modrdn with new superior that is not supported
> in ldap2.

Since update_entry_rdn() is used only in one spot in baseldap, I think we
can merge it and move_entry_newsuperior() into a single method move_entry():

    def move_entry(self, dn, new_dn, del_old=True):

We can easily detect whether the superior needs to be updated by comparing
dn[1:] and new_dn[1:].

Maybe we can also get rid of del_old, if it's always gonna be True in our
code?

BTW what is the purpose of the find_entries() call? Does the MODRDN operation
not fail with not found itself if the new superior does not exist?

>
> thanks
> thierry

Honza

--
Jan Cholasta

From mbabinsk at redhat.com Wed Apr 8 06:44:07 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 08 Apr 2015 08:44:07 +0200
Subject: [Freeipa-devel] [PATCH 0027] do not install CA on replica during integration test if setup_ca=False
Message-ID: <5524CE37.9070504@redhat.com>

I have discovered another little bug in the integration test suite.
Attaching a patch that fixes it.

--
Martin^3 Babinsky
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0027-1-do-not-install-CA-on-replica-during-integration-test.patch
Type: text/x-patch
Size: 1245 bytes

From jcholast at redhat.com Wed Apr 8 08:21:43 2015
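Jan's proposed move_entry() check (compare dn[1:] with new_dn[1:]) worked through as an added example; this is not FreeIPA's or ldap2's code. It splits a DN into RDNs, honouring escaped commas, and derives the MODRDN arguments (new RDN, newSuperior only when the parent changes, deleteoldrdn) for the staging and active containers named in the thread. The suffix dc=example,dc=test and the helper names are assumptions.

```python
# Added example (not FreeIPA code): decide the arguments of an LDAP MODRDN
# from an old and a new DN, following the dn[1:] vs new_dn[1:] idea from the
# thread. Suffix, DNs and helper names below are constructed for illustration.

SUFFIX = "dc=example,dc=test"  # assumed suffix
STAGE_CONTAINER = "cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
ACTIVE_CONTAINER = "cn=users,cn=accounts," + SUFFIX


def split_dn(dn):
    """Split a DN string into its RDN components.

    Backslash-escaped characters (e.g. '\\,' inside a value, RFC 4514) are
    kept with their RDN instead of being treated as separators.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def same_superior(old_parts, new_parts):
    """Compare the parent DNs (everything after the first RDN).

    Attribute types and the container names used here are case-insensitive,
    so a simple casefold is enough; full RFC 4514 normalisation is out of
    scope for this example.
    """
    return [p.casefold() for p in old_parts[1:]] == [p.casefold() for p in new_parts[1:]]


def plan_move_entry(dn, new_dn, del_old=True):
    """Return (newrdn, newsuperior, deleteoldrdn) for a MODRDN from dn to new_dn.

    newsuperior is None when only the RDN changes (a plain rename) and the
    new parent DN when the entry moves to another container, e.g. from the
    staging container to the active one. del_old maps to deleteoldrdn.
    """
    old_parts, new_parts = split_dn(dn), split_dn(new_dn)
    if not old_parts[0] or not new_parts[0]:
        raise ValueError("DN must contain at least one RDN")
    if [p.casefold() for p in old_parts] == [p.casefold() for p in new_parts]:
        raise ValueError("old and new DN are identical, nothing to move")
    newrdn = new_parts[0]
    newsuperior = None if same_superior(old_parts, new_parts) else ",".join(new_parts[1:])
    return newrdn, newsuperior, del_old


if __name__ == "__main__":
    # Activate a staged user: same RDN, different parent -> newsuperior is set.
    print(plan_move_entry("uid=tuser," + STAGE_CONTAINER, "uid=tuser," + ACTIVE_CONTAINER))
    # Rename inside one container: only the RDN changes -> newsuperior is None.
    print(plan_move_entry("uid=tuser," + ACTIVE_CONTAINER, "uid=tuser2," + ACTIVE_CONTAINER))
```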
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 08 Apr 2015 10:21:43 +0200
Subject: [Freeipa-devel] [PATCH] 810 speed up indirect member processing
In-Reply-To: <551A72D4.9080002@redhat.com>
References: <551A72D4.9080002@redhat.com>
Message-ID: <5524E517.9000704@redhat.com>

Hi,

On 31.3.2015 at 12:11 Petr Vobornik wrote:
> the old implementation tried to get all entries which are members of a
> group. That means also users. Users can't have any members, therefore this
> costly processing was unnecessary.
>
> New implementation reduces the search only to entries which can have
> entries.
>
> Also page size was removed to avoid paging by small pages (default size:
> 100) which is very slow for many members.
>
> https://fedorahosted.org/freeipa/ticket/4947
>
> Useful to test with #809

1) To search for entries with members, you should search for entries with
the member attribute set ('(member=*)'), not for entries with some arbitrary
object class.

2) I don't like how the search in get_memberindirect is limited to an
arbitrary hard-coded subtree. You should go through the object's
attribute_members to figure out which subtrees to search.

3) Since memberindirect and memberofindirect are not real attributes, you
must define their syntax in ipaldap before you can set them using .raw[],
otherwise they will be decoded to the wrong type.

4) The processing of memberof should be done even when memberofindirect is
not requested, otherwise its value will depend on whether memberofindirect
was requested or not.

5) I would prefer if all membership processing (.convert_attribute_members()
and .get_indirect_members()) was done in a single LDAPObject method.

Honza

--
Jan Cholasta

From dkupka at redhat.com Wed Apr 8 08:22:04 2015
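The indirect-membership processing reviewed above, as an added example that is not FreeIPA's code: over a small constructed in-memory directory it computes memberindirect and memberofindirect the way the review asks, expanding only entries that carry a member attribute (the '(member=*)' search, point 1), scoping that search by a list of subtrees standing in for attribute_members (point 2), and always computing memberof (point 4). The DNs, the DIRECTORY dict and the function names are assumptions; the cycle admins -> ops -> oncall -> admins is included on purpose so the closure has to terminate.

```python
# Added example (not FreeIPA code): compute memberindirect / memberofindirect
# over a small in-memory directory. The directory, DNs and function names are
# constructed for illustration; the semantics follow the review points above:
# only entries that carry a member attribute are expanded, and memberof is
# always computed, whether or not memberofindirect is wanted.

SUFFIX = "dc=example,dc=test"  # assumed suffix
GROUPS = "cn=groups,cn=accounts," + SUFFIX
USERS = "cn=users,cn=accounts," + SUFFIX

ADMINS = "cn=admins," + GROUPS
OPS = "cn=ops," + GROUPS
ONCALL = "cn=oncall," + GROUPS
ALICE = "uid=alice," + USERS
BOB = "uid=bob," + USERS

# Constructed sample directory: DN -> attributes. Note the cycle
# admins -> ops -> oncall -> admins, which real directories do contain.
DIRECTORY = {
    ADMINS: {"objectclass": ["groupofnames"], "member": [OPS]},
    OPS: {"objectclass": ["groupofnames"], "member": [ALICE, ONCALL]},
    ONCALL: {"objectclass": ["groupofnames"], "member": [BOB, ADMINS]},
    ALICE: {"objectclass": ["person"]},
    BOB: {"objectclass": ["person"]},
}


def entries_with_members(directory, subtrees):
    """Model of an LDAP search for '(member=*)' under the given subtrees.

    Returns DN -> list of member DNs for entries that actually have a member
    attribute; users and other leaf entries never appear here, so they are
    never fetched or expanded (review point 1). The subtrees stand in for
    the object's attribute_members (review point 2).
    """
    return {
        dn: attrs["member"]
        for dn, attrs in directory.items()
        if "member" in attrs and any(dn.endswith("," + s) for s in subtrees)
    }


def get_memberindirect(directory, dn, subtrees=(GROUPS,)):
    """Members reachable through nested groups, excluding direct members and dn itself."""
    holders = entries_with_members(directory, subtrees)
    direct = set(directory[dn].get("member", []))
    seen, queue = set(direct), list(direct)
    while queue:
        current = queue.pop()
        for child in holders.get(current, []):   # leaf entries expand to nothing
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return (seen - direct) - {dn}


def get_membership(directory, dn, subtrees=(GROUPS,)):
    """Return (memberof, memberofindirect) for dn.

    memberof is computed unconditionally (review point 4); memberofindirect
    is the transitive closure over the reverse edges minus the direct groups
    and dn itself, so cycles do not leak the entry into its own result.
    """
    holders = entries_with_members(directory, subtrees)
    reverse = {}
    for group, members in holders.items():
        for member in members:
            reverse.setdefault(member, set()).add(group)
    memberof = set(reverse.get(dn, set()))
    seen, queue = set(memberof), list(memberof)
    while queue:
        current = queue.pop()
        for parent in reverse.get(current, set()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return memberof, (seen - memberof) - {dn}


if __name__ == "__main__":
    print(sorted(get_memberindirect(DIRECTORY, ADMINS)))
    print(get_membership(DIRECTORY, ALICE))
```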
From: dkupka at redhat.com (David Kupka) Date: Wed, 08 Apr 2015 10:22:04 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <1428324531.19641.123.camel@willson.usersys.redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> Message-ID: <5524E52C.3050207@redhat.com> On 04/06/2015 02:48 PM, Simo Sorce wrote: > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>>> On 27.3.2015 14:58, David Kupka wrote: >>>>> pylint changed slightly so we must react otherwise we'll be unable to >>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure >>>>> but I don't know if we want it in 4.1. >>>>> >>>> >>>> ACK >>> >>> Are all the new disables really just false positives? >> >> It seems to me as a false positives. >> >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >> >> >>> import ssl >> >>> ssl.PROTOCOL_TLSv1 >> 3 >> >> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >> convertDate] Instance of 'tuple' has no 'tzinfo' member) >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >> convertDate] Instance of 'tuple' has no 'timetuple' member) >> >> dateutil.parser.parse() returns datetime.datetime object and it has >> both tzinfo and timetuple methods >> (https://docs.python.org/2/library/datetime.html#datetime-objects) >> >> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), >> uri_escape] Slice index is not an int, None, or instance with __index__) >> >> This is the line lint is complaining about: >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) >> I don't see a chance for 'i' or 'i+1' to be anything else than integers. 
>> >>> >>>> >>>> tested on: >>>> - F21: ipa-4-1, master branch >>>> - F22: master branch. >>>> >>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 >>> > > This patch doesn't seem to fix all my issues building on F22, so > tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint > > It seem the main offenders are "No value for argument 'second' in method > call" (this one only in test_ipautul.py) and "No value for argument > 'extClass' in method call" sprinkled around various test plugins. > These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? > > On a different note, make-lint takes forever to run, do we really need > to run it in make rpms ? Shouldn't we rather just run it at make dist > time, or whatever we use to generate the release tarballs ? It really takes forever and it would be nice to move it out of Makefile's rpms target but I don't know if we can do it without breaking anything. > > Simo. > -- David Kupka From jcholast at redhat.com Wed Apr 8 08:23:49 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Apr 2015 10:23:49 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <5524E52C.3050207@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> Message-ID: <5524E595.5060208@redhat.com> Dne 8.4.2015 v 10:22 David Kupka napsal(a): > On 04/06/2015 02:48 PM, Simo Sorce wrote: >> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >>> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>>>> On 27.3.2015 14:58, David Kupka wrote: >>>>>> pylint changed slightly so we must react otherwise we'll be unable to >>>>>> build freeipa rpms on Fedora 22. This patch should go to master >>>>>> for sure >>>>>> but I don't know if we want it in 4.1. >>>>>> >>>>> >>>>> ACK >>>> >>>> Are all the new disables really just false positives? >>> >>> It seems to me as a false positives. >>> >>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> >>> >>> import ssl >>> >>> ssl.PROTOCOL_TLSv1 >>> 3 >>> >>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >>> convertDate] Instance of 'tuple' has no 'tzinfo' member) >>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >>> convertDate] Instance of 'tuple' has no 'timetuple' member) >>> >>> dateutil.parser.parse() returns datetime.datetime object and it has >>> both tzinfo and timetuple methods >>> (https://docs.python.org/2/library/datetime.html#datetime-objects) >>> >>> 3. 
ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), >>> uri_escape] Slice index is not an int, None, or instance with __index__) >>> >>> This is the line lint is complaining about: >>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) >>> I don't see a chance for 'i' or 'i+1' to be anything else than integers. >>> >>>> >>>>> >>>>> tested on: >>>>> - F21: ipa-4-1, master branch >>>>> - F22: master branch. >>>>> >>>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 >>>> >> >> This patch doesn't seem to fix all my issues building on F22, so >> tentative NACK. > > I tested it this way: > 1. started with Fedora-22-x86_64-minimal system > 2. dnf install git > 3. clone freeipa > 4. make version-update # to get freeipa.spec > 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` > 6. ./make-lint > >> >> It seem the main offenders are "No value for argument 'second' in method >> call" (this one only in test_ipautul.py) and "No value for argument >> 'extClass' in method call" sprinkled around various test plugins. >> These cause E1120(no-value-for-parameter). > > Could you please paste the output of make-lint somewhere? >> >> On a different note, make-lint takes forever to run, do we really need >> to run it in make rpms ? Shouldn't we rather just run it at make dist >> time, or whatever we use to generate the release tarballs ? > > It really takes forever and it would be nice to move it out of > Makefile's rpms target but I don't know if we can do it without breaking > anything. Well, you can always "make rpms DEVELOPER_MODE=1" to skip make-lint. > >> >> Simo. >> > -- Jan Cholasta From dkupka at redhat.com Wed Apr 8 08:30:51 2015 
From: dkupka at redhat.com (David Kupka) Date: Wed, 08 Apr 2015 10:30:51 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <5524E595.5060208@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <5524E595.5060208@redhat.com> Message-ID: <5524E73B.2030309@redhat.com> On 04/08/2015 10:23 AM, Jan Cholasta wrote: > Dne 8.4.2015 v 10:22 David Kupka napsal(a): >> On 04/06/2015 02:48 PM, Simo Sorce wrote: >>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>>>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>>>>> On 27.3.2015 14:58, David Kupka wrote: >>>>>>> pylint changed slightly so we must react otherwise we'll be >>>>>>> unable to >>>>>>> build freeipa rpms on Fedora 22. This patch should go to master >>>>>>> for sure >>>>>>> but I don't know if we want it in 4.1. >>>>>>> >>>>>> >>>>>> ACK >>>>> >>>>> Are all the new disables really just false positives? >>>> >>>> It seems to me as a false positives. >>>> >>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>>> >>>> >>> import ssl >>>> >>> ssl.PROTOCOL_TLSv1 >>>> 3 >>>> >>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >>>> convertDate] Instance of 'tuple' has no 'tzinfo' member) >>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >>>> convertDate] Instance of 'tuple' has no 'timetuple' member) >>>> >>>> dateutil.parser.parse() returns datetime.datetime object and it has >>>> both tzinfo and timetuple methods >>>> (https://docs.python.org/2/library/datetime.html#datetime-objects) >>>> >>>> 3. 
ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), >>>> uri_escape] Slice index is not an int, None, or instance with >>>> __index__) >>>> >>>> This is the line lint is complaining about: >>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) >>>> I don't see a chance for 'i' or 'i+1' to be anything else than >>>> integers. >>>> >>>>> >>>>>> >>>>>> tested on: >>>>>> - F21: ipa-4-1, master branch >>>>>> - F22: master branch. >>>>>> >>>>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 >>>>> >>> >>> This patch doesn't seem to fix all my issues building on F22, so >>> tentative NACK. >> >> I tested it this way: >> 1. started with Fedora-22-x86_64-minimal system >> 2. dnf install git >> 3. clone freeipa >> 4. make version-update # to get freeipa.spec >> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` >> 6. ./make-lint >> >>> >>> It seem the main offenders are "No value for argument 'second' in method >>> call" (this one only in test_ipautul.py) and "No value for argument >>> 'extClass' in method call" sprinkled around various test plugins. >>> These cause E1120(no-value-for-parameter). >> >> Could you please paste the output of make-lint somewhere? >>> >>> On a different note, make-lint takes forever to run, do we really need >>> to run it in make rpms ? Shouldn't we rather just run it at make dist >>> time, or whatever we use to generate the release tarballs ? >> >> It really takes forever and it would be nice to move it out of >> Makefile's rpms target but I don't know if we can do it without breaking >> anything. > > Well, you can always "make rpms DEVELOPER_MODE=1" to skip make-lint. Quick "git grep" shows that it only passes "--no-fail" to make-lint so the process always succeeds but it takes the same amount of time. > >> >>> >>> Simo. >>> >> > > -- David Kupka From ldelouw at redhat.com Wed Apr 8 09:57:06 2015 
From: ldelouw at redhat.com (Luc de Louw)
Date: Wed, 08 Apr 2015 11:57:06 +0200
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
Message-ID: <5524FB72.6060005@redhat.com>

Hi there,

At the moment ipa otptoken-add-yubikey does not add the parameter
"APPEND_CR". This prevents submitting the password+OTP.

APPEND_CR is usually very handy; most people use this functionality.

The patch changes the behavior to set APPEND_CR by default and lets the user
override this by using the --do-not-append-cr option.

Thanks,

Luc
A non-text attachment was scrubbed...
Name: otptoken_yubikey.py.diff
Type: text/x-patch
Size: 1555 bytes

From mbasti at redhat.com Wed Apr 8 10:46:16 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 08 Apr 2015 12:46:16 +0200
Subject: [Freeipa-devel] [PATCH 0210] DNSSEC: CI test
In-Reply-To: <5523DF64.6050405@redhat.com>
References: <55102929.9030702@redhat.com> <5523DF64.6050405@redhat.com>
Message-ID: <552506F8.1050702@redhat.com>

On 07/04/15 15:45, Milan Kubik wrote:
>
> On 03/23/2015 03:54 PM, Martin Basti wrote:
>> Hello,
>>
>> a patch with DNSSEC CI tests attached.
>>
>> * Two types of installation tested
>> * Tests check if zones are signed on both replica and master
>> * The root zone test also checks the chain of trust
>>
>> Can somebody very familiar with pytest do the review? I'm not sure if I
>> used pytest-friendly constructions.
>>
>> PS: the test may fail occasionally due to a bug in the DNSSEC code, but
>> the CI test itself should be OK
>>
>> Useful information: http://www.freeipa.org/page/Howto/DNSSEC
>>
> Hello,
>
> the patch looks good to me.
>
> Fix the pep8 complaints please (unused imports and long lines).
>
> Thanks,
> Milan

Thanks, updated patch attached.

--
Martin Basti
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0210.2-DNSSEC-CI-tests.patch
Type: text/x-patch
Size: 13907 bytes

From simo at redhat.com Wed Apr 8 12:44:46 2015
From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Apr 2015 08:44:46 -0400 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <5524E52C.3050207@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> Message-ID: <1428497086.19641.164.camel@willson.usersys.redhat.com> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: > On 04/06/2015 02:48 PM, Simo Sorce wrote: > > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: > >> On 03/30/2015 07:12 AM, Jan Cholasta wrote: > >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): > >>>> On 27.3.2015 14:58, David Kupka wrote: > >>>>> pylint changed slightly so we must react otherwise we'll be unable to > >>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure > >>>>> but I don't know if we want it in 4.1. > >>>>> > >>>> > >>>> ACK > >>> > >>> Are all the new disables really just false positives? > >> > >> It seems to me as a false positives. > >> > >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), > >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) > >> > >> >>> import ssl > >> >>> ssl.PROTOCOL_TLSv1 > >> 3 > >> > >> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), > >> convertDate] Instance of 'tuple' has no 'tzinfo' member) > >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), > >> convertDate] Instance of 'tuple' has no 'timetuple' member) > >> > >> dateutil.parser.parse() returns datetime.datetime object and it has > >> both tzinfo and timetuple methods > >> (https://docs.python.org/2/library/datetime.html#datetime-objects) > >> > >> 3. 
ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), > >> uri_escape] Slice index is not an int, None, or instance with __index__) > >> > >> This is the line lint is complaining about: > >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) > >> I don't see a chance for 'i' or 'i+1' to be anything else than integers. > >> > >>> > >>>> > >>>> tested on: > >>>> - F21: ipa-4-1, master branch > >>>> - F22: master branch. > >>>> > >>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 > >>> > > > > This patch doesn't seem to fix all my issues building on F22, so > > tentative NACK. > > I tested it this way: > 1. started with Fedora-22-x86_64-minimal system > 2. dnf install git > 3. clone freeipa > 4. make version-update # to get freeipa.spec > 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` > 6. ./make-lint > > > > > It seem the main offenders are "No value for argument 'second' in method > > call" (this one only in test_ipautul.py) and "No value for argument > > 'extClass' in method call" sprinkled around various test plugins. > > These cause E1120(no-value-for-parameter). > > Could you please paste the output of make-lint somewhere? > > > > On a different note, make-lint takes forever to run, do we really need > > to run it in make rpms ? Shouldn't we rather just run it at make dist > > time, or whatever we use to generate the release tarballs ? > > It really takes forever and it would be nice to move it out of > Makefile's rpms target but I don't know if we can do it without breaking > anything. > > > > > Simo. > > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Wed Apr 8 12:53:15 2015 
From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Apr 2015 08:53:15 -0400 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <5524E52C.3050207@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> Message-ID: <1428497595.19641.166.camel@willson.usersys.redhat.com> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: > On 04/06/2015 02:48 PM, Simo Sorce wrote: > > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: > >> On 03/30/2015 07:12 AM, Jan Cholasta wrote: > >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): > >>>> On 27.3.2015 14:58, David Kupka wrote: > >>>>> pylint changed slightly so we must react otherwise we'll be unable to > >>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure > >>>>> but I don't know if we want it in 4.1. > >>>>> > >>>> > >>>> ACK > >>> > >>> Are all the new disables really just false positives? > >> > >> It seems to me as a false positives. > >> > >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), > >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) > >> > >> >>> import ssl > >> >>> ssl.PROTOCOL_TLSv1 > >> 3 > >> > >> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), > >> convertDate] Instance of 'tuple' has no 'tzinfo' member) > >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), > >> convertDate] Instance of 'tuple' has no 'timetuple' member) > >> > >> dateutil.parser.parse() returns datetime.datetime object and it has > >> both tzinfo and timetuple methods > >> (https://docs.python.org/2/library/datetime.html#datetime-objects) > >> > >> 3. 
ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), > >> uri_escape] Slice index is not an int, None, or instance with __index__) > >> > >> This is the line lint is complaining about: > >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) > >> I don't see a chance for 'i' or 'i+1' to be anything else than integers. > >> > >>> > >>>> > >>>> tested on: > >>>> - F21: ipa-4-1, master branch > >>>> - F22: master branch. > >>>> > >>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 > >>> > > > > This patch doesn't seem to fix all my issues building on F22, so > > tentative NACK. > > I tested it this way: > 1. started with Fedora-22-x86_64-minimal system > 2. dnf install git > 3. clone freeipa > 4. make version-update # to get freeipa.spec > 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` > 6. ./make-lint > > > > > It seem the main offenders are "No value for argument 'second' in method > > call" (this one only in test_ipautul.py) and "No value for argument > > 'extClass' in method call" sprinkled around various test plugins. > > These cause E1120(no-value-for-parameter). > > Could you please paste the output of make-lint somewhere? Here it is. 
This is with my f22 desktop, fully updated with buildrequires, running make-lint straight after applying your patch.
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:128: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:130: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:140: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:143: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:161: [E1120(no-value-for-parameter), TestCIDict.test_items] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:179: [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:189: [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:199: [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:207: [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:217: [E1120(no-value-for-parameter), TestCIDict.test_values] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:229: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for 
argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:232: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:253: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_dict] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:257: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_list] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:261: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_kwargs] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:270: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:273: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:275: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:278: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:280: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:283: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:286: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:289: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:290: [E1120(no-value-for-parameter), TestCIDict.test_pop] No 
value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:295: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:298: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:303: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:308: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:323: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:324: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:325: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:326: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:327: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:328: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:334: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:335: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:336: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for 
argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:337: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:338: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:339: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:345: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:346: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:347: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:348: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:349: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:350: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:355: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:356: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:357: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:358: [E1120(no-value-for-parameter), 
TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:359: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:360: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:365: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:366: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:367: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:368: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:369: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:370: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:371: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:377: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:378: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:380: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:385: 
[E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:386: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:388: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:393: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:394: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:398: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:403: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:404: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:406: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) ************* Module ipatests.test_xmlrpc.test_cert_plugin ipatests/test_xmlrpc/test_cert_plugin.py:132: [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No value for argument 'excClass' in method call) ************* Module ipatests.test_xmlrpc.test_automount_plugin ipatests/test_xmlrpc/test_automount_plugin.py:297: [E1120(no-value-for-parameter), test_automount.test_b_automountkey_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:309: [E1120(no-value-for-parameter), test_automount.test_c_automountlocation_del] No value for argument 'excClass' in method call) 
ipatests/test_xmlrpc/test_automount_plugin.py:318: [E1120(no-value-for-parameter), test_automount.test_d_automountmap_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:378: [E1120(no-value-for-parameter), test_automount_direct.test_3_automountlocation_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:453: [E1120(no-value-for-parameter), test_automount_indirect.test_3_automountkey_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:465: [E1120(no-value-for-parameter), test_automount_indirect.test_4_automountmap_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:477: [E1120(no-value-for-parameter), test_automount_indirect.test_5_automountlocation_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:560: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_3_automountkey_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:572: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_4_automountmap_del] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_automount_plugin.py:584: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_5_automountlocation_del] No value for argument 'excClass' in method call) ************* Module ipatests.test_xmlrpc.test_sudorule_plugin ipatests/test_xmlrpc/test_sudorule_plugin.py:759: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_sudorule_plugin.py:764: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] 
No value for argument 'excClass' in method call) ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call) ************* Module ipatests.test_xmlrpc.test_passwd_plugin ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call) ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call) ************* Module ipatests.test_xmlrpc.test_hbac_plugin ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call) ************* Module ipatests.test_ipaserver.test_ldap ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call) -- Simo Sorce * Red Hat, Inc * New York From tbordaz at redhat.com Wed Apr 8 13:00:06 2015 
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 08 Apr 2015 15:00:06 +0200
Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior
In-Reply-To: <5524CC06.1020602@redhat.com>
References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com>
Message-ID: <55252656.6020900@redhat.com>

On 04/08/2015 08:34 AM, Jan Cholasta wrote:
> Hi,
>
> On 1.4.2015 at 17:40, thierry bordaz wrote:
>> Hello,
>>
>> In user life cycle, Active entries are moved to Delete container and
>> Delete entries can be moved back to Staging container.
>> This requires an LDAP modrdn with new superior that is not supported
>> in ldap2.
>
> Since update_entry_rdn() is used only in one spot in baseldap, I think
> we can merge it and move_entry_newsuperior() into a single method
> move_entry():
>
> def move_entry(self, dn, new_dn, del_old=True):
>
> We can easily detect whether the superior needs to be updated by
> comparing dn[1:] and new_dn[1:].

Hello Jan,

Yes that is a good idea to merge those two methods. They both rely on
modrdn and a single method is enough.

>
> Maybe we can also get rid of del_old, if it's always gonna be True in
> our code?

I think it is better to get this interface as close as possible to the
MODRDN call, so that the del_old option will be already available for
future usage. I agree that currently del_old is always true in case of
IPA but it could be the default value.

>
> BTW what is the purpose of the find_entries() call? Does MODRDN
> operation not fail with not found itself if the new superior does not
> exist?

You are right, rename_s will detect the new superior does not exist and
will catch it with self.error_handler. So this test on the superior is
useless.

Thanks for your feedback, here is an updated patch.

thanks
thierry

>
>>
>> thanks
>> thierry
>
> Honza
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0004-2-User-life-cycle-allows-MODRDN-from-ldap2.patch
Type: text/x-patch
Size: 2824 bytes
Desc: not available
URL:

From dkupka at redhat.com Wed Apr 8 13:16:43 2015
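The single move_entry() that Jan proposes in the message above, as an added example that is not FreeIPA's ldap2 code and not the attached patch: it derives the MODRDN arguments from the two DNs, sends a new superior only when dn[1:] and new_dn[1:] differ, and leaves the "does the new superior exist" check to the server, as thierry notes. Everything below the function signatures is an assumption of this example: the connection is taken to follow python-ldap's rename_s(dn, newrdn, newsuperior=None, delold=1) signature, DN strings are assumed to use only backslash escapes (no quoted values, no multi-valued RDNs), and the suffix, container DNs and FakeConnection are constructed for an offline run.

```python
"""Added example, not FreeIPA's ldap2 code: one move_entry() built on LDAP
MODRDN, as discussed in the thread.  Assumptions: the connection follows
python-ldap's rename_s(dn, newrdn, newsuperior=None, delold=1) signature;
DN strings use only backslash escapes (no quoted values, no '+' RDNs);
the DNs below are made up for the offline demo."""

from typing import List, Optional, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, keeping an escaped '\\,' inside a value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts


def plan_move(dn: str, new_dn: str) -> Tuple[str, Optional[str]]:
    """Derive the MODRDN arguments (newrdn, newsuperior) for dn -> new_dn.

    newsuperior is None when dn[1:] == new_dn[1:], i.e. the parent is
    unchanged and the server only renames the entry in place.  Components
    are compared case-insensitively as a rough stand-in for the
    normalisation a real DN class performs.
    """
    old, new = split_dn(dn), split_dn(new_dn)
    if len(old) < 2 or len(new) < 2:
        raise ValueError('both DNs need an RDN and a superior')
    same_parent = [c.lower() for c in old[1:]] == [c.lower() for c in new[1:]]
    if same_parent and old[0].lower() == new[0].lower():
        raise ValueError('source and target DN are the same entry')
    newsuperior = None if same_parent else ','.join(new[1:])
    return new[0], newsuperior


def move_entry(conn, dn: str, new_dn: str, del_old: bool = True) -> Tuple[str, Optional[str]]:
    """Move or rename an entry with a single MODRDN.  There is no pre-flight
    search for the new superior: the server reports a missing parent itself."""
    newrdn, newsuperior = plan_move(dn, new_dn)
    conn.rename_s(dn, newrdn, newsuperior, 1 if del_old else 0)
    return newrdn, newsuperior


class FakeConnection:
    """Constructed stand-in for a python-ldap connection: records the MODRDN
    calls it receives and rejects a new superior that does not exist, which
    is the server-side check the thread relies on."""

    def __init__(self, containers: List[str]):
        self.containers = {c.lower() for c in containers}
        self.calls: List[Tuple[str, str, Optional[str], int]] = []

    def rename_s(self, dn, newrdn, newsuperior=None, delold=1):
        if newsuperior is not None and newsuperior.lower() not in self.containers:
            raise LookupError('noSuchObject: %s' % newsuperior)
        self.calls.append((dn, newrdn, newsuperior, delold))


# Made-up suffix and containers for the demo, laid out like the
# active / deleted / staged containers the thread talks about.
SUFFIX = 'dc=example,dc=test'
ACTIVE = 'cn=users,cn=accounts,' + SUFFIX
DELETED = 'cn=deleted users,cn=accounts,cn=provisioning,' + SUFFIX
STAGED = 'cn=staged users,cn=accounts,cn=provisioning,' + SUFFIX


def demo() -> List[Tuple[str, str, Optional[str], int]]:
    """Run the cases from the thread against FakeConnection and return the
    MODRDN calls that reached the 'server'."""
    conn = FakeConnection([ACTIVE, DELETED, STAGED])
    # Active -> Deleted: parent changes, so a newsuperior is sent.
    move_entry(conn, 'uid=tuser,' + ACTIVE, 'uid=tuser,' + DELETED)
    # Deleted -> Staged: likewise a subtree move.
    move_entry(conn, 'uid=tuser,' + DELETED, 'uid=tuser,' + STAGED)
    # Plain rename inside one container: newsuperior stays None.
    move_entry(conn, 'uid=tuser,' + ACTIVE, 'uid=tuser2,' + ACTIVE)
    # A missing parent is reported by the server, not found by a search.
    try:
        move_entry(conn, 'uid=tuser,' + ACTIVE, 'uid=tuser,cn=nowhere,' + SUFFIX)
    except LookupError:
        pass
    return conn.calls


if __name__ == '__main__':
    for call in demo():
        print(call)
```

Keeping del_old as a parameter costs nothing here and keeps the signature aligned with the MODRDN operation, which is the point thierry makes in reply; the decision of whether to send newsuperior at all is the only logic the merged method adds on top of the protocol call.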
From: dkupka at redhat.com (David Kupka)
Date: Wed, 08 Apr 2015 15:16:43 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <1428497595.19641.166.camel@willson.usersys.redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com>
Message-ID: <55252A3B.80904@redhat.com>

On 04/08/2015 02:53 PM, Simo Sorce wrote:
> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>> pylint changed slightly so we must react otherwise we'll be unable to
>>>>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure
>>>>>>> but I don't know if we want it in 4.1.
>>>>>>>
>>>>>>
>>>>>> ACK
>>>>>
>>>>> Are all the new disables really just false positives?
>>>>
>>>> It seems to me they are false positives.
>>>>
>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>
>>>> >>> import ssl
>>>> >>> ssl.PROTOCOL_TLSv1
>>>> 3
>>>>
>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>
>>>> dateutil.parser.parse() returns datetime.datetime object and it has
>>>> both tzinfo and timetuple methods
>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>
>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>> uri_escape] Slice index is not an int, None, or instance with __index__)
>>>>
>>>> This is the line lint is complaining about:
>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>> I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>>>>
>>>>>
>>>>>>
>>>>>> tested on:
>>>>>> - F21: ipa-4-1, master branch
>>>>>> - F22: master branch.
>>>>>>
>>>>>> IMHO it could go to ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>>>
>>>
>>> This patch doesn't seem to fix all my issues building on F22, so
>>> tentative NACK.
>>
>> I tested it this way:
>> 1. started with Fedora-22-x86_64-minimal system
>> 2. dnf install git
>> 3. clone freeipa
>> 4. make version-update # to get freeipa.spec
>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>> 6. ./make-lint
>>
>>>
>>> It seems the main offenders are "No value for argument 'second' in method
>>> call" (this one only in test_ipautil.py) and "No value for argument
>>> 'excClass' in method call" sprinkled around various test plugins.
>>> These cause E1120(no-value-for-parameter).
>>
>> Could you please paste the output of make-lint somewhere?
>
> Here it is.
> This is with my f22 desktop, fully updated with buildrequires running
> make-lint straight after applying your patch:
>
> ************* Module ipatests.test_ipapython.test_ipautil
> ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call)
> ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:128: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:130: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:140: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:143: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:161: [E1120(no-value-for-parameter), TestCIDict.test_items] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:179: [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:189: [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:199: [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:207: [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:217: [E1120(no-value-for-parameter), TestCIDict.test_values] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:229: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:232: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:253: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_dict] No value for argument 'excClass' in method call)
> ipatests/test_ipapython/test_ipautil.py:257: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_list] No value for argument 'excClass' in method call)
> ipatests/test_ipapython/test_ipautil.py:261: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_kwargs] No value for argument 'excClass' in method call)
> ipatests/test_ipapython/test_ipautil.py:270: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:273: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:275: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:278: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:280: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:283: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:286: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:289: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:290: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'excClass' in method call)
> ipatests/test_ipapython/test_ipautil.py:295: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:298: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:303: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:308: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:323: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:324: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:325: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:326: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:327: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:328: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:334: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:335: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:336: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:337: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:338: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:339: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:345: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:346: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:347: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:348: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:349: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:350: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:355: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:356: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:357: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:358: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:359: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:360: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:365: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:366: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:367: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:368: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:369: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:370: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:371: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:377: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:378: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:380: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:385: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:386: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:388: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:393: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:394: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:398: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:403: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:404: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ipatests/test_ipapython/test_ipautil.py:406: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
> ************* Module ipatests.test_xmlrpc.test_cert_plugin
> ipatests/test_xmlrpc/test_cert_plugin.py:132: [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No value for argument 'excClass' in method call)
> ************* Module ipatests.test_xmlrpc.test_automount_plugin
> ipatests/test_xmlrpc/test_automount_plugin.py:297: [E1120(no-value-for-parameter), test_automount.test_b_automountkey_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:309: [E1120(no-value-for-parameter), test_automount.test_c_automountlocation_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:318: [E1120(no-value-for-parameter), test_automount.test_d_automountmap_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:378: [E1120(no-value-for-parameter), test_automount_direct.test_3_automountlocation_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:453: [E1120(no-value-for-parameter), test_automount_indirect.test_3_automountkey_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:465: [E1120(no-value-for-parameter), test_automount_indirect.test_4_automountmap_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:477: [E1120(no-value-for-parameter), test_automount_indirect.test_5_automountlocation_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:560: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_3_automountkey_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:572: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_4_automountmap_del] No value for argument 'excClass' in method call)
> ipatests/test_xmlrpc/test_automount_plugin.py:584: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_5_automountlocation_del] No value for argument 'excClass' in method call)
> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin
> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call)
>
ipatests/test_xmlrpc/test_sudorule_plugin.py:764: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) > ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) > ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call) > ************* Module ipatests.test_xmlrpc.test_passwd_plugin > ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call) > ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin > ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call) > ************* Module ipatests.test_xmlrpc.test_hbac_plugin > ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call) > ************* Module ipatests.test_ipaserver.test_ldap > ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call) > It seems weird to me that all the issues are found in tests only. Not a single report from code. Do you have pytest installed/upgraded? pytest is defined only in "Requires" not in "BuildRequires" and maybe this is the problem. -- David Kupka From jcholast at redhat.com Wed Apr 8 13:18:55 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 08 Apr 2015 15:18:55 +0200
Subject: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject
Message-ID: <55252ABF.5010608@redhat.com>

Hi,

the attached patches remove IPASimpleLDAPObject from ipaldap. As a
result, the one and only IPA LDAP API is the LDAPClient API.

Honza

-- 
Jan Cholasta

Attached patches (text/x-patch, scrubbed by the list archive):
- freeipa-jcholast-0408-ldap-Drop-python-ldap-tuple-compatibility.patch (4580 bytes)
- freeipa-jcholast-0409-ldap-Remove-unused-IPAdmin-methods.patch (976 bytes)
- freeipa-jcholast-0410-ldap-Add-connection-management-to-LDAPClient.patch (4982 bytes)
- freeipa-jcholast-0411-ldap-Use-LDAPClient-connection-management-in-IPAdmin.patch (1604 bytes)
- freeipa-jcholast-0412-ldap-Use-LDAPClient-connection-management-in-ldap2.patch (1731 bytes)
- freeipa-jcholast-0413-ldap-Add-bind-and-unbind-methods-to-LDAPClient.patch (1996 bytes)
- freeipa-jcholast-0414-ldap-Use-LDAPClient-bind-and-unbind-methods-in-IPAdm.patch (2904 bytes)
- freeipa-jcholast-0415-ldap-Use-LDAPClient-bind-and-unbind-methods-in-ldap2.patch (4192 bytes)
- freeipa-jcholast-0416-ldap-Use-LDAPClient-instead-of-IPASimpleLDAPObject-i.patch (1357 bytes)
- freeipa-jcholast-0417-cainstance-Use-LDAPClient-instead-of-IPASimpleLDAPOb.patch (1345 bytes)
- freeipa-jcholast-0418-makeaci-Use-LDAPClient-instead-of-IPASimpleLDAPObjec.patch (1440 bytes)
- freeipa-jcholast-0419-ldap-Move-value-encoding-from-IPASimpleLDAPObject-to.patch (18196 bytes)
- freeipa-jcholast-0420-ldap-Use-LDAPClient-instead-of-IPASimpleLDAPObject-i.patch (3149 bytes)
- freeipa-jcholast-0421-ldap-Move-schema-handling-from-IPASimpleLDAPObject-t.patch (31103 bytes)
- freeipa-jcholast-0422-ldap-Use-SimpleLDAPObject-instead-of-IPASimpleLDAPOb.patch (1225 bytes)
- freeipa-jcholast-0423-ldap-Remove-IPASimpleLDAPObject.patch (5122 bytes)

From jcholast at redhat.com Wed Apr 8 13:33:36 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 08 Apr 2015 15:33:36 +0200
Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior
In-Reply-To: <55252656.6020900@redhat.com>
References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com>
Message-ID: <55252E30.7060301@redhat.com>

On 8.4.2015 at 15:00, thierry bordaz wrote:
> On 04/08/2015 08:34 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 1.4.2015 at 17:40, thierry bordaz wrote:
>>> Hello,
>>>
>>> In user life cycle, Active entries are moved to Delete container and
>>> Delete entries can be moved back to Staging container.
>>> This requires a LDAP modrdn with new superior that is not supported
>>> in ldap2.
>>
>> Since update_entry_rdn() is used only in one spot in baseldap, I think
>> we can merge it and move_entry_newsuperior() into a single method
>> move_entry():
>>
>>     def move_entry(self, dn, new_dn, del_old=True):
>>
>> We can easily detect whether the superior needs to be updated by
>> comparing dn[1:] and new_dn[1:].
>
> Hello Jan,
>
> Yes that is a good idea to merge those two methods. They both rely on
> modrdn and a single method is enough.

Well, I had something like this in mind:

    def move_entry(self, dn, new_dn, del_old=True):
        assert isinstance(dn, DN)
        assert isinstance(new_dn, DN)

        if new_dn == dn:
            raise errors.EmptyModlist()

        new_rdn = new_dn[0]
        if new_rdn == dn[0]:
            new_rdn = None

        new_superior = new_dn[1:]
        if new_superior == dn[1:]:
            new_superior = None

        with self.error_handler():
            self.conn.rename_s(dn, new_rdn, new_superior, int(del_old))

        time.sleep(.3)  # Give memberOf plugin a chance to work

so that you don't have to care if you should change the RDN or the
superior and it just does the right thing.

>
>> Maybe we can also get rid of del_old, if it's always gonna be True in
>> our code?
>
> I think it is better to get this interface as close as possible as the
> MODRDN call, so that del_old option will be already available for future
> usage.
> I agree that currently del_old is always true in case of IPA but it
> could be the default value.

OK, it's not a big piece of code, so I guess we can leave it.

-- 
Jan Cholasta

From simo at redhat.com Wed Apr 8 13:37:52 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Apr 2015 09:37:52 -0400
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <55252A3B.80904@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <55252A3B.80904@redhat.com>
Message-ID: <1428500272.19641.170.camel@willson.usersys.redhat.com>

On Wed, 2015-04-08 at 15:16 +0200, David Kupka wrote:
> It seems weird to me that all the issues are found in tests only. Not
> a
> single report from code.
> Do you have pytest installed/upgraded? pytest is defined only in
> "Requires" not in "BuildRequires" and maybe this is the problem.

I have the latest f22 versions of all the pytest packages.
python-pytest-multihost/sourceorder are in BuildRequires and they will
drag in python-pytest I guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Wed Apr 8 14:44:26 2015
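The move_entry() sketch in Jan Cholasta's reply above decides what to send in the ModifyDN request by comparing the first RDN (dn[0]) and the parent part (dn[1:]) of the old and new DN. The following is an added example, not code from the thread or from FreeIPA: it applies the same comparison to plain DN strings so it runs without python-ldap or ipapython.DN, and it reports whether the operation is a pure rename, a pure move (the staged/active/deleted container hops of the user life cycle) or both. The container DNs and the user entries are constructed sample data, not FreeIPA's real tree layout. One difference from the sketch is deliberate: the LDAP ModifyDNRequest (RFC 4511) requires newrdn, so a pure move repeats the unchanged RDN rather than passing None; only newSuperior is optional.

```python
"""Compute LDAP ModifyDN (modrdn) arguments for an entry move.

Added example, not FreeIPA code.  Mirrors the dn[0] / dn[1:] comparison
of the move_entry() sketch on plain DN strings.  Container DNs below are
constructed sample data.
"""
from typing import Dict, List, Union


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas.

    Deliberately small: handles the escaping seen in everyday DNs, not
    every RFC 4514 form (hex pairs, quoted values).
    """
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _norm(rdns: List[str]) -> List[str]:
    # Attribute types compare case-insensitively, as do the values of the
    # containers used here, so normalise before comparing.
    return [r.lower() for r in rdns]


def same_dn(dn: str, new_dn: str) -> bool:
    """True when both DNs name the same entry (modulo case and spacing)."""
    return _norm(split_dn(dn)) == _norm(split_dn(new_dn))


def modrdn_args(dn: str, new_dn: str, del_old: bool = True) -> Dict[str, Union[str, int, None]]:
    """Return the ModifyDNRequest fields needed to turn `dn` into `new_dn`.

    kind is "rename" (RDN only), "move" (parent only) or "move+rename".
    Raises ValueError when old and new DN are equal, the case in which
    the FreeIPA sketch raises errors.EmptyModlist.
    """
    old, new = split_dn(dn), split_dn(new_dn)
    if not old or not new:
        raise ValueError("empty DN")
    rdn_changed = _norm(new[:1]) != _norm(old[:1])
    superior_changed = _norm(new[1:]) != _norm(old[1:])
    if not rdn_changed and not superior_changed:
        raise ValueError("new DN equals old DN: nothing to modify")
    kind = {(True, False): "rename",
            (False, True): "move",
            (True, True): "move+rename"}[(rdn_changed, superior_changed)]
    # newrdn is mandatory in ModifyDNRequest, so a pure move repeats the
    # unchanged RDN; newSuperior is optional and omitted (None) when the
    # parent does not change.
    return {
        "newrdn": new[0],
        "newsuperior": ",".join(new[1:]) if superior_changed else None,
        "deleteoldrdn": int(del_old),
        "kind": kind,
    }


# Constructed sample containers for a user life cycle: staged -> active -> deleted.
SUFFIX = "dc=example,dc=test"
STAGED = "cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
ACTIVE = "cn=users,cn=accounts," + SUFFIX
DELETED = "cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX

if __name__ == "__main__":
    for src, dst in [
        ("uid=jdoe," + STAGED, "uid=jdoe," + ACTIVE),    # activate: move only
        ("uid=jdoe," + ACTIVE, "uid=jdoe," + DELETED),   # delete: move only
        ("uid=jdoe," + ACTIVE, "uid=john," + ACTIVE),    # rename only
        ("uid=jdoe," + DELETED, "uid=john," + STAGED),   # both at once
    ]:
        print(src, "->", dst, modrdn_args(src, dst))
```

A caller that wraps python-ldap would hand `newrdn`, `newsuperior` and `deleteoldrdn` to `rename_s()`; the `kind` field is only there so a log line or an access-control check can tell a rename from a container move, which matters because moving an entry between containers changes which ACIs and memberOf rules apply to it.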
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 08 Apr 2015 16:44:26 +0200
Subject: [Freeipa-devel] Designing better API compatibility
In-Reply-To: <550C440F.9030907@redhat.com>
References: <550C1CFB.3020402@redhat.com> <1426857556.2981.144.camel@willson.usersys.redhat.com> <550C22C4.2000908@redhat.com> <1426859936.2981.146.camel@willson.usersys.redhat.com> <1426863072.2504.8.camel@redhat.com> <550C39B5.5030006@redhat.com> <550C440F.9030907@redhat.com>
Message-ID: <55253ECA.4010608@redhat.com>

On 03/20/2015 05:00 PM, Petr Vobornik wrote:
> On 03/20/2015 04:16 PM, Petr Spacek wrote:
>> On 20.3.2015 15:51, Nathaniel McCallum wrote:
>>> On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote:
>>>> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote:
>>>>>
>>>>> Correct. I see 2 approaches here:
>>>>>
>>>>> a) Thin client, which simply downloads metadata from the (old)
>>>>> server and won't use unsupported commands/parameters
>>>>> b) Not-so-thin client that knows the minimal API versions of
>>>>> commands/parameters (can be annotated in the code), that would
>>>>> ping the server first to identify its version, validate that the
>>>>> chosen set of commands/parameters is supported on that server and
>>>>> then send the commands with that version.
>>>>
>>>> If we have a recognizable error the client can take an optimistic
>>>> approach, send the command normally, if it gets an error that the
>>>> server does not understand it, it checks the version in the reply
>>>> and falls back to an older "baseline" version of the command (if
>>>> possible) or bails out with an error.
>>>
>>> My understanding was that:
>>>
>>> 1. We already publish all the information necessary to implement a
>>> thin client, and have for some time.
>>
>> We certainly have *some* data but a real thin client will most likely
>> require some changes. Some information like return types and so on
>> are missing.
>>
>>> 2. Thus, the thin client would work on both new and old versions
>>> since it just simply translates from user input into JSON/XML.
>>>
>>> 3. Only plugins with specific client behavior would need to be
>>> ported to the thin client. A prime example of this is
>>> otptoken-add-yubikey.
>>>
>>> My preference is solidly for implementing the thin client first.
>>> Once we have decoupled the client from the current plugin
>>> framework, server-side changes can be made in isolation. This
>>> decoupling is the move that is essentially necessary to provide
>>> proper API versioning. And if this can't land for 4.2, land it in
>>> the next release. I'd rather do API-stability correctly and a
>>> release later than rushed with compromises. We have to live with
>>> this forever.
>>
>> + all votes I have :-)
>>
>
> +1

Ok. So to sum up this thread (and do the actual changes in Trac), in
FreeIPA 4.2, we would:

1) Prepare the API UI browser or generated API documentation so that
people could finally see the existing API without having to read the
code or inspect jquery sent by the Web UI.
https://fedorahosted.org/freeipa/ticket/3129

2) Have option for the ipa tool to send version-less command to the
server which should thus behave as if it is the same version. Bonus
points if defaults are not filled in this case to prevent
unrecoverable Unknown Option errors.
https://fedorahosted.org/freeipa/ticket/4768

Rest would be left for later releases.

Please holler if there is disagreement with this plan.

Thanks,
Martin

From npmccallum at redhat.com Wed Apr 8 14:55:07 2015
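The thread above weighs two client strategies: option (b), a client that annotates each command parameter with the minimal API version that understands it and validates the request against the server's version before sending, and Simo's optimistic variant, which sends the full command and falls back when the server returns a recognisable version error. The following added example (not FreeIPA code) implements both on top of a constructed in-process stand-in for the server. COMMANDS, build_request, fake_server and send_with_fallback are hypothetical names; the only thing assumed about FreeIPA is the "major.minor" shape of its API version strings (the VERSION file quoted later in this archive yields "2.117"), and the no_cr entry is a constructed stand-in for the option discussed in the otptoken-add-yubikey thread.

```python
"""Version-aware request building for an IPA-style JSON-RPC client.

Added example, not FreeIPA code.  COMMANDS, build_request, fake_server
and send_with_fallback are hypothetical; only the "major.minor" API
version string shape is taken from FreeIPA.
"""
from typing import Any, Dict, List, Tuple

# Hypothetical per-parameter metadata: command -> {option: minimal API version}.
COMMANDS: Dict[str, Dict[str, str]] = {
    "otptoken_add_yubikey": {
        "owner": "2.0",
        "description": "2.0",
        "no_cr": "2.117",        # constructed: the option from the yubikey thread
    },
    "user_add": {
        "givenname": "2.0",
        "sn": "2.0",
        "userclass": "2.100",
    },
}


class UnsupportedOption(ValueError):
    """An option the user asked for explicitly is not known to this server."""


def parse_version(text: str) -> Tuple[int, int]:
    major, minor = text.split(".", 1)
    return int(major), int(minor)


def server_supports(min_version: str, server_version: str) -> bool:
    return parse_version(server_version) >= parse_version(min_version)


def build_request(command: str, options: Dict[str, Any], server_version: str,
                  strict: bool = True) -> Tuple[Dict[str, Any], List[str]]:
    """Build a request tagged with the server's own version (option b).

    strict=True raises when an option needs a newer server; strict=False
    drops such options and returns their names so the caller can warn.
    Options the client itself does not know are always rejected, which is
    what keeps a typo from silently turning into a dropped option.
    """
    spec = COMMANDS[command]
    unknown = sorted(set(options) - set(spec))
    if unknown:
        raise UnsupportedOption(f"{command}: unknown option(s) {unknown}")
    kept: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, value in options.items():
        if server_supports(spec[name], server_version):
            kept[name] = value
        elif strict:
            raise UnsupportedOption(
                f"{command}: option {name!r} needs API {spec[name]}, server has {server_version}")
        else:
            dropped.append(name)
    # Layout modelled on FreeIPA's JSON-RPC: positional args, then an
    # options dict carrying the API version (positional args omitted here).
    kept["version"] = server_version
    return {"method": command, "params": [[], kept]}, dropped


def fake_server(request: Dict[str, Any], server_version: str) -> Dict[str, Any]:
    """Constructed stand-in for an older server that rejects unknown options.

    The error carries the server's version: the "recognizable error" the
    optimistic client keys its fallback on.
    """
    spec = COMMANDS.get(request["method"], {})
    options = request["params"][1]
    for name in options:
        if name != "version" and not (name in spec and server_supports(spec[name], server_version)):
            return {"result": None,
                    "error": {"message": f"Unknown option: {name}", "version": server_version}}
    return {"result": {"accepted": sorted(n for n in options if n != "version")}, "error": None}


def send_with_fallback(command: str, options: Dict[str, Any], client_version: str,
                       server_version: str) -> Tuple[Dict[str, Any], List[str]]:
    """Optimistic client: send the full command, retry trimmed on a version error."""
    request, _ = build_request(command, options, client_version, strict=False)
    reply = fake_server(request, server_version)
    if reply["error"] is None:
        return reply, []
    reported = reply["error"].get("version")
    if reported is None:
        return reply, []            # not a version problem: surface the error as is
    request, dropped = build_request(command, options, reported, strict=False)
    return fake_server(request, server_version), dropped
```

Whether to run with strict=True or strict=False is the real policy decision: silently dropping an option such as no_cr changes what gets provisioned, so a CLI should at least print the `dropped` list and, for security-relevant options, refuse rather than degrade.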
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 08 Apr 2015 10:55:07 -0400
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
In-Reply-To: <5524FB72.6060005@redhat.com>
References: <5524FB72.6060005@redhat.com>
Message-ID: <1428504907.2750.3.camel@redhat.com>

On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote:
> Hi there,
>
> At the moment ipa otptoken-add-yubikey does not add the parameter
> "APPEND_CR". This prevents submitting the password+OTP. APPEND_CR is
> usually
> very handy, most people use this functionality.
>
> The patch changes the behavior to set APPEND_CR by default and let
> the
> user override this by using the --do-not-append-cr option.

This patch is very helpful and I would like to see it merged. Thanks
Luc!

1. This patch needs to be formatted according to the FreeIPA
formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format

2. The flag should be named "no_cr" instead of "do_not_append_cr".

3. The comment is not necessary since what the code does is obvious.

Nathaniel

From mbasti at redhat.com Wed Apr 8 15:05:18 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 08 Apr 2015 17:05:18 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <1428504907.2750.3.camel@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> Message-ID: <552543AE.4090900@redhat.com> On 08/04/15 16:55, Nathaniel McCallum wrote: > On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >> Hi there, >> >> At the moment ipa otptoken-add-yubikey does not add the parameter >> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >> usually >> very handy, most people use this functionality. >> >> The patch changes the behavior to set APPEND_CR by default and let >> the >> user override this by using the the --do-not-append-cr option. > This patch is very helpful and I would like to see it merged. Thanks > Luc! > > 1. This patch needs to be formatted according to the FreeIPA > formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format > > 2. The flag should be named "no_cr" instead of "do_not_append_cr". > > 3. The comment is not necessary since what the code does is obvious. > > Nathaniel > Hello, 4) this patch changes API, so please run ./makeapi to regenerate API.txt file and add changes into patch + please bum API minor version in VERSION file thanks. -- Martin Basti From ldelouw at redhat.com Wed Apr 8 15:12:14 2015 
From: ldelouw at redhat.com (Luc de Louw) Date: Wed, 08 Apr 2015 17:12:14 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <552543AE.4090900@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> Message-ID: <5525454E.30101@redhat.com> On 04/08/2015 05:05 PM, Martin Basti wrote: > On 08/04/15 16:55, Nathaniel McCallum wrote: >> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>> Hi there, >>> >>> At the moment ipa otptoken-add-yubikey does not add the parameter >>> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >>> usually >>> very handy, most people use this functionality. >>> >>> The patch changes the behavior to set APPEND_CR by default and let >>> the >>> user override this by using the the --do-not-append-cr option. >> This patch is very helpful and I would like to see it merged. Thanks >> Luc! >> >> 1. This patch needs to be formatted according to the FreeIPA >> formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format >> >> 2. The flag should be named "no_cr" instead of "do_not_append_cr". >> >> 3. The comment is not necessary since what the code does is obvious. >> >> Nathaniel >> > Hello, > > 4) this patch changes API, so please run ./makeapi to regenerate API.txt > file and add changes into patch + please bum API minor version in > VERSION file > > thanks. > Hi, When running makeaip, I get the following error: File "/home/luc/freeipa/ipalib/constants.py", line 25, in from ipaplatform.paths import paths ImportError: No module named paths Any hints? The other changes are ready to submit. Thanks, Luc From mbasti at redhat.com Wed Apr 8 15:14:36 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 08 Apr 2015 17:14:36 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <5525454E.30101@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> Message-ID: <552545DC.2000104@redhat.com> On 08/04/15 17:12, Luc de Louw wrote: > > On 04/08/2015 05:05 PM, Martin Basti wrote: >> On 08/04/15 16:55, Nathaniel McCallum wrote: >>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>> Hi there, >>>> >>>> At the moment ipa otptoken-add-yubikey does not add the parameter >>>> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >>>> usually >>>> very handy, most people use this functionality. >>>> >>>> The patch changes the behavior to set APPEND_CR by default and let >>>> the >>>> user override this by using the the --do-not-append-cr option. >>> This patch is very helpful and I would like to see it merged. Thanks >>> Luc! >>> >>> 1. This patch needs to be formatted according to the FreeIPA >>> formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format >>> >>> 2. The flag should be named "no_cr" instead of "do_not_append_cr". >>> >>> 3. The comment is not necessary since what the code does is obvious. >>> >>> Nathaniel >>> >> Hello, >> >> 4) this patch changes API, so please run ./makeapi to regenerate API.txt >> file and add changes into patch + please bum API minor version in >> VERSION file >> >> thanks. >> > > > Hi, > > When running makeaip, I get the following error: > File "/home/luc/freeipa/ipalib/constants.py", line 25, in > from ipaplatform.paths import paths > ImportError: No module named paths > > Any hints? > > The other changes are ready to submit. > > Thanks, > > Luc You may need to run 'make version-upgrade' or 'make' to prepare the module. 
If it will not work, you can send incomplete patch, I will add API
changes there, just bump VERSION please

-- 
Martin Basti

From ldelouw at redhat.com Wed Apr 8 15:46:48 2015
From: ldelouw at redhat.com (Luc de Louw) Date: Wed, 08 Apr 2015 17:46:48 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <552545DC.2000104@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> Message-ID: <55254D68.1020904@redhat.com> On 04/08/2015 05:14 PM, Martin Basti wrote: > On 08/04/15 17:12, Luc de Louw wrote: >> >> On 04/08/2015 05:05 PM, Martin Basti wrote: >>> On 08/04/15 16:55, Nathaniel McCallum wrote: >>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>>> Hi there, >>>>> >>>>> At the moment ipa otptoken-add-yubikey does not add the parameter >>>>> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >>>>> usually >>>>> very handy, most people use this functionality. >>>>> >>>>> The patch changes the behavior to set APPEND_CR by default and let >>>>> the >>>>> user override this by using the the --do-not-append-cr option. >>>> This patch is very helpful and I would like to see it merged. Thanks >>>> Luc! >>>> >>>> 1. This patch needs to be formatted according to the FreeIPA >>>> formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format >>>> >>>> 2. The flag should be named "no_cr" instead of "do_not_append_cr". >>>> >>>> 3. The comment is not necessary since what the code does is obvious. >>>> >>>> Nathaniel >>>> >>> Hello, >>> >>> 4) this patch changes API, so please run ./makeapi to regenerate API.txt >>> file and add changes into patch + please bum API minor version in >>> VERSION file >>> >>> thanks. >>> >> >> >> Hi, >> >> When running makeaip, I get the following error: >> File "/home/luc/freeipa/ipalib/constants.py", line 25, in >> from ipaplatform.paths import paths >> ImportError: No module named paths >> >> Any hints? >> >> The other changes are ready to submit. 
>> >> Thanks, >> >> Luc > You may need to run 'make version-upgrade' or 'make' to prepare the module. > > If it will not work, you can send incomplete patch, I will add API > changes there, just bump VERSION please > Martin, Thanks for your hints, seems to work, please have a look at it... Thanks, Luc -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-At-the-moment-ipa-otptoken-add-yubikey-does-not-add-.patch Type: text/x-patch Size: 3793 bytes Desc: not available URL: From mbasti at redhat.com Wed Apr 8 15:53:45 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 08 Apr 2015 17:53:45 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55254D68.1020904@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> Message-ID: <55254F09.7040202@redhat.com> On 08/04/15 17:46, Luc de Louw wrote: > On 04/08/2015 05:14 PM, Martin Basti wrote: >> On 08/04/15 17:12, Luc de Louw wrote: >>> >>> On 04/08/2015 05:05 PM, Martin Basti wrote: >>>> On 08/04/15 16:55, Nathaniel McCallum wrote: >>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>>>> Hi there, >>>>>> >>>>>> At the moment ipa otptoken-add-yubikey does not add the parameter >>>>>> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >>>>>> usually >>>>>> very handy, most people use this functionality. >>>>>> >>>>>> The patch changes the behavior to set APPEND_CR by default and let >>>>>> the >>>>>> user override this by using the the --do-not-append-cr option. >>>>> This patch is very helpful and I would like to see it merged. Thanks >>>>> Luc! >>>>> >>>>> 1. This patch needs to be formatted according to the FreeIPA >>>>> formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format >>>>> >>>>> 2. The flag should be named "no_cr" instead of "do_not_append_cr". >>>>> >>>>> 3. The comment is not necessary since what the code does is obvious. >>>>> >>>>> Nathaniel >>>>> >>>> Hello, >>>> >>>> 4) this patch changes API, so please run ./makeapi to regenerate >>>> API.txt >>>> file and add changes into patch + please bum API minor version in >>>> VERSION file >>>> >>>> thanks. 
>>>>
>>>
>>>
>>> Hi,
>>>
>>> When running makeapi, I get the following error:
>>> File "/home/luc/freeipa/ipalib/constants.py", line 25, in
>>> from ipaplatform.paths import paths
>>> ImportError: No module named paths
>>>
>>> Any hints?
>>>
>>> The other changes are ready to submit.
>>>
>>> Thanks,
>>>
>>> Luc
>> You may need to run 'make version-upgrade' or 'make' to prepare the
>> module.
>>
>> If it will not work, you can send incomplete patch, I will add API
>> changes there, just bump VERSION please
>>
>
> Martin,
>
> Thanks for your hints, seems to work, please have a look at it...
>
> Thanks,
>
> Luc
>
>
Thanks,

please change the comment too

-IPA_API_VERSION_MINOR=116
+IPA_API_VERSION_MINOR=117
# Last change: tbordaz - Add stageuser_add command"

Otherwise patch looks good, but Nathaniel is the OTP guru, he should say
final ack.

-- 
Martin Basti

From npmccallum at redhat.com Wed Apr 8 16:03:11 2015
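Review bot: the VERSION hunk bumps IPA_API_VERSION_MINOR from 116 to 117 but leaves the `# Last change:` comment crediting the previous change (tbordaz, stageuser_add), so the comment no longer describes the version it sits next to; the line should name this change (the no_cr option added to otptoken-add-yubikey) so that whoever bumps to 118 can see which API change 2.117 corresponds to, and the regenerated API.txt should go in the same patch as the bump. The trailing double quote after `command` on that comment line looks like a copy artifact; worth checking it is not actually in the file.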
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 08 Apr 2015 12:03:11 -0400 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55254F09.7040202@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> Message-ID: <1428508991.2750.12.camel@redhat.com> On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: > On 08/04/15 17:46, Luc de Louw wrote: > > On 04/08/2015 05:14 PM, Martin Basti wrote: > > > On 08/04/15 17:12, Luc de Louw wrote: > > > > > > > > On 04/08/2015 05:05 PM, Martin Basti wrote: > > > > > On 08/04/15 16:55, Nathaniel McCallum wrote: > > > > > > On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: > > > > > > > Hi there, > > > > > > > > > > > > > > At the moment ipa otptoken-add-yubikey does not add the > > > > > > > parameter > > > > > > > "APPEND_CR". This prevents submit the password+OTP. > > > > > > > APPEND_CR is > > > > > > > usually > > > > > > > very handy, most people use this functionality. > > > > > > > > > > > > > > The patch changes the behavior to set APPEND_CR by > > > > > > > default and let > > > > > > > the > > > > > > > user override this by using the the --do-not-append-cr > > > > > > > option. > > > > > > This patch is very helpful and I would like to see it > > > > > > merged. Thanks > > > > > > Luc! > > > > > > > > > > > > 1. This patch needs to be formatted according to the > > > > > > FreeIPA > > > > > > formatting. See: > > > > > > https://www.freeipa.org/page/Contribute/Patch_Format > > > > > > > > > > > > 2. The flag should be named "no_cr" instead of > > > > > > "do_not_append_cr". > > > > > > > > > > > > 3. The comment is not necessary since what the code does > > > > > > is obvious. 
> > > > > >
> > > > > > Nathaniel
> > > > > >
> > > > > Hello,
> > > > >
> > > > > 4) this patch changes API, so please run ./makeapi to
> > > > > regenerate
> > > > > API.txt
> > > > > file and add changes into patch + please bump API minor
> > > > > version in
> > > > > VERSION file
> > > > >
> > > > > thanks.
> > > > >
> > > >
> > > >
> > > > Hi,
> > > >
> > > > When running makeapi, I get the following error:
> > > > File "/home/luc/freeipa/ipalib/constants.py", line 25, in
> > > >
> > > > from ipaplatform.paths import paths
> > > > ImportError: No module named paths
> > > >
> > > > Any hints?
> > > >
> > > > The other changes are ready to submit.
> > > >
> > > > Thanks,
> > > >
> > > > Luc
> > > You may need to run 'make version-upgrade' or 'make' to prepare
> > > the
> > > module.
> > >
> > > If it will not work, you can send incomplete patch, I will add
> > > API
> > > changes there, just bump VERSION please
> > >
> >
> > Martin,
> >
> > Thanks for your hints, seems to work, please have a look at it...
> >
> > Thanks,
> >
> > Luc
> >
> >
> Thanks,
>
> please change the comment too
>
> -IPA_API_VERSION_MINOR=116
> +IPA_API_VERSION_MINOR=117
> # Last change: tbordaz - Add stageuser_add command"
>
> Otherwise patch looks good, but Nathaniel is the OTP guru, he should
> say
> final ack.

I'm also a tough reviewer. :)

1. Remove the unnecessary code comment.

2. There appears to be inconsistent indentation in the flag parameter
specification. It is probably a mix of tabs and spaces.

3. The git commit comment should contain one short summary line without
terminating punctuation followed by any necessary explanatory
paragraphs. You can change this via the "--amend" option to "git
commit". Try the following:

Enable YubiKey carriage return emission via otptoken-add-yubikey

Before this patch, YubiKeys programmed by IPA would not emit the
carriage return character at the end of the OTP value. This requires
the user to press his YubiKey and then (unnecessarily) the Enter or
Return key. After this patch, the user only needs to press the YubiKey.

Should a user desire to omit the carriage return character, the --no-cr
option can be specified.

Nathaniel

From ldelouw at redhat.com Wed Apr 8 16:03:17 2015
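Two of Nathaniel's review points above are mechanical (a commit summary line with terminating punctuation, and added lines indented with a mix of tabs and spaces) and can be caught before a patch is posted. The following added example is a small checker for exactly those two points; it is not a FreeIPA tool and not Luc's patch. check_patch, SAMPLE_PATCH and CLEAN_PATCH are hypothetical names, and SAMPLE_PATCH is a constructed git format-patch file with a constructed file path that deliberately contains both problems.

```python
"""Pre-submission checks for two mechanical patch-review points.

Added example, not a FreeIPA tool.  check_patch() scans a git
format-patch file for (1) a commit summary line that ends in terminating
punctuation or is not followed by a blank line, and (2) added lines
whose indentation mixes tabs and spaces (or uses tabs at all).
SAMPLE_PATCH is a constructed patch with a constructed file path.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]   # (check id, 1-based line number in the patch, detail)

SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Contributor <contributor@example.test>
Subject: [PATCH] Enable YubiKey carriage return emission via otptoken-add-yubikey.

Before this patch the programmed YubiKey did not emit a carriage return,
so the user had to press Enter after touching the key.
---
 ipalib/plugins/example_plugin.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipalib/plugins/example_plugin.py b/ipalib/plugins/example_plugin.py
--- a/ipalib/plugins/example_plugin.py
+++ b/ipalib/plugins/example_plugin.py
@@ -1,3 +1,6 @@
 class example_add(object):
     takes_options = (
+        Flag('no_cr',
+\t     doc=_('Do not add a carriage return to the end of the OTP'),
+        ),
     )
"""

# The same patch with both problems corrected (constructed from SAMPLE_PATCH).
CLEAN_PATCH = (SAMPLE_PATCH
               .replace("otptoken-add-yubikey.\n", "otptoken-add-yubikey\n")
               .replace("+\t     doc=", "+             doc="))


def _summary(lines: List[str]) -> Tuple[int, str]:
    """Return (0-based index, text) of the Subject: line, minus [PATCH] tags."""
    for i, line in enumerate(lines):
        if line.startswith("Subject:"):
            text = line[len("Subject:"):].strip()
            text = re.sub(r"^(\[PATCH[^\]]*\]\s*)+", "", text)
            return i, text
    return -1, ""


def check_patch(patch: str) -> List[Finding]:
    lines = patch.splitlines()
    findings: List[Finding] = []

    idx, summary = _summary(lines)
    if idx < 0:
        findings.append(("summary-missing", 0, "no Subject: line in patch header"))
    else:
        if summary and summary[-1] in ".!?;:,":
            findings.append(("summary-punctuation", idx + 1,
                             f"summary ends with {summary[-1]!r}: {summary}"))
        # git format-patch puts a blank line between the headers and the body,
        # so the line right after Subject: must be empty.
        if idx + 1 < len(lines) and lines[idx + 1].strip():
            findings.append(("summary-not-separated", idx + 2,
                             "summary must be followed by a blank line"))

    in_diff = False
    for lineno, line in enumerate(lines, 1):
        if line.startswith("diff --git "):
            in_diff = True
            continue
        # Only added lines inside a diff body; "+++ b/..." is a file header.
        if not in_diff or not line.startswith("+") or line.startswith("+++ "):
            continue
        indent = re.match(r"\+([ \t]*)", line).group(1)
        if "\t" in indent and " " in indent:
            findings.append(("mixed-indentation", lineno,
                             "added line indents with both tabs and spaces"))
        elif "\t" in indent:
            findings.append(("tab-indentation", lineno,
                             "added line indents with tabs; use spaces (PEP 8)"))
    return findings


if __name__ == "__main__":
    for check_id, lineno, detail in check_patch(SAMPLE_PATCH):
        print(f"line {lineno}: {check_id}: {detail}")
```

Run against SAMPLE_PATCH the checker reports the summary's trailing period on the Subject: line and the tab-plus-spaces indentation on the added `doc=` line; CLEAN_PATCH passes. The check walks only `+` lines after a `diff --git` header so that context lines, which may legitimately carry whatever indentation the file already has, are never blamed on the patch author.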
From: ldelouw at redhat.com (Luc de Louw) Date: Wed, 08 Apr 2015 18:03:17 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55254F09.7040202@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> Message-ID: <55255145.5060407@redhat.com> On 04/08/2015 05:53 PM, Martin Basti wrote: > On 08/04/15 17:46, Luc de Louw wrote: >> On 04/08/2015 05:14 PM, Martin Basti wrote: >>> On 08/04/15 17:12, Luc de Louw wrote: >>>> >>>> On 04/08/2015 05:05 PM, Martin Basti wrote: >>>>> On 08/04/15 16:55, Nathaniel McCallum wrote: >>>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>>>>> Hi there, >>>>>>> >>>>>>> At the moment ipa otptoken-add-yubikey does not add the parameter >>>>>>> "APPEND_CR". This prevents submit the password+OTP. APPEND_CR is >>>>>>> usually >>>>>>> very handy, most people use this functionality. >>>>>>> >>>>>>> The patch changes the behavior to set APPEND_CR by default and let >>>>>>> the >>>>>>> user override this by using the the --do-not-append-cr option. >>>>>> This patch is very helpful and I would like to see it merged. Thanks >>>>>> Luc! >>>>>> >>>>>> 1. This patch needs to be formatted according to the FreeIPA >>>>>> formatting. See: https://www.freeipa.org/page/Contribute/Patch_Format >>>>>> >>>>>> 2. The flag should be named "no_cr" instead of "do_not_append_cr". >>>>>> >>>>>> 3. The comment is not necessary since what the code does is obvious. >>>>>> >>>>>> Nathaniel >>>>>> >>>>> Hello, >>>>> >>>>> 4) this patch changes API, so please run ./makeapi to regenerate >>>>> API.txt >>>>> file and add changes into patch + please bum API minor version in >>>>> VERSION file >>>>> >>>>> thanks. 
>>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> When running makeapi, I get the following error:
>>>> File "/home/luc/freeipa/ipalib/constants.py", line 25, in
>>>> from ipaplatform.paths import paths
>>>> ImportError: No module named paths
>>>>
>>>> Any hints?
>>>>
>>>> The other changes are ready to submit.
>>>>
>>>> Thanks,
>>>>
>>>> Luc
>>> You may need to run 'make version-upgrade' or 'make' to prepare the
>>> module.
>>>
>>> If it will not work, you can send incomplete patch, I will add API
>>> changes there, just bump VERSION please
>>>
>>
>> Martin,
>>
>> Thanks for your hints, seems to work, please have a look at it...
>>
>> Thanks,
>>
>> Luc
>>
>>
> Thanks,
>
> please change the comment too
>
> -IPA_API_VERSION_MINOR=116
> +IPA_API_VERSION_MINOR=117
> # Last change: tbordaz - Add stageuser_add command"
>
> Otherwise patch looks good, but Nathaniel is the OTP guru, he should say
> final ack.
>
Here we are....

Thanks,

Luc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Added-last-change-statement.patch
Type: text/x-patch
Size: 709 bytes
Desc: not available
URL:

From lslebodn at redhat.com Wed Apr 8 19:55:06 2015
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 8 Apr 2015 21:55:06 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <5524E52C.3050207@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> Message-ID: <20150408195506.GB16866@mail.corp.redhat.com> On (08/04/15 10:22), David Kupka wrote: >On 04/06/2015 02:48 PM, Simo Sorce wrote: >>On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >>>On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>>>Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>>>>On 27.3.2015 14:58, David Kupka wrote: >>>>>>pylint changed slightly so we must react otherwise we'll be unable to >>>>>>build freeipa rpms on Fedora 22. This patch should go to master for sure >>>>>>but I don't know if we want it in 4.1. >>>>>> >>>>> >>>>>ACK >>>> >>>>Are all the new disables really just false positives? >>> >>>It seems to me as a false positives. >>> >>>1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >>>otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> >>> >>> import ssl >>> >>> ssl.PROTOCOL_TLSv1 >>>3 >>> >>>2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >>>convertDate] Instance of 'tuple' has no 'tzinfo' member) >>>ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >>>convertDate] Instance of 'tuple' has no 'timetuple' member) >>> >>>dateutil.parser.parse() returns datetime.datetime object and it has >>>both tzinfo and timetuple methods >>>(https://docs.python.org/2/library/datetime.html#datetime-objects) >>> >>>3. 
ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>uri_escape] Slice index is not an int, None, or instance with __index__)
>>>
>>>This is the line lint is complaining about:
>>>out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>>>
>>>>
>>>>>
>>>>>tested on:
>>>>>- F21: ipa-4-1, master branch
>>>>>- F22: master branch.
>>>>>
>>>>>IMHO it could go to ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>>
>>
>>This patch doesn't seem to fix all my issues building on F22, so
>>tentative NACK.
>
>I tested it this way:
>1. started with Fedora-22-x86_64-minimal system
>2. dnf install git
>3. clone freeipa
>4. make version-update # to get freeipa.spec

If the spec file has already been generated, you can install the build
requires with one command.

a) dnf builddep /path/to/spec
   builddep is a dnf plugin packaged in dnf-plugins-core

b) yum-builddep /path/to/spec
   it is part of the package yum-utils

LS

From mkosek at redhat.com Wed Apr 8 20:52:51 2015
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Apr 2015 22:52:51 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <1428508991.2750.12.camel@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> Message-ID: <55259523.9080900@redhat.com> On 04/08/2015 06:03 PM, Nathaniel McCallum wrote: > On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: >> On 08/04/15 17:46, Luc de Louw wrote: >>> On 04/08/2015 05:14 PM, Martin Basti wrote: >>>> On 08/04/15 17:12, Luc de Louw wrote: >>>>> >>>>> On 04/08/2015 05:05 PM, Martin Basti wrote: >>>>>> On 08/04/15 16:55, Nathaniel McCallum wrote: >>>>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>>>>>> Hi there, >>>>>>>> >>>>>>>> At the moment ipa otptoken-add-yubikey does not add the >>>>>>>> parameter >>>>>>>> "APPEND_CR". This prevents submit the password+OTP. >>>>>>>> APPEND_CR is >>>>>>>> usually >>>>>>>> very handy, most people use this functionality. >>>>>>>> >>>>>>>> The patch changes the behavior to set APPEND_CR by >>>>>>>> default and let >>>>>>>> the >>>>>>>> user override this by using the the --do-not-append-cr >>>>>>>> option. >>>>>>> This patch is very helpful and I would like to see it >>>>>>> merged. Thanks >>>>>>> Luc! >>>>>>> >>>>>>> 1. This patch needs to be formatted according to the >>>>>>> FreeIPA >>>>>>> formatting. See: >>>>>>> https://www.freeipa.org/page/Contribute/Patch_Format >>>>>>> >>>>>>> 2. The flag should be named "no_cr" instead of >>>>>>> "do_not_append_cr". >>>>>>> >>>>>>> 3. The comment is not necessary since what the code does >>>>>>> is obvious. 
>>>>>>> >>>>>>> Nathaniel >>>>>>> >>>>>> Hello, >>>>>> >>>>>> 4) this patch changes API, so please run ./makeapi to >>>>>> regenerate >>>>>> API.txt >>>>>> file and add changes into patch + please bum API minor >>>>>> version in >>>>>> VERSION file >>>>>> >>>>>> thanks. >>>>>> >>>>> >>>>> >>>>> Hi, >>>>> >>>>> When running makeaip, I get the following error: >>>>> File "/home/luc/freeipa/ipalib/constants.py", line 25, in >>>>> >>>>> from ipaplatform.paths import paths >>>>> ImportError: No module named paths >>>>> >>>>> Any hints? >>>>> >>>>> The other changes are ready to submit. >>>>> >>>>> Thanks, >>>>> >>>>> Luc >>>> You may need to run 'make version-upgrade' or 'make' to prepare >>>> the >>>> module. >>>> >>>> If it will not work, you can send incomplete patch, I will add >>>> API >>>> changes there, just bump VERSION please >>>> >>> >>> Martin, >>> >>> Thanks for your hints, seems to work, please have a look at it... >>> >>> Thanks, >>> >>> Luc >>> >>> >> Thanks, >> >> please change the comment too >> >> -IPA_API_VERSION_MINOR=116 >> +IPA_API_VERSION_MINOR=117 >> # Last change: tbordaz - Add stageuser_add command" >> >> Otherwise patch looks good, but Nathaniel is the OTP guru, he should >> say >> final ack. > > I'm also a tough reviewer. :) > > 1. Remove the unnecessary code comment. > > 2. There appears to be inconsistent indentation in the flag parameter > specification. It is probably a mix of tabs and spaces. > > 3. The git commit comment should contain one short summary line > without terminating punctuation followed by any necessary explanatory > paragraphs. You can change this via the "--amend" option to "git > commit". Try the following: > > Enable YubiKey carriage return emission via otptoken-add-yubikey > > Before this patch, YubiKeys programmed by IPA would not emit the > carriage return character at the end of the OTP value. This requires > the user to press his YubiKey and then (unnecessarily) the Enter or > Return key. 
After this patch, the user only needs to press the YubiKey.
>
> Should a user desire to omit the carriage return character, the --no-cr
> option can be specified.
>
> Nathaniel
>

One more note to the API. In my experience, using a Flag for a boolean
data input has often proved to be a bad call.

Let's say you now introduce a --no-cr flag. What if we decide to change
the default to False? How would you then change the option/API?

It is more flexible IMO to just use something like

--cr=TRUE|FALSE with TRUE being the default

Martin

From jcholast at redhat.com Thu Apr 9 07:16:55 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 09 Apr 2015 09:16:55 +0200 Subject: [Freeipa-devel] Designing better API compatibility In-Reply-To: <55253ECA.4010608@redhat.com> References: <550C1CFB.3020402@redhat.com> <1426857556.2981.144.camel@willson.usersys.redhat.com> <550C22C4.2000908@redhat.com> <1426859936.2981.146.camel@willson.usersys.redhat.com> <1426863072.2504.8.camel@redhat.com> <550C39B5.5030006@redhat.com> <550C440F.9030907@redhat.com> <55253ECA.4010608@redhat.com> Message-ID: <55262767.7020407@redhat.com> Dne 8.4.2015 v 16:44 Martin Kosek napsal(a): > On 03/20/2015 05:00 PM, Petr Vobornik wrote: >> On 03/20/2015 04:16 PM, Petr Spacek wrote: >>> On 20.3.2015 15:51, Nathaniel McCallum wrote: >>>> On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: >>>>> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote: >>>>>> >>>>>> Correct. I see 2 approaches here: >>>>>> >>>>>> a) Thin client, which simply downloads metadata from the (old) >>>>>> server and won't >>>>>> use unsupported commands/parameters >>>>>> b) Not-so-thin client that knows the minimal API versions of >>>>>> commands/parameters (can be annotated in the code), that would >>>>>> ping the server >>>>>> first to identify it's version, validate that the chosen set of >>>>>> commands/parameters is supported on that server and then send the >>>>>> commands with >>>>>> that version. >>>>> >>>>> If we have a recognizable error the client can take an optimistic >>>>> approach, send the command normally, if it gets an error that the >>>>> server does not understand it, it checks the version in the reply >>>>> and falls back to an older "baseline" version of the command (if >>>>> possible) or bails out with an error. >>>> >>>> My understanding was that: >>>> >>>> 1. We already publish all the information necessary to implement a >>>> thin client, and have for some time. >>> We certainly have *some* data but real thin client will most likely require >>> some changes. 
Some information like return types and so on are missing.
>>>
>>>> 2. Thus, the thin client would work on both new and old versions since
>>>> it just simply translates from user input into JSON/XML.
>>>>
>>>> 3. Only plugins with specific client behavior would need to be ported
>>>> to the thin client. A prime example of this is otptoken-add-yubikey.
>>>>
>>>> My preference is solidly for implementing the thin client first. Once
>>>> we have decoupled the client from the current plugin framework,
>>>> server-side changes can be made in isolation. This decoupling is the
>>>> move that is essentially necessary to provide proper API versioning.
>>>> And if this can't land for 4.2, land it in the next release. I'd
>>>> rather do API-stability correctly and a release later than rushed with
>>>> compromises. We have to live with this forever.
>>> + all votes I have :-)
>>>
>>
>> +1
>
> Ok. So to sum up this thread (and do the actual changes in Trac), in FreeIPA
> 4.2, we would:
>
> 1) Prepare the API UI browser or generated API documentation so that people
> could finally see the existing API without having to read the code or inspect
> jquery sent by the Web UI.
>
> https://fedorahosted.org/freeipa/ticket/3129

This is not related to API compatibility, it just uses the same metadata.

>
> 2) Have option for the ipa tool to send version-less command to the server
> which should thus behave as if it is the same version. Bonus points if defaults
> are not filled in this case to prevent unrecoverable Unknown Option errors.
>
> https://fedorahosted.org/freeipa/ticket/4768

Not sending version and not computing defaults are very different things and
their implementation will be very different too. I would not mix them together.

>
> Rest would be left for later releases. Please holler if there is disagreement
> with this plan.

I agree with Nathaniel that we should do thin client ASAP.

>
> Thanks,
> Martin
>

--
Jan Cholasta

From mkosek at redhat.com Thu Apr 9 07:35:09 2015
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 09 Apr 2015 09:35:09 +0200 Subject: [Freeipa-devel] Designing better API compatibility In-Reply-To: <55262767.7020407@redhat.com> References: <550C1CFB.3020402@redhat.com> <1426857556.2981.144.camel@willson.usersys.redhat.com> <550C22C4.2000908@redhat.com> <1426859936.2981.146.camel@willson.usersys.redhat.com> <1426863072.2504.8.camel@redhat.com> <550C39B5.5030006@redhat.com> <550C440F.9030907@redhat.com> <55253ECA.4010608@redhat.com> <55262767.7020407@redhat.com> Message-ID: <55262BAD.10204@redhat.com> On 04/09/2015 09:16 AM, Jan Cholasta wrote: > Dne 8.4.2015 v 16:44 Martin Kosek napsal(a): >> On 03/20/2015 05:00 PM, Petr Vobornik wrote: >>> On 03/20/2015 04:16 PM, Petr Spacek wrote: >>>> On 20.3.2015 15:51, Nathaniel McCallum wrote: >>>>> On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: >>>>>> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote: >>>>>>> >>>>>>> Correct. I see 2 approaches here: >>>>>>> >>>>>>> a) Thin client, which simply downloads metadata from the (old) >>>>>>> server and won't >>>>>>> use unsupported commands/parameters >>>>>>> b) Not-so-thin client that knows the minimal API versions of >>>>>>> commands/parameters (can be annotated in the code), that would >>>>>>> ping the server >>>>>>> first to identify it's version, validate that the chosen set of >>>>>>> commands/parameters is supported on that server and then send the >>>>>>> commands with >>>>>>> that version. >>>>>> >>>>>> If we have a recognizable error the client can take an optimistic >>>>>> approach, send the command normally, if it gets an error that the >>>>>> server does not understand it, it checks the version in the reply >>>>>> and falls back to an older "baseline" version of the command (if >>>>>> possible) or bails out with an error. >>>>> >>>>> My understanding was that: >>>>> >>>>> 1. We already publish all the information necessary to implement a >>>>> thin client, and have for some time. 
>>>> We certainly have *some* data but real thin client will most likely require >>>> some changes. Some information like return types and so on are missing. >>>> >>>>> 2. Thus, the thin client would work on both new and old versions since >>>>> it just simply translates from user input into JSON/XML. >>>>> >>>>> 3. Only plugins with specific client behavior would need to be ported >>>>> to the thin client. A prime example of this is otptoken-add-yubikey. >>>>> >>>>> My preference is solidly for implementing the thin client first. Once >>>>> we have decoupled the client from the current plugin framework, server- >>>>> side changes can be made in isolation. This decoupling is the move >>>>> that is essentially necessary to provide proper API versioning. And if >>>>> this can't land for 4.2, land it in the next release. I'd rather do >>>>> API-stability correctly and a release later than rushed with >>>>> compromises. We have to live with this forever. >>>> + all votes I have :-) >>>> >>> >>> +1 >> >> Ok. So to sum up this thread (and do the actual changes in Trac), in FreeIPA >> 4.2, we would: >> >> 1) Prepare the API UI browser or generated API documentation so that people >> could finally see the existing API without having to read the code or inspect >> jquery sent by the Web UI. >> >> https://fedorahosted.org/freeipa/ticket/3129 > > This is not related to API compatibility, it just uses the same metadata. It is not related to API compatibility per se, but very related to better API consumption and a low hanging fruit we could start with, since we have the metadata already >> 2) Have option for the ipa tool to send version-less command to the server >> which should thus behave as if it is the same version. Bonus points if defaults >> are not filled in this case to prevent unrecoverable Unkown Option errors. 
>>
>> https://fedorahosted.org/freeipa/ticket/4768
>
> Not sending version and not computing defaults are very different things and
> their implementation will be very different too. I would not mix them together.

We are now getting more in the design, but the idea was that sending the
defaults may force the server to refuse serving the command even if the caller
did not explicitly request that option. Even if the caller did not care about
the new default option in 4.x, he would not be able to call the command as it
would be always sent to the old server.

>> Rest would be left for later releases. Please holler if there is disagreement
>> with this plan.
>
> I agree with Nathaniel that we should do thin client ASAP.

I agree too, but given it is not realistic for 4.2, we need to do at least
something in 4.2 for projects which need to use the CLI against older versions.

Skipping version and client defaults seemed like the low-hanging fruit that
could help them. If there is a better idea about what else can be done in 4.2,
I am open to it.

Martin

From pvoborni at redhat.com Thu Apr 9 07:45:56 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 09 Apr 2015 09:45:56 +0200 Subject: [Freeipa-devel] Designing better API compatibility In-Reply-To: <55262BAD.10204@redhat.com> References: <550C1CFB.3020402@redhat.com> <1426857556.2981.144.camel@willson.usersys.redhat.com> <550C22C4.2000908@redhat.com> <1426859936.2981.146.camel@willson.usersys.redhat.com> <1426863072.2504.8.camel@redhat.com> <550C39B5.5030006@redhat.com> <550C440F.9030907@redhat.com> <55253ECA.4010608@redhat.com> <55262767.7020407@redhat.com> <55262BAD.10204@redhat.com> Message-ID: <55262E34.2020201@redhat.com> On 04/09/2015 09:35 AM, Martin Kosek wrote: > On 04/09/2015 09:16 AM, Jan Cholasta wrote: >> Dne 8.4.2015 v 16:44 Martin Kosek napsal(a): >>> On 03/20/2015 05:00 PM, Petr Vobornik wrote: >>>> On 03/20/2015 04:16 PM, Petr Spacek wrote: >>>>> On 20.3.2015 15:51, Nathaniel McCallum wrote: >>>>>> On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: >>>>>>> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote: >>>>>>>> >>>>>>>> Correct. I see 2 approaches here: >>>>>>>> >>>>>>>> a) Thin client, which simply downloads metadata from the (old) >>>>>>>> server and won't >>>>>>>> use unsupported commands/parameters >>>>>>>> b) Not-so-thin client that knows the minimal API versions of >>>>>>>> commands/parameters (can be annotated in the code), that would >>>>>>>> ping the server >>>>>>>> first to identify it's version, validate that the chosen set of >>>>>>>> commands/parameters is supported on that server and then send the >>>>>>>> commands with >>>>>>>> that version. >>>>>>> >>>>>>> If we have a recognizable error the client can take an optimistic >>>>>>> approach, send the command normally, if it gets an error that the >>>>>>> server does not understand it, it checks the version in the reply >>>>>>> and falls back to an older "baseline" version of the command (if >>>>>>> possible) or bails out with an error. >>>>>> >>>>>> My understanding was that: >>>>>> >>>>>> 1. 
We already publish all the information necessary to implement a >>>>>> thin client, and have for some time. >>>>> We certainly have *some* data but real thin client will most likely require >>>>> some changes. Some information like return types and so on are missing. >>>>> >>>>>> 2. Thus, the thin client would work on both new and old versions since >>>>>> it just simply translates from user input into JSON/XML. >>>>>> >>>>>> 3. Only plugins with specific client behavior would need to be ported >>>>>> to the thin client. A prime example of this is otptoken-add-yubikey. >>>>>> >>>>>> My preference is solidly for implementing the thin client first. Once >>>>>> we have decoupled the client from the current plugin framework, server- >>>>>> side changes can be made in isolation. This decoupling is the move >>>>>> that is essentially necessary to provide proper API versioning. And if >>>>>> this can't land for 4.2, land it in the next release. I'd rather do >>>>>> API-stability correctly and a release later than rushed with >>>>>> compromises. We have to live with this forever. >>>>> + all votes I have :-) >>>>> >>>> >>>> +1 >>> >>> Ok. So to sum up this thread (and do the actual changes in Trac), in FreeIPA >>> 4.2, we would: >>> >>> 1) Prepare the API UI browser or generated API documentation so that people >>> could finally see the existing API without having to read the code or inspect >>> jquery sent by the Web UI. >>> >>> https://fedorahosted.org/freeipa/ticket/3129 >> >> This is not related to API compatibility, it just uses the same metadata. > > It is not related to API compatibility per se, but very related to better API > consumption and a low hanging fruit we could start with, since we have the > metadata already +1 > >>> 2) Have option for the ipa tool to send version-less command to the server >>> which should thus behave as if it is the same version. Bonus points if defaults >>> are not filled in this case to prevent unrecoverable Unkown Option errors. 
>>>
>>> https://fedorahosted.org/freeipa/ticket/4768
>>
>> Not sending version and not computing defaults are very different things and
>> their implementation will be very different too. I would not mix them together.
>
> We are now getting more in the design, but the idea was that sending the
> defaults may force the server to refuse serving the command even if the caller
> did not explicitly request that option. Even if the caller did not care about
> the new default option in 4.x, he would not be able to call the command as it
> would be always sent to the old server.

+1 that not sending defaults is essential for this case. IMHO we should
not send them at all.

>
>>> Rest would be left for later releases. Please holler if there is disagreement
>>> with this plan.
>>
>> I agree with Nathaniel that we should do thin client ASAP.
>
> I agree too, but given it is not realistic for 4.2, we need to do at least
> something in 4.2 for projects which need to use the CLI against older versions.
>
> Skipping version and client defaults seemed like the low-hanging fruit that
> could help them. If there is a better idea about what else can be done in 4.2,
> I am open to it.
>
> Martin
>

--
Petr Vobornik

From jcholast at redhat.com Thu Apr 9 08:00:50 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 09 Apr 2015 10:00:50 +0200 Subject: [Freeipa-devel] Designing better API compatibility In-Reply-To: <55262E34.2020201@redhat.com> References: <550C1CFB.3020402@redhat.com> <1426857556.2981.144.camel@willson.usersys.redhat.com> <550C22C4.2000908@redhat.com> <1426859936.2981.146.camel@willson.usersys.redhat.com> <1426863072.2504.8.camel@redhat.com> <550C39B5.5030006@redhat.com> <550C440F.9030907@redhat.com> <55253ECA.4010608@redhat.com> <55262767.7020407@redhat.com> <55262BAD.10204@redhat.com> <55262E34.2020201@redhat.com> Message-ID: <552631B2.6080800@redhat.com> Dne 9.4.2015 v 09:45 Petr Vobornik napsal(a): > On 04/09/2015 09:35 AM, Martin Kosek wrote: >> On 04/09/2015 09:16 AM, Jan Cholasta wrote: >>> Dne 8.4.2015 v 16:44 Martin Kosek napsal(a): >>>> On 03/20/2015 05:00 PM, Petr Vobornik wrote: >>>>> On 03/20/2015 04:16 PM, Petr Spacek wrote: >>>>>> On 20.3.2015 15:51, Nathaniel McCallum wrote: >>>>>>> On Fri, 2015-03-20 at 09:58 -0400, Simo Sorce wrote: >>>>>>>> On Fri, 2015-03-20 at 14:38 +0100, Martin Kosek wrote: >>>>>>>>> >>>>>>>>> Correct. I see 2 approaches here: >>>>>>>>> >>>>>>>>> a) Thin client, which simply downloads metadata from the (old) >>>>>>>>> server and won't >>>>>>>>> use unsupported commands/parameters >>>>>>>>> b) Not-so-thin client that knows the minimal API versions of >>>>>>>>> commands/parameters (can be annotated in the code), that would >>>>>>>>> ping the server >>>>>>>>> first to identify it's version, validate that the chosen set of >>>>>>>>> commands/parameters is supported on that server and then send the >>>>>>>>> commands with >>>>>>>>> that version. 
>>>>>>>> >>>>>>>> If we have a recognizable error the client can take an optimistic >>>>>>>> approach, send the command normally, if it gets an error that the >>>>>>>> server does not understand it, it checks the version in the reply >>>>>>>> and falls back to an older "baseline" version of the command (if >>>>>>>> possible) or bails out with an error. >>>>>>> >>>>>>> My understanding was that: >>>>>>> >>>>>>> 1. We already publish all the information necessary to implement a >>>>>>> thin client, and have for some time. >>>>>> We certainly have *some* data but real thin client will most >>>>>> likely require >>>>>> some changes. Some information like return types and so on are >>>>>> missing. >>>>>> >>>>>>> 2. Thus, the thin client would work on both new and old versions >>>>>>> since >>>>>>> it just simply translates from user input into JSON/XML. >>>>>>> >>>>>>> 3. Only plugins with specific client behavior would need to be >>>>>>> ported >>>>>>> to the thin client. A prime example of this is otptoken-add-yubikey. >>>>>>> >>>>>>> My preference is solidly for implementing the thin client first. >>>>>>> Once >>>>>>> we have decoupled the client from the current plugin framework, >>>>>>> server- >>>>>>> side changes can be made in isolation. This decoupling is the move >>>>>>> that is essentially necessary to provide proper API versioning. >>>>>>> And if >>>>>>> this can't land for 4.2, land it in the next release. I'd rather do >>>>>>> API-stability correctly and a release later than rushed with >>>>>>> compromises. We have to live with this forever. >>>>>> + all votes I have :-) >>>>>> >>>>> >>>>> +1 >>>> >>>> Ok. So to sum up this thread (and do the actual changes in Trac), in >>>> FreeIPA >>>> 4.2, we would: >>>> >>>> 1) Prepare the API UI browser or generated API documentation so that >>>> people >>>> could finally see the existing API without having to read the code >>>> or inspect >>>> jquery sent by the Web UI. 
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3129
>>>
>>> This is not related to API compatibility, it just uses the same
>>> metadata.
>>
>> It is not related to API compatibility per se, but very related to
>> better API consumption and a low-hanging fruit we could start with,
>> since we have the metadata already
>
> +1
>
>>
>>>> 2) Have option for the ipa tool to send version-less command to the
>>>> server which should thus behave as if it is the same version. Bonus
>>>> points if defaults are not filled in this case to prevent
>>>> unrecoverable Unknown Option errors.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4768
>>>
>>> Not sending version and not computing defaults are very different
>>> things and their implementation will be very different too. I would
>>> not mix them together.
>>
>> We are now getting more in the design, but the idea was that sending the
>> defaults may force the server to refuse serving the command even if the
>> caller did not explicitly request that option. Even if the caller did
>> not care about the new default option in 4.x, he would not be able to
>> call the command as it would be always sent to the old server.
>
> +1 that not sending defaults is essential for this case. IMHO we should
> not send them at all.

I agree with that, I'm just saying it won't be as simple as it sounds and
certainly not as simple as not sending the version.

>
>>
>>>> Rest would be left for later releases. Please holler if there is
>>>> disagreement with this plan.
>>>
>>> I agree with Nathaniel that we should do thin client ASAP.
>>
>> I agree too, but given it is not realistic for 4.2, we need to do at
>> least something in 4.2 for projects which need to use the CLI against
>> older versions.
>>
>> Skipping version and client defaults seemed like the low-hanging fruit
>> that could help them. If there is a better idea about what else can be
>> done in 4.2, I am open to it.
>>
>> Martin
>>
>

--
Jan Cholasta

From jcholast at redhat.com Thu Apr 9 10:30:03 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 09 Apr 2015 12:30:03 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55259523.9080900@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> Message-ID: <552654AB.4070408@redhat.com> Dne 8.4.2015 v 22:52 Martin Kosek napsal(a): > On 04/08/2015 06:03 PM, Nathaniel McCallum wrote: >> On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote: >>> On 08/04/15 17:46, Luc de Louw wrote: >>>> On 04/08/2015 05:14 PM, Martin Basti wrote: >>>>> On 08/04/15 17:12, Luc de Louw wrote: >>>>>> >>>>>> On 04/08/2015 05:05 PM, Martin Basti wrote: >>>>>>> On 08/04/15 16:55, Nathaniel McCallum wrote: >>>>>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote: >>>>>>>>> Hi there, >>>>>>>>> >>>>>>>>> At the moment ipa otptoken-add-yubikey does not add the >>>>>>>>> parameter >>>>>>>>> "APPEND_CR". This prevents submit the password+OTP. >>>>>>>>> APPEND_CR is >>>>>>>>> usually >>>>>>>>> very handy, most people use this functionality. >>>>>>>>> >>>>>>>>> The patch changes the behavior to set APPEND_CR by >>>>>>>>> default and let >>>>>>>>> the >>>>>>>>> user override this by using the the --do-not-append-cr >>>>>>>>> option. >>>>>>>> This patch is very helpful and I would like to see it >>>>>>>> merged. Thanks >>>>>>>> Luc! >>>>>>>> >>>>>>>> 1. This patch needs to be formatted according to the >>>>>>>> FreeIPA >>>>>>>> formatting. See: >>>>>>>> https://www.freeipa.org/page/Contribute/Patch_Format >>>>>>>> >>>>>>>> 2. The flag should be named "no_cr" instead of >>>>>>>> "do_not_append_cr". >>>>>>>> >>>>>>>> 3. The comment is not necessary since what the code does >>>>>>>> is obvious. 
>>>>>>>>
>>>>>>>> Nathaniel
>>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> 4) this patch changes API, so please run ./makeapi to regenerate the
>>>>>>> API.txt file and add the changes into the patch + please bump the API
>>>>>>> minor version in the VERSION file
>>>>>>>
>>>>>>> thanks.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> When running makeapi, I get the following error:
>>>>>>   File "/home/luc/freeipa/ipalib/constants.py", line 25, in
>>>>>>     from ipaplatform.paths import paths
>>>>>> ImportError: No module named paths
>>>>>>
>>>>>> Any hints?
>>>>>>
>>>>>> The other changes are ready to submit.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Luc
>>>>> You may need to run 'make version-upgrade' or 'make' to prepare the
>>>>> module.
>>>>>
>>>>> If it will not work, you can send an incomplete patch, I will add the
>>>>> API changes there, just bump VERSION please
>>>>>
>>>>
>>>> Martin,
>>>>
>>>> Thanks for your hints, seems to work, please have a look at it...
>>>>
>>>> Thanks,
>>>>
>>>> Luc
>>>>
>>>>
>>> Thanks,
>>>
>>> please change the comment too
>>>
>>> -IPA_API_VERSION_MINOR=116
>>> +IPA_API_VERSION_MINOR=117
>>> # Last change: tbordaz - Add stageuser_add command"
>>>
>>> Otherwise patch looks good, but Nathaniel is the OTP guru, he should say
>>> the final ack.
>>
>> I'm also a tough reviewer. :)
>>
>> 1. Remove the unnecessary code comment.
>>
>> 2. There appears to be inconsistent indentation in the flag parameter
>> specification. It is probably a mix of tabs and spaces.
>>
>> 3. The git commit comment should contain one short summary line
>> without terminating punctuation followed by any necessary explanatory
>> paragraphs. You can change this via the "--amend" option to "git
>> commit". Try the following:
>>
>> Enable YubiKey carriage return emission via otptoken-add-yubikey
>>
>> Before this patch, YubiKeys programmed by IPA would not emit the
>> carriage return character at the end of the OTP value.
>> This requires the user to press his YubiKey and then (unnecessarily) the
>> Enter or Return key. After this patch, the user only needs to press the
>> YubiKey.
>>
>> Should a user desire to omit the carriage return character, the --no-cr
>> option can be specified.
>>
>> Nathaniel
>>
>
> One more note to the API. By my experience, using a Flag for a boolean
> data input has often proved to be a bad call.
>
> Let's say you now introduce --no-cr flag. What if we decide to change
> the default to False? How would you then change the option/API?

You would have to add --cr flag.

>
> It is more flexible IMO to just use something like
>
> --cr=TRUE|FALSE with TRUE being the default

I would say --append-cr=TRUE|FALSE with no default, meaning do not add the
flag to the config at all.

>
> Martin
>

--
Jan Cholasta

From tbordaz at redhat.com Thu Apr 9 10:42:43 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 09 Apr 2015 12:42:43 +0200
Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior
In-Reply-To: <55252E30.7060301@redhat.com>
References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com> <55252E30.7060301@redhat.com>
Message-ID: <552657A3.7040503@redhat.com>

On 04/08/2015 03:33 PM, Jan Cholasta wrote:
> On 8.4.2015 at 15:00, thierry bordaz wrote:
>> On 04/08/2015 08:34 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 1.4.2015 at 17:40, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>> In the user life cycle, Active entries are moved to the Delete container
>>>> and Delete entries can be moved back to the Staging container.
>>>> This requires an LDAP modrdn with a new superior, which is not supported
>>>> in ldap2.
>>>
>>> Since update_entry_rdn() is used only in one spot in baseldap, I think
>>> we can merge it and move_entry_newsuperior() into a single method
>>> move_entry():
>>>
>>>     def move_entry(self, dn, new_dn, del_old=True):
>>>
>>> We can easily detect whether the superior needs to be updated by
>>> comparing dn[1:] and new_dn[1:].
>>
>> Hello Jan,
>>
>> Yes that is a good idea to merge those two methods. They both rely on
>> modrdn and a single method is enough.
>
> Well, I had something like this in mind:
>
>     def move_entry(self, dn, new_dn, del_old=True):
>         assert isinstance(dn, DN)
>         assert isinstance(new_dn, DN)
>
>         if new_dn == dn:
>             raise errors.EmptyModlist()
>
>         new_rdn = new_dn[0]
>         if new_rdn == dn[0]:
>             new_rdn = None
>
>         new_superior = new_dn[1:]
>         if new_superior == dn[1:]:
>             new_superior = None
>
>         with self.error_handler():
>             self.conn.rename_s(dn, new_rdn, new_superior, int(del_old))
>             time.sleep(.3)  # Give memberOf plugin a chance to work
>
> so that you don't have to care if you should change the RDN or the
> superior and it just does the right thing.
>
>>
>>>
>>> Maybe we can also get rid of del_old, if it's always gonna be True in
>>> our code?
>>
>> I think it is better to get this interface as close as possible to the
>> MODRDN call, so that the del_old option will already be available for
>> future usage.
>> I agree that currently del_old is always true in the case of IPA but it
>> could be the default value.
>
> OK, it's not a big piece of code, so I guess we can leave it.
>

Thanks for the reviews and the help. Here is a new patch.

thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0004-3-User-life-cycle-allows-MODRDN-from-ldap2.patch
Type: text/x-patch
Size: 3660 bytes
Desc: not available
URL:

From mkosek at redhat.com Thu Apr 9 10:42:58 2015
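The single move_entry() discussed in the thread above, as an added example that is not FreeIPA's ldap2 code: it decides from dn[0]/new_dn[0] and dn[1:]/new_dn[1:] whether the RDN, the superior, or both must change, and issues one modrdn. DNs are modelled as tuples of RDN strings, the connection is an in-memory stand-in for rename_s(), and the container names and the user entry are constructed sample data, so it runs without an LDAP server.

```python
# Added example, not FreeIPA's code: one move_entry() that covers both an
# RDN change and a change of superior, following the approach proposed in
# the thread.  DNs are modelled as tuples of RDN strings and the LDAP
# connection is an in-memory stand-in, so this runs offline; the container
# names and the user entry below are constructed sample data.


class EmptyModlist(Exception):
    """Stand-in for ipalib.errors.EmptyModlist (assumption)."""


def parse_dn(text):
    """Split a simple DN string into a tuple of RDN strings.

    Constructed helper: it does not handle escaped ',' inside values.
    """
    return tuple(part.strip() for part in text.split(','))


def plan_modrdn(dn, new_dn):
    """Return the (newrdn, newsuperior) pair that turns dn into new_dn.

    Each element is None when that part is unchanged, which is exactly how
    the proposed move_entry() decides by comparing dn[0] with new_dn[0]
    and dn[1:] with new_dn[1:].
    """
    if new_dn == dn:
        raise EmptyModlist("entry is already at %s" % ','.join(dn))
    new_rdn = new_dn[0] if new_dn[0] != dn[0] else None
    new_superior = new_dn[1:] if new_dn[1:] != dn[1:] else None
    return new_rdn, new_superior


class FakeConnection:
    """In-memory stand-in for the connection's rename_s() (modrdn).

    It accepts newrdn=None for 'keep the RDN', which is what the thread's
    move_entry() passes when only the superior changes.
    """

    def __init__(self, entries):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}

    def rename_s(self, dn, newrdn=None, newsuperior=None, delold=1):
        entry = self.entries.pop(dn)
        rdn = newrdn if newrdn is not None else dn[0]
        superior = tuple(newsuperior) if newsuperior is not None else dn[1:]
        target = (rdn,) + superior
        if target in self.entries:
            self.entries[dn] = entry
            raise KeyError("entry already exists: %s" % ','.join(target))
        # Keep the naming attribute consistent with the new RDN: add the new
        # value and, with deleteoldrdn set, drop the old one (modrdn semantics).
        old_attr, old_value = dn[0].split('=', 1)
        new_attr, new_value = rdn.split('=', 1)
        values = entry.setdefault(new_attr, [])
        if new_value not in values:
            values.append(new_value)
        if delold and (new_attr, new_value) != (old_attr, old_value):
            entry[old_attr] = [v for v in entry.get(old_attr, []) if v != old_value]
        self.entries[target] = entry
        return target


def move_entry(conn, dn, new_dn, del_old=True):
    """Move and/or rename an entry with a single modrdn, whichever parts differ."""
    new_rdn, new_superior = plan_modrdn(dn, new_dn)
    return conn.rename_s(dn, new_rdn, new_superior, int(del_old))


def lifecycle_demo():
    """Constructed walk-through: active -> deleted -> staged -> renamed."""
    base = "dc=example,dc=test"
    active = parse_dn("uid=alice,cn=users,cn=accounts," + base)
    deleted = parse_dn("uid=alice,cn=deleted users,cn=accounts,cn=provisioning," + base)
    staged = parse_dn("uid=alice,cn=staged users,cn=accounts,cn=provisioning," + base)
    renamed = parse_dn("uid=alice2,cn=staged users,cn=accounts,cn=provisioning," + base)
    plans = [plan_modrdn(active, deleted),   # only the superior changes
             plan_modrdn(staged, renamed)]   # only the RDN changes
    conn = FakeConnection({active: {"uid": ["alice"], "cn": ["Alice"]}})
    move_entry(conn, active, deleted)
    move_entry(conn, deleted, staged)
    move_entry(conn, staged, renamed)
    return plans, sorted(conn.entries), conn.entries[renamed]
```

lifecycle_demo() walks an entry through the containers named in the thread (the container DNs are constructed here) and shows the two degenerate cases explicitly: a pure move yields (None, new_superior), a pure rename yields (new_rdn, None), and the same DN on both sides raises EmptyModlist instead of sending a no-op modrdn.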
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 09 Apr 2015 12:42:58 +0200
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
In-Reply-To: <552654AB.4070408@redhat.com>
References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com>
Message-ID: <552657B2.8090706@redhat.com>

On 04/09/2015 12:30 PM, Jan Cholasta wrote:
> On 8.4.2015 at 22:52, Martin Kosek wrote:
>> On 04/08/2015 06:03 PM, Nathaniel McCallum wrote:
>>> On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote:
>>>> On 08/04/15 17:46, Luc de Louw wrote:
>>>>> On 04/08/2015 05:14 PM, Martin Basti wrote:
>>>>>> On 08/04/15 17:12, Luc de Louw wrote:
>>>>>>>
>>>>>>> On 04/08/2015 05:05 PM, Martin Basti wrote:
>>>>>>>> On 08/04/15 16:55, Nathaniel McCallum wrote:
>>>>>>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote:
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> At the moment ipa otptoken-add-yubikey does not add the parameter
>>>>>>>>>> "APPEND_CR". This prevents submitting the password+OTP. APPEND_CR is
>>>>>>>>>> usually very handy; most people use this functionality.
>>>>>>>>>>
>>>>>>>>>> The patch changes the behavior to set APPEND_CR by default and lets
>>>>>>>>>> the user override this by using the --do-not-append-cr option.
>>>>>>>>> This patch is very helpful and I would like to see it merged. Thanks
>>>>>>>>> Luc!
>>>>>>>>>
>>>>>>>>> 1. This patch needs to be formatted according to the FreeIPA
>>>>>>>>> formatting. See:
>>>>>>>>> https://www.freeipa.org/page/Contribute/Patch_Format
>>>>>>>>>
>>>>>>>>> 2. The flag should be named "no_cr" instead of "do_not_append_cr".
>>>>>>>>>
>>>>>>>>> 3. The comment is not necessary since what the code does is obvious.
>>>>>>>>>
>>>>>>>>> Nathaniel
>>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> 4) this patch changes API, so please run ./makeapi to regenerate the
>>>>>>>> API.txt file and add the changes into the patch + please bump the API
>>>>>>>> minor version in the VERSION file
>>>>>>>>
>>>>>>>> thanks.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> When running makeapi, I get the following error:
>>>>>>>   File "/home/luc/freeipa/ipalib/constants.py", line 25, in
>>>>>>>     from ipaplatform.paths import paths
>>>>>>> ImportError: No module named paths
>>>>>>>
>>>>>>> Any hints?
>>>>>>>
>>>>>>> The other changes are ready to submit.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Luc
>>>>>> You may need to run 'make version-upgrade' or 'make' to prepare the
>>>>>> module.
>>>>>>
>>>>>> If it will not work, you can send an incomplete patch, I will add the
>>>>>> API changes there, just bump VERSION please
>>>>>>
>>>>>
>>>>> Martin,
>>>>>
>>>>> Thanks for your hints, seems to work, please have a look at it...
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Luc
>>>>>
>>>>>
>>>> Thanks,
>>>>
>>>> please change the comment too
>>>>
>>>> -IPA_API_VERSION_MINOR=116
>>>> +IPA_API_VERSION_MINOR=117
>>>> # Last change: tbordaz - Add stageuser_add command"
>>>>
>>>> Otherwise patch looks good, but Nathaniel is the OTP guru, he should say
>>>> the final ack.
>>>
>>> I'm also a tough reviewer. :)
>>>
>>> 1. Remove the unnecessary code comment.
>>>
>>> 2. There appears to be inconsistent indentation in the flag parameter
>>> specification. It is probably a mix of tabs and spaces.
>>>
>>> 3. The git commit comment should contain one short summary line
>>> without terminating punctuation followed by any necessary explanatory
>>> paragraphs. You can change this via the "--amend" option to "git
>>> commit".
>>> Try the following:
>>>
>>> Enable YubiKey carriage return emission via otptoken-add-yubikey
>>>
>>> Before this patch, YubiKeys programmed by IPA would not emit the
>>> carriage return character at the end of the OTP value. This requires
>>> the user to press his YubiKey and then (unnecessarily) the Enter or
>>> Return key. After this patch, the user only needs to press the YubiKey.
>>>
>>> Should a user desire to omit the carriage return character, the --no-cr
>>> option can be specified.
>>>
>>> Nathaniel
>>>
>>
>> One more note to the API. By my experience, using a Flag for a boolean
>> data input has often proved to be a bad call.
>>
>> Let's say you now introduce --no-cr flag. What if we decide to change
>> the default to False? How would you then change the option/API?
>
> You would have to add --cr flag.

That was the point - some clients would send "cr" flag, some "no_cr" and
there would have to be special handling.

>> It is more flexible IMO to just use something like
>>
>> --cr=TRUE|FALSE with TRUE being the default
>
> I would say --append-cr=TRUE|FALSE with no default, meaning do not add the
> flag to the config at all.

I thought the idea was to append the CR by default, i.e.
--append-cr=TRUE|FALSE with TRUE being the default.

From pvoborni at redhat.com Thu Apr 9 11:56:16 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 09 Apr 2015 13:56:16 +0200
Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation
In-Reply-To: <551D11C2.4070902@redhat.com>
References: <551A72DB.3020105@redhat.com> <551D11C2.4070902@redhat.com>
Message-ID: <552668E0.4050601@redhat.com>

On 04/02/2015 11:54 AM, Petr Viktorin wrote:
> On 03/31/2015 12:11 PM, Petr Vobornik wrote:
>> The only different thing is a lack of utf-8 encoded str support (as
>> input). I don't know how important the support is.
>
> I don't think that support is too important (assuming IPA doesn't use
> it!). However, the behavior with this patch is dangerous.
> It allows unicode and ASCII strings, but fails on non-ASCII strings.
> That means things will usually work, but as soon as a non-ASCII
> component is introduced at the wrong place, you get an error.
>
> Restoring support for utf-8 encoded str looks easy to do; here's a patch
> you can squash in. Or did I miss something?

I also had to fix creation of AVAs to support utf-8 encoded str as input
for attr and value (separately).

>
>> maybe it could be attached to ticket
>> https://fedorahosted.org/freeipa/ticket/4947
>> -----
>> DN code was optimized to be faster if DNs are created from string. This
>> is the major use case, since most DNs come from LDAP.
>>
>> With this patch, DN creation is almost 8-10x faster (with 30K-100K DNs).
>>
>> Second major use case - deepcopy in LDAPEntry is about 20x faster - done
>> by custom __deepcopy__ function.
>>
>> The major change is that DN is no longer internally composed of RDNs
>> and AVAs but it rather keeps the data in open ldap format - the same as
>> output of str2dn function. Therefore, for immutable DNs, no other
>> transformations are required on instantiation.
>>
>> The format is:
>>
>> DN: [RDN, RDN,...]
>> RDN: [AVA, AVA,...]
>> AVA: ['utf-8 encoded str - attr', 'utf-8 encoded str - value', FLAG]
>> FLAG: int
>>
>> Further indexing of a DN object constructs an RDN which is just an
>> encapsulation of the RDN part of the open ldap representation. Indexing
>> of an RDN constructs an AVA in the same fashion.
>>
>> EditableAVA and EditableRDN obtained from EditableDN share the respective
>> lists of the open ldap repr. so that a change of value or attr is
>> reflected in the parent object.
>
>
> Looks good. A couple of comments:
>
> RDN.to_openldap: _avas always has 3 components, right? I'd prefer
> `list(a)` over `[a[0], a[1], a[2]]`. Similarly for tuple in __add__
> and RDN._avas_from_sequence.

Fixed

>
> DN._rdns_from_value: the error message at the end is wrong, RDN is also
> accepted. (And, `type(value)` would be more informative than
> `value.__class__.__name__`.)

Fixed

>
> You can optimize __deepcopy__ for immutable DNs even further: just
> return self!

Fixed, but kept part for EditableDN

>
> In DN.find & rfind, RDNs are not accepted but the error message says
> they are.

messages fixed

>
> You removed the newline at end of file.
>

line readded

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0811-1-performance-faster-DN-implementation.patch
Type: text/x-patch
Size: 37436 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Apr 9 11:56:34 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 09 Apr 2015 13:56:34 +0200
Subject: [Freeipa-devel] [PATCH] 809 speed up convert_attribute_members
In-Reply-To: <551CF415.3070100@redhat.com>
References: <551A72CE.2070403@redhat.com> <551CF415.3070100@redhat.com>
Message-ID: <552668F2.4000505@redhat.com>

On 04/02/2015 09:47 AM, Jan Cholasta wrote:
> Hi,
>
> On 31.3.2015 at 12:11, Petr Vobornik wrote:
>> A workaround to avoid usage of slow LDAPEntry._sync_attr #4946.
>>
>> I originally wanted to avoid DN processing as well but we can't do that
>> because of DNs which are encoded - e.g. contain '+' or ','. Therefore
>> patch 811 - faster DN implementation is very useful. Also patch 809 is
>> useful to avoid high load of 389.
>>
>> https://fedorahosted.org/freeipa/ticket/4965
>
>
> 1)
>
> + dn = container_dns.get(ldap_obj_name, None)
> + if not dn:
> + ldap_obj = self.api.Object[ldap_obj_name]
> + dn = DN(ldap_obj.container_dn, api.env.basedn)
> + container_dns[ldap_obj_name] = dn
> + return dn
>
> a) The second argument of .get() is None by default
>
> b) "not dn" matches None as well as empty DNs, use "dn is not None"
> (it's not that there could be empty DNs here, but let's not give a
> potential reader the wrong idea)
>
> c) It would be better to catch KeyError rather than call .get() and
> check the result:
>
>     try:
>         dn = container_dns[ldap_obj_name]
>     except KeyError:
>         dn = ...
>         container_dns[ldap_obj_name] = dn

Changed

>
>
> 2) Does get_new_attr() actually provide any speed up? Unless I'm missing
> something, it just mirrors the virtual member attributes already readily
> available from entry_attrs in new_attrs.

Yes, a bit. With 30K members and my vm get_new_attr takes ~ 0.114s.
setdefault takes ~ 0.686s which is about 7-10% of the entire
convert_attribute_members. Pure dict is faster.

>
>
> 3) get_container_dn() and get_new_attr() do not need to be functions,
> since each is called just from a single spot.
Changed

>
>
> 4) "memberdn = DN(member)" could be one for loop up.
>

Changed

>
> Here's what I ended up with trying to fix the above (untested):
>
>     for attr in self.attribute_members:
>         try:
>             value = entry_attrs.raw[attr]
>         except KeyError:
>             continue
>         del entry_attrs[attr]
>
>         ldap_objs = {}
>         for ldap_obj_name in self.attribute_members[attr]:
>             ldap_obj = self.api.Object[ldap_obj_name]
>             container_dn = DN(ldap_obj.container_dn, api.env.basedn)
>             ldap_objs[container_dn] = ldap_obj
>
>         for member in value:
>             memberdn = DN(member)
>             try:
>                 ldap_obj = ldap_objs[DN(*memberdn[1:])]
>             except KeyError:
>                 continue
>
>             new_attr = '%s_%s' % (attr, ldap_obj.name)
>             new_value = ldap_obj.get_primary_key_from_dn(memberdn)
>             entry_attrs.setdefault(new_attr, []).append(new_value)

Without any modifications the code is ~ 2.3x slower than mine. In patch
811 DN's slice, __hash__ and __eq__ functions are optimized.

>
> Honza
>

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0809-1-speed-up-convert_attribute_members.patch
Type: text/x-patch
Size: 2892 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Apr 9 11:56:45 2015
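The two patches discussed in the last two messages fit together, so here is one added example (Python 3, not FreeIPA's DN or baseldap code) that serves both: a small immutable DN that keeps the str2dn-style nested representation described for patch 811 (a tuple of RDNs, each a tuple of (attr, value, flag) AVAs) and uses it directly for slicing, hashing, equality and a __deepcopy__ that returns self; and, on top of it, the container lookup that patch 809's convert_attribute_members performs, mapping each raw member DN to an object type by comparing memberdn[1:] with each object's container DN. The object names, container DNs and group entry are constructed sample data, and the comparison rule (attribute names and values compared case-insensitively) is an assumption of this example, not necessarily FreeIPA's.

```python
# Added example, not FreeIPA's code.  DN parsing and comparison rules here
# are simplified assumptions; the sample object types, containers and the
# group entry in the demo are constructed.
import copy


def str2dn(text):
    """Parse a DN string into [[(attr, value, flag), ...], ...].

    Handles backslash escapes and '+' for multi-valued RDNs; the flag is
    always 0 here (python-ldap's str2dn reports the value encoding in it).
    """
    rdns, avas, buf = [], [], []
    attr = None
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '\\' and i + 1 < n:      # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if c == '=' and attr is None:
            attr = ''.join(buf).strip()
            buf = []
        elif c in ',+':
            if attr is None:
                raise ValueError("RDN without '=' in %r" % text)
            avas.append((attr, ''.join(buf).strip(), 0))
            attr, buf = None, []
            if c == ',':
                rdns.append(avas)
                avas = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % text)
    avas.append((attr, ''.join(buf).strip(), 0))
    rdns.append(avas)
    return rdns


def _escape(value):
    return value.replace('\\', '\\\\').replace(',', '\\,').replace('+', '\\+')


class DN(object):
    """Immutable DN kept in the open ldap (str2dn) representation."""

    def __init__(self, *parts):
        rdns = []
        for part in parts:
            if isinstance(part, DN):
                rdns.extend(part._rdns)
            elif isinstance(part, str):
                rdns.extend(tuple(rdn) for rdn in str2dn(part))
            else:
                raise TypeError("expected str or DN, got %s" % type(part))
        self._rdns = tuple(rdns)
        self._key = self._make_key(self._rdns)

    @staticmethod
    def _make_key(rdns):
        # Assumption: case-insensitive attribute names and values; AVAs within
        # a multi-valued RDN are order-independent.
        return tuple(tuple(sorted((a.lower(), v.lower()) for a, v, _ in rdn))
                     for rdn in rdns)

    @classmethod
    def _from_rdns(cls, rdns):
        dn = cls.__new__(cls)            # slices reuse the tuples, no re-parsing
        dn._rdns = tuple(rdns)
        dn._key = cls._make_key(dn._rdns)
        return dn

    def __len__(self):
        return len(self._rdns)

    def __getitem__(self, idx):
        if isinstance(idx, slice):
            return DN._from_rdns(self._rdns[idx])
        return self._rdns[idx]           # an RDN: tuple of (attr, value, flag)

    def __eq__(self, other):
        return isinstance(other, DN) and self._key == other._key

    def __hash__(self):
        return hash(self._key)

    def __deepcopy__(self, memo):
        return self                      # immutable, so the copy is the object

    def __str__(self):
        return ','.join('+'.join('%s=%s' % (a, _escape(v)) for a, v, _ in rdn)
                        for rdn in self._rdns)


def deepcopy_is_identity(dn):
    """True when copy.deepcopy(dn) hands back the very same object."""
    return copy.deepcopy(dn) is dn


def convert_attribute_members(entry, attribute_members, containers, basedn):
    """Replace raw member DNs with <attr>_<object> lists of primary keys.

    entry: {attr: [values]} modified in place, like entry_attrs.
    attribute_members: e.g. {'member': ['user', 'group']}.
    containers: {object name: container DN relative to basedn} (constructed).
    """
    for attr, obj_names in attribute_members.items():
        try:
            values = entry.pop(attr)
        except KeyError:
            continue
        ldap_objs = {DN(containers[name], basedn): name for name in obj_names}
        for member in values:
            memberdn = DN(member)
            name = ldap_objs.get(memberdn[1:])     # hashed slice lookup
            if name is None:
                continue                            # member lives elsewhere
            primary_key = memberdn[0][0][1]         # value of the RDN's first AVA
            entry.setdefault('%s_%s' % (attr, name), []).append(primary_key)
    return entry
```

The dict lookup ldap_objs.get(memberdn[1:]) is where the faster slice, __hash__ and __eq__ pay off: every member costs one parse and one tuple hash, and a member outside any known container (the uid=bob entry under dc=other in the test) is simply skipped.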
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 09 Apr 2015 13:56:45 +0200
Subject: [Freeipa-devel] [PATCH] 810 speed up indirect member processing
In-Reply-To: <5524E517.9000704@redhat.com>
References: <551A72D4.9080002@redhat.com> <5524E517.9000704@redhat.com>
Message-ID: <552668FD.1080101@redhat.com>

On 04/08/2015 10:21 AM, Jan Cholasta wrote:
> Hi,
>
> On 31.3.2015 at 12:11, Petr Vobornik wrote:
>> the old implementation tried to get all entries which are members of a
>> group. That means also users. A user can't have any members, therefore
>> this costly processing was unnecessary.
>>
>> The new implementation reduces the search only to entries which can have
>> members.
>>
>> Also page size was removed to avoid paging by small pages (default size:
>> 100) which is very slow for many members.
>>
>> https://fedorahosted.org/freeipa/ticket/4947
>>
>> Useful to test with #809
>
> 1) To search for entries with members, you should search for entries
> with the member attribute set ('(member=*)'), not for entries with some
> arbitrary object class.

Replaced, new presence index added

>
>
> 2) I don't like how the search in get_memberindirect is limited to an
> arbitrary hard-coded subtree. You should go through the object's
> attribute_members to figure out which subtrees to search.
>

The subtree search was removed.

>
> 3) Since memberindirect and memberofindirect are not real attributes,
> you must define their syntax in ipaldap before you can set them using
> .raw[], otherwise they will be decoded to the wrong type.

Added.

>
> 4) The processing of memberof should be done even when memberofindirect
> is not requested, otherwise its value will depend on whether
> memberofindirect was requested or not.

True, but it's the same behavior as before. Could be changed in another
patch.

>
>
> 5) I would prefer if all membership processing
> (.convert_attribute_members() and .get_indirect_members()) was done in a
> single LDAPObject method.
Now, as before, get_indirect_members is called before post callbacks and
convert_attribute_members after. If it should be combined, it should be
done separately.

>
>
> Honza
>

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0810-1-speed-up-indirect-member-processing.patch
Type: text/x-patch
Size: 13206 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Apr 9 12:28:21 2015
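The indirect-membership computation the review above is about, as an added example over an in-memory directory (not FreeIPA's get_indirect_members): only entries that carry a member attribute are expanded, which is what the '(member=*)' presence filter Jan suggested gives you server-side, so users are never inspected; memberindirect is the transitive closure minus the direct members, and memberofindirect is the same walk run over the reversed edges. The group and user DNs are constructed sample data.

```python
# Added example, not FreeIPA's code.  The directory, its group and user DNs
# are constructed sample data; membership is walked in memory.

GROUP = 'cn=%s,cn=groups,cn=accounts,dc=example,dc=test'
USER = 'uid=%s,cn=users,cn=accounts,dc=example,dc=test'

SAMPLE_DIRECTORY = {
    GROUP % 'admins': {'member': [USER % 'alice', GROUP % 'editors']},
    GROUP % 'editors': {'member': [USER % 'bob', GROUP % 'writers']},
    GROUP % 'writers': {'member': [USER % 'carol', USER % 'bob']},
    GROUP % 'empty': {},
    USER % 'alice': {},
    USER % 'bob': {},
    USER % 'carol': {},
}


def entries_with_members(directory):
    """Emulate the '(member=*)' search: only entries that can have members."""
    return {dn: entry for dn, entry in directory.items() if entry.get('member')}


def get_indirect_members(directory, group_dn):
    """Return (memberindirect, inspected) for group_dn.

    inspected counts the entries actually expanded; users never appear in
    the '(member=*)' result set, so they cost nothing to skip.
    """
    expandable = entries_with_members(directory)
    direct = set(directory[group_dn].get('member', []))
    seen, queue, inspected = set(direct), list(direct), 0
    while queue:
        dn = queue.pop()
        entry = expandable.get(dn)
        if entry is None:
            continue                      # a user (or an empty group): nothing to expand
        inspected += 1
        for member in entry['member']:
            if member not in seen and member != group_dn:   # guard against cycles
                seen.add(member)
                queue.append(member)
    return sorted(seen - direct), inspected


def get_memberof(directory, target_dn):
    """Return (memberof, memberofindirect) for target_dn via a reverse walk."""
    parents = {}
    for dn, entry in entries_with_members(directory).items():
        for member in entry['member']:
            parents.setdefault(member, set()).add(dn)
    direct = set(parents.get(target_dn, ()))
    seen, queue = set(direct), list(direct)
    while queue:
        dn = queue.pop()
        for parent in parents.get(dn, ()):
            if parent not in seen and parent != target_dn:
                seen.add(parent)
                queue.append(parent)
    return sorted(direct), sorted(seen - direct)
```

On the sample directory of seven entries only three match the presence filter, and expanding cn=admins touches exactly two of them (cn=editors and cn=writers); the users reached along the way are returned as indirect members without ever being expanded.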
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 09 Apr 2015 14:28:21 +0200
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
In-Reply-To: <552657B2.8090706@redhat.com>
References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com>
Message-ID: <55267065.4090900@redhat.com>

On 9.4.2015 at 12:42, Martin Kosek wrote:
> On 04/09/2015 12:30 PM, Jan Cholasta wrote:
>> On 8.4.2015 at 22:52, Martin Kosek wrote:
>>> On 04/08/2015 06:03 PM, Nathaniel McCallum wrote:
>>>> On Wed, 2015-04-08 at 17:53 +0200, Martin Basti wrote:
>>>>> On 08/04/15 17:46, Luc de Louw wrote:
>>>>>> On 04/08/2015 05:14 PM, Martin Basti wrote:
>>>>>>> On 08/04/15 17:12, Luc de Louw wrote:
>>>>>>>>
>>>>>>>> On 04/08/2015 05:05 PM, Martin Basti wrote:
>>>>>>>>> On 08/04/15 16:55, Nathaniel McCallum wrote:
>>>>>>>>>> On Wed, 2015-04-08 at 11:57 +0200, Luc de Louw wrote:
>>>>>>>>>>> Hi there,
>>>>>>>>>>>
>>>>>>>>>>> At the moment ipa otptoken-add-yubikey does not add the parameter
>>>>>>>>>>> "APPEND_CR". This prevents submitting the password+OTP. APPEND_CR is
>>>>>>>>>>> usually very handy; most people use this functionality.
>>>>>>>>>>>
>>>>>>>>>>> The patch changes the behavior to set APPEND_CR by default and lets
>>>>>>>>>>> the user override this by using the --do-not-append-cr option.
>>>>>>>>>> This patch is very helpful and I would like to see it merged. Thanks
>>>>>>>>>> Luc!
>>>>>>>>>>
>>>>>>>>>> 1. This patch needs to be formatted according to the FreeIPA
>>>>>>>>>> formatting.
>>>>>>>>>> See:
>>>>>>>>>> https://www.freeipa.org/page/Contribute/Patch_Format
>>>>>>>>>>
>>>>>>>>>> 2. The flag should be named "no_cr" instead of "do_not_append_cr".
>>>>>>>>>>
>>>>>>>>>> 3. The comment is not necessary since what the code does is obvious.
>>>>>>>>>>
>>>>>>>>>> Nathaniel
>>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> 4) this patch changes API, so please run ./makeapi to regenerate the
>>>>>>>>> API.txt file and add the changes into the patch + please bump the API
>>>>>>>>> minor version in the VERSION file
>>>>>>>>>
>>>>>>>>> thanks.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> When running makeapi, I get the following error:
>>>>>>>>   File "/home/luc/freeipa/ipalib/constants.py", line 25, in
>>>>>>>>     from ipaplatform.paths import paths
>>>>>>>> ImportError: No module named paths
>>>>>>>>
>>>>>>>> Any hints?
>>>>>>>>
>>>>>>>> The other changes are ready to submit.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Luc
>>>>>>> You may need to run 'make version-upgrade' or 'make' to prepare the
>>>>>>> module.
>>>>>>>
>>>>>>> If it will not work, you can send an incomplete patch, I will add the
>>>>>>> API changes there, just bump VERSION please
>>>>>>>
>>>>>>
>>>>>> Martin,
>>>>>>
>>>>>> Thanks for your hints, seems to work, please have a look at it...
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Luc
>>>>>>
>>>>>>
>>>>> Thanks,
>>>>>
>>>>> please change the comment too
>>>>>
>>>>> -IPA_API_VERSION_MINOR=116
>>>>> +IPA_API_VERSION_MINOR=117
>>>>> # Last change: tbordaz - Add stageuser_add command"
>>>>>
>>>>> Otherwise patch looks good, but Nathaniel is the OTP guru, he should say
>>>>> the final ack.
>>>>
>>>> I'm also a tough reviewer. :)
>>>>
>>>> 1. Remove the unnecessary code comment.
>>>>
>>>> 2. There appears to be inconsistent indentation in the flag parameter
>>>> specification. It is probably a mix of tabs and spaces.
>>>>
>>>> 3.
>>>> The git commit comment should contain one short summary line
>>>> without terminating punctuation followed by any necessary explanatory
>>>> paragraphs. You can change this via the "--amend" option to "git
>>>> commit". Try the following:
>>>>
>>>> Enable YubiKey carriage return emission via otptoken-add-yubikey
>>>>
>>>> Before this patch, YubiKeys programmed by IPA would not emit the
>>>> carriage return character at the end of the OTP value. This requires
>>>> the user to press his YubiKey and then (unnecessarily) the Enter or
>>>> Return key. After this patch, the user only needs to press the YubiKey.
>>>>
>>>> Should a user desire to omit the carriage return character, the --no-cr
>>>> option can be specified.
>>>>
>>>> Nathaniel
>>>>
>>>
>>> One more note to the API. By my experience, using a Flag for a boolean
>>> data input has often proved to be a bad call.
>>>
>>> Let's say you now introduce --no-cr flag. What if we decide to change
>>> the default to False? How would you then change the option/API?
>>
>> You would have to add --cr flag.
>
> That was the point - some clients would send "cr" flag, some "no_cr" and
> there would have to be special handling.
>
>>> It is more flexible IMO to just use something like
>>>
>>> --cr=TRUE|FALSE with TRUE being the default
>>
>> I would say --append-cr=TRUE|FALSE with no default, meaning do not add the
>> flag to the config at all.
>
> I thought the idea was to append the CR by default, i.e.
> --append-cr=TRUE|FALSE with TRUE being the default.
>

If you want to hardcode the default into the plugin, there is no benefit in
using Bool over Flag, because Flag is actually a Bool with hardcoded default
value.

--
Jan Cholasta

From simo at redhat.com Thu Apr 9 12:41:26 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Apr 2015 08:41:26 -0400 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <5512936A.2010007@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> Message-ID: <1428583286.19641.219.camel@willson.usersys.redhat.com> On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: > On 03/23/2015 03:13 PM, Simo Sorce wrote: > > On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: > >> On 23.3.2015 14:08, Simo Sorce wrote: > >>> On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: > >>>> On 03/17/2015 06:00 PM, Simo Sorce wrote: > >>>>> On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: > >>>>>> On 03/16/2015 12:15 PM, Martin Kosek wrote: > >>>>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote: > >>>>>>>> Attaching the next iteration of patches. > >>>>>>>> > >>>>>>>> I have tried my best to reword the ipa-client-install man page bit about the > >>>>>>>> new option. Any suggestions to further improve it are welcome. > >>>>>>>> > >>>>>>>> I have also slightly modified the 'kinit_keytab' function so that in Kerberos > >>>>>>>> errors are reported for each attempt and the text of the last error is retained > >>>>>>>> when finally raising exception. > >>>>>>> > >>>>>>> The approach looks very good. I think that my only concern with this patch is > >>>>>>> this part: > >>>>>>> > >>>>>>> + ccache.init_creds_keytab(keytab=ktab, principal=princ) > >>>>>>> ... 
> >>>>>>> + except krbV.Krb5Error as e: > >>>>>>> + last_exc = str(e) > >>>>>>> + root_logger.debug("Attempt %d/%d: failed: %s" > >>>>>>> + % (attempt, attempts, last_exc)) > >>>>>>> + time.sleep(1) > >>>>>>> + > >>>>>>> + root_logger.debug("Maximum number of attempts (%d) reached" > >>>>>>> + % attempts) > >>>>>>> + raise StandardError("Error initializing principal %s: %s" > >>>>>>> + % (principal, last_exc)) > >>>>>>> > >>>>>>> The problem here is that this function will raise the super-generic > >>>>>>> StandardError instead of the proper with all the context and information about > >>>>>>> the error that the caller can then process. > >>>>>>> > >>>>>>> I think that > >>>>>>> > >>>>>>> except krbV.Krb5Error as e: > >>>>>>> if attempt == max_attempts: > >>>>>>> log something > >>>>>>> raise > >>>>>>> > >>>>>>> would be better. > >>>>>>> > >>>>>> > >>>>>> Yes that seems reasonable. I'm just thinking whether we should re-raise > >>>>>> Krb5Error or raise ipalib.errors.KerberosError? the latter options makes > >>>>>> more sense to me as we would not have to additionally import Krb5Error > >>>>>> everywhere and it would also make the resulting errors more consistent. > >>>>>> > >>>>>> I am thinking about someting like this: > >>>>>> > >>>>>> except krbV.Krb5Error as e: > >>>>>> if attempt == attempts: > >>>>>> # log that we have reaches maximum number of attempts > >>>>>> raise KerberosError(minor=str(e)) > >>>>>> > >>>>>> What do you think? > >>>>> > >>>>> Are you retrying on any error ? > >>>>> Please do *not* do that, if you retry many times on an error that > >>>>> indicates the password is wrong you may end up locking an administrative > >>>>> account. If you want to retry you should do it only for very specific > >>>>> timeout errors. > >>>>> > >>>>> Simo. > >>>>> > >>>>> > >>>> I have taken a look at the logs attached to the original BZ > >>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). 
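Review bot: the `except krbV.Krb5Error as e:` branch retries after every Kerberos error, not only transient ones, so an error that indicates the password is wrong would be retried `attempts` times in a row and, as Simo notes below, can lock an administrative account; retry only on the timeout-class codes identified later in the thread (KRB5_KDC_UNREACH and KRB5KDC_ERR_SVC_UNAVAILABLE) and re-raise anything else on the first attempt. The closing `raise StandardError("Error initializing principal %s: %s" % (principal, last_exc))` also throws away the original exception type and context; re-raise the last Krb5Error, or wrap it in ipalib.errors.KerberosError as proposed, so the caller can still tell the failures apart.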
> >>>>
> >>>> In ipaclient-install.log the kinit error is:
> >>>>
> >>>> "Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial
> >>>> credentials"
> >>>>
> >>>> which can be translated to krbV.KRB5_KDC_UNREACH error. However,
> >>>> krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors
> >>>> which are seemingly unrelated to the root cause (kinit timing out on
> >>>> getting host TGT).
> >>>>
> >>>> Thus I'm not quite sure which errors we should check against in this
> >>>> case, anyone care to advise? These are potential candidates:
> >>>>
> >>>> KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is
> >>>> required to process the request"
> >>>> KRB5KRB_ERR_RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP"
> >>>> KRB5_REALM_UNKNOWN, "Cannot find KDC for requested realm"
> >>>> KRB5_KDC_UNREACH, "Cannot contact any KDC for requested realm"
> >>>>
> >>>
> >>> The only ones that you should retry on, at first glance, are
> >>> KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE.
> >>>
> >>> You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it
> >>> should be handled automatically by the library, and if you get
> >>> KRB5_REALM_UNKNOWN I do not think that retrying will make any
> >>> difference.
> >>
> >> I might be wrong but I was under the impression that this feature was also for
> >> working around replication delay - service is not available / key is not
> >> present / something like that.
> >>
> >> (This could happen if host/principal was added to one server but then the
> >> client connected to another server or so.)
> >
> > If we have that problem we should instead use a temporary krb5.conf file
> > that lists explicitly only the server we are joining.
> >
> > Simo.
> >
>
> This is already done since ipa-3-0: by default only one server/KDC is
> used during client install so there are actually no problems with
> replication delay, only with KDC timeouts.
>
> Anyway I'm sending updated patches.

LGTM!
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ldelouw at redhat.com Thu Apr 9 13:11:43 2015
From: ldelouw at redhat.com (Luc de Louw)
Date: Thu, 09 Apr 2015 15:11:43 +0200
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
In-Reply-To: <55267065.4090900@redhat.com>
References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com> <55267065.4090900@redhat.com>
Message-ID: <55267A8F.3030203@redhat.com>

On 04/09/2015 02:28 PM, Jan Cholasta wrote:
>>>> Let's say you now introduce --no-cr flag. What if we decide to change
>>>> the default to False? How would you then change the option/API?
>>>
>>> You would have to add --cr flag.
>>
>> That was the point - some clients would send "cr" flag, some "no_cr"
>> and there would have to be special handling.
>>
>>>> It is more flexible IMO to just use something like
>>>>
>>>> --cr=TRUE|FALSE with TRUE being the default
>>>
>>> I would say --append-cr=TRUE|FALSE with no default, meaning do not
>>> add the flag to the config at all.
>>
>> I thought the idea was to append the CR by default, i.e.
>> --append-cr=TRUE|FALSE with TRUE being the default.
>>
>
> If you want to hardcode the default into the plugin, there is no benefit
> in using Bool over Flag, because Flag is actually a Bool with hardcoded
> default value.
>

I actually started with a bool, default=True. I had the problem that the
default value was ignored, the value was None.

Changing the default behavior is IMHO bad anyway, does not matter if Bool
or Flag.

Please advise what you wish to be implemented :-)

Thanks,

Luc

From jcholast at redhat.com Thu Apr 9 13:38:58 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 09 Apr 2015 15:38:58 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <1428583286.19641.219.camel@willson.usersys.redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> Message-ID: <552680F2.3050208@redhat.com> Dne 9.4.2015 v 14:41 Simo Sorce napsal(a): > On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: >> On 03/23/2015 03:13 PM, Simo Sorce wrote: >>> On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: >>>> On 23.3.2015 14:08, Simo Sorce wrote: >>>>> On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: >>>>>> On 03/17/2015 06:00 PM, Simo Sorce wrote: >>>>>>> On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: >>>>>>>> On 03/16/2015 12:15 PM, Martin Kosek wrote: >>>>>>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote: >>>>>>>>>> Attaching the next iteration of patches. >>>>>>>>>> >>>>>>>>>> I have tried my best to reword the ipa-client-install man page bit about the >>>>>>>>>> new option. Any suggestions to further improve it are welcome. >>>>>>>>>> >>>>>>>>>> I have also slightly modified the 'kinit_keytab' function so that in Kerberos >>>>>>>>>> errors are reported for each attempt and the text of the last error is retained >>>>>>>>>> when finally raising exception. >>>>>>>>> >>>>>>>>> The approach looks very good. 
I think that my only concern with this patch is >>>>>>>>> this part: >>>>>>>>> >>>>>>>>> + ccache.init_creds_keytab(keytab=ktab, principal=princ) >>>>>>>>> ... >>>>>>>>> + except krbV.Krb5Error as e: >>>>>>>>> + last_exc = str(e) >>>>>>>>> + root_logger.debug("Attempt %d/%d: failed: %s" >>>>>>>>> + % (attempt, attempts, last_exc)) >>>>>>>>> + time.sleep(1) >>>>>>>>> + >>>>>>>>> + root_logger.debug("Maximum number of attempts (%d) reached" >>>>>>>>> + % attempts) >>>>>>>>> + raise StandardError("Error initializing principal %s: %s" >>>>>>>>> + % (principal, last_exc)) >>>>>>>>> >>>>>>>>> The problem here is that this function will raise the super-generic >>>>>>>>> StandardError instead of the proper with all the context and information about >>>>>>>>> the error that the caller can then process. >>>>>>>>> >>>>>>>>> I think that >>>>>>>>> >>>>>>>>> except krbV.Krb5Error as e: >>>>>>>>> if attempt == max_attempts: >>>>>>>>> log something >>>>>>>>> raise >>>>>>>>> >>>>>>>>> would be better. >>>>>>>>> >>>>>>>> >>>>>>>> Yes that seems reasonable. I'm just thinking whether we should re-raise >>>>>>>> Krb5Error or raise ipalib.errors.KerberosError? the latter options makes >>>>>>>> more sense to me as we would not have to additionally import Krb5Error >>>>>>>> everywhere and it would also make the resulting errors more consistent. >>>>>>>> >>>>>>>> I am thinking about someting like this: >>>>>>>> >>>>>>>> except krbV.Krb5Error as e: >>>>>>>> if attempt == attempts: >>>>>>>> # log that we have reaches maximum number of attempts >>>>>>>> raise KerberosError(minor=str(e)) >>>>>>>> >>>>>>>> What do you think? >>>>>>> >>>>>>> Are you retrying on any error ? >>>>>>> Please do *not* do that, if you retry many times on an error that >>>>>>> indicates the password is wrong you may end up locking an administrative >>>>>>> account. If you want to retry you should do it only for very specific >>>>>>> timeout errors. >>>>>>> >>>>>>> Simo. 
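Review bot: the `except krbV.Krb5Error as e:` clause in the quoted hunk retries on every Kerberos error, and the `time.sleep(1)` inside it also runs after the final failed attempt, so the loop always pays one extra second before raising. Restrict the retry to the transient KDC conditions named in this thread (KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE), re-raise anything else on the first failure so a bad key cannot turn into a lockout, and guard the sleep with `if attempt < attempts:`. The trailing `raise StandardError("Error initializing principal %s: %s" ...)` also discards the original exception type and error code; re-raise the Krb5Error, or wrap it in ipalib.errors.KerberosError, so callers can tell a KDC timeout from a credential error.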
>>>>>>> >>>>>>> >>>>>> I have taken a look at the logs attached to the original BZ >>>>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). >>>>>> >>>>>> In ipaclient-install.log the kinit error is: >>>>>> >>>>>> "Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial >>>>>> credentials" >>>>>> >>>>>> which can be translated to krbV.KRB5_KDC_UNREACH error. However, >>>>>> krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors >>>>>> which are seemingly unrelated to the root cause (kinit timing out on >>>>>> getting host TGT). >>>>>> >>>>>> Thus I'm not quite sure which errors should we chceck against in this >>>>>> case, anyone care to advise? These are potential candidates: >>>>>> >>>>>> KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is >>>>>> required to process the request" >>>>>> KRB5KRB_ERR_RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP" >>>>>> KRB5_REALM_UNKNOWN, "Cannot find KDC for requested realm" >>>>>> KRB5_KDC_UNREACH, "Cannot contact any KDC for requested realm" >>>>>> >>>>> >>>>> The only ones that you should retry on, at first glance are >>>>> KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. >>>>> >>>>> You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it >>>>> should be handled automatically by the library, and if you get >>>>> KRB5_REALM_UNKNOWN I do not think that retrying will make any >>>>> difference. >>>> >>>> I might be wrong but I was under the impression that this feature was also for >>>> workarounding replication delay - service is not available / key is not >>>> present / something like that. >>>> >>>> (This could happen if host/principal was added to one server but then the >>>> client connected to another server or so.) >>> >>> If we have that problem we should instead use a temporary krb5.conf file >>> that lists explicitly only the server we are joining. >>> >>> Simo. 
>>>
>>
>> This is already done since ipa-3-0: by default only one server/KDC is
>> used during client install so there are actually no problems with
>> replication delay, only with KDC timeouts.
>>
>> Anyway I'm sending updated patches.
>
> LGTM!
>
> Simo.
>

Some comments:

Patch 15:

1) The functions should be as similar as possible:

    a) kinit_password() should have a 'ccache_path' argument instead of
passing the path in KRB5CCNAME in the 'env' argument.

    b) I don't think kinit_password() should have the 'env' argument at
all. You can always call kinit with LC_ALL=C and set other variables in
os.environ if you want.

    c) The arguments should have the same ordering.

    d) Either set KRB5CCNAME in both kinit_keytab() and
kinit_password() or in none of them.

    e) Either rename armor_ccache to armor_ccache_path or ccache_path
to ccache.


2) Space before comma in docstring:

+    Given a ccache_path , keytab file and a principal kinit as that user.


3) I would prefer if the default value of 'armor_ccache' in
kinit_password() was None.


Patch 16:

1) The callback should not be named 'validate_kinit_attempts_option',
but rather 'kinit_attempts_callback', as it doesn't just validate the value.


2) Why is there the sys.maxint upper bound on --kinit-attempts again? A
comment with explanation would be nice.


Patch 17:

1) Is there a reason for the ccache filename changes in DNSSEC code?

--
Jan Cholasta

From rcritten at redhat.com Thu Apr 9 14:05:48 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Apr 2015 10:05:48 -0400
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
Message-ID: <5526873C.90504@redhat.com>

Right now when a new master is installed it is not configured with a CA
unless one passes in --setup-ca (or afterward runs ipa-ca-install).

Over and over we've seen people who have multiple masters and a single
CA, in some cases that CA machine is gone, leaving the realm with no CA
at all.

I think this is due to the fact that CA replicas are not created by
default and the users are not aware of the implications of a single
point-of-failure since things otherwise seem to be working.

So perhaps the default should be to install a CA unless the user
requests one not be installed. A related task may be to create an
uninstaller for just the CA.

rob

From simo at redhat.com Thu Apr 9 14:15:27 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Apr 2015 10:15:27 -0400 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <552680F2.3050208@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> Message-ID: <1428588927.19641.238.camel@willson.usersys.redhat.com> On Thu, 2015-04-09 at 15:38 +0200, Jan Cholasta wrote: > Dne 9.4.2015 v 14:41 Simo Sorce napsal(a): > > On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: > >> On 03/23/2015 03:13 PM, Simo Sorce wrote: > >>> On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: > >>>> On 23.3.2015 14:08, Simo Sorce wrote: > >>>>> On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: > >>>>>> On 03/17/2015 06:00 PM, Simo Sorce wrote: > >>>>>>> On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: > >>>>>>>> On 03/16/2015 12:15 PM, Martin Kosek wrote: > >>>>>>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote: > >>>>>>>>>> Attaching the next iteration of patches. > >>>>>>>>>> > >>>>>>>>>> I have tried my best to reword the ipa-client-install man page bit about the > >>>>>>>>>> new option. Any suggestions to further improve it are welcome. > >>>>>>>>>> > >>>>>>>>>> I have also slightly modified the 'kinit_keytab' function so that in Kerberos > >>>>>>>>>> errors are reported for each attempt and the text of the last error is retained > >>>>>>>>>> when finally raising exception. > >>>>>>>>> > >>>>>>>>> The approach looks very good. 
I think that my only concern with this patch is > >>>>>>>>> this part: > >>>>>>>>> > >>>>>>>>> + ccache.init_creds_keytab(keytab=ktab, principal=princ) > >>>>>>>>> ... > >>>>>>>>> + except krbV.Krb5Error as e: > >>>>>>>>> + last_exc = str(e) > >>>>>>>>> + root_logger.debug("Attempt %d/%d: failed: %s" > >>>>>>>>> + % (attempt, attempts, last_exc)) > >>>>>>>>> + time.sleep(1) > >>>>>>>>> + > >>>>>>>>> + root_logger.debug("Maximum number of attempts (%d) reached" > >>>>>>>>> + % attempts) > >>>>>>>>> + raise StandardError("Error initializing principal %s: %s" > >>>>>>>>> + % (principal, last_exc)) > >>>>>>>>> > >>>>>>>>> The problem here is that this function will raise the super-generic > >>>>>>>>> StandardError instead of the proper with all the context and information about > >>>>>>>>> the error that the caller can then process. > >>>>>>>>> > >>>>>>>>> I think that > >>>>>>>>> > >>>>>>>>> except krbV.Krb5Error as e: > >>>>>>>>> if attempt == max_attempts: > >>>>>>>>> log something > >>>>>>>>> raise > >>>>>>>>> > >>>>>>>>> would be better. > >>>>>>>>> > >>>>>>>> > >>>>>>>> Yes that seems reasonable. I'm just thinking whether we should re-raise > >>>>>>>> Krb5Error or raise ipalib.errors.KerberosError? the latter options makes > >>>>>>>> more sense to me as we would not have to additionally import Krb5Error > >>>>>>>> everywhere and it would also make the resulting errors more consistent. > >>>>>>>> > >>>>>>>> I am thinking about someting like this: > >>>>>>>> > >>>>>>>> except krbV.Krb5Error as e: > >>>>>>>> if attempt == attempts: > >>>>>>>> # log that we have reaches maximum number of attempts > >>>>>>>> raise KerberosError(minor=str(e)) > >>>>>>>> > >>>>>>>> What do you think? > >>>>>>> > >>>>>>> Are you retrying on any error ? > >>>>>>> Please do *not* do that, if you retry many times on an error that > >>>>>>> indicates the password is wrong you may end up locking an administrative > >>>>>>> account. 
If you want to retry you should do it only for very specific > >>>>>>> timeout errors. > >>>>>>> > >>>>>>> Simo. > >>>>>>> > >>>>>>> > >>>>>> I have taken a look at the logs attached to the original BZ > >>>>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). > >>>>>> > >>>>>> In ipaclient-install.log the kinit error is: > >>>>>> > >>>>>> "Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial > >>>>>> credentials" > >>>>>> > >>>>>> which can be translated to krbV.KRB5_KDC_UNREACH error. However, > >>>>>> krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors > >>>>>> which are seemingly unrelated to the root cause (kinit timing out on > >>>>>> getting host TGT). > >>>>>> > >>>>>> Thus I'm not quite sure which errors should we chceck against in this > >>>>>> case, anyone care to advise? These are potential candidates: > >>>>>> > >>>>>> KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is > >>>>>> required to process the request" > >>>>>> KRB5KRB_ERR_RESPONSE_TOO_BIG, "Response too big for UDP, retry with TCP" > >>>>>> KRB5_REALM_UNKNOWN, "Cannot find KDC for requested realm" > >>>>>> KRB5_KDC_UNREACH, "Cannot contact any KDC for requested realm" > >>>>>> > >>>>> > >>>>> The only ones that you should retry on, at first glance are > >>>>> KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. > >>>>> > >>>>> You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it > >>>>> should be handled automatically by the library, and if you get > >>>>> KRB5_REALM_UNKNOWN I do not think that retrying will make any > >>>>> difference. > >>>> > >>>> I might be wrong but I was under the impression that this feature was also for > >>>> workarounding replication delay - service is not available / key is not > >>>> present / something like that. > >>>> > >>>> (This could happen if host/principal was added to one server but then the > >>>> client connected to another server or so.) 
> >>>
> >>> If we have that problem we should instead use a temporary krb5.conf file
> >>> that lists explicitly only the server we are joining.
> >>>
> >>> Simo.
> >>>
> >>
> >> This is already done since ipa-3-0: by default only one server/KDC is
> >> used during client install so there are actually no problems with
> >> replication delay, only with KDC timeouts.
> >>
> >> Anyway I'm sending updated patches.
> >
> > LGTM!
> >
> > Simo.
> >
> >
>
> Some comments:
>
> Patch 15:
>
> 1) The functions should be as similar as possible:
>
>      a) kinit_password() should have a 'ccache_path' argument instead of
> passing the path in KRB5CCNAME in the 'env' argument.
>
>      b) I don't think kinit_password() should have the 'env' argument at
> all. You can always call kinit with LC_ALL=C and set other variables in
> os.environ if you want.
>
>      c) The arguments should have the same ordering.
>
>      d) Either set KRB5CCNAME in both kinit_keytab() and
> kinit_password() or in none of them.
>
>      e) Either rename armor_ccache to armor_ccache_path or ccache_path
> to ccache.
>
>
> 2) Space before comma in docstring:
>
> +    Given a ccache_path , keytab file and a principal kinit as that user.
>
>
> 3) I would prefer if the default value of 'armor_ccache' in
> kinit_password() was None.
>
>
> Patch 16:
>
> 1) The callback should not be named 'validate_kinit_attempts_option',
> but rather 'kinit_attempts_callback', as it doesn't just validate the value.
>
>
> 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A
> comment with explanation would be nice.
>
>
> Patch 17:
>
> 1) Is there a reason for the ccache filename changes in DNSSEC code?
>

Good catches, although I think they are mostly nitpicks, it would be nice
to get these changed as you ask before pushing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Thu Apr 9 14:27:43 2015
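The retry policy this thread converges on (retry only on KDC unreachable / service unavailable, fail at once on anything else so a bad key cannot lock an account, keep the real error for the caller) is shown below as an added example. It is not FreeIPA's code nor the submitted patches: `Krb5Error`, `KerberosError`, `FakeKdc`, the injected `init_creds` callable and the numeric error-code values are constructed stand-ins so the block runs offline; in the real client `init_creds` would be `ccache.init_creds_keytab()` and the codes would come from krbV. The function signature follows the review comments above (explicit `ccache_path`, no `env` argument).

```python
"""Selective retry for keytab-based kinit (added example, not FreeIPA code)."""
import logging
import time

log = logging.getLogger("kinit_retry")


class Krb5Error(Exception):
    """Stand-in for krbV.Krb5Error: assumed to carry an error code and a message."""

    def __init__(self, code, message):
        super().__init__(code, message)
        self.err_code = code
        self.message = message


class KerberosError(Exception):
    """Stand-in for ipalib.errors.KerberosError(minor=...) as proposed in the thread."""

    def __init__(self, minor):
        super().__init__(minor)
        self.minor = minor


# Symbolic names are the ones discussed on the list; the numeric values are
# constructed for this example, not libkrb5's real error-table values.
KRB5_KDC_UNREACH = 101
KRB5KDC_ERR_SVC_UNAVAILABLE = 102
KRB5KDC_ERR_PREAUTH_FAILED = 103
KRB5_REALM_UNKNOWN = 104

# Only "KDC not reachable / not ready" conditions can clear up by waiting.
RETRYABLE = frozenset({KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE})


def kinit_keytab(principal, keytab, ccache_path, init_creds,
                 attempts=1, sleep=time.sleep):
    """Obtain a TGT for `principal` from `keytab` into `ccache_path`.

    `init_creds(principal, keytab, ccache_path)` stands in for the
    ccache.init_creds_keytab() call from the patch: it returns on success
    and raises Krb5Error on failure. Returns the attempt number that
    succeeded; raises KerberosError carrying the last libkrb5 message.
    """
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    for attempt in range(1, attempts + 1):
        try:
            init_creds(principal, keytab, ccache_path)
            return attempt
        except Krb5Error as e:
            log.debug("Attempt %d/%d failed: %s", attempt, attempts, e.message)
            if e.err_code not in RETRYABLE:
                # Wrong key, unknown realm, ...: waiting cannot fix these, and
                # hammering the KDC with a bad credential risks a lockout.
                raise KerberosError(minor=e.message)
            if attempt == attempts:
                log.debug("Maximum number of attempts (%d) reached", attempts)
                raise KerberosError(minor=e.message)
            sleep(1)  # only between attempts, never after the last one


class FakeKdc:
    """Constructed stand-in for the library call: raises the scripted
    errors in order, then succeeds once the script is exhausted."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def __call__(self, principal, keytab, ccache_path):
        self.calls += 1
        if self.script:
            code, message = self.script.pop(0)
            raise Krb5Error(code, message)


def demo():
    """Run three constructed scenarios and return their observable outcomes."""
    princ = "host/client.example.test@EXAMPLE.TEST"   # constructed principal
    ktab, cc = "/etc/krb5.keytab", "/tmp/krb5cc_demo"  # constructed paths
    unreach = (KRB5_KDC_UNREACH, "Cannot contact any KDC for requested realm")
    results = {}

    # 1) KDC unreachable twice, then back: succeeds on the third attempt.
    kdc = FakeKdc([unreach] * 2)
    results["unreachable_then_ok"] = kinit_keytab(
        princ, ktab, cc, kdc, attempts=5, sleep=lambda s: None)

    # 2) Bad key: exactly one KDC round trip, no retry storm.
    kdc = FakeKdc([(KRB5KDC_ERR_PREAUTH_FAILED, "Preauthentication failed")] * 5)
    try:
        kinit_keytab(princ, ktab, cc, kdc, attempts=5, sleep=lambda s: None)
    except KerberosError as e:
        results["bad_key"] = (kdc.calls, e.minor)

    # 3) KDC down for good: gives up after `attempts`, sleeping attempts-1 times.
    sleeps = []
    kdc = FakeKdc([unreach] * 10)
    try:
        kinit_keytab(princ, ktab, cc, kdc, attempts=3, sleep=sleeps.append)
    except KerberosError:
        results["kdc_down"] = (kdc.calls, len(sleeps))
    return results


if __name__ == "__main__":
    print(demo())
```

The injected `sleep` and `init_creds` callables exist only so the policy can be exercised without a KDC; in production code they would be `time.sleep` and the krbV call, and `RETRYABLE` would hold the library's own constants.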
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 09 Apr 2015 16:27:43 +0200
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <5526873C.90504@redhat.com>
References: <5526873C.90504@redhat.com>
Message-ID: <55268C5F.2040901@redhat.com>

On 04/09/2015 04:05 PM, Rob Crittenden wrote:
> Right now when a new master is installed it is not configured with a CA
> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>
> Over and over we've seen people who have multiple masters and a single
> CA, in some cases that CA machine is gone, leaving the realm with no CA
> at all.
>
> I think this is due to the fact that CA replicas are not created by
> default and the users are not aware of the implications of a single
> point-of-failure since things otherwise seem to be working.
>
> So perhaps the default should be to install a CA unless the user
> requests one not be installed. A related task may be to create an
> uninstaller for just the CA.
>
> rob
>

From a general perspective:

When I hear "replica" it evokes a "clone", something equal/identical.

Based on this, the expected behavior for me would be that:

- if master has DNS and CA, then the new replica would also have DNS and
CA (without any configuration option needed).
- if an optional service is missing then replica wouldn't have it as
well by default

This would require reverse options like: --no-dns.

--
Petr Vobornik

From pviktori at redhat.com Thu Apr 9 15:28:00 2015
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 09 Apr 2015 17:28:00 +0200
Subject: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject
In-Reply-To: <55252ABF.5010608@redhat.com>
References: <55252ABF.5010608@redhat.com>
Message-ID: <55269A80.1020309@redhat.com>

On 04/08/2015 03:18 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches remove IPASimpleLDAPObject from ipaldap.
>
> As a result, the one and only IPA LDAP API is the LDAPClient API.

This is definitely an improvement :)

0408: ACK (woohoo!)

0409: ACK

0410: I quite like the new __init__ signature, and the context manager
functionality.
Can you add a comment for the `object.__setattr__(self, '_conn', None)`
in _disconnect? It's a real eyesore.

0411: ACK

0412: Can _force_schema_updates be set already in __init__?

0413: ACK

0414: ACK

0415: ACK

0416: I think you should show off the `with` statement support here.

0417: ... and here

0418: ACK

0419: ACK

0420: ACK

0421: ACK

0422: ACK, and good riddance

--
Petr Viktorin

From rcritten at redhat.com Thu Apr 9 19:42:10 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Apr 2015 15:42:10 -0400
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <55268C5F.2040901@redhat.com>
References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com>
Message-ID: <5526D612.2030107@redhat.com>

Petr Vobornik wrote:
> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
>> Right now when a new master is installed it is not configured with a CA
>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>>
>> Over and over we've seen people who have multiple masters and a single
>> CA, in some cases that CA machine is gone, leaving the realm with no CA
>> at all.
>>
>> I think this is due to the fact that CA replicas are not created by
>> default and the users are not aware of the implications of a single
>> point-of-failure since things otherwise seem to be working.
>>
>> So perhaps the default should be to install a CA unless the user
>> requests one not be installed. A related task may be to create an
>> uninstaller for just the CA.
>>
>> rob
>>
>
> From a general perspective:
>
> When I hear "replica" it evokes a "clone", something equal/identical.
>
> Based on this, the expected behavior for me would be that:
>
> - if master has DNS and CA, then the new replica would also have DNS and
> CA (without any configuration option needed).
> - if an optional service is missing then replica wouldn't have it as
> well by default
>
> This would require reverse options like: --no-dns.

Pretty much exactly what I was thinking.

For the option I think we should go with a more generic --ca, --dns,
with the default value matching what the remote master has configured.

But that's bike shedding.

The real question is, what do others think? Is this worth filing a
ticket for? It would be a subtle but significant change. This might tie
in nicely with planned topology management too.

rob

From simo at redhat.com Thu Apr 9 20:47:03 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Apr 2015 16:47:03 -0400 Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters In-Reply-To: <5526D612.2030107@redhat.com> References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> Message-ID: <1428612423.19641.278.camel@willson.usersys.redhat.com> On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: > Petr Vobornik wrote: > > On 04/09/2015 04:05 PM, Rob Crittenden wrote: > >> Right now when a new master is installed it is not configured with a CA > >> unless one passes in --setup-ca (or afterward runs ipa-ca-install). > >> > >> Over and over we've seen people who have multiple masters and a single > >> CA, in some cases that CA machine is gone, leaving the realm with no CA > >> at all. > >> > >> I think this is due to the fact that CA replicas are not created by > >> default and the users are not aware of the implications of a single > >> point-of-failure since things otherwise seem to be working. > >> > >> So perhaps the default should be to install a CA unless the user > >> requests one not be installed. A related task may be to create an > >> uninstaller for just the CA. > >> > >> rob > >> > > > > From a general perspective: > > > > When I hear "replica" it evokes a "clone", something equal/identical. > > > > Based on this, the expected behavior for me would be that: > > > > - if master has DNS and CA, then the new replica would also have DNS and > > CA (without any configuration option needed). > > - if an optional service is missing then replica wouldn't have it as > > well by default > > > > This would required reverse options like: --no-dns. > > Pretty much exactly what I was thinking. > > For the option I think we should go with a more generic --ca, --dns, > with the default value matching what the remote master has configured. > > But that's bike shedding. > > The real question is, what do others think? 
> Is this worth filing a
> ticket for? It would be a subtle but significant change. This might tie
> in nicely with planned topology management too.

I think I would like to see questions in interactive mode, but not force
CA and DNS to be installed just because the other replica has them.

The replica originating machine has more to do with topology (what
master you want to replicate off) than features.

So if you are doing an interactive install and the remote replica has CA
and DNS features, it may be nice to ask: do you want to setup CA too?
Do you want to setup DNS too?
But not do it by default w/o positive confirmation.
Esp for DNS it makes little sense as you need a change in DHCP/other
infra for it to be of any use and all data is in LDAP anyway.
The CA case is a little bit more critical as you noted, but I think
nagging in interactive is probably good enough.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Apr 9 20:52:52 2015
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 09 Apr 2015 16:52:52 -0400 Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters In-Reply-To: <1428612423.19641.278.camel@willson.usersys.redhat.com> References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> Message-ID: <5526E6A4.6090403@redhat.com> Simo Sorce wrote: > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: >> Petr Vobornik wrote: >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote: >>>> Right now when a new master is installed it is not configured with a CA >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install). >>>> >>>> Over and over we've seen people who have multiple masters and a single >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA >>>> at all. >>>> >>>> I think this is due to the fact that CA replicas are not created by >>>> default and the users are not aware of the implications of a single >>>> point-of-failure since things otherwise seem to be working. >>>> >>>> So perhaps the default should be to install a CA unless the user >>>> requests one not be installed. A related task may be to create an >>>> uninstaller for just the CA. >>>> >>>> rob >>>> >>> >>> From a general perspective: >>> >>> When I hear "replica" it evokes a "clone", something equal/identical. >>> >>> Based on this, the expected behavior for me would be that: >>> >>> - if master has DNS and CA, then the new replica would also have DNS and >>> CA (without any configuration option needed). >>> - if an optional service is missing then replica wouldn't have it as >>> well by default >>> >>> This would required reverse options like: --no-dns. >> >> Pretty much exactly what I was thinking. >> >> For the option I think we should go with a more generic --ca, --dns, >> with the default value matching what the remote master has configured. 
>>
>> But that's bike shedding.
>>
>> The real question is, what do others think? Is this worth filing a
>> ticket for? It would be a subtle but significant change. This might tie
>> in nicely with planned topology management too.
>
> I think I would like to see questions in interactive mode, but not force
> CA and DNS to be installed just because the other replica has them.
>
> The replica originating machine has more to do with topology (what
> master you want to replicate off) than features.
>
> So if you are doing an interactive install and the remote replica has CA
> and DNS features, it may be nice to ask: do you want to setup CA too?
> Do you want to setup DNS too?
> But not do it by default w/o positive confirmation.
> Esp for DNS it makes little sense as you need a change in DHCP/other
> infra for it to be of any use and all data is in LDAP anyway
> The CA case is a little bit more critical as you noted, but I think
> nagging in interactive is probably good enough.

That's why I suggested this be tied to the topology plugin, so the user
has a chance to massage things afterward in an easy manner.

A less obtrusive suggestion would be to try to count the number of
CAs and spit out a scary warning if it is just one.

rob

From simo at redhat.com Thu Apr 9 21:06:31 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 09 Apr 2015 17:06:31 -0400 Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters In-Reply-To: <5526E6A4.6090403@redhat.com> References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> <5526E6A4.6090403@redhat.com> Message-ID: <1428613591.19641.279.camel@willson.usersys.redhat.com> On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote: > >> Petr Vobornik wrote: > >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote: > >>>> Right now when a new master is installed it is not configured with a CA > >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install). > >>>> > >>>> Over and over we've seen people who have multiple masters and a single > >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA > >>>> at all. > >>>> > >>>> I think this is due to the fact that CA replicas are not created by > >>>> default and the users are not aware of the implications of a single > >>>> point-of-failure since things otherwise seem to be working. > >>>> > >>>> So perhaps the default should be to install a CA unless the user > >>>> requests one not be installed. A related task may be to create an > >>>> uninstaller for just the CA. > >>>> > >>>> rob > >>>> > >>> > >>> From a general perspective: > >>> > >>> When I hear "replica" it evokes a "clone", something equal/identical. > >>> > >>> Based on this, the expected behavior for me would be that: > >>> > >>> - if master has DNS and CA, then the new replica would also have DNS and > >>> CA (without any configuration option needed). > >>> - if an optional service is missing then replica wouldn't have it as > >>> well by default > >>> > >>> This would required reverse options like: --no-dns. > >> > >> Pretty much exactly what I was thinking. 
> >>
> >> For the option I think we should go with a more generic --ca, --dns,
> >> with the default value matching what the remote master has configured.
> >>
> >> But that's bike shedding.
> >>
> >> The real question is, what do others think? Is this worth filing a
> >> ticket for? It would be a subtle but significant change. This might tie
> >> in nicely with planned topology management too.
> >
> > I think I would like to see questions in interactive mode, but not force
> > CA and DNS to be installed just because the other replica has them.
> >
> > The replica originating machine has more to do with topology (what
> > master you want to replicate off) than features.
> >
> > So if you are doing an interactive install and the remote replica has CA
> > and DNS features, it may be nice to ask: do you want to setup CA too?
> > Do you want to setup DNS too?
> > But not do it by default w/o positive confirmation.
> > Esp for DNS it makes little sense as you need a change in DHCP/other
> > infra for it to be of any use and all data is in LDAP anyway
> > The CA case is a little bit more critical as you noted, but I think
> > nagging in interactive is probably good enough.
>
> That's why I suggested this be tied to the topology plugin, so the user
> has a chance to massage things afterward in an easy manner.
>
> A less obtrusive suggestion would be to try to count the number of
> CAs and spit out a scary warning if it is just one.

Maybe force CA on if there is only one CA? (Ie first 2 servers get to
be CAs) then a new CA is force installed only if one of the 2 is
killed?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ftweedal at redhat.com Fri Apr 10 00:44:11 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 10 Apr 2015 10:44:11 +1000
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <1428613591.19641.279.camel@willson.usersys.redhat.com>
References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> <5526E6A4.6090403@redhat.com> <1428613591.19641.279.camel@willson.usersys.redhat.com>
Message-ID: <20150410004411.GW18024@dhcp-40-8.bne.redhat.com>

On Thu, Apr 09, 2015 at 05:06:31PM -0400, Simo Sorce wrote:
> On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote:
> > >> Petr Vobornik wrote:
> > >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
> > >>>> Right now when a new master is installed it is not configured with a CA
> > >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
> > >>>>
> > >>>> Over and over we've seen people who have multiple masters and a single
> > >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA
> > >>>> at all.
> > >>>>
> > >>>> I think this is due to the fact that CA replicas are not created by
> > >>>> default and the users are not aware of the implications of a single
> > >>>> point-of-failure since things otherwise seem to be working.
> > >>>>
> > >>>> So perhaps the default should be to install a CA unless the user
> > >>>> requests one not be installed. A related task may be to create an
> > >>>> uninstaller for just the CA.
> > >>>>
> > >>>> rob
> > >>>>
> > >>>
> > >>> From a general perspective:
> > >>>
> > >>> When I hear "replica" it evokes a "clone", something equal/identical.
> > >>>
> > >>> Based on this, the expected behavior for me would be that:
> > >>>
> > >>> - if master has DNS and CA, then the new replica would also have DNS and
> > >>> CA (without any configuration option needed).
> > >>> - if an optional service is missing then replica wouldn't have it as
> > >>> well by default
> > >>>
> > >>> This would required reverse options like: --no-dns.
> > >>
> > >> Pretty much exactly what I was thinking.
> > >>
> > >> For the option I think we should go with a more generic --ca, --dns,
> > >> with the default value matching what the remote master has configured.
> > >>
> > >> But that's bike shedding.
> > >>
> > >> The real question is, what do others think? Is this worth filing a
> > >> ticket for? It would be a subtle but significant change. This might tie
> > >> in nicely with planned topology management too.
> > >
> > > I think I would like to see questions in interactive mode, but not force
> > > CA and DNS to be installed just because the other replica has them.
> > >
> > > The replica originating machines has more to do with topology (what
> > > master you want to replicate off) then features.
> > >
> > > So if you are doing an interactive install and the remote replica has CA
> > > and DNS features, it may be nice to ask: do you want to setup CA too ?
> > > Do you want to setup DNS too ?
> > > But not do it by default w/o positive confirmation.
> > > Esp for DNS it makes little sense as you need a change in DHCP/other
> > > infra for it to be of any use and all data is in LDAP anyway
> > > The CA case is a little bit more critical as you noted, but I think
> > > nagging in interactive is probably good enough.
> >
> > That's why I suggested this be tied to the topology plugin, so the user
> > has a chance to massage things afterward in an easy manner.
> >
> > A less obtrusive suggestion would be to be to try to count the number of
> > CAs and spit out a scary warning if it is just one.
> >
"Nagging in interactive", "scary warning if < 2 CAs" are probably
good enough to avoid the horror stories, but is it good enough UX
to require user intervention to avoid the loss of CA on losing a
single replica?

> Maybe force CA on if there is only one CA ? (Ie first 2 servers get to
> be CAs) then a new CA is force installed only if one of the 2 is
> killed ?
>
> Simo.
>
We would only need this special case if there is a problem with
having a CA clone for each replica, right? Is there a problem?

Cheers,
Fraser

> -- 
> Simo Sorce * Red Hat, Inc * New York
>
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From simo at redhat.com Fri Apr 10 02:58:35 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Apr 2015 22:58:35 -0400
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <20150410004411.GW18024@dhcp-40-8.bne.redhat.com>
References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> <5526E6A4.6090403@redhat.com> <1428613591.19641.279.camel@willson.usersys.redhat.com> <20150410004411.GW18024@dhcp-40-8.bne.redhat.com>
Message-ID: <1428634715.19641.282.camel@willson.usersys.redhat.com>

On Fri, 2015-04-10 at 10:44 +1000, Fraser Tweedale wrote:
> On Thu, Apr 09, 2015 at 05:06:31PM -0400, Simo Sorce wrote:
> > On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote:
> > > >> Petr Vobornik wrote:
> > > >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
> > > >>>> Right now when a new master is installed it is not configured with a CA
> > > >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
> > > >>>>
> > > >>>> Over and over we've seen people who have multiple masters and a single
> > > >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA
> > > >>>> at all.
> > > >>>>
> > > >>>> I think this is due to the fact that CA replicas are not created by
> > > >>>> default and the users are not aware of the implications of a single
> > > >>>> point-of-failure since things otherwise seem to be working.
> > > >>>>
> > > >>>> So perhaps the default should be to install a CA unless the user
> > > >>>> requests one not be installed. A related task may be to create an
> > > >>>> uninstaller for just the CA.
> > > >>>>
> > > >>>> rob
> > > >>>>
> > > >>>
> > > >>> From a general perspective:
> > > >>>
> > > >>> When I hear "replica" it evokes a "clone", something equal/identical.
> > > >>>
> > > >>> Based on this, the expected behavior for me would be that:
> > > >>>
> > > >>> - if master has DNS and CA, then the new replica would also have DNS and
> > > >>> CA (without any configuration option needed).
> > > >>> - if an optional service is missing then replica wouldn't have it as
> > > >>> well by default
> > > >>>
> > > >>> This would required reverse options like: --no-dns.
> > > >>
> > > >> Pretty much exactly what I was thinking.
> > > >>
> > > >> For the option I think we should go with a more generic --ca, --dns,
> > > >> with the default value matching what the remote master has configured.
> > > >>
> > > >> But that's bike shedding.
> > > >>
> > > >> The real question is, what do others think? Is this worth filing a
> > > >> ticket for? It would be a subtle but significant change. This might tie
> > > >> in nicely with planned topology management too.
> > > >
> > > > I think I would like to see questions in interactive mode, but not force
> > > > CA and DNS to be installed just because the other replica has them.
> > > >
> > > > The replica originating machines has more to do with topology (what
> > > > master you want to replicate off) then features.
> > > >
> > > > So if you are doing an interactive install and the remote replica has CA
> > > > and DNS features, it may be nice to ask: do you want to setup CA too ?
> > > > Do you want to setup DNS too ?
> > > > But not do it by default w/o positive confirmation.
> > > > Esp for DNS it makes little sense as you need a change in DHCP/other
> > > > infra for it to be of any use and all data is in LDAP anyway
> > > > The CA case is a little bit more critical as you noted, but I think
> > > > nagging in interactive is probably good enough.
> > >
> > > That's why I suggested this be tied to the topology plugin, so the user
> > > has a chance to massage things afterward in an easy manner.
> > >
> > > A less obtrusive suggestion would be to be to try to count the number of
> > > CAs and spit out a scary warning if it is just one.
> >
> "Nagging in interactive", "scary warning if < 2 CAs" are probably
> good enough to avoid the horror stories, but is it good enough UX
> to require user intervention to avoid the loss of CA on losing a
> single replica?

I think it is better than the current situation.

> > Maybe force CA on if there is only one CA ? (Ie first 2 servers get to
> > be CAs) then a new CA is force installed only if one of the 2 is
> > killed ?
> >
> > Simo.
> >
> We would only need this special case if there is a problem with
> having a CA clone for each replica, right? Is there a problem?

Private CA key exposed on additional servers.
Added replication load.
Added CPU/Memory load (dogtag is not exactly lightweight).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ftweedal at redhat.com Fri Apr 10 03:25:29 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 10 Apr 2015 13:25:29 +1000
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <1428634715.19641.282.camel@willson.usersys.redhat.com>
References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> <5526E6A4.6090403@redhat.com> <1428613591.19641.279.camel@willson.usersys.redhat.com> <20150410004411.GW18024@dhcp-40-8.bne.redhat.com> <1428634715.19641.282.camel@willson.usersys.redhat.com>
Message-ID: <20150410032529.GC18024@dhcp-40-8.bne.redhat.com>

On Thu, Apr 09, 2015 at 10:58:35PM -0400, Simo Sorce wrote:
> On Fri, 2015-04-10 at 10:44 +1000, Fraser Tweedale wrote:
> > On Thu, Apr 09, 2015 at 05:06:31PM -0400, Simo Sorce wrote:
> > > On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote:
> > > > Simo Sorce wrote:
> > > > > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote:
> > > > >> Petr Vobornik wrote:
> > > > >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
> > > > >>>> Right now when a new master is installed it is not configured with a CA
> > > > >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
> > > > >>>>
> > > > >>>> Over and over we've seen people who have multiple masters and a single
> > > > >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA
> > > > >>>> at all.
> > > > >>>>
> > > > >>>> I think this is due to the fact that CA replicas are not created by
> > > > >>>> default and the users are not aware of the implications of a single
> > > > >>>> point-of-failure since things otherwise seem to be working.
> > > > >>>>
> > > > >>>> So perhaps the default should be to install a CA unless the user
> > > > >>>> requests one not be installed. A related task may be to create an
> > > > >>>> uninstaller for just the CA.
> > > > >>>>
> > > > >>>> rob
> > > > >>>>
> > > > >>>
> > > > >>> From a general perspective:
> > > > >>>
> > > > >>> When I hear "replica" it evokes a "clone", something equal/identical.
> > > > >>>
> > > > >>> Based on this, the expected behavior for me would be that:
> > > > >>>
> > > > >>> - if master has DNS and CA, then the new replica would also have DNS and
> > > > >>> CA (without any configuration option needed).
> > > > >>> - if an optional service is missing then replica wouldn't have it as
> > > > >>> well by default
> > > > >>>
> > > > >>> This would required reverse options like: --no-dns.
> > > > >>
> > > > >> Pretty much exactly what I was thinking.
> > > > >>
> > > > >> For the option I think we should go with a more generic --ca, --dns,
> > > > >> with the default value matching what the remote master has configured.
> > > > >>
> > > > >> But that's bike shedding.
> > > > >>
> > > > >> The real question is, what do others think? Is this worth filing a
> > > > >> ticket for? It would be a subtle but significant change. This might tie
> > > > >> in nicely with planned topology management too.
> > > > >
> > > > > I think I would like to see questions in interactive mode, but not force
> > > > > CA and DNS to be installed just because the other replica has them.
> > > > >
> > > > > The replica originating machines has more to do with topology (what
> > > > > master you want to replicate off) then features.
> > > > >
> > > > > So if you are doing an interactive install and the remote replica has CA
> > > > > and DNS features, it may be nice to ask: do you want to setup CA too ?
> > > > > Do you want to setup DNS too ?
> > > > > But not do it by default w/o positive confirmation.
> > > > > Esp for DNS it makes little sense as you need a change in DHCP/other
> > > > > infra for it to be of any use and all data is in LDAP anyway
> > > > > The CA case is a little bit more critical as you noted, but I think
> > > > > nagging in interactive is probably good enough.
> > > >
> > > > That's why I suggested this be tied to the topology plugin, so the user
> > > > has a chance to massage things afterward in an easy manner.
> > > >
> > > > A less obtrusive suggestion would be to be to try to count the number of
> > > > CAs and spit out a scary warning if it is just one.
> > > >
> > "Nagging in interactive", "scary warning if < 2 CAs" are probably
> > good enough to avoid the horror stories, but is it good enough UX
> > to require user intervention to avoid the loss of CA on losing a
> > single replica?
>
> I think it is better than the current situation.
>
> > > Maybe force CA on if there is only one CA ? (Ie first 2 servers get to
> > > be CAs) then a new CA is force installed only if one of the 2 is
> > > killed ?
> > >
> > > Simo.
> > >
> > We would only need this special case if there is a problem with
> > having a CA clone for each replica, right? Is there a problem?
>
> Private CA key exposed on additional servers.
>
The main reason we are having this discussion is because people have
lost the private keys. Almost everything else is recoverable, except
certificates that were issued using Dogtag directly (if any) or KRA
data (which is the Vault backend where secrets are stored).

> Added replication load.
> Added CPU/Memory load (dogtag is not exactly lightweight).
>
Granted, but is it so bad? (Genuine question; I really don't know
much yet about replication and costs thereof). They already have all
the things running on the first host, and presumably will be deploying
replicas on similar hardware.

Cheers,
Fraser

> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>

From pspacek at redhat.com Fri Apr 10 07:00:59 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 10 Apr 2015 09:00:59 +0200
Subject: [Freeipa-devel] Proposal: reverse stance on installing CA on new masters
In-Reply-To: <20150410032529.GC18024@dhcp-40-8.bne.redhat.com>
References: <5526873C.90504@redhat.com> <55268C5F.2040901@redhat.com> <5526D612.2030107@redhat.com> <1428612423.19641.278.camel@willson.usersys.redhat.com> <5526E6A4.6090403@redhat.com> <1428613591.19641.279.camel@willson.usersys.redhat.com> <20150410004411.GW18024@dhcp-40-8.bne.redhat.com> <1428634715.19641.282.camel@willson.usersys.redhat.com> <20150410032529.GC18024@dhcp-40-8.bne.redhat.com>
Message-ID: <5527752B.9030705@redhat.com>

On 10.4.2015 05:25, Fraser Tweedale wrote:
> On Thu, Apr 09, 2015 at 10:58:35PM -0400, Simo Sorce wrote:
>> > On Fri, 2015-04-10 at 10:44 +1000, Fraser Tweedale wrote:
>>> > > On Thu, Apr 09, 2015 at 05:06:31PM -0400, Simo Sorce wrote:
>>>> > > > On Thu, 2015-04-09 at 16:52 -0400, Rob Crittenden wrote:
>>>>> > > > > Simo Sorce wrote:
>>>>>> > > > > > On Thu, 2015-04-09 at 15:42 -0400, Rob Crittenden wrote:
>>>>>>> > > > > >> Petr Vobornik wrote:
>>>>>>>> > > > > >>> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
>>>>>>>>> > > > > >>>> Right now when a new master is installed it is not configured with a CA
>>>>>>>>> > > > > >>>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>>>>>>>>> > > > > >>>>
>>>>>>>>> > > > > >>>> Over and over we've seen people who have multiple masters and a single
>>>>>>>>> > > > > >>>> CA, in some cases that CA machine is gone, leaving the realm with no CA
>>>>>>>>> > > > > >>>> at all.
>>>>>>>>> > > > > >>>>
>>>>>>>>> > > > > >>>> I think this is due to the fact that CA replicas are not created by
>>>>>>>>> > > > > >>>> default and the users are not aware of the implications of a single
>>>>>>>>> > > > > >>>> point-of-failure since things otherwise seem to be working.
>>>>>>>>> > > > > >>>>
>>>>>>>>> > > > > >>>> So perhaps the default should be to install a CA unless the user
>>>>>>>>> > > > > >>>> requests one not be installed. A related task may be to create an
>>>>>>>>> > > > > >>>> uninstaller for just the CA.
>>>>>>>>> > > > > >>>>
>>>>>>>>> > > > > >>>> rob
>>>>>>>>> > > > > >>>>
>>>>>>>> > > > > >>>
>>>>>>>> > > > > >>> From a general perspective:
>>>>>>>> > > > > >>>
>>>>>>>> > > > > >>> When I hear "replica" it evokes a "clone", something equal/identical.
>>>>>>>> > > > > >>>
>>>>>>>> > > > > >>> Based on this, the expected behavior for me would be that:
>>>>>>>> > > > > >>>
>>>>>>>> > > > > >>> - if master has DNS and CA, then the new replica would also have DNS and
>>>>>>>> > > > > >>> CA (without any configuration option needed).
>>>>>>>> > > > > >>> - if an optional service is missing then replica wouldn't have it as
>>>>>>>> > > > > >>> well by default
>>>>>>>> > > > > >>>
>>>>>>>> > > > > >>> This would required reverse options like: --no-dns.
>>>>>>> > > > > >>
>>>>>>> > > > > >> Pretty much exactly what I was thinking.
>>>>>>> > > > > >>
>>>>>>> > > > > >> For the option I think we should go with a more generic --ca, --dns,
>>>>>>> > > > > >> with the default value matching what the remote master has configured.
>>>>>>> > > > > >>
>>>>>>> > > > > >> But that's bike shedding.
>>>>>>> > > > > >>
>>>>>>> > > > > >> The real question is, what do others think? Is this worth filing a
>>>>>>> > > > > >> ticket for? It would be a subtle but significant change. This might tie
>>>>>>> > > > > >> in nicely with planned topology management too.
>>>>>> > > > > >
>>>>>> > > > > > I think I would like to see questions in interactive mode, but not force
>>>>>> > > > > > CA and DNS to be installed just because the other replica has them.

I can see a slight misunderstanding here: Rob and Petr^1 were talking about
defaults, not about any enforcement.

My understanding is that ipa-replica-install should have options --dns and
--ca which would override default values inherited from the master used to
run ipa-replica-prepare.

It seems very reasonable to me, I support Rob's proposal.

These 'defaults' can be easily combined with a scary warning if CA/DNS is
running on a single replica.

-- 
Petr^2 Spacek

From pvoborni at redhat.com Fri Apr 10 10:55:05 2015
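The three replica-install policies argued over in this thread (today's opt-in --setup-ca, the "inherit what the remote master runs" default with --ca/--dns overrides, and "force a CA while fewer than two exist"), together with the "warn if only one CA" check, modelled as an added Python example; this is not FreeIPA code, and the server records, service names and function names are constructed for the illustration.

```python
"""Added example, not FreeIPA code: model the replica-install policies from
this thread and the 'single CA' warning on a constructed topology.

Assumptions: a server is described by its FQDN and the set of optional
services it runs; the names below are hypothetical, not IPA's cn=masters
schema.
"""
from dataclasses import dataclass

OPTIONAL_SERVICES = ("CA", "DNS", "KRA")


@dataclass(frozen=True)
class Server:
    fqdn: str
    services: frozenset


def service_counts(topology):
    """Number of servers providing each optional service."""
    counts = {svc: 0 for svc in OPTIONAL_SERVICES}
    for server in topology:
        for svc in server.services:
            counts[svc] += 1
    return counts


def single_points_of_failure(topology, min_instances=2):
    """Services present in the topology but on fewer than min_instances
    servers: the 'scary warning if < 2 CAs' check, generalised to every
    optional service."""
    return sorted(svc for svc, n in service_counts(topology).items()
                  if 0 < n < min_instances)


def lost_on_failure(topology, fqdn):
    """Services the realm would have no instance of if the given server
    disappeared (the 'CA machine is gone' story from the thread)."""
    remaining = [s for s in topology if s.fqdn != fqdn]
    counts = service_counts(remaining)
    victim = next(s for s in topology if s.fqdn == fqdn)
    return sorted(svc for svc in victim.services if counts[svc] == 0)


def replica_defaults(topology, remote_master, policy, requested=None):
    """Services a new replica gets under each policy discussed.

    'current'  : nothing unless explicitly requested (opt-in --setup-ca)
    'mirror'   : default to whatever the remote master runs, overridable
                 with --ca/--dns style switches
    'force-ca' : like 'current', but a CA is always installed while the
                 topology has fewer than two CAs

    requested maps a service to True/False for an explicit operator choice.
    """
    master = next(s for s in topology if s.fqdn == remote_master)
    if policy == "current":
        defaults = {svc: False for svc in OPTIONAL_SERVICES}
    elif policy == "mirror":
        defaults = {svc: svc in master.services for svc in OPTIONAL_SERVICES}
    elif policy == "force-ca":
        defaults = {svc: False for svc in OPTIONAL_SERVICES}
        defaults["CA"] = service_counts(topology)["CA"] < 2
    else:
        raise ValueError("unknown policy: %s" % policy)
    defaults.update(requested or {})
    return frozenset(svc for svc, on in defaults.items() if on)


def install_replica(topology, remote_master, fqdn, policy, requested=None):
    """Return the topology after adding the replica, plus the warnings an
    installer following the thread's advice would print afterwards."""
    services = replica_defaults(topology, remote_master, policy, requested)
    new_topology = list(topology) + [Server(fqdn, services)]
    warnings = ["WARNING: only one server runs %s; losing it leaves the "
                "realm without that service" % svc
                for svc in single_points_of_failure(new_topology)]
    return new_topology, warnings


if __name__ == "__main__":
    # Constructed sample: the first master runs CA and DNS, nothing else yet.
    topo = [Server("ipa1.example.test", frozenset({"CA", "DNS"}))]
    for policy in ("current", "mirror", "force-ca"):
        t, warns = install_replica(topo, "ipa1.example.test",
                                   "ipa2.example.test", policy)
        print(policy, sorted(t[-1].services), warns)
```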
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Apr 2015 12:55:05 +0200
Subject: [Freeipa-devel] [PATCH] 814-818 migrate-ds: optimize adding users to default group
Message-ID: <5527AC09.7060707@redhat.com>

The essential patch is 814. 815 is a proposal for a new option. 816 and 818 are cleanup patches. 817 is a little optimization.

== [PATCH] 814 migrate-ds: optimize adding users to default group ==

Migrate-ds searches for users without a group and adds them to the default group. There is no point in checking whether the users selected by the previous query are not members of the default group, because they are not members of any group.

The operation is also sped up by not fetching the default group. Users are added right away.

https://fedorahosted.org/freeipa/ticket/4950

== [PATCH] 815 migrate-ds: skip default group options ==

New option --use-default-group=False could be used to disable adding of migrated users into the default group.

By default, the default group is no longer POSIX, therefore it doesn't fulfill the original idea of providing a GID and therefore it could be skipped during migration.

== [PATCH] 816 migrate-ds: remove unused def_group_gid context property ==

It's no longer used anywhere.

== [PATCH] migrate-ds: optimize gid checks by utilizing dictionary nature of set ==

== [PATCH] migrate-ds: log migrated group members only on debug level ==

It pollutes error_log.

-- 
Petr Vobornik

Attachments (text/x-patch, scrubbed by the list archive):
- freeipa-pvoborni-0818-migrate-ds-log-migrated-group-members-only-on-debug-.patch (1172 bytes)
- freeipa-pvoborni-0817-migrate-ds-optimize-gid-checks-by-utilizing-dictiona.patch (1877 bytes)
- freeipa-pvoborni-0816-migrate-ds-remove-unused-def_group_gid-context-prope.patch (978 bytes)
- freeipa-pvoborni-0814-migrate-ds-optimize-adding-users-to-default-group.patch (2912 bytes)
- freeipa-pvoborni-0815-migrate-ds-skip-default-group-options.patch (5140 bytes)

From lslebodn at redhat.com Fri Apr 10 10:55:56 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 10 Apr 2015 12:55:56 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <1428497595.19641.166.camel@willson.usersys.redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com>
Message-ID: <20150410105554.GB26699@mail.corp.redhat.com>

On (08/04/15 08:53), Simo Sorce wrote:
>On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>> > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>> >> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>> >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
>> >>>> On 27.3.2015 14:58, David Kupka wrote:
>> >>>>> pylint changed slightly so we must react otherwise we'll be unable to
>> >>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure
>> >>>>> but I don't know if we want it in 4.1.
>> >>>>>
>> >>>>
>> >>>> ACK
>> >>>
>> >>> Are all the new disables really just false positives?
>> >>
>> >> It seems to me as a false positives.
>> >>
>> >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>> >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>> >>
>> >> >>> import ssl
>> >> >>> ssl.PROTOCOL_TLSv1
>> >> 3
>> >>
>> >> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>> >> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>> >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>> >> convertDate] Instance of 'tuple' has no 'timetuple' member)
>> >>
>> >> dateutil.parser.parse() returns datetime.datetime object and it has
>> >> both tzinfo and timetuple methods
>> >> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>> >>
>> >> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>> >> uri_escape] Slice index is not an int, None, or instance with __index__)
>> >>
>> >> This is the line lint is complaining about:
>> >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>> >> I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>> >>
>> >>>
>> >>>>
>> >>>> tested on:
>> >>>> - F21: ipa-4-1, master branch
>> >>>> - F22: master branch.
>> >>>>
>> >>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>> >>>
>> >
>> > This patch doesn't seem to fix all my issues building on F22, so
>> > tentative NACK.
>>
>> I tested it this way:
>> 1. started with Fedora-22-x86_64-minimal system
>> 2. dnf install git
>> 3. clone freeipa
>> 4. make version-update # to get freeipa.spec
>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>> 6. ./make-lint
>>
>> >
>> > It seem the main offenders are "No value for argument 'second' in method
>> > call" (this one only in test_ipautul.py) and "No value for argument
>> > 'extClass' in method call" sprinkled around various test plugins.
>> > These cause E1120(no-value-for-parameter).
>>
>> Could you please paste the output of make-lint somewhere?
>
>Here it is.
>This is with my f22 desktop, fully updated with buildrequires running
>make-lint straight after applying your patch:
>
>************* Module ipatests.test_ipapython.test_ipautil
>ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call)
>ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:128: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:130: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:140: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:143: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:161: [E1120(no-value-for-parameter), TestCIDict.test_items] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:179: [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:189: [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:199: [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:207: [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:217: [E1120(no-value-for-parameter), TestCIDict.test_values] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:229: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:232: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:253: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_dict] No value for argument 'excClass' in method call)
>ipatests/test_ipapython/test_ipautil.py:257: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_list] No value for argument 'excClass' in method call)
>ipatests/test_ipapython/test_ipautil.py:261: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_kwargs] No value for argument 'excClass' in method call)
>ipatests/test_ipapython/test_ipautil.py:270: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:273: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:275: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:278: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:280: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:283: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:286: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:289: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:290: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'excClass' in method call)
>ipatests/test_ipapython/test_ipautil.py:295: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:298: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:303: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:308: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:323: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:324: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:325: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:326: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:327: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:328: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:334: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:335: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:336: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:337: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:338: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:339: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:345: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:346: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:347: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:348: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:349: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:350: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:355: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:356: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:357: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:358: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:359: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:360: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:365: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:366: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:367: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:368: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:369: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:370: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:371: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:377: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:378: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:380: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:385: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:386: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:388: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:393: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:394: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:398: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:403: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:404: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>ipatests/test_ipapython/test_ipautil.py:406: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call)
>************* Module ipatests.test_xmlrpc.test_cert_plugin
>ipatests/test_xmlrpc/test_cert_plugin.py:132: [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No value for argument 'excClass' in method call)
>************* Module ipatests.test_xmlrpc.test_automount_plugin
>ipatests/test_xmlrpc/test_automount_plugin.py:297: [E1120(no-value-for-parameter), test_automount.test_b_automountkey_del] No value for argument 'excClass' in method call)
>ipatests/test_xmlrpc/test_automount_plugin.py:309: [E1120(no-value-for-parameter),
test_automount.test_c_automountlocation_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:318: [E1120(no-value-for-parameter), test_automount.test_d_automountmap_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:378: [E1120(no-value-for-parameter), test_automount_direct.test_3_automountlocation_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:453: [E1120(no-value-for-parameter), test_automount_indirect.test_3_automountkey_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:465: [E1120(no-value-for-parameter), test_automount_indirect.test_4_automountmap_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:477: [E1120(no-value-for-parameter), test_automount_indirect.test_5_automountlocation_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:560: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_3_automountkey_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:572: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_4_automountmap_del] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_automount_plugin.py:584: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_5_automountlocation_del] No value for argument 'excClass' in method call) >************* Module ipatests.test_xmlrpc.test_sudorule_plugin >ipatests/test_xmlrpc/test_sudorule_plugin.py:759: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_sudorule_plugin.py:764: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) 
>ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) >ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call) >************* Module ipatests.test_xmlrpc.test_passwd_plugin >ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call) >************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call) >************* Module ipatests.test_xmlrpc.test_hbac_plugin >ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call) >************* Module ipatests.test_ipaserver.test_ldap >ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call) > I cannot see such warnings and make-lint passed without any problem with David's patch. [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest pytest-2.6.4-1.fc22.noarch python-pytest-sourceorder-0.4-2.fc22.noarch python-pytest-multihost-0.6-2.fc22.noarch LS From pviktori at redhat.com Fri Apr 10 11:11:43 2015 
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 10 Apr 2015 13:11:43 +0200
Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation
In-Reply-To: <552668E0.4050601@redhat.com>
References: <551A72DB.3020105@redhat.com> <551D11C2.4070902@redhat.com> <552668E0.4050601@redhat.com>
Message-ID: <5527AFEF.3060704@redhat.com>

On 04/09/2015 01:56 PM, Petr Vobornik wrote:
> On 04/02/2015 11:54 AM, Petr Viktorin wrote:
>> On 03/31/2015 12:11 PM, Petr Vobornik wrote:
>>> The only different thing is a lack of utf-8 encoded str support (as
>>> input). I don't know how important the support is.
>>
>> I don't think that support is too important (assuming IPA doesn't use
>> it!). However, the behavior with this patch is dangerous.
>> It allows unicode and ASCII strings, but fails on non-ASCII strings.
>> That means things will usually work, but as soon as a non-ASCII
>> component is introduced at the wrong place, you get an error.
>>
>> Restoring support for utf-8 encoded str looks easy to do; here's a patch
>> you can squash in. Or did I miss something?
>
> I also had to fix creation of AVAs to support utf-8 encoded str as input
> for attr and value (separately).
>
>>
>>> maybe it could be attached to ticket
>>> https://fedorahosted.org/freeipa/ticket/4947
>>> -----
>>> DN code was optimized to be faster if DNs are created from string. This
>>> is the major use case, since most DNs come from LDAP.
>>>
>>> With this patch, DN creation is almost 8-10x faster (with 30K-100K DNs).
>>>
>>> Second major use case - deepcopy in LDAPEntry is about 20x faster - done
>>> by custom __deepcopy__ function.
>>>
>>> The major change is that DN is no longer internally composed of RDNs
>>> and AVAs but it rather keeps the data in open ldap format - the same as
>>> output of str2dn function. Therefore, for immutable DNs, no other
>>> transformations are required on instantiation.
>>>
>>> The format is:
>>>
>>> DN: [RDN, RDN,...]
>>> RDN: [AVA, AVA,...]
>>> AVA: ['utf-8 encoded str - attr', 'utf-8 encoded str - value', FLAG]
>>> FLAG: int
>>>
>>> Further indexing of DN object constructs an RDN which is just an
>>> encapsulation of the RDN part of open ldap representation. Indexing of
>>> RDN constructs AVA in the same fashion.
>>>
>>> Obtained EditableAVA, EditableRDN from EditableDN share the respective
>>> lists of the open ldap repr. so that the change of value or attr is
>>> reflected in parent object.
>>
>>
>> Looks good. A couple of comments:
>>
>> RDN.to_openldap: _avas always has 3 components, right? I'd prefer
>> `list(a)` over `[a[0], a[1], a[2]]`. Similarly for tuple in __add__
>> and RDN._avas_from_sequence.
>
> Fixed
>
>>
>> DN._rdns_from_value: the error message at the end is wrong, RDN is also
>> accepted. (And, `type(value)` would be more informative than
>> `value.__class__.__name__`.)
>
> Fixed
>
>>
>> You can optimize __deepcopy__ for immutable DNs even further: just
>> return self!
>
> Fixed, but kept part for EditableDN
>
>>
>> In DN.find & rfind, RDNs are not accepted but the error message says
>> they are.
>
> messages fixed
>
>>
>> You removed the newline at end of file.
>>
>
> line readded

ACK

-- 
Petr Viktorin

From mbasti at redhat.com Fri Apr 10 11:19:06 2015
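Petr Vobornik's patch description above lays out the open ldap list layout and the write-through Editable* views, and Petr Viktorin's review raises the non-ASCII input problem. As an added illustration (not code from the FreeIPA patch), here is a minimal Python 3 model of both: a simplified str2dn/dn2str pair, an immutable DN whose __deepcopy__ returns self, and an EditableDN whose AVA views share the parent's lists and accept UTF-8 encoded bytes as well as str. The AVA_STRING flag value, the escaping rules and every class and function name below are assumptions of this example.

```python
"""Added example (not FreeIPA's own code): a model of the DN layout from the
patch description above, in the shape python-ldap's str2dn returns:
DN -> list of RDNs, RDN -> list of AVAs, AVA -> [attr, value, flag]."""
import copy

AVA_STRING = 1  # assumption: flag python-ldap reports for plain text values


def _text(value):
    # Accept unicode str or UTF-8 encoded bytes, nothing else: decoding bytes
    # (instead of allowing only ASCII) is the review point made above.
    if isinstance(value, bytes):
        return value.decode('utf-8')
    if isinstance(value, str):
        return value
    raise TypeError('expected str or UTF-8 bytes, got %s' % type(value))

def _ava(text):
    # One 'attr=value' piece -> [attr, value, flag]
    attr, sep, value = text.partition('=')
    if not sep or not attr.strip():
        raise ValueError('malformed AVA: %r' % text)
    return [attr.strip(), value.strip(), AVA_STRING]

def str2dn(dn):
    # 'cn=a+uid=b,dc=x' -> [[[attr, value, flag], ...], ...]. A backslash
    # escapes the next character; ',' ends an RDN and '+' ends an AVA.
    dn = _text(dn)
    rdns, avas, buf, i = [], [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 1
        elif ch not in ',+':
            buf.append(ch)
        else:
            avas.append(_ava(''.join(buf)))
            buf = []
            if ch == ',':
                rdns.append(avas)
                avas = []
        i += 1
    if buf or avas:
        avas.append(_ava(''.join(buf)))
        rdns.append(avas)
    return rdns

def dn2str(rdns):
    # Inverse of str2dn: put the escapes back on separator characters.
    esc = lambda s: ''.join('\\' + c if c in ',+\\' else c for c in s)
    return ','.join('+'.join('%s=%s' % (a, esc(v)) for a, v, _f in rdn)
                    for rdn in rdns)

class AVA(object):
    # Read-only view over one [attr, value, flag] list owned by the DN.
    def __init__(self, ava):
        self._ava = ava
    attr = property(lambda self: self._ava[0])
    value = property(lambda self: self._ava[1])

class EditableAVA(AVA):
    # Same view, but a write lands directly in the parent DN's list.
    def _set_value(self, new):
        self._ava[1] = _text(new)
    value = property(lambda self: self._ava[1], _set_value)

class RDN(object):
    # View over one RDN list; indexing yields AVA views of the same lists.
    def __init__(self, avas, ava_cls):
        self._avas, self._ava_cls = avas, ava_cls
    def __getitem__(self, index):
        return self._ava_cls(self._avas[index])

class DN(object):
    # Immutable DN: only the parsed nested list is stored, no AVA objects.
    ava_cls = AVA
    def __init__(self, value):
        if isinstance(value, (str, bytes)):
            self._rdns = str2dn(value)
        else:  # another DN or a str2dn-style nested list: own a private copy
            self._rdns = copy.deepcopy(
                value._rdns if isinstance(value, DN) else list(value))
    def __getitem__(self, index):
        return RDN(self._rdns[index], self.ava_cls)
    def __str__(self):
        return dn2str(self._rdns)
    def __deepcopy__(self, memo):
        return self  # immutable, so a "copy" can share everything

class EditableDN(DN):
    # Mutable variant: views write through, so deepcopy must really copy.
    ava_cls = EditableAVA
    def __deepcopy__(self, memo):
        return EditableDN(self._rdns)

def clone(dn):
    return copy.deepcopy(dn)
```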
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Apr 2015 13:19:06 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <20150410105554.GB26699@mail.corp.redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com>
Message-ID: <5527B1AA.8090506@redhat.com>

On 10/04/15 12:55, Lukas Slebodnik wrote:
> On (08/04/15 08:53), Simo Sorce wrote:
>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>> On 28.3.2015 at 00:05 Petr Vobornik wrote:
>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>> pylint changed slightly so we must react otherwise we'll be unable to
>>>>>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure
>>>>>>>> but I don't know if we want it in 4.1.
>>>>>>>>
>>>>>>> ACK
>>>>>> Are all the new disables really just false positives?
>>>>> They seem to me to be false positives.
>>>>>
>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>
>>>>> >>> import ssl
>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>> 3
>>>>>
>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>
>>>>> dateutil.parser.parse() returns datetime.datetime object and it has
>>>>> both tzinfo and timetuple methods
>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>
>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>> uri_escape] Slice index is not an int, None, or instance with __index__)
>>>>>
>>>>> This is the line lint is complaining about:
>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>> I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>>>>>
>>>>>>> tested on:
>>>>>>> - F21: ipa-4-1, master branch
>>>>>>> - F22: master branch.
>>>>>>>
>>>>>>> IMHO it could go to ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>> tentative NACK.
>>> I tested it this way:
>>> 1. started with Fedora-22-x86_64-minimal system
>>> 2. dnf install git
>>> 3. clone freeipa
>>> 4. make version-update # to get freeipa.spec
>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>> 6. ./make-lint
>>>
>>>> It seems the main offenders are "No value for argument 'second' in method
>>>> call" (this one only in test_ipautil.py) and "No value for argument
>>>> 'excClass' in method call" sprinkled around various test plugins.
>>>> These cause E1120(no-value-for-parameter).
>>> Could you please paste the output of make-lint somewhere?
>> Here it is.
>> This is with my f22 desktop, fully updated with buildrequires running
>> make-lint straight after applying your patch:
>>
> I cannot see such warnings and make-lint passed without any problem with
> David's patch.
>
> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
> pytest-2.6.4-1.fc22.noarch
> python-pytest-sourceorder-0.4-2.fc22.noarch
> python-pytest-multihost-0.6-2.fc22.noarch
>
> LS
>
Same here. I built IPA with this patch from both IPA-4-1 and master branch,
with latest F22 packages. Lint was successful.
Martin^2

-- 
Martin Basti

From dkupka at redhat.com Fri Apr 10 12:19:56 2015
From: dkupka at redhat.com (David Kupka)
Date: Fri, 10 Apr 2015 14:19:56 +0200
Subject: [Freeipa-devel] [PATCHES 0213 - 0221] Server Upgrade: LDAPI, Update plugins
In-Reply-To: <551C0D1B.4@redhat.com>
References: <55102781.5060809@redhat.com> <551126AF.3040207@redhat.com> <551145BB.3090909@redhat.com> <551C0D1B.4@redhat.com>
Message-ID: <5527BFEC.9090300@redhat.com>

On 04/01/2015 05:22 PM, Martin Basti wrote:
> On 24/03/15 12:08, Martin Basti wrote:
>> On 24/03/15 09:56, Martin Basti wrote:
>>> On 23/03/15 15:47, Martin Basti wrote:
>>>> Hello,
>>>>
>>>> The patches:
>>>> * allow specifying the order of update plugins in update files.
>>>> * require the use of LDAPI by ipa-ldap-updater
>>>>
>>>> patches attached
>>>>
>>>>
>>>>
>>> Rebased patches attached.
>>>
>>> --
>>> Martin Basti
>>>
>>>
>> I accidentally merged two patches into one in the previous rebase.
>>
>> So properly rebased patches attached.
>>
>> --
>> Martin Basti
>>
>>
> Patch 221 updated: use option to require root user
>
> Requires patch mbasti-223 to work with replica install
>
> Patches attached
>
Code looks good to me and upgrade process works as expected, ACK.

-- 
David Kupka

From simo at redhat.com Fri Apr 10 12:55:42 2015
From: simo at redhat.com (Simo Sorce) Date: Fri, 10 Apr 2015 08:55:42 -0400 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <20150410105554.GB26699@mail.corp.redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> Message-ID: <1428670542.19641.297.camel@willson.usersys.redhat.com> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: > On (08/04/15 08:53), Simo Sorce wrote: > >On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: > >> On 04/06/2015 02:48 PM, Simo Sorce wrote: > >> > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: > >> >> On 03/30/2015 07:12 AM, Jan Cholasta wrote: > >> >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): > >> >>>> On 27.3.2015 14:58, David Kupka wrote: > >> >>>>> pylint changed slightly so we must react otherwise we'll be unable to > >> >>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure > >> >>>>> but I don't know if we want it in 4.1. > >> >>>>> > >> >>>> > >> >>>> ACK > >> >>> > >> >>> Are all the new disables really just false positives? > >> >> > >> >> It seems to me as a false positives. > >> >> > >> >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), > >> >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) > >> >> > >> >> >>> import ssl > >> >> >>> ssl.PROTOCOL_TLSv1 > >> >> 3 > >> >> > >> >> 2. 
ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), > >> >> convertDate] Instance of 'tuple' has no 'tzinfo' member) > >> >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), > >> >> convertDate] Instance of 'tuple' has no 'timetuple' member) > >> >> > >> >> dateutil.parser.parse() returns datetime.datetime object and it has > >> >> both tzinfo and timetuple methods > >> >> (https://docs.python.org/2/library/datetime.html#datetime-objects) > >> >> > >> >> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), > >> >> uri_escape] Slice index is not an int, None, or instance with __index__) > >> >> > >> >> This is the line lint is complaining about: > >> >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) > >> >> I don't see a chance for 'i' or 'i+1' to be anything else than integers. > >> >> > >> >>> > >> >>>> > >> >>>> tested on: > >> >>>> - F21: ipa-4-1, master branch > >> >>>> - F22: master branch. > >> >>>> > >> >>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 > >> >>> > >> > > >> > This patch doesn't seem to fix all my issues building on F22, so > >> > tentative NACK. > >> > >> I tested it this way: > >> 1. started with Fedora-22-x86_64-minimal system > >> 2. dnf install git > >> 3. clone freeipa > >> 4. make version-update # to get freeipa.spec > >> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` > >> 6. ./make-lint > >> > >> > > >> > It seem the main offenders are "No value for argument 'second' in method > >> > call" (this one only in test_ipautul.py) and "No value for argument > >> > 'extClass' in method call" sprinkled around various test plugins. > >> > These cause E1120(no-value-for-parameter). > >> > >> Could you please paste the output of make-lint somewhere? > > > >Here it is. 
> >This is with my f22 desktop, fully updated with buildrequires running > >make-lint straight after applying your patch: > > > >************* Module ipatests.test_ipapython.test_ipautil > >ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) > >ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > 
>ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:128: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:130: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:140: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:143: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:161: [E1120(no-value-for-parameter), TestCIDict.test_items] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:179: [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:189: [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:199: [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:207: [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:217: [E1120(no-value-for-parameter), TestCIDict.test_values] No value for argument 'second' in method call) > 
>ipatests/test_ipapython/test_ipautil.py:229: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:232: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:253: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_dict] No value for argument 'excClass' in method call) > >ipatests/test_ipapython/test_ipautil.py:257: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_list] No value for argument 'excClass' in method call) > >ipatests/test_ipapython/test_ipautil.py:261: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_kwargs] No value for argument 'excClass' in method call) > >ipatests/test_ipapython/test_ipautil.py:270: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:273: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:275: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:278: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:280: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:283: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:286: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:289: [E1120(no-value-for-parameter), TestCIDict.test_pop] 
No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:290: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'excClass' in method call) > >ipatests/test_ipapython/test_ipautil.py:295: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:298: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:303: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:308: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:323: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:324: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:325: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:326: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:327: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:328: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:334: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:335: [E1120(no-value-for-parameter), 
TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:336: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:337: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:338: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:339: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:345: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:346: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:347: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:348: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:349: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:350: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:355: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:356: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > 
>ipatests/test_ipapython/test_ipautil.py:357: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:358: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:359: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:360: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:365: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:366: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:367: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:368: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:369: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:370: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:371: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:377: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:378: [E1120(no-value-for-parameter), 
TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:380: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:385: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:386: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:388: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:393: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:394: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:398: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:403: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:404: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >ipatests/test_ipapython/test_ipautil.py:406: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) > >************* Module ipatests.test_xmlrpc.test_cert_plugin > >ipatests/test_xmlrpc/test_cert_plugin.py:132: [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No value for argument 'excClass' in method call) > >************* Module ipatests.test_xmlrpc.test_automount_plugin > 
>ipatests/test_xmlrpc/test_automount_plugin.py:297: [E1120(no-value-for-parameter), test_automount.test_b_automountkey_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:309: [E1120(no-value-for-parameter), test_automount.test_c_automountlocation_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:318: [E1120(no-value-for-parameter), test_automount.test_d_automountmap_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:378: [E1120(no-value-for-parameter), test_automount_direct.test_3_automountlocation_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:453: [E1120(no-value-for-parameter), test_automount_indirect.test_3_automountkey_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:465: [E1120(no-value-for-parameter), test_automount_indirect.test_4_automountmap_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:477: [E1120(no-value-for-parameter), test_automount_indirect.test_5_automountlocation_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:560: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_3_automountkey_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:572: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_4_automountmap_del] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_automount_plugin.py:584: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_5_automountlocation_del] No value for argument 'excClass' in method call) > >************* Module ipatests.test_xmlrpc.test_sudorule_plugin > >ipatests/test_xmlrpc/test_sudorule_plugin.py:759: 
[E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_sudorule_plugin.py:764: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) > >ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call) > >************* Module ipatests.test_xmlrpc.test_passwd_plugin > >ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call) > >************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin > >ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call) > >************* Module ipatests.test_xmlrpc.test_hbac_plugin > >ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call) > >************* Module ipatests.test_ipaserver.test_ldap > >ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call) > > > > I cannot see such warnings and make-lint passed without any problem with > David's patch. > > [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest > pytest-2.6.4-1.fc22.noarch > python-pytest-sourceorder-0.4-2.fc22.noarch > python-pytest-multihost-0.6-2.fc22.noarch I have the same packages What version of pylint ? I have pylint-1.4.1-3.fc22.noarch Simo. -- Simo Sorce * Red Hat, Inc * New York From tscherf at redhat.com Fri Apr 10 13:35:50 2015 
From: tscherf at redhat.com (Thorsten Scherf) Date: Fri, 10 Apr 2015 15:35:50 +0200 Subject: [Freeipa-devel] [PATCH 001] Remove recommendation from ipa-adtrust-install Message-ID: <20150410133550.GA14560@tscherf.redhat.com> -------------- next part -------------- From e50ff3591460cad40beaaf8c97b5c43cae44e985 Mon Sep 17 00:00:00 2001 From: Thorsten Scherf Date: Fri, 10 Apr 2015 15:26:28 +0200 Subject: [PATCH] Removed recommendation from ipa-adtrust-install In the wiki we say it's not longer necessary to make the IPA LDAP server not reachable by any AD domain controller. To be consistence, the setup tool should reflext this statement. https://fedorahosted.org/freeipa/ticket/4977 --- install/tools/ipa-adtrust-install | 9 --------- 1 file changed, 9 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 6e55bbe3e57f1c609398dc571e90cb8677d91a33..ac1d13a130f7ae295825dd1a16da2b3f946fe002 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -429,15 +429,6 @@ You must make sure these network ports are open: \t * 389: (C)LDAP \t * 445: microsoft-ds -Additionally you have to make sure the FreeIPA LDAP server is not reachable -by any domain controller in the Active Directory domain by closing down -the following ports for these servers: -\tTCP Ports: -\t * 389, 636: LDAP/LDAPS - -You may want to choose to REJECT the network packets instead of DROPing -them to avoid timeouts on the AD domain controllers. - ============================================================================= """ if admin_password: -- 1.9.3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 181 bytes Desc: not available URL: From pviktori at redhat.com Fri Apr 10 13:58:53 2015 
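Review bot: the commit message justifies deleting the hardening advice only with "In the wiki we say it's not longer necessary", without naming the wiki page or the reason the recommendation (keeping AD domain controllers away from TCP 389/636 on the IPA LDAP server) was withdrawn; since this hunk removes a security recommendation from the installer's post-install text, the message should link the wiki page or state the reason next to the ticket URL so the rationale survives in the log. Minor: the commit message has typos ("not longer" should be "no longer", "To be consistence" should be "To be consistent", "reflext" should be "reflect"), and the subject line says "Removed" where the thread subject and git convention use the imperative "Remove". The deletion itself is clean: the ports list now ends at "\t * 445: microsoft-ds" followed directly by the separator line, and the trailing `if admin_password:` context is untouched.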
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 10 Apr 2015 15:58:53 +0200
Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes
Message-ID: <5527D71D.5020209@redhat.com>

The attached patches remove EditableDN, EditableRDN and EditableAVA.
They depend on Petr Voborník's patch 811 (performance: faster DN implementation).

Mutable DNs are not very useful. When creating them it is easier to work with lists or generators, and needing to change DNs aside from operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say theoretical.
Mutable DNs are not hashable, so they can't be used as dict keys. Storing them as "keys" in other structures (e.g. in a LDAPEntry) is dangerous -- it's hard to reason about outside modifications.

The first patch removes the last use of EditableDN. I could be convinced it's not an improvement in elegance/readability, but I believe this is the strongest case for EditableDN in IPA, and it doesn't justify keeping it.

-- 
Petr Viktorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0688-rename_managed-Remove-use-of-EditableDN.patch
Type: text/x-patch
Size: 4671 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0689-Remove-Editable-DN-and-DN-component-classes.patch
Type: text/x-patch
Size: 135634 bytes
Desc: not available
URL: 
From tbordaz at redhat.com Sun Apr 12 16:51:09 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Sun, 12 Apr 2015 18:51:09 +0200 Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior In-Reply-To: <552657A3.7040503@redhat.com> References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com> <55252E30.7060301@redhat.com> <552657A3.7040503@redhat.com> Message-ID: <552AA27D.3060000@redhat.com> On 04/09/2015 12:42 PM, thierry bordaz wrote: > On 04/08/2015 03:33 PM, Jan Cholasta wrote: >> Dne 8.4.2015 v 15:00 thierry bordaz napsal(a): >>> On 04/08/2015 08:34 AM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 1.4.2015 v 17:40 thierry bordaz napsal(a): >>>>> Hello, >>>>> >>>>> In user life cycle, Active entries are moved to Delete >>>>> container and >>>>> Delete entries can be moved back to Staging container. >>>>> This requires a LDAP modrdn with new superior that is not >>>>> supported >>>>> in ldap2. >>>> >>>> Since update_entry_rdn() is used only in one spot in baseldap, I think >>>> we can merge it and move_entry_newsuperior() into a single method >>>> move_entry(): >>>> >>>> def move_entry(self, dn, new_dn, del_old=True): >>>> >>>> We can easily detect whether the superior needs to be updated by >>>> comparing dn[1:] and new_dn[1:]. >>> >>> Hello Jan, >>> >>> Yes that is a good idea to merge those two methods. They both rely on >>> modrdn and a single method is enough. 
>>
>> Well, I had something like this in mind:
>>
>> def move_entry(self, dn, new_dn, del_old=True):
>>     assert isinstance(dn, DN)
>>     assert isinstance(new_dn, DN)
>>
>>     if new_dn == dn:
>>         raise errors.EmptyModlist()
>>
>>     new_rdn = new_dn[0]
>>     if new_rdn == dn[0]:
>>         new_rdn = None
>>
>>     new_superior = new_dn[1:]
>>     if new_superior == dn[1:]:
>>         new_superior = None
>>
>>     with self.error_handler():
>>         self.conn.rename_s(dn, new_rdn, new_superior, int(del_old))
>>         time.sleep(.3)  # Give memberOf plugin a chance to work
>>
>> so that you don't have to care if you should change the RDN or the
>> superior and it just does the right thing.
>>
>>>
>>>>
>>>> Maybe we can also get rid of del_old, if it's always gonna be True in
>>>> our code?
>>>
>>> I think it is better to get this interface as close as possible as the
>>> MODRDN call, so that del_old option will be already available for
>>> future
>>> usage.
>>> I agree that currently del_old is always true in case of IPA but it
>>> could be the default value.
>>
>> OK, it's not a big piece of code, so I guess we can leave it.
>>
> Thanks for the reviews and the help. Here is a new patch.
>
> thierry
>
Hello,

After additional tests, the previous patch was incomplete...

thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0004-4-User-life-cycle-allows-MODRDN-from-ldap2.patch
Type: text/x-patch
Size: 3623 bytes
Desc: not available
URL: 
From jcholast at redhat.com Mon Apr 13 06:12:18 2015
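The move_entry() proposal in the exchange between thierry bordaz and Jan Cholasta above decides, from the two DNs alone, whether a single MODRDN needs a new RDN, a new superior, or both. The block below is an added example, not code from the thread or from FreeIPA: it reproduces that decision logic against a fake connection that only records the rename_s() call, so the three cases (a pure re-parent such as the active-to-deleted and deleted-to-staged moves of the user life cycle, a pure rename, and the rejected no-op) can be checked offline without a directory server. DNs are modelled as tuples of RDN strings, relying on the same dn[0] / dn[1:] indexing the thread uses with ipapython.dn.DN; EmptyModlist, FakeConnection, plan_move and the sample container DNs are stand-ins and constructed values, not FreeIPA's own.

```python
class EmptyModlist(Exception):
    """Stand-in for ipalib.errors.EmptyModlist (assumed to play the same role)."""


class FakeConnection:
    """Records rename_s() calls instead of talking to an LDAP server.

    The call shape mirrors python-ldap's
    SimpleLDAPObject.rename_s(dn, newrdn, newsuperior=None, delold=1).
    """

    def __init__(self):
        self.calls = []

    def rename_s(self, dn, newrdn, newsuperior=None, delold=1):
        self.calls.append((dn, newrdn, newsuperior, delold))


def dn_to_str(dn):
    """Join a tuple of RDN strings into LDAP's textual DN form."""
    return ",".join(dn)


def plan_move(dn, new_dn):
    """Work out which halves of a MODRDN are needed to get from dn to new_dn.

    Returns (new_rdn, new_superior); each is None when that half is
    unchanged, following the proposal in the thread.  dn[0] is the RDN
    and dn[1:] the superior, as with ipapython.dn.DN slicing.
    """
    if new_dn == dn:
        # Nothing to change: refuse rather than send a pointless MODRDN.
        raise EmptyModlist("entry is already at the requested DN")

    new_rdn = new_dn[0] if new_dn[0] != dn[0] else None
    new_superior = new_dn[1:] if new_dn[1:] != dn[1:] else None
    return new_rdn, new_superior


def move_entry(conn, dn, new_dn, del_old=True):
    """One MODRDN that renames, re-parents, or both; returns the recorded call."""
    new_rdn, new_superior = plan_move(dn, new_dn)
    superior_str = dn_to_str(new_superior) if new_superior is not None else None
    conn.rename_s(dn_to_str(dn), new_rdn, superior_str, int(del_old))
    return conn.calls[-1]


# Constructed sample DNs modelled on the active / deleted / staged user
# containers the thread talks about; the suffix is made up.
SUFFIX = ("dc=example", "dc=test")
ACTIVE = ("uid=alice", "cn=users", "cn=accounts") + SUFFIX
DELETED = ("uid=alice", "cn=deleted users", "cn=accounts", "cn=provisioning") + SUFFIX
STAGED = ("uid=alice", "cn=staged users", "cn=accounts", "cn=provisioning") + SUFFIX


if __name__ == "__main__":
    conn = FakeConnection()
    # Active -> deleted: only the superior changes, the RDN stays.
    print(move_entry(conn, ACTIVE, DELETED))
    # Deleted -> staged: again a pure re-parent.
    print(move_entry(conn, DELETED, STAGED))
    # Plain rename inside the same container: only the RDN changes.
    print(move_entry(conn, ACTIVE, ("uid=alice2",) + ACTIVE[1:]))
    # A no-op is rejected before anything reaches the server.
    try:
        move_entry(conn, ACTIVE, ACTIVE)
    except EmptyModlist as e:
        print("refused:", e)
```

The point of keeping plan_move() separate from the call is that the comparison logic can be unit-tested without an LDAP server, while move_entry() stays a thin wrapper around the one protocol operation, which is the shape Jan's proposal argues for.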
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 13 Apr 2015 08:12:18 +0200
Subject: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject
In-Reply-To: <55269A80.1020309@redhat.com>
References: <55252ABF.5010608@redhat.com> <55269A80.1020309@redhat.com>
Message-ID: <552B5E42.2070604@redhat.com>

On 9.4.2015 17:28, Petr Viktorin wrote:
> On 04/08/2015 03:18 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches remove IPASimpleLDAPObject from ipaldap.
>>
>> As a result, the one and only IPA LDAP API is the LDAPClient API.
>
> This is definitely an improvement :)
>
> 0408: ACK (woohoo!)
> 0409: ACK
> 0410:
> I quite like the new __init__ signature, and the context manager
> functionality.
> Can you add a comment for the `object.__setattr__(self, '_conn', None)`
> in _disconnect? It's a real eyesore.

Added.

> 0411: ACK
> 0412: Can _force_schema_updates be set already in __init__?

Unfortunately not. ldap2 is now used with different API instances, and the current API instance is not available in __init__. I'm working on an additional patch to pass the API object to plugins in their __init__ (because why do it somewhere else), which will fix this.

> 0413: ACK
> 0414: ACK
> 0415: ACK
> 0416: I think you should show off the `with` statement support here.

Fixed.

> 0417: ... and here

Fixed.

> 0418: ACK
> 0419: ACK
> 0420: ACK
> 0421: ACK

Added a comment about ldap2's locking here as well. Also moved LDAPClient.schema back to its original location to save some lines in the patch.

> 0422: ACK, and good riddance

You missed 423 :-)

Thanks for the review. Updated patches attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-408.1-ldap-Drop-python-ldap-tuple-compatibility.patch
Type: text/x-patch
Size: 4580 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-409.1-ldap-Remove-unused-IPAdmin-methods.patch Type: text/x-patch Size: 976 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-410.1-ldap-Add-connection-management-to-LDAPClient.patch Type: text/x-patch Size: 5054 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-411.1-ldap-Use-LDAPClient-connection-management-in-IPAdmin.patch Type: text/x-patch Size: 1604 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-412.1-ldap-Use-LDAPClient-connection-management-in-ldap2.patch Type: text/x-patch Size: 1731 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-413.1-ldap-Add-bind-and-unbind-methods-to-LDAPClient.patch Type: text/x-patch Size: 2028 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-414.1-ldap-Use-LDAPClient-bind-and-unbind-methods-in-IPAdm.patch Type: text/x-patch Size: 2904 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-415.1-ldap-Use-LDAPClient-bind-and-unbind-methods-in-ldap2.patch Type: text/x-patch Size: 4192 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-416.1-ldap-Use-LDAPClient-instead-of-IPASimpleLDAPObject-i.patch Type: text/x-patch Size: 1372 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-417.1-cainstance-Use-LDAPClient-instead-of-IPASimpleLDAPOb.patch Type: text/x-patch Size: 1688 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-418.1-makeaci-Use-LDAPClient-instead-of-IPASimpleLDAPObjec.patch Type: text/x-patch Size: 1440 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-419.1-ldap-Move-value-encoding-from-IPASimpleLDAPObject-to.patch Type: text/x-patch Size: 18200 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-420.1-ldap-Use-LDAPClient-instead-of-IPASimpleLDAPObject-i.patch Type: text/x-patch Size: 3149 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-421.1-ldap-Move-schema-handling-from-IPASimpleLDAPObject-t.patch Type: text/x-patch Size: 30711 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-422.1-ldap-Use-SimpleLDAPObject-instead-of-IPASimpleLDAPOb.patch Type: text/x-patch Size: 1261 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-423.1-ldap-Remove-IPASimpleLDAPObject.patch Type: text/x-patch Size: 5122 bytes Desc: not available URL: From lkrispen at redhat.com Mon Apr 13 08:56:37 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 13 Apr 2015 10:56:37 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree Message-ID: <552B84C5.80300@redhat.com> Hi, in the attachment you find the latest state of the "topology plugin"; it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer). It contains the plugin itself and a core of ipa commands to manage a topology. To be really applicable, some work outside is required, e.g. the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig [Attachment: freeipa-lkrispen-0003-manage-replication-topology-in-the-shaerd-tree.patch, 171383 bytes] From dkupka at redhat.com Mon Apr 13 11:23:19 2015
From: dkupka at redhat.com (David Kupka) Date: Mon, 13 Apr 2015 13:23:19 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <1428670542.19641.297.camel@willson.usersys.redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> Message-ID: <552BA727.2010307@redhat.com> On 04/10/2015 02:55 PM, Simo Sorce wrote: > On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: >> On (08/04/15 08:53), Simo Sorce wrote: >>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: >>>> On 04/06/2015 02:48 PM, Simo Sorce wrote: >>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>>>>>> On 28.3.2015 at 00:05 Petr Vobornik wrote: >>>>>>>> On 27.3.2015 14:58, David Kupka wrote: >>>>>>>>> pylint changed slightly so we must react, otherwise we'll be unable to >>>>>>>>> build freeipa rpms on Fedora 22. This patch should go to master for sure >>>>>>>>> but I don't know if we want it in 4.1. >>>>>>>>> >>>>>>>> >>>>>>>> ACK >>>>>>> >>>>>>> Are all the new disables really just false positives? >>>>>> >>>>>> They seem to me to be false positives. >>>>>> >>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>>>>> >>>>>> >>> import ssl >>>>>> >>> ssl.PROTOCOL_TLSv1 >>>>>> 3 >>>>>> >>>>>> 2. 
ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member) >>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member) >>>>>> >>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has >>>>>> both tzinfo and timetuple methods >>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects) >>>>>> >>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), >>>>>> uri_escape] Slice index is not an int, None, or instance with __index__) >>>>>> >>>>>> This is the line lint is complaining about: >>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) >>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than integers. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> tested on: >>>>>>>> - F21: ipa-4-1, master branch >>>>>>>> - F22: master branch. >>>>>>>> >>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22 >>>>>>> >>>>> >>>>> This patch doesn't seem to fix all my issues building on F22, so >>>>> tentative NACK. >>>> >>>> I tested it this way: >>>> 1. started with Fedora-22-x86_64-minimal system >>>> 2. dnf install git >>>> 3. clone freeipa >>>> 4. make version-update # to get freeipa.spec >>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` >>>> 6. ./make-lint >>>> >>>>> >>>>> It seems the main offenders are "No value for argument 'second' in method >>>>> call" (this one only in test_ipautil.py) and "No value for argument >>>>> 'excClass' in method call" sprinkled around various test plugins. >>>>> These cause E1120(no-value-for-parameter). >>>> >>>> Could you please paste the output of make-lint somewhere? >>> >>> Here it is. 
>>> This is with my f22 desktop, fully updated with buildrequires running >>> make-lint straight after applying your patch: >>> >>> ************* Module ipatests.test_ipapython.test_ipautil >>> ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) >>> ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) 
>>> ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:128: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:130: [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:140: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:143: [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:161: [E1120(no-value-for-parameter), TestCIDict.test_items] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:179: [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:189: [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:199: [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:207: [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:217: [E1120(no-value-for-parameter), TestCIDict.test_values] No value for argument 'second' in method call) >>> 
ipatests/test_ipapython/test_ipautil.py:229: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:232: [E1120(no-value-for-parameter), TestCIDict.test_update] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:253: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_dict] No value for argument 'excClass' in method call) >>> ipatests/test_ipapython/test_ipautil.py:257: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_list] No value for argument 'excClass' in method call) >>> ipatests/test_ipapython/test_ipautil.py:261: [E1120(no-value-for-parameter), TestCIDict.test_update_duplicate_values_kwargs] No value for argument 'excClass' in method call) >>> ipatests/test_ipapython/test_ipautil.py:270: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:273: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:275: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:278: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:280: [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:283: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:286: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:289: [E1120(no-value-for-parameter), 
TestCIDict.test_pop] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:290: [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for argument 'excClass' in method call) >>> ipatests/test_ipapython/test_ipautil.py:295: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:298: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:303: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:308: [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:323: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:324: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:325: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:326: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:327: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:328: [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:334: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:335: 
[E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:336: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:337: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:338: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:339: [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:345: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:346: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:347: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:348: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:349: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:350: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:355: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:356: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for 
argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:357: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:358: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:359: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:360: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:365: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:366: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:367: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:368: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:369: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:370: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:371: [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:377: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:378: 
[E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:380: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:385: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:386: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:388: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:393: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:394: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:398: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:403: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:404: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:406: [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No value for argument 'second' in method call) >>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>> ipatests/test_xmlrpc/test_cert_plugin.py:132: [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No value for argument 'excClass' in method call) >>> ************* Module 
ipatests.test_xmlrpc.test_automount_plugin >>> ipatests/test_xmlrpc/test_automount_plugin.py:297: [E1120(no-value-for-parameter), test_automount.test_b_automountkey_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:309: [E1120(no-value-for-parameter), test_automount.test_c_automountlocation_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:318: [E1120(no-value-for-parameter), test_automount.test_d_automountmap_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:378: [E1120(no-value-for-parameter), test_automount_direct.test_3_automountlocation_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:453: [E1120(no-value-for-parameter), test_automount_indirect.test_3_automountkey_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:465: [E1120(no-value-for-parameter), test_automount_indirect.test_4_automountmap_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:477: [E1120(no-value-for-parameter), test_automount_indirect.test_5_automountlocation_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:560: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_3_automountkey_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:572: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_4_automountmap_del] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_automount_plugin.py:584: [E1120(no-value-for-parameter), test_automount_indirect_no_parent.test_5_automountlocation_del] No value for argument 'excClass' in method call) >>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>> 
ipatests/test_xmlrpc/test_sudorule_plugin.py:759: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call) >>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call) >>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call) >>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call) >>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin >>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call) >>> ************* Module ipatests.test_ipaserver.test_ldap >>> ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call) >>> >> >> I cannot see such warnings and make-lint passed without any problem with >> David's patch. >> >> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest >> pytest-2.6.4-1.fc22.noarch >> python-pytest-sourceorder-0.4-2.fc22.noarch >> python-pytest-multihost-0.6-2.fc22.noarch > > I have the same packages > What version of pylint ? > > I have pylint-1.4.1-3.fc22.noarch > > Simo. 
Thanks to Honza I've finally found a way to get the same errors you're reporting. All of them seem to be false positives, but I'll investigate a little more to be sure. The thing is that the python-nose package, which is still used in some tests, is not in BuildRequires, so I didn't install it. Another weird thing is that lint does not complain that tests are importing nose, which is not installed. -- David Kupka From mbabinsk at redhat.com Mon Apr 13 12:16:56 2015
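The `uri_escape` line pylint flagged in this thread slices a hex string two characters at a time to build `%XX` escapes. As an added illustration (this is not FreeIPA's ipapython code; the function names and the RFC 3986 unreserved set used by `uri_escape` are assumptions of the example), here is a percent-encoder that uses that same slicing idiom, next to a strict decoder, so a reader can see that the slice indices are always plain ints and can check a round trip:

```python
import binascii
import re

# RFC 3986 "unreserved" characters, kept literal; everything else is escaped.
# Which characters a particular URI scheme allows unescaped is an assumption
# of this example, not something the thread above specifies.
_UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def _as_bytes(value):
    """str is taken as UTF-8; bytes pass through unchanged."""
    return value.encode("utf-8") if isinstance(value, str) else bytes(value)


def uri_escape(value):
    """Percent-encode every byte of `value` that is not unreserved; returns an
    ASCII str. Iterating over bytes yields ints, so no decoding step is needed."""
    out = []
    for byte in _as_bytes(value):
        out.append(chr(byte) if byte in _UNRESERVED else "%%%02X" % byte)
    return "".join(out)


def hex_escape_all(value):
    """Escape every byte, using the idiom from the thread: hexlify the whole
    value, then take hexval[i:i+2] for i = 0, 2, 4, ...  Both slice bounds are
    ints produced by range(), which is what pylint failed to infer."""
    hexval = binascii.hexlify(_as_bytes(value)).decode("ascii").upper()
    return "".join("%" + hexval[i:i + 2] for i in range(0, len(hexval), 2))


def uri_unescape(text):
    """Strict inverse: returns bytes and raises ValueError on a '%' that is not
    followed by exactly two hex digits, or on any non-ASCII character. Lenient
    decoders that pass such input through are a classic source of filter-bypass
    bugs, so this one rejects instead of guessing."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        ch = text[pos]
        if ch == "%":
            m = _ESCAPE_RE.match(text, pos)
            if m is None:
                raise ValueError("malformed percent-escape at offset %d" % pos)
            out.append(int(m.group(1), 16))
            pos = m.end()
        elif ord(ch) > 0x7F:
            raise ValueError("non-ASCII character at offset %d" % pos)
        else:
            out.append(ord(ch))
            pos += 1
    return bytes(out)


def is_well_formed(text):
    """True if `text` decodes cleanly under the strict rules above."""
    try:
        uri_unescape(text)
    except ValueError:
        return False
    return True
```

Round-tripping through `uri_unescape(uri_escape(x))` on arbitrary bytes, including NUL and 0xFF, is the check worth keeping in a unit test; the strict decoder is what makes the encoder's output unambiguous.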
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 13 Apr 2015 14:16:56 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <552680F2.3050208@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> Message-ID: <552BB3B8.9040103@redhat.com> On 04/09/2015 03:38 PM, Jan Cholasta wrote: > > Some comments: > > Patch 15: > > 1) The functions should be as similar as possible: > > a) kinit_password() should have a 'ccache_path' argument instead of > passing the path in KRB5CCNAME in the 'env' argument. > > b) I don't think kinit_password() should have the 'env' argument at > all. You can always call kinit with LC_ALL=C and set other variables in > os.environ if you want. > > c) The arguments should have the same ordering. > > d) Either set KRB5CCNAME in both kinit_keytab() and > kinit_password() or in none of them. > > e) Either rename armor_ccache to armor_ccache_path or ccache_path > to ccache. > I have done some reordering of parameters in both functions so they are very similar now and the parameter ordering should make more sense (at least to me). Neither of them sets KRB5CCNAME env. variable since I think that it is not a very good practice and the developer should be responsible for pointing to correct CCache path. Jan agrees with this and the other patches are updated accordingly. > > 2) Space before comma in docstring: > > + Given a ccache_path , keytab file and a principal kinit as that user. 
> > > 3) I would prefer if the default value of 'armor_ccache' in > kinit_password() was None. > Fixed. > > Patch 16: > > 1) The callback should not be named 'validate_kinit_attempts_option', > but rather 'kinit_attempts_callback', as it doesn't just validate the > value. > Fixed. > > 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A > comment with explanation would be nice. > It actually doesn't make much sense to have such an upper bound, so I have removed it from the check and updated the error message accordingly. > > Patch 17: > > 1) Is there a reason for the ccache filename changes in DNSSEC code? > That was Petr Spacek's request, since a sane naming of persistent ccaches makes debugging of Kerberos-related errors a bit easier for him. Attaching updated patches. -- Martin^3 Babinsky [Attachment: freeipa-mbabinsk-0015-7-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch, 4702 bytes] [Attachment: freeipa-mbabinsk-0016-6-ipa-client-install-try-to-get-host-TGT-several-times.patch, 8227 bytes] [Attachment: freeipa-mbabinsk-0017-5-Adopted-kinit_keytab-and-kinit_password-for-kerberos.patch, 11973 bytes] From pviktori at redhat.com Mon Apr 13 12:57:32 2015
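To make the conventions agreed in this thread concrete (a `ccache_path` argument instead of setting KRB5CCNAME in the caller's environment, an optional armor ccache defaulting to None, a `kinit_attempts_callback` with no upper bound, and retrying the host TGT), here is an added Python sketch. It is not the code in patches 0015-0017: the function names, the `/usr/bin/kinit` path, the retry policy and `FakeRun` are assumptions of this example, and `FakeRun` replaces `subprocess.run` so the block runs without a KDC.

```python
import os
import subprocess
import time

KINIT = "/usr/bin/kinit"  # path assumed for this example


def kinit_env(ccache_path):
    """Environment for the kinit child: a copy of ours with KRB5CCNAME pointing
    at the caller's chosen cache and LC_ALL=C so error text is stable. The
    parent's os.environ is deliberately left untouched."""
    env = dict(os.environ)
    env["KRB5CCNAME"] = ccache_path
    env["LC_ALL"] = "C"
    return env


def kinit_keytab_argv(principal, keytab_path):
    """kinit -k -t <keytab> <principal>"""
    return [KINIT, "-k", "-t", keytab_path, principal]


def kinit_password_argv(principal, armor_ccache_path=None):
    """kinit [-T <armor ccache>] <principal>; the password goes over stdin."""
    argv = [KINIT]
    if armor_ccache_path is not None:
        argv += ["-T", armor_ccache_path]  # FAST armor, optional
    argv.append(principal)
    return argv


def kinit_attempts_callback(value):
    """Option callback for a --kinit-attempts style switch: any positive
    integer is accepted; there is deliberately no upper bound."""
    try:
        attempts = int(value)
    except (TypeError, ValueError):
        raise ValueError("kinit attempts must be a positive integer")
    if attempts < 1:
        raise ValueError("kinit attempts must be a positive integer")
    return attempts


def kinit_keytab(principal, keytab_path, ccache_path, attempts=1, delay=1.0,
                 run=subprocess.run):
    """Get a TGT from a keytab into ccache_path, retrying up to `attempts`
    times (a freshly enrolled host may race the KDC). Returns the attempt
    number that succeeded; raises RuntimeError with kinit's stderr otherwise."""
    argv = kinit_keytab_argv(principal, keytab_path)
    env = kinit_env(ccache_path)
    last_err = b""
    for n in range(1, attempts + 1):
        result = run(argv, env=env, stdin=subprocess.DEVNULL,
                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        if result.returncode == 0:
            return n
        last_err = result.stderr
        if n < attempts:
            time.sleep(delay)
    raise RuntimeError("kinit failed after %d attempt(s): %r" % (attempts, last_err))


def kinit_password(principal, password, ccache_path, armor_ccache_path=None,
                   run=subprocess.run):
    """Get a TGT with a password into ccache_path. The password is written to
    kinit's stdin, never put on the command line where `ps` would show it."""
    argv = kinit_password_argv(principal, armor_ccache_path)
    env = kinit_env(ccache_path)
    result = run(argv, env=env, input=(password + "\n").encode("utf-8"),
                 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if result.returncode != 0:
        raise RuntimeError("kinit failed: %r" % (result.stderr,))


class FakeRun:
    """Constructed stand-in for subprocess.run so the example runs with no KDC:
    fails `failures` times, then succeeds, recording what it was asked to run."""

    def __init__(self, failures=0):
        self.failures = failures
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append((argv, kwargs))
        rc = 1 if len(self.calls) <= self.failures else 0
        stderr = b"kinit: Cannot contact any KDC for realm" if rc else b""
        return subprocess.CompletedProcess(argv, rc, stdout=b"", stderr=stderr)


if __name__ == "__main__":
    fake = FakeRun(failures=2)
    used = kinit_keytab("host/client.example.test@EXAMPLE.TEST", "/etc/krb5.keytab",
                        "/run/example/krb5cc_host", attempts=3, delay=0, run=fake)
    print("TGT obtained on attempt", used)
```

Passing the cache path through the child's environment only, as `kinit_env` does, keeps two callers in the same process from silently sharing or clobbering a cache, which is the practical reason for not exporting KRB5CCNAME globally.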
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 13 Apr 2015 14:57:32 +0200 Subject: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject In-Reply-To: <552B5E42.2070604@redhat.com> References: <55252ABF.5010608@redhat.com> <55269A80.1020309@redhat.com> <552B5E42.2070604@redhat.com> Message-ID: <552BBD3C.5060609@redhat.com> On 04/13/2015 08:12 AM, Jan Cholasta wrote: > On 9.4.2015 at 17:28 Petr Viktorin wrote: >> On 04/08/2015 03:18 PM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches remove IPASimpleLDAPObject from ipaldap. >>> >>> As a result, the one and only IPA LDAP API is the LDAPClient API. >> >> This is definitely an improvement :) >> >> 0408: ACK (woohoo!) >> 0409: ACK >> 0410: >> I quite like the new __init__ signature, and the context manager >> functionality. >> Can you add a comment for the `object.__setattr__(self, '_conn', None)` >> in _disconnect? It's a real eyesore. > > Added. > >> 0411: ACK >> 0412: Can _force_schema_updates be set already in __init__? > > Unfortunately not. ldap2 is now used with different API instances, and > the current API instance is not available in __init__. > > I'm working on an additional patch for > to pass the API object to > plugins in their __init__ (because why do it somewhere else), which will > fix this. > >> 0413: ACK >> 0414: ACK >> 0415: ACK >> 0416: I think you should show off the `with` statement support here. > > Fixed. > >> 0417: ... and here > > Fixed. > >> 0418: ACK >> 0419: ACK >> 0420: ACK >> 0421: ACK > > Added a comment about ldap2's locking here as well. > > Also moved LDAPClient.schema back to its original location to save some > lines in the patch. > >> 0422: ACK, and good riddance > > You missed 423 :-) Ah, that comment was meant for 423 :) ACK for all -- Petr Viktorin From mkubik at redhat.com Mon Apr 13 14:07:59 2015
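The connection management and `with` statement support reviewed above (0410, 0413-0417), sketched as an added example. This is not FreeIPA's ipaldap code: `LDAPClient`, `FakeLDAPConnection`, the two made-up entries and the `Secret123` credential are all constructed for this illustration, and the fake stands in for python-ldap's `SimpleLDAPObject` so the block runs with no directory server.

```python
SCOPE_SUBTREE = 2  # same numeric value python-ldap uses for ldap.SCOPE_SUBTREE


class LDAPError(Exception):
    pass


class NotConnected(LDAPError):
    pass


class FakeLDAPConnection:
    """Constructed stand-in for python-ldap's SimpleLDAPObject, holding two
    made-up entries, so the example runs without a directory server."""

    ENTRIES = [
        ("uid=admin,cn=users,cn=accounts,dc=example,dc=test", {"uid": [b"admin"]}),
        ("uid=alice,cn=users,cn=accounts,dc=example,dc=test", {"uid": [b"alice"]}),
    ]

    def __init__(self, uri):
        self.uri = uri
        self.bound_as = None
        self.closed = False

    def simple_bind_s(self, dn, password):
        if password != "Secret123":  # constructed credential for the demo
            raise LDAPError("invalid credentials")
        self.bound_as = dn

    def search_s(self, base, scope, filterstr):
        if self.closed:
            raise LDAPError("connection is closed")
        uid = filterstr[len("(uid="):-1]
        return [(dn, attrs) for dn, attrs in self.ENTRIES
                if dn.endswith(base) and attrs["uid"] == [uid.encode()]]

    def unbind_s(self):
        self.closed = True


class LDAPClient:
    """Connection lifecycle in one place: connect() opens and binds, the
    context-manager protocol guarantees an unbind on the way out, and any
    operation on a disconnected client fails fast instead of touching None."""

    def __init__(self, ldap_uri, connection_factory=FakeLDAPConnection):
        self.ldap_uri = ldap_uri
        self._factory = connection_factory
        self._conn = None

    @property
    def connected(self):
        return self._conn is not None

    @property
    def conn(self):
        if self._conn is None:
            raise NotConnected("not connected; call connect() or use 'with'")
        return self._conn

    def connect(self, bind_dn=None, bind_pw=None):
        if self._conn is not None:
            raise LDAPError("already connected")
        conn = self._factory(self.ldap_uri)
        if bind_dn is not None:
            try:
                conn.simple_bind_s(bind_dn, bind_pw)
            except LDAPError:
                conn.unbind_s()  # do not leak a half-open connection
                raise
        self._conn = conn
        return self

    def disconnect(self):
        if self._conn is not None:
            try:
                self._conn.unbind_s()
            finally:
                self._conn = None

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.disconnect()
        return False  # never swallow the body's exception

    def find_by_uid(self, base, uid):
        if not uid.isalnum():  # keep filter injection out of the demo filter
            raise ValueError("uid must be alphanumeric")
        return self.conn.search_s(base, SCOPE_SUBTREE, "(uid=%s)" % uid)


def lookup_uid(ldap_uri, bind_dn, bind_pw, base, uid):
    """Typical use: everything inside the with block runs bound, and the
    connection is unbound whether or not the search raises."""
    with LDAPClient(ldap_uri).connect(bind_dn, bind_pw) as client:
        return client.find_by_uid(base, uid)
```

The two failure modes worth keeping in mind are both covered here: a bind that fails must not leave a half-open socket behind, and an exception raised inside the `with` body must still unbind while propagating, which is why `__exit__` returns False.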
From: mkubik at redhat.com (Milan Kubik) Date: Mon, 13 Apr 2015 16:07:59 +0200 Subject: [Freeipa-devel] [PATCH 0210] DNSSEC: CI test In-Reply-To: <552506F8.1050702@redhat.com> References: <55102929.9030702@redhat.com> <5523DF64.6050405@redhat.com> <552506F8.1050702@redhat.com> Message-ID: <552BCDBF.8090303@redhat.com> On 04/08/2015 12:46 PM, Martin Basti wrote: > On 07/04/15 15:45, Milan Kubik wrote: >> >> >> On 03/23/2015 03:54 PM, Martin Basti wrote: >>> Hello, >>> >>> a patch with DNSSEC CI tests attached. >>> >>> * Two types of installation tested >>> * Tests check if zones are signed on both replica and master >>> * The root zone test also checks chain of trust >>> >>> Can somebody very familiar with pytest do a review? I'm not sure if I >>> used pytest-friendly constructions. >>> >>> PS: the test may fail occasionally due to a bug in DNSSEC code, but the CI >>> test itself should be OK >>> >>> Useful information: http://www.freeipa.org/page/Howto/DNSSEC >>> >>> >>> >> Hello, >> >> the patch looks good to me. >> >> Fix the pep8 complaints please (unused imports and long lines). >> >> Thanks, >> Milan > Thanks, > > updated patch attached. > > -- > Martin Basti Thanks, ack. Milan From pspacek at redhat.com Mon Apr 13 15:05:26 2015
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Apr 2015 17:05:26 +0200 Subject: [Freeipa-devel] [PATCH 0026-0028] Fix nits in user-visible output Message-ID: <552BDB36.4090006@redhat.com> Hello, the documentation team proposed a few changes in user-visible messages, so here it is. It was not worth a ticket and the related overhead. -- Petr^2 Spacek [Attachment: freeipa-pspacek-0026-Clarify-messages-related-to-adding-DNS-forwarders.patch, 1803 bytes] [Attachment: freeipa-pspacek-0027-Grammar-nazi-fix.patch, 975 bytes] [Attachment: freeipa-pspacek-0028-Clarify-host-name-output-in-ipa-client-install.patch, 1095 bytes] From mbabinsk at redhat.com Mon Apr 13 15:54:45 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 13 Apr 2015 17:54:45 +0200 Subject: [Freeipa-devel] [PATCH 0028] update 'api.env.ca_host' if a different hostname is used during server install Message-ID: <552BE6C5.2050603@redhat.com> https://fedorahosted.org/freeipa/ticket/4936 -- Martin^3 Babinsky [Attachment: freeipa-mbabinsk-0028-1-update-api.env.ca_host-if-a-different-hostname-is-us.patch, 1465 bytes] From mkosek at redhat.com Tue Apr 14 07:10:38 2015
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Apr 2015 09:10:38 +0200 Subject: [Freeipa-devel] [PATCH 0026-0028] Fix nits in user-visible output In-Reply-To: <552BDB36.4090006@redhat.com> References: <552BDB36.4090006@redhat.com> Message-ID: <552CBD6E.7080609@redhat.com> On 04/13/2015 05:05 PM, Petr Spacek wrote: > Hello, > > the documentation team proposed a few changes in user-visible messages, so here it > is. It was not worth a ticket and the related overhead. The changes look OK to me. I would just have one (prudish) request to not add Nazi references to our git history, whether they are grammar or not. Please keep the git technical :-) From pspacek at redhat.com Tue Apr 14 07:32:36 2015 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 14 Apr 2015 09:32:36 +0200 Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation In-Reply-To: <5527AFEF.3060704@redhat.com> References: <551A72DB.3020105@redhat.com> <551D11C2.4070902@redhat.com> <552668E0.4050601@redhat.com> <5527AFEF.3060704@redhat.com> Message-ID: <552CC294.6030908@redhat.com> On 10.4.2015 13:11, Petr Viktorin wrote: > ACK Please be so kind and fix the naming. AFAIK the patch refers to the 'openldap' DN format but in fact it is python-ldap-ish. It will surely confuse the next generation of FreeIPA developers :-) -- Petr^2 Spacek From pspacek at redhat.com Tue Apr 14 07:43:18 2015
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 14 Apr 2015 09:43:18 +0200 Subject: [Freeipa-devel] [PATCH 0026-0028] Fix nits in user-visible output In-Reply-To: <552CBD6E.7080609@redhat.com> References: <552BDB36.4090006@redhat.com> <552CBD6E.7080609@redhat.com> Message-ID: <552CC516.3030500@redhat.com>

On 14.4.2015 09:10, Martin Kosek wrote:
> On 04/13/2015 05:05 PM, Petr Spacek wrote:
>> Hello,
>>
>> documentation team proposed a few changes in user-visible messages so here they
>> are. It was not worth a ticket and related overhead.
>
> The changes look OK to me. I would just have one (prudish) request not to add
> nazi references to our git history - whether they are grammar or not. Please
> keep the git technical :-)

Sure, here is the same patch with a modified commit message.

-- Petr^2 Spacek

-------------- next part -------------- A non-text attachment was scrubbed... Name: 0027-Grammar-fix-in-Estimated-time-messages-printed-by-in.patch Type: text/x-patch Size: 1020 bytes Desc: not available URL:

From jcholast at redhat.com Tue Apr 14 08:39:15 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Apr 2015 10:39:15 +0200 Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior In-Reply-To: <552AA27D.3060000@redhat.com> References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com> <55252E30.7060301@redhat.com> <552657A3.7040503@redhat.com> <552AA27D.3060000@redhat.com> Message-ID: <552CD233.2090805@redhat.com> Dne 12.4.2015 v 18:51 thierry bordaz napsal(a): > On 04/09/2015 12:42 PM, thierry bordaz wrote: >> On 04/08/2015 03:33 PM, Jan Cholasta wrote: >>> Dne 8.4.2015 v 15:00 thierry bordaz napsal(a): >>>> On 04/08/2015 08:34 AM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 1.4.2015 v 17:40 thierry bordaz napsal(a): >>>>>> Hello, >>>>>> >>>>>> In user life cycle, Active entries are moved to Delete >>>>>> container and >>>>>> Delete entries can be moved back to Staging container. >>>>>> This requires a LDAP modrdn with new superior that is not >>>>>> supported >>>>>> in ldap2. >>>>> >>>>> Since update_entry_rdn() is used only in one spot in baseldap, I think >>>>> we can merge it and move_entry_newsuperior() into a single method >>>>> move_entry(): >>>>> >>>>> def move_entry(self, dn, new_dn, del_old=True): >>>>> >>>>> We can easily detect whether the superior needs to be updated by >>>>> comparing dn[1:] and new_dn[1:]. >>>> >>>> Hello Jan, >>>> >>>> Yes that is a good idea to merge those two methods. They both rely on >>>> modrdn and a single method is enough. 
>>>
>>> Well, I had something like this in mind:
>>>
>>> def move_entry(self, dn, new_dn, del_old=True):
>>>     assert isinstance(dn, DN)
>>>     assert isinstance(new_dn, DN)
>>>
>>>     if new_dn == dn:
>>>         raise errors.EmptyModlist()
>>>
>>>     new_rdn = new_dn[0]
>>>     if new_rdn == dn[0]:
>>>         new_rdn = None
>>>
>>>     new_superior = new_dn[1:]
>>>     if new_superior == dn[1:]:
>>>         new_superior = None
>>>
>>>     with self.error_handler():
>>>         self.conn.rename_s(dn, new_rdn, new_superior, int(del_old))
>>>     time.sleep(.3) # Give memberOf plugin a chance to work
>>>
>>> so that you don't have to care if you should change the RDN or the
>>> superior and it just does the right thing.
>>>
>>>>
>>>>>
>>>>> Maybe we can also get rid of del_old, if it's always gonna be True in
>>>>> our code?
>>>>
>>>> I think it is better to get this interface as close as possible to the
>>>> MODRDN call, so that the del_old option will be already available for
>>>> future
>>>> usage.
>>>> I agree that currently del_old is always true in case of IPA but it
>>>> could be the default value.
>>>
>>> OK, it's not a big piece of code, so I guess we can leave it.
>>>
>> Thanks for the reviews and the help. Here is a new patch.
>>
>> thierry
>>
> Hello,
>
> After additional tests, the previous patch was incomplete...
>
> thierry

Please wrap long lines:

    new_dn = DN((self.obj.primary_key.name,
                 entry_attrs[self.obj.primary_key.name]),
                *entry_attrs.dn[1:])
    self._exc_wrapper(keys, options, ldap.move_entry)(
        entry_attrs.dn, new_dn)

and:

    self.conn.rename_s(dn, new_rdn, newsuperior=new_superior,
                       delold=int(del_old))

Also, you don't need to include your login in the author header (it's part of your email address) or the reviewed-by line in the commit message (it's automatically added by ipatool when the commit is pushed).

-- Jan Cholasta

From mkosek at redhat.com Tue Apr 14 11:39:08 2015
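The merged move_entry() discussed in the thread above, as an added example that is not part of the patch or of FreeIPA's ldap2: it separates "RDN changed" from "superior changed" by comparing dn[0] and dn[1:], and applies the resulting MODRDN to a dict-backed stand-in for the directory so the user life cycle moves (active to deleted, deleted back to staged) can be run offline. DNs are tuples of (attr, value) RDNs instead of ipapython.dn.DN, the container DNs are constructed sample data, and FakeDirectory mimics only the parts of python-ldap's rename_s(dn, newrdn, newsuperior=None, delold=1) that matter here; all of those are assumptions of this example.

```python
"""Added example, not FreeIPA/ldap2 code: plan an LDAP MODRDN the way the
move_entry() sketch in this thread does, comparing the RDN and the
superior of old and new DN separately, and apply it to a dict-backed
stand-in for the directory.

Assumptions: DNs are tuples of (attr, value) RDNs instead of
ipapython.dn.DN; the container DNs are constructed sample data; the
FakeDirectory mimics only the parts of python-ldap's
rename_s(dn, newrdn, newsuperior=None, delold=1) that matter here.
"""


class EmptyModlist(Exception):
    """Source and target DN are identical; there is nothing to do."""


class NoSuchEntry(Exception):
    """The source DN does not exist in the directory."""


def parse_dn(text):
    """Split a DN string into a tuple of (attr, value) RDNs.

    Assumption: single-valued RDNs and no escaped commas, which is all the
    constructed sample DNs below need.
    """
    rdns = []
    for part in text.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return tuple(rdns)


def plan_move(dn, new_dn):
    """Return (new_rdn, new_superior) for rename_s().

    new_superior is None when only the RDN changes. new_rdn is always the
    target RDN: python-ldap requires a string there even when it is
    unchanged, while newsuperior may be None.
    """
    if dn == new_dn:
        raise EmptyModlist()
    new_superior = new_dn[1:] if new_dn[1:] != dn[1:] else None
    return new_dn[0], new_superior


class FakeDirectory:
    """Minimal stand-in for the LDAP connection (constructed)."""

    def __init__(self):
        self.entries = {}  # dn tuple -> {attr: set(values)}

    def add(self, dn, attrs):
        self.entries[dn] = {k: set(v) for k, v in attrs.items()}

    def rename_s(self, dn, newrdn, newsuperior=None, delold=1):
        """Move or rename an entry; keep the old RDN value when delold is 0."""
        if dn not in self.entries:
            raise NoSuchEntry(dn)
        entry = self.entries.pop(dn)
        superior = dn[1:] if newsuperior is None else newsuperior
        new_dn = (newrdn,) + superior
        attr, value = newrdn
        entry.setdefault(attr, set()).add(value)  # new RDN value is always present
        old_attr, old_value = dn[0]
        if delold and (old_attr, old_value) != (attr, value):
            entry.get(old_attr, set()).discard(old_value)
        self.entries[new_dn] = entry
        return new_dn


def move_entry(conn, dn, new_dn, del_old=True):
    """The merged update_entry_rdn()/move_entry_newsuperior() of the thread."""
    new_rdn, new_superior = plan_move(dn, new_dn)
    return conn.rename_s(dn, new_rdn, newsuperior=new_superior,
                         delold=int(del_old))


# Constructed sample containers for the user life cycle; names illustrative.
ACTIVE = parse_dn("cn=users,cn=accounts,dc=example,dc=test")
DELETED = parse_dn("cn=deleted users,cn=accounts,dc=example,dc=test")
STAGED = parse_dn("cn=staged users,cn=accounts,dc=example,dc=test")


def demo():
    """Active -> deleted (superior only), then deleted -> staged with a new
    RDN and del_old=False so the old uid value is kept on the entry."""
    conn = FakeDirectory()
    alice = (("uid", "alice"),) + ACTIVE
    conn.add(alice, {"uid": ["alice"], "cn": ["Alice"]})
    moved = move_entry(conn, alice, (("uid", "alice"),) + DELETED)
    restaged = move_entry(conn, moved, (("uid", "alice2"),) + STAGED,
                          del_old=False)
    return conn, moved, restaged


if __name__ == "__main__":
    conn, moved, restaged = demo()
    print(moved)
    print(restaged, sorted(conn.entries[restaged]["uid"]))
```

Because the entry changes container, the ACIs and memberOf results that apply to it change with the move; the sketch's sleep after rename_s exists to let the memberOf plugin catch up before the caller reads the entry back, which a stand-in like this one does not need.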
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Apr 2015 13:39:08 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree In-Reply-To: <552B84C5.80300@redhat.com> References: <552B84C5.80300@redhat.com> Message-ID: <552CFC5C.1010001@redhat.com>

On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
> Hi,
>
> in the attachment you find the latest state of the "topology plugin", it
> implements what is defined in the design page:
> http://www.freeipa.org/page/V4/Manage_replication_topology (which is also
> waiting for a reviewer)
>
> It contains the plugin itself and a core of ipa commands to manage a topology.
> to be really applicable, some work outside is required, eg the management of
> the domain level and a decision where the binddn group should be maintained.

Hi Ludwig,

Thanks for the updates. My suggestions would be:

1) Update/finalize the design to fully match the current implementation - there were several discussions around this plugin and I am not sure if all were implemented. The design page often talks about "first implementation" etc. It should rather talk about the final design for this feature.

I went through the design page and fixed formatting of some sections (Use Cases, created table for config attributes - this needs your revision and filling in the gaps) to make it more readable.

Overall, the design should use verbatim (monospace) sections only where absolutely necessary; it is otherwise hard to read.

I fixed many typos, I think the docs could use one more complete proof read and cleaning from you so that it can be further reviewed.

2) The code itself should be checked. Will Thierry and Simo check the C parts?

From tbordaz at redhat.com Tue Apr 14 11:46:04 2015
From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 14 Apr 2015 13:46:04 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree In-Reply-To: <552CFC5C.1010001@redhat.com> References: <552B84C5.80300@redhat.com> <552CFC5C.1010001@redhat.com> Message-ID: <552CFDFC.2070106@redhat.com> On 04/14/2015 01:39 PM, Martin Kosek wrote: > On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: >> Hi, >> >> in the attachment you find the latest state of the "topology plugin", it >> implements what is defined in the design page: >> http://www.freeipa.org/page/V4/Manage_replication_topology (which is also >> waiting for a reviewer) >> >> It contains the plugin itself and a core of ipa commands to manage a topology. >> to be really applicable, some work outside is required, eg the management of >> the domain level and a decision where the binddn group should be maintained. > Hi Ludwig, > > Thanks for updates. My suggestions would be: > > 1) Update/finalize the design to fully match the current implementation - > there were several discussions around this plugin and I am not sure if all were > implemented. The design page often talks about "first implementation" etc. It > should rather talk about the final design for this feature. > > I went through the design page and fixed formatting of some sections (Use > Cases, created table for config attributes - this needs your revision and > filling in the gaps) to make it more readable. > > Overall, the design should only use verbatim (monospace) sections only where > absolutely necessary, it is otherwise hard to read. > > I fixed many typos, I think the docs could use one more complete proof read and > cleaning from you so that it can be further reviewed. > > 2) The code itself should be checked. Will Thierry and Simo check the C parts? Yes I will and it will be a pleasure :-) thierry -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mbabinsk at redhat.com Tue Apr 14 12:25:17 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 14 Apr 2015 14:25:17 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall Message-ID: <552D072D.3040002@redhat.com> This patch addresses https://fedorahosted.org/freeipa/ticket/4966 The noise during rollback/uninstall is caused mainly by unsuccessful attempts to remove files that do not exist anymore. These errors are now logged at debug level and do not pop-up to stdout/stderr. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0029-1-suppress-errors-arising-from-deleting-non-existent-f.patch Type: text/x-patch Size: 4015 bytes Desc: not available URL: From lkrispen at redhat.com Tue Apr 14 12:30:56 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 14 Apr 2015 14:30:56 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree In-Reply-To: <552CFC5C.1010001@redhat.com> References: <552B84C5.80300@redhat.com> <552CFC5C.1010001@redhat.com> Message-ID: <552D0880.9020804@redhat.com>

Hi Martin,

thanks for your time and comments. The design page should match the current implementation, but as you said there were some iterations and I will check again and address the points you raised.

Ludwig

On 04/14/2015 01:39 PM, Martin Kosek wrote:
> On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
>> Hi,
>>
>> in the attachment you find the latest state of the "topology plugin", it
>> implements what is defined in the design page:
>> http://www.freeipa.org/page/V4/Manage_replication_topology (which is also
>> waiting for a reviewer)
>>
>> It contains the plugin itself and a core of ipa commands to manage a topology.
>> to be really applicable, some work outside is required, eg the management of
>> the domain level and a decision where the binddn group should be maintained.
> Hi Ludwig,
>
> Thanks for the updates. My suggestions would be:
>
> 1) Update/finalize the design to fully match the current implementation -
> there were several discussions around this plugin and I am not sure if all were
> implemented. The design page often talks about "first implementation" etc. It
> should rather talk about the final design for this feature.
>
> I went through the design page and fixed formatting of some sections (Use
> Cases, created table for config attributes - this needs your revision and
> filling in the gaps) to make it more readable.
>
> Overall, the design should use verbatim (monospace) sections only where
> absolutely necessary; it is otherwise hard to read.
>
> I fixed many typos, I think the docs could use one more complete proof read and
> cleaning from you so that it can be further reviewed.
>
> 2) The code itself should be checked.
Will Thierry and Simo check the C parts? From mkubik at redhat.com Tue Apr 14 13:20:16 2015 From: mkubik at redhat.com (Milan Kubik) Date: Tue, 14 Apr 2015 15:20:16 +0200 Subject: [Freeipa-devel] [PATCH 0025] proper client host setup/teardown in forced client reenrollment integration test suite In-Reply-To: <551A5DF0.6000200@redhat.com> References: <551A5DF0.6000200@redhat.com> Message-ID: <552D1410.6030001@redhat.com> On 03/31/2015 10:42 AM, Martin Babinsky wrote: > During the investigation of > https://fedorahosted.org/freeipa/ticket/4614 I discovered a bug (?) in > forced client reenrollment integration test. > > During test scenario, master and replica are setup correctly at the > beginning of the test, but the client is never setup resulting in a > couple of tracebacks. > > After some investigation I realized that the setUp/tearDown methods > are actually never called because they are supposed to be inherited > from unittest.TestCase. However, IntegrationTest no longer inherits > from this class, hence the bug. > > I have tried to fix this by adding a fixture which runs client > fixup/teardown and doing some other small modifications. Tests now > work as expected, but I need a review from QE guys or someone > well-versed in pytest framework. > > TL;DR: I think I have fixed a bug in integration test but I need > someone to review the fix because I may not know what I'm doing. > Hello, please fix the pep8 complaints. Otherwise looks good to me. Thanks, Milan From mkubik at redhat.com Tue Apr 14 13:26:35 2015 
From: mkubik at redhat.com (Milan Kubik) Date: Tue, 14 Apr 2015 15:26:35 +0200 Subject: [Freeipa-devel] [PATCH 0027] do not install CA on replica during integration test if setup_ca=False In-Reply-To: <5524CE37.9070504@redhat.com> References: <5524CE37.9070504@redhat.com> Message-ID: <552D158B.3000509@redhat.com> On 04/08/2015 08:44 AM, Martin Babinsky wrote: > I have discovered another little bug in the integration test suite. > > Attaching a patch that fixes it. > > > Hello, thanks for the patch. I hereby invoke the "One Liner" rule. Cheers, Milan -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkubik at redhat.com Tue Apr 14 13:54:02 2015 
From: mkubik at redhat.com (Milan Kubik) Date: Tue, 14 Apr 2015 15:54:02 +0200 Subject: [Freeipa-devel] [PATCH 0025] proper client host setup/teardown in forced client reenrollment integration test suite In-Reply-To: <552D1410.6030001@redhat.com> References: <551A5DF0.6000200@redhat.com> <552D1410.6030001@redhat.com> Message-ID: <552D1BFA.1090302@redhat.com> On 04/14/2015 03:20 PM, Milan Kubik wrote: > > > On 03/31/2015 10:42 AM, Martin Babinsky wrote: >> During the investigation of >> https://fedorahosted.org/freeipa/ticket/4614 I discovered a bug (?) >> in forced client reenrollment integration test. >> >> During test scenario, master and replica are setup correctly at the >> beginning of the test, but the client is never setup resulting in a >> couple of tracebacks. >> >> After some investigation I realized that the setUp/tearDown methods >> are actually never called because they are supposed to be inherited >> from unittest.TestCase. However, IntegrationTest no longer inherits >> from this class, hence the bug. >> >> I have tried to fix this by adding a fixture which runs client >> fixup/teardown and doing some other small modifications. Tests now >> work as expected, but I need a review from QE guys or someone >> well-versed in pytest framework. >> >> TL;DR: I think I have fixed a bug in integration test but I need >> someone to review the fix because I may not know what I'm doing. >> > Hello, > > please fix the pep8 complaints. Otherwise looks good to me. > > Thanks, > Milan > Taking back request on pep8, this is not related to the patch introduced code. ACK. Milan From mbasti at redhat.com Tue Apr 14 14:12:16 2015 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Apr 2015 16:12:16 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <552D072D.3040002@redhat.com> References: <552D072D.3040002@redhat.com> Message-ID: <552D2040.0@redhat.com>

On 14/04/15 14:25, Martin Babinsky wrote:
> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>
> The noise during rollback/uninstall is caused mainly by unsuccessful
> attempts to remove files that do not exist anymore. These errors are
> now logged at debug level and do not pop-up to stdout/stderr.
>
>
>

Hello, thank you for the patch.

1)
The option add_warning is quite unclear to me. It does not show a warning but an error. I suggest something like show_hint, show_user_action, or something show_additional_..., or prompt_manual_removal

Martin^2

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From mbasti at redhat.com Tue Apr 14 14:24:34 2015
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Apr 2015 16:24:34 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <552D2040.0@redhat.com> References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> Message-ID: <552D2322.5020002@redhat.com>

On 14/04/15 16:12, Martin Basti wrote:
> On 14/04/15 14:25, Martin Babinsky wrote:
>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>
>> The noise during rollback/uninstall is caused mainly by unsuccessful
>> attempts to remove files that do not exist anymore. These errors are
>> now logged at debug level and do not pop-up to stdout/stderr.
>>
>>
>>
> Hello, thank you for the patch.
>
> 1)
> The option add_warning is quite unclear to me. It does not show a
> warning but an error. I suggest something like show_hint,
> show_user_action, or something show_additional_..., or
> prompt_manual_removal
>
> Martin^2
>
>

Continue...

2)

    if file_exists(preferences_fname):
        try:
            os.remove(preferences_fname)
        except OSError as e:
            log_file_removal_error(e, preferences_fname, True)

In this case a file not found error should never happen. Could you remove the 'if file_exists' part and handle just the exception?

3) this is inconsistent with the change above, choose one style please:

    if os.path.exists(ca_file):
        try:
            os.unlink(ca_file)
        except OSError, e:
            root_logger.error(
                "Failed to remove '%s': %s", ca_file, e)

-- Martin Basti

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From pviktori at redhat.com Tue Apr 14 14:38:24 2015
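The shape point 2) of the review above asks for, as an added example that is not the patch under review or FreeIPA code: no existence check before the remove (that is a check-then-act race, and it cannot tell a missing file from one that cannot be stat'ed), ENOENT demoted to a debug message, and every other OSError still logged and propagated, because during an uninstall a permission error on a keytab or CA file means credential material stays on the machine. The logger name, the prompt_manual_removal parameter and the files created under a temporary directory are assumptions of this example.

```python
"""Added example (not the patch under review): remove a file during
uninstall/rollback so that a missing file is only a debug message while
any other failure is still reported and propagated.

Assumptions: the logger name and the prompt_manual_removal flag are
invented stand-ins for root_logger and the patch's option; the files
are created under a temporary directory (constructed sample).
"""
import errno
import logging
import os
import tempfile

logger = logging.getLogger("uninstall")


def remove_file(path, prompt_manual_removal=False):
    """Unlink path.

    Returns True if the file was removed and False if it was already
    gone. Any other OSError (EACCES, EISDIR, EBUSY, ...) is logged as an
    error and re-raised: those are the cases where a keytab, CA cert or
    other credential material would silently be left behind.

    There is deliberately no os.path.exists() check first: it is a
    check-then-act race, and it cannot distinguish a missing file from
    one we are not allowed to stat.
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            logger.debug("File '%s' does not exist, nothing to remove", path)
            return False
        logger.error("Failed to remove '%s': %s", path, e)
        if prompt_manual_removal:
            logger.error("Please remove '%s' manually", path)
        raise
    logger.debug("Removed '%s'", path)
    return True


def demo():
    """Exercise the three outcomes on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "ca.crt")
        with open(present, "w") as f:
            f.write("constructed sample content\n")
        results["present"] = remove_file(present)
        results["missing"] = remove_file(os.path.join(tmp, "already-gone"))
        # A directory is not a plain file: os.remove fails with EISDIR or
        # EPERM depending on the platform, and that must surface.
        subdir = os.path.join(tmp, "sub")
        os.mkdir(subdir)
        try:
            remove_file(subdir, prompt_manual_removal=True)
            results["directory"] = "silenced"
        except OSError as e:
            results["directory"] = e.errno != errno.ENOENT
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
```

The same pattern replaces both snippets quoted in the review, which also resolves point 3): one helper, one style, and the caller decides only whether to add the manual-removal hint.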
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 14 Apr 2015 16:38:24 +0200 Subject: [Freeipa-devel] Splitting out ipaldap Message-ID: <552D2660.9030600@redhat.com>

Hello!

As some of you know, I'm looking to help porting FreeIPA to Python 3. One of the major dependencies holding this back is python-ldap, which hasn't been ported yet. Some preliminary porting patches by Raphaël Barrois [0] are ready and have been sent to the python-ldap list. The python-ldap upstream has been very quiet about reviewing them so far, but they're something for me to test against, and maybe improve.

To make the testing easier, I'd like to split out "ipaldap" to a stand-alone package, and port it to Python 3 first. This split will make it easier to test (since I don't have to port all of IPA), and being able to use our generic LDAP wrappers in non-IPA projects could maybe also invite some community participation. Also, ipaldap unit tests are somewhat lacking, so I'll help with that. Packaging-wise, I want "ipaldap" to be on the same level as "ipapython" or "ipaserver"; additionally I want to release it on PyPI [1].

My general plan is:
- Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for old scripts/plugins)
- Move CIDict to ipaldap.cidict. For Python 3, I'd really like to replace this with something based on collections.MutableMapping, since the semantics of subclassing "dict" aren't very well defined.
- Create a new module for ipaldap-specific exceptions. IPA will use a hook to swap out this module for its own set of exceptions. (Yes, this is a hack, but I'd like to keep ipaldap clean of IPA dependencies. A proper solution will be quite involved, given translatable error messages and XML-RPC numbers.)
- Split ipapython.ipaldap into ipaldap.entry, ipaldap.client, ipaldap.schema_cache; but keep some IPA-specific logic in ipapython.ipaldap (and again keeping all the old names importable).
I'll port everything to Python 3 as I move it, but I won't add a py3 run to IPA's test suite, at least until the dependencies are ported. Any breakage on py3 will be mine to fix, for the time being. Speaking of dependencies, one of my goals for this effort is to determine whether replacing python-ldap by another library, ldap3, would be worth it.

Let me know if you disagree with this direction.

-- Petr Viktorin

[0] https://github.com/rbarrois/python-ldap/compare/py3
[1] https://pypi.python.org/pypi

From jdennis at redhat.com Tue Apr 14 15:19:51 2015
From: jdennis at redhat.com (John Dennis) Date: Tue, 14 Apr 2015 11:19:51 -0400 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D2660.9030600@redhat.com> References: <552D2660.9030600@redhat.com> Message-ID: <552D3017.2060306@redhat.com>

On 04/14/2015 10:38 AM, Petr Viktorin wrote:
> Hello!
>
> As some of you know, I'm looking to help porting FreeIPA to Python 3.
> One of the major dependencies holding this back is python-ldap, which
> hasn't been ported yet. Some preliminary porting patches by Raphaël
> Barrois [0] are ready and have been sent to the python-ldap list. The
> python-ldap upstream has been very quiet about reviewing them so far,
> but they're something for me to test against, and maybe improve.

Openstack is successfully running a py3 version of python-ldap. Maybe you should look at what Openstack is doing.

-- John

From jcholast at redhat.com Tue Apr 14 15:22:11 2015
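The CIDict point in the plan above ("the semantics of subclassing dict aren't very well defined"), shown concretely as an added example that is not IPA's CIDict: CPython's dict.update(), setdefault(), the dict constructor and `in` bypass an overridden __setitem__/__getitem__ on a dict subclass, so an attribute name in a different case can land as a second key and a membership test for "userPassword" can answer no while "USERPASSWORD" is present. A collections.abc.MutableMapping implementation routes every operation through the five abstract methods, so case folding is applied uniformly. The class names and the sample attribute values are constructed for this example.

```python
"""Added example, not IPA code: why a case-insensitive attribute mapping
is safer built on collections.abc.MutableMapping than by subclassing dict.

A dict subclass only sees the keys that go through its own __setitem__;
dict.update(), setdefault(), the constructor and __contains__ are C-level
and bypass the override, so differently cased LDAP attribute names can
slip in as separate keys. Names and values here are constructed.
"""
from collections.abc import MutableMapping


class NaiveCIDict(dict):
    """The dict-subclass approach: only the overridden methods fold case."""

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())


class CIDict(MutableMapping):
    """MutableMapping approach: update(), setdefault(), `in`, pop() etc. are
    mixins built on these five methods, so every path folds case."""

    def __init__(self, *args, **kwargs):
        self._data = {}  # lower-cased key -> (key as first given, value)
        self.update(*args, **kwargs)

    def __setitem__(self, key, value):
        self._data[key.lower()] = (key, value)

    def __getitem__(self, key):
        return self._data[key.lower()][1]

    def __delitem__(self, key):
        del self._data[key.lower()]

    def __iter__(self):
        return (orig for orig, _ in self._data.values())

    def __len__(self):
        return len(self._data)

    def __repr__(self):
        return "CIDict(%r)" % dict(self.items())


def count_keys(cls):
    """Feed the same attribute name in varying case through the mapping's
    update() and report (number of keys, 'UserPassword' in mapping)."""
    attrs = cls()
    attrs["userPassword"] = ["{SSHA}constructed"]
    attrs.update({"USERPASSWORD": ["rotated"]})  # bypasses NaiveCIDict.__setitem__
    attrs.update(userpassword=["rotated-again"])
    return len(attrs), "UserPassword" in attrs


def leaks_secret(cls):
    """Build an entry the way a caller using update() would, then ask it
    the way a log scrubber would. True means the scrubber would miss the
    password hash and it would be written to the log."""
    entry = cls()
    entry.update({"USERPASSWORD": ["{SSHA}constructed"], "cn": ["Alice"]})
    return "userPassword" not in entry


if __name__ == "__main__":
    for cls in (NaiveCIDict, CIDict):
        print(cls.__name__, count_keys(cls), leaks_secret(cls))
```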
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Apr 2015 17:22:11 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D2660.9030600@redhat.com> References: <552D2660.9030600@redhat.com> Message-ID: <552D30A3.1020209@redhat.com>

Hi,

Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a):
> Hello!
>
> As some of you know, I'm looking to help porting FreeIPA to Python 3.
> One of the major dependencies holding this back is python-ldap, which
> hasn't been ported yet. Some preliminary porting patches by Raphaël
> Barrois [0] are ready and have been sent to the python-ldap list. The
> python-ldap upstream has been very quiet about reviewing them so far,
> but they're something for me to test against, and maybe improve.
>
> To make the testing easier, I'd like to split out "ipaldap" to a
> stand-alone package, and port it to Python 3 first.
> This split will make it easier to test (since I don't have to port all
> of IPA), and being able to use our generic LDAP wrappers in non-IPA
> projects could maybe also invite some community participation. Also,
> ipaldap unit tests are somewhat lacking, so I'll help with that.
> Packaging-wise, I want "ipaldap" to be on the same level as "ipapython"
> or "ipaserver"; additionally I want to release it on PyPI [1].

Note that I don't consider ipaldap API stable and don't want to put any effort in maintaining backward compatibility when something needs to be changed, so you might want to hold the PyPI release, or at least put a big fat warning in some visible place.

>
>
> My general plan is:
> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for
> old scripts/plugins)

DNs are not strictly LDAP specific, so I would rather move ipapython.dn to a new ipautil package.

> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to
> replace this with something based on collections.MutableMapping, since
> the semantics of subclassing "dict" aren't very well defined.

I have WIP which does just that.
> - Create a new module for ipaldap-specific exceptions. IPA will use a
> hook to swap out this module for its own set of exceptions. (Yes, this
> is a hack, but I'd like to keep ipaldap clean of IPA dependencies. A
> proper solution will be quite involved, given translatable error
> messages and XML-RPC numbers.)

I have given this some thought since our last conversation about this and I think there won't always be 1-to-1 mapping between ipaldap and ipalib errors, so IMO we should go with the usual monkey patching approach in ipapython.ipaldap:

    import ipaldap
    import ipaldap.errors
    from ipalib import errors

    ipaldap.errors.SomeError = errors.SomeError
    ipaldap.errors.SomeSimilarError = errors.SomeError
    ipaldap.errors.SomeOtherError = errors.SomeOtherError

    ...

    try:
        ipaldap.something()
    except ipaldap.errors.BaseError as e:
        # catch ipaldap errors that weren't monkey-patched
        raise errors.DatabaseError(str(e))

> - Split ipapython.ipaldap into ipaldap.entry, ipaldap.client,
> ipaldap.schema_cache; but keep some IPA-specific logic in
> ipapython.ipaldap (and again keeping all the old names importable).

I don't think schema cache deserves its own module.

>
> I'll port everything to Python 3 as I move it, but I won't add a py3 run
> to IPA's test suite, at least until the dependencies are ported. Any
> breakage on py3 will be mine to fix, for the time being.
> Speaking of dependencies, one of my goals for this effort is to
> determine whether replacing python-ldap by another library, ldap3,
> would be worth it.

+1 on looking into ldap3

>
>
> Let me know if you disagree with this direction.
>

Honza

-- Jan Cholasta

From pviktori at redhat.com Tue Apr 14 15:31:50 2015
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 14 Apr 2015 17:31:50 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D3017.2060306@redhat.com> References: <552D2660.9030600@redhat.com> <552D3017.2060306@redhat.com> Message-ID: <552D32E6.1070702@redhat.com>

On 04/14/2015 05:19 PM, John Dennis wrote:
> On 04/14/2015 10:38 AM, Petr Viktorin wrote:
>> Hello!
>>
>> As some of you know, I'm looking to help porting FreeIPA to Python 3.
>> One of the major dependencies holding this back is python-ldap, which
>> hasn't been ported yet. Some preliminary porting patches by Raphaël
>> Barrois [0] are ready and have been sent to the python-ldap list. The
>> python-ldap upstream has been very quiet about reviewing them so far,
>> but they're something for me to test against, and maybe improve.
>
> Openstack is successfully running a py3 version of python-ldap. Maybe
> you should look at what Openstack is doing.

I've heard this from several people, but by now I think it's just a rumor. Can you point me to an actual packaged version or a repo of python-ldap for Python 3, or to someone who would know where to find it?

https://wiki.openstack.org/wiki/Python3 says python-ldap is not ported at all, and seems dead.

-- Petr Viktorin

From pviktori at redhat.com Tue Apr 14 15:50:01 2015
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 14 Apr 2015 17:50:01 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D30A3.1020209@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> Message-ID: <552D3729.1090707@redhat.com>

On 04/14/2015 05:22 PM, Jan Cholasta wrote:
> Hi,
>
> Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a):
>> Hello!
>>
>> As some of you know, I'm looking to help porting FreeIPA to Python 3.
>> One of the major dependencies holding this back is python-ldap, which
>> hasn't been ported yet. Some preliminary porting patches by Raphaël
>> Barrois [0] are ready and have been sent to the python-ldap list. The
>> python-ldap upstream has been very quiet about reviewing them so far,
>> but they're something for me to test against, and maybe improve.
>>
>> To make the testing easier, I'd like to split out "ipaldap" to a
>> stand-alone package, and port it to Python 3 first.
>> This split will make it easier to test (since I don't have to port all
>> of IPA), and being able to use our generic LDAP wrappers in non-IPA
>> projects could maybe also invite some community participation. Also,
>> ipaldap unit tests are somewhat lacking, so I'll help with that.
>> Packaging-wise, I want "ipaldap" to be on the same level as "ipapython"
>> or "ipaserver"; additionally I want to release it on PyPI [1].
>
> Note that I don't consider ipaldap API stable and don't want to put any
> effort in maintaining backward compatibility when something needs to be
> changed, so you might want to hold the PyPI release, or at least put a
> big fat warning in some visible place.

If it's released early & often, it'll at least be visible to interested people. It would be nice to include a roadmap file saying what needs to change before we start claiming API stability.
>> My general plan is:
>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for
>> old scripts/plugins)
>
> DNs are not strictly LDAP specific, so I would rather move ipapython.dn
> to a new ipautil package.

I'd rather not, at least until there's something that needs it (and doesn't also depend on ipaldap). The scope of "ipautil" is far too badly defined for such a package to be useful.

>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to
>> replace this with something based on collections.MutableMapping, since
>> the semantics of subclassing "dict" aren't very well defined.
>
> I have WIP which does just that.

Could you send it?

>> - Create a new module for ipaldap-specific exceptions. IPA will use a
>> hook to swap out this module for its own set of exceptions. (Yes, this
>> is a hack, but I'd like to keep ipaldap clean of IPA dependencies. A
>> proper solution will be quite involved, given translatable error
>> messages and XML-RPC numbers.)
>
> I have given this some thought since our last conversation about this
> and I think there won't always be 1-to-1 mapping between ipaldap and
> ipalib errors, so IMO we should go with the usual monkey patching
> approach in ipapython.ipaldap:
>
>     import ipaldap
>     import ipaldap.errors
>     from ipalib import errors
>
>     ipaldap.errors.SomeError = errors.SomeError
>     ipaldap.errors.SomeSimilarError = errors.SomeError
>     ipaldap.errors.SomeOtherError = errors.SomeOtherError
>
>     ...
>
>     try:
>         ipaldap.something()
>     except ipaldap.errors.BaseError as e:
>         # catch ipaldap errors that weren't monkey-patched
>         raise errors.DatabaseError(str(e))

I don't like this idea at all; action-at-a-distance bugs caused by monkeypatching are some of the worst bugs to have to deal with. If someone builds a library on top of ipaldap, and then uses it in a project that also uses ipapython, then the library would suddenly start raising IPA-specific errors.
If you pass a collection of errors to LDAPClient to use, or even if you subclass, or monkeypatch a specific instance, other IPAClient instances/subclasses are not affected. I think limiting the impact of a hack is preferable to a somewhat cleaner solution.

>> - Split ipapython.ipaldap into ipaldap.entry, ipaldap.client,
>> ipaldap.schema_cache; but keep some IPA-specific logic in
>> ipapython.ipaldap (and again keeping all the old names importable).
>
> I don't think schema cache deserves its own module.

Sure. When I paint that shed, I'll use whatever color looks most convenient :)

>> I'll port everything to Python 3 as I move it, but I won't add a py3 run
>> to IPA's test suite, at least until the dependencies are ported. Any
>> breakage on py3 will be mine to fix, for the time being.
>> Speaking of dependencies, one of my goals for this effort is to
>> determine whether replacing python-ldap by another library, ldap3,
>> would be worth it.
>
> +1 on looking into ldap3

-- Petr Viktorin

From rcritten at redhat.com Tue Apr 14 16:03:14 2015
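The two approaches argued about in the last two messages, side by side, as an added example that is not ipaldap or ipapython code: rebinding names in the library's error module (Jan's sketch) changes what every user of the library in the process sees, including a third party's own client; passing an error map to one client instance (Petr's alternative) changes only that instance, and a generic fallback still wraps whatever was not mapped. The library, its `errors` module (a SimpleNamespace standing in for a real module), the application error classes and the DN-based lookup behaviour are constructed stand-ins with invented names.

```python
"""Added example (not ipaldap or ipapython code): two ways of mapping a
library's exceptions onto an application's, as argued in this thread.

Assumptions: the library, its `errors` module (a SimpleNamespace here),
the application error classes and the lookup behaviour are constructed
stand-ins with invented names; a real ipaldap would raise on actual LDAP
results.
"""
import types


class LibBaseError(Exception):
    """Root of the library's exception hierarchy."""


class LibNotFound(LibBaseError):
    pass


class LibLimitExceeded(LibBaseError):
    pass


# Stand-in for `ipaldap.errors`. The client looks the classes up here at
# raise time, which is exactly what makes module-level patching "work".
lib_errors = types.SimpleNamespace(
    BaseError=LibBaseError, NotFound=LibNotFound, LimitExceeded=LibLimitExceeded)


class Client:
    """Library client with an instance-scoped error translation table."""

    def __init__(self, error_map=None):
        # library exception class -> class to raise instead (per instance)
        self.error_map = dict(error_map or {})

    def get_entry(self, dn):
        try:
            return self._backend_lookup(dn)
        except LibBaseError as e:
            target = self.error_map.get(type(e))
            if target is None:
                raise
            raise target(str(e)) from e

    def _backend_lookup(self, dn):
        # Constructed behaviour standing in for a real search.
        if dn.startswith("uid=missing"):
            raise lib_errors.NotFound("no such entry: %s" % dn)
        if dn.startswith("uid=toomany"):
            raise lib_errors.LimitExceeded("size limit exceeded")
        return {"dn": dn}


# Stand-ins for the application's (ipalib.errors-like) classes.
class AppNotFound(Exception):
    pass


class AppDatabaseError(Exception):
    pass


# LibLimitExceeded is deliberately left unmapped so that the generic
# fallback in app_get_entry() is exercised.
APP_ERROR_MAP = {LibNotFound: AppNotFound}


def monkeypatch_globally():
    """The approach objected to in the thread: every Client in the process,
    including ones owned by unrelated code, is affected from now on."""
    lib_errors.NotFound = AppNotFound


def app_get_entry(client, dn):
    """Application wrapper: mapped errors pass through unchanged, anything
    else the library raises becomes AppDatabaseError."""
    try:
        return client.get_entry(dn)
    except LibBaseError as e:
        raise AppDatabaseError(str(e)) from e


def exception_name(fn, *args):
    """Name of the exception class a caller would see, or None."""
    try:
        fn(*args)
    except Exception as e:
        return type(e).__name__
    return None


def demo():
    """Scoped map first, then the global patch, recording what an
    unrelated client sees at each step."""
    app_client = Client(APP_ERROR_MAP)
    other_client = Client()  # e.g. a third-party library's own client
    seen = {
        "app_missing": exception_name(app_client.get_entry, "uid=missing"),
        "app_toomany": exception_name(app_get_entry, app_client, "uid=toomany"),
        "app_ok": exception_name(app_get_entry, app_client, "uid=ok"),
        "other_before": exception_name(other_client.get_entry, "uid=missing"),
    }
    monkeypatch_globally()
    seen["other_after"] = exception_name(other_client.get_entry, "uid=missing")
    return seen


if __name__ == "__main__":
    print(demo())
```

Note that after the global patch the unrelated client raises AppNotFound, which is no longer a LibBaseError, so any `except lib_errors.BaseError` that third-party code wrote against the library's own hierarchy stops catching it; that is the action-at-a-distance effect the objection is about.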
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Apr 2015 12:03:14 -0400 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D32E6.1070702@redhat.com> References: <552D2660.9030600@redhat.com> <552D3017.2060306@redhat.com> <552D32E6.1070702@redhat.com> Message-ID: <552D3A42.3030906@redhat.com>

Petr Viktorin wrote:
> On 04/14/2015 05:19 PM, John Dennis wrote:
>> On 04/14/2015 10:38 AM, Petr Viktorin wrote:
>>> Hello!
>>>
>>> As some of you know, I'm looking to help porting FreeIPA to Python 3.
>>> One of the major dependencies holding this back is python-ldap, which
>>> hasn't been ported yet. Some preliminary porting patches by Raphaël
>>> Barrois [0] are ready and have been sent to the python-ldap list. The
>>> python-ldap upstream has been very quiet about reviewing them so far,
>>> but they're something for me to test against, and maybe improve.
>>
>> Openstack is successfully running a py3 version of python-ldap. Maybe
>> you should look at what Openstack is doing.
>
> I've heard this from several people, but by now I think it's just a
> rumor. Can you point me to an actual packaged version or a repo of
> python-ldap for Python 3, or to someone who would know where to find it?
>
> https://wiki.openstack.org/wiki/Python3 says python-ldap is not ported
> at all, and seems dead.
>

https://review.openstack.org/#/c/95827/

rob

From jcholast at redhat.com Tue Apr 14 16:18:54 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Apr 2015 18:18:54 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D3729.1090707@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> Message-ID: <552D3DEE.1070005@redhat.com> Dne 14.4.2015 v 17:50 Petr Viktorin napsal(a): > On 04/14/2015 05:22 PM, Jan Cholasta wrote: >> Hi, >> >> Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a): >>> Hello! >>> >>> As some of you know, I'm looking to help porting FreeIPA to Python 3. >>> One of the major dependencies holding this back is python-ldap, which >>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>> Barrois [0] are ready and have been sent to the python-ldap list. The >>> python-ldap upstream has been very quiet about reviewing them so far, >>> but they're something for me to test against, and maybe improve. >>> >>> To make the testing easier, I'd like to split out "ipaldap" to a >>> stand-alone package, and port it to Python 3 first. >>> This split will make it easier to test (since I don't have to port all >>> of IPA), and being able to use our generic LDAP wrappers in non-IPA >>> projects could maybe also invite some community participation. Also, >>> ipaldap unit tests are somewhat lacking, so I'll help with that. >>> Packaging-wise, I want "ipaldap" to be on the same level as "ipapython" >>> or "ipaserver"; additionally I want to release it on PyPI [1]. >> >> Note that I don't consider ipaldap API stable and don't want to put any >> effort in maintaining backward compatibility when something needs to be >> changed, so you might want to hold the PyPI release, or at least put a >> big fat warning in some visible place. > > If it's released early & often, it'll at least be visible to interested > people. > It would be nice to include a roadmap file saying what needs to change > before we start claiming API stability. 
From the top of my head, in no particular order: * High-level class for attribute values * High-level classes for schema elements * Support different schema styles (LDAPv3, AD), or at least make it possible * High-level class for filters * Some better way of doing "extended" operations (paged search, deref search, etc.) * Support different transports (LDAP, local LDIF file), or at least make it possible > >>> My general plan is: >>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for >>> old scripts/plugins) >> >> DNs are not strictly LDAP specific, so I would rather move ipapython.dn >> to a new ipautil package. > > I'd rather not, at least until there's something that needs it (and > doesn't also depend on ipaldap). The scope of "ipautil" is far too badly > defined for such a package to be useful. IMO generic stuff should be in a package for generic stuff. I guess it should originally have been ipapython, but it's too fused with ipalib ATM, hence my proposal to use a new package. > >>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to >>> replace this with something based on collections.MutableMapping, since >>> the semantics of subclassing "dict" aren't very well defined. >> >> I have WIP which does just that. > > Could you send it? Not yet unfortunately, CIDict removal is actually just a side effect of other changes, and it still needs a lot of work before it is sendable. > >>> - Create a new module for ipaldap-specific exceptions. IPA will use a >>> hook to swap out this module for its own set of exceptions. (Yes, this >>> is a hack, but I'd like to keep ipaldap clean of IPA dependencies. A >>> proper solution will be quite involved, given translatable error >>> messages and XML-RPC numbers.) 
>> >> I have given this some thought since our last conversation about this >> and I think there won't always be 1-to-1 mapping between ipaldap and >> ipalib errors, so IMO we should go with the usual monkey patching >> approach in ipapython.ipaldap: >> >> import ipaldap >> import ipaldap.errors >> from ipalib import errors >> >> ipaldap.errors.SomeError = errors.SomeError >> ipaldap.errors.SomeSimilarError = errors.SomeError >> ipaldap.errors.SomeOtherError = errors.SomeOtherError >> >> ... >> >> try: >> ipaldap.something() >> except ipaldap.errors.BaseError as e: >> # catch ipaldap errors that weren't monkey-patched >> raise errors.DatabaseError(str(e)) > > I don't like this idea at all; action-at-a-distance bugs caused by > monkeypatching are some of the worst bugs to have to deal with. > > If someone builds a library on top of ipaldap, and then uses it in a > project that also uses ipapython, then the library would suddenly start > raising IPA-specific errors. > If you pass a collection of errors to LDAPClient to use, or even if you > subclass, or monkeypatch a specific instance, other IPAClient > instances/subclasses are not affected. > > I think limiting the impact of a hack is more preferable than a somewhat > cleaner solution. Right you are. I don't really care how it's done as long as it's possible to make the mapping not 1-to-1. -- Jan Cholasta From pviktori at redhat.com Tue Apr 14 16:55:32 2015 
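The instance-scoped alternative Petr argues for above, written out as an added example. This is illustration code, not ipaldap or FreeIPA code; LibError, ProjectNotFound, LdapClient and the other names are hypothetical stand-ins. One client instance carries its own error map, so two library errors can collapse into a single project error (the non-1-to-1 mapping Jan wants), anything unmapped is wrapped by a per-instance fallback, and a second, plain client in the same process keeps raising the library's own exceptions because nothing in the library's module was touched:

```python
# Added example (not ipaldap code): translate a library's exceptions into a
# project's exceptions per client instance instead of by monkeypatching the
# library's error module. All class names here are hypothetical stand-ins.


class LibError(Exception):
    """Base of the (hypothetical) LDAP library's exception hierarchy."""


class NoSuchEntry(LibError):
    pass


class NoSuchAttribute(LibError):
    pass


class ServerBusy(LibError):
    pass


class ProjectError(Exception):
    """Base of the (hypothetical) project's exception hierarchy."""


class ProjectNotFound(ProjectError):
    pass


class ProjectDatabaseError(ProjectError):
    pass


class LdapClient:
    """Minimal client wrapper; the error map lives on the instance, so other
    instances and other users of the library are not affected."""

    def __init__(self, error_map=None, fallback=None):
        # error_map: library exception class -> project exception class.
        # Several library classes may map to one project class (not 1-to-1).
        self.error_map = dict(error_map or {})
        # fallback wraps any library error that has no explicit mapping.
        self.fallback = fallback

    def translate(self, exc):
        """Return the exception instance to raise for library exception `exc`."""
        # Walk the MRO so a mapping for a base class also covers its subclasses.
        for cls in type(exc).__mro__:
            if cls in self.error_map:
                return self.error_map[cls](str(exc))
        if self.fallback is not None:
            return self.fallback(str(exc))
        return exc

    def call(self, operation, *args, **kwargs):
        """Run `operation`, translating library errors on the way out and
        keeping the original as __cause__ for debugging."""
        try:
            return operation(*args, **kwargs)
        except LibError as e:
            translated = self.translate(e)
            if translated is e:
                raise
            raise translated from e


def raising(exc_cls, message):
    """Build an operation that raises exc_cls(message) (constructed input)."""
    def operation():
        raise exc_cls(message)
    return operation


def raised_type(client, operation):
    """Return the class of the exception client.call(operation) raises, or None."""
    try:
        client.call(operation)
    except Exception as e:
        return type(e)
    return None


# Two library errors collapse into one project error; everything else
# becomes a generic database error. Only this client sees the mapping.
PROJECT_ERROR_MAP = {
    NoSuchEntry: ProjectNotFound,
    NoSuchAttribute: ProjectNotFound,
}


def make_project_client():
    return LdapClient(error_map=PROJECT_ERROR_MAP, fallback=ProjectDatabaseError)
```

A plain `LdapClient()` and `make_project_client()` can coexist in one process: the first raises `NoSuchEntry`, the second raises `ProjectNotFound` for the same operation, and no third party that imported the library sees either change.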
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 14 Apr 2015 18:55:32 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D3A42.3030906@redhat.com> References: <552D2660.9030600@redhat.com> <552D3017.2060306@redhat.com> <552D32E6.1070702@redhat.com> <552D3A42.3030906@redhat.com> Message-ID: <552D4684.10204@redhat.com> On 04/14/2015 06:03 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 04/14/2015 05:19 PM, John Dennis wrote: >>> On 04/14/2015 10:38 AM, Petr Viktorin wrote: >>>> Hello! >>>> >>>> As some of you know, I'm looking to help porting FreeIPA to Python 3. >>>> One of the major dependencies holding this back is python-ldap, which >>>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>>> Barrois [0] are ready and have been sent to the python-ldap list. The >>>> python-ldap upstream has been very quiet about reviewing them so far, >>>> but they're something for me to test against, and maybe improve. >>> >>> Openstack is successfully running a py3 version of python-ldap. Maybe >>> you should look at what Openstack is doing. >> >> I've heard this from several people, but by now I think it's just a >> rumor. Can you point me to an actual packaged version or a repo of >> python-ldap for Python 3, or to someone who would know where to find it? >> >> https://wiki.openstack.org/wiki/Python3 says python-ldap is not ported >> at all, and seems dead. >> > > https://review.openstack.org/#/c/95827/ Ah, so it's the same patchset I am looking at. Thanks! -- Petr Viktorin From pvoborni at redhat.com Tue Apr 14 17:04:24 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:04:24 +0200 Subject: [Freeipa-devel] [PATCH] 786 webui: unable to select single value in CB by enter key In-Reply-To: <551AC641.3050407@redhat.com> References: <551AACD8.2080106@redhat.com> <551AC641.3050407@redhat.com> Message-ID: <552D4898.2030600@redhat.com> On 03/31/2015 06:07 PM, Martin Babinsky wrote: > On 03/31/2015 04:19 PM, Petr Vobornik wrote: >> This little fellow was hiding in a cupboard (patchset 784-786 was >> abandoned). >> >> Fix: If editable combobox has one value, the value is selected and >> changed by hand, it can't be re-selected by enter key. >> >> > Works as expected, ACK. > Pushed to master: f7eeaa4ce04883d4d8ffbd3305050fabfcd6deb4 -- Petr Vobornik From pvoborni at redhat.com Tue Apr 14 17:05:51 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:05:51 +0200 Subject: [Freeipa-devel] [PATCH] webui: use no_members option in entity select search In-Reply-To: <551BEC39.9060003@redhat.com> References: <551AAC38.3070507@redhat.com> <551BEC39.9060003@redhat.com> Message-ID: <552D48EF.7040005@redhat.com> On 04/01/2015 03:01 PM, Martin Babinsky wrote: > On 03/31/2015 04:16 PM, Petr Vobornik wrote: >> Obtaining member information for entity selects is not needed and it >> causes unwanted performance hit, especially with larger groups. >> >> This patch removes it. >> >> https://fedorahosted.org/freeipa/ticket/4948 >> >> > > Works as expected and the speedup is substantial (ca 10x faster lookup > of default group in user group rules for 16 groups with 100 members each). > > ACK. > Pushed to master: efcd48ad01a39a67f131a2cea9d54771642222fb -- Petr Vobornik From pvoborni at redhat.com Tue Apr 14 17:13:43 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:13:43 +0200 Subject: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install In-Reply-To: <5523FBDF.20601@redhat.com> References: <551D596E.3040802@redhat.com> <55239605.3080401@redhat.com> <5523FBDF.20601@redhat.com> Message-ID: <552D4AC7.203@redhat.com> On 04/07/2015 05:46 PM, Martin Basti wrote: > On 07/04/15 17:06, Gabe Alford wrote: >> Stupid me. I realized that chronyd was running which messed up my >> testing and such (sorry about that). New patch attached that >> implements 'else' >> >> On Tue, Apr 7, 2015 at 2:32 AM, Martin Basti > > wrote: >> >> On 02/04/15 17:47, Gabe Alford wrote: >>> On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti >> > wrote: >>> >>> On 30/03/15 15:25, Gabe Alford wrote: >>>> Hello, >>>> >>>> With the merging of ticket 4842 >>>> , I believe >>>> that half of ticket 3092 >>>> has been >>>> done. This patch just adds a message that says that NTP >>>> configuration was skipped which I believe should finish 3092 >>>> . >>>> >>>> Thanks, >>>> >>>> Gabe >>>> >>>> >>> Hello, thank you for the patch. >>> >>> 1) >>> IMO there should be: >>> if *not* options.conf_ntp >>> >>> >>> So, if --no-ntp is not specified, print message that the client >>> is skipping NTP sync? >> Yes, or did I miss something? I thought the message should be shown >> only if --no-ntp option is used. >> >> With your current patch: >> >> # ipa-client-install --no-ntp >> >> >> >> # ipa-client-install >> >> Attempting to sync time using ntpd. Will timeout after 15 seconds >> Unable to sync time with IPA NTP server, assuming the time is in >> sync. Please check that 123 UDP port is opened. >> Skipping synchronizing time with IPA NTP server. >> >> >> But in this case the client did synchronization with NTP (which >> failed), IMO the message "Skipping ..." should not be there. >> This message is shown even if the synchronization with NTP is >> successful. 
>> >>> 2) >>> wouldn't it be better to use just else? >>> >>> >>> I actually ran ipa-client-install with no options on a system >>> where I used 'else', and it printed the skipping NTP sync when it >>> should not have. >>> That is why the patch does not use 'else'. >> Interesting, I expected the messages only on client installed on >> IPA server, or with using --no-ntp option >>> >>> >>> Martin >>> >>> -- Martin Basti >>> >>> >> >> -- Martin Basti >> >> > Thank you! > ACK > Pushed to master: e537fd202e23a507dd0c43d2dfdf88fd6921e183 -- Petr Vobornik From pviktori at redhat.com Tue Apr 14 17:21:25 2015
From: pviktori at redhat.com (Petr Viktorin) Date: Tue, 14 Apr 2015 19:21:25 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D3DEE.1070005@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> <552D3DEE.1070005@redhat.com> Message-ID: <552D4C95.1080706@redhat.com> On 04/14/2015 06:18 PM, Jan Cholasta wrote: > Dne 14.4.2015 v 17:50 Petr Viktorin napsal(a): >> On 04/14/2015 05:22 PM, Jan Cholasta wrote: >>> Hi, >>> >>> Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a): >>>> Hello! >>>> >>>> As some of you know, I'm looking to help porting FreeIPA to Python 3. >>>> One of the major dependencies holding this back is python-ldap, which >>>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>>> Barrois [0] are ready and have been sent to the python-ldap list. The >>>> python-ldap upstream has been very quiet about reviewing them so far, >>>> but they're something for me to test against, and maybe improve. >>>> >>>> To make the testing easier, I'd like to split out "ipaldap" to a >>>> stand-alone package, and port it to Python 3 first. >>>> This split will make it easier to test (since I don't have to port all >>>> of IPA), and being able to use our generic LDAP wrappers in non-IPA >>>> projects could maybe also invite some community participation. Also, >>>> ipaldap unit tests are somewhat lacking, so I'll help with that. >>>> Packaging-wise, I want "ipaldap" to be on the same level as "ipapython" >>>> or "ipaserver"; additionally I want to release it on PyPI [1]. >>> >>> Note that I don't consider ipaldap API stable and don't want to put any >>> effort in maintaining backward compatibility when something needs to be >>> changed, so you might want to hold the PyPI release, or at least put a >>> big fat warning in some visible place. >> >> If it's released early & often, it'll at least be visible to interested >> people. 
>> It would be nice to include a roadmap file saying what needs to change >> before we start claiming API stability. > > From the top of my head, in no particular order: > > * High-level class for attribute values +1 > * High-level classes for schema elements > * Support different schema styles (LDAPv3, AD), or at least make it > possible Here I'm inclined to just say the schema API isn't done. > * High-level class for filters As long as we still accept filters as text, I don't see any backcompat problems here. (Assuming we don't expose the current filter-making helpers, which I'd rather keep IPA-specific, anyway.) > * Some better way of doing "extended" operations (paged search, deref > search, etc.) > * Support different transports (LDAP, local LDIF file), or at least > make it possible Those two should be possible to add while keeping compatibility. >>>> My general plan is: >>>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for >>>> old scripts/plugins) >>> >>> DNs are not strictly LDAP specific, so I would rather move ipapython.dn >>> to a new ipautil package. >> >> I'd rather not, at least until there's something that needs it (and >> doesn't also depend on ipaldap). The scope of "ipautil" is far too badly >> defined for such a package to be useful. > > IMO generic stuff should be in a package for generic stuff. I guess it > should originally have been ipapython, but it's too fused with ipalib > ATM, hence my proposal to use a new package. No. Any vaguely defined collection of generic utilities needed in a project is really a single-purpose package. Nobody likes pulling in a bunch of unrelated stuff because of one particular thing they need, and without a scope the amount of unnecessary stuff grows without bound. I'd be OK with an "ipadn", if you can manage the overhead of a package. >>>> - Move CIDict to ipaldap.cidict. 
For Python 3, I'd really like to >>>> replace this with something based on collections.MutableMapping, since >>>> the semantics of subclassing "dict" aren't very well defined. >>> >>> I have WIP which does just that. >> >> Could you send it? > > Not yet unfortunately, CIDict removal is actually just a side effect of > other changes, and it still needs a lot of work before it is sendable. I was thinking the Python 3 boundary is a good point to switch, since stuff will be breaking anyway. I can import the new one under py3, and keep the old one for py2. -- Petr Viktorin From pvoborni at redhat.com Tue Apr 14 17:26:50 2015 
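An added example of the MutableMapping-based replacement discussed above, next to a naive dict subclass that shows the ill-defined semantics Petr refers to. This is illustration code, not FreeIPA's CIDict or Jan's WIP; the class and function names are mine. In CPython, dict.update() and the dict constructor do not call an overridden __setitem__, so a dict subclass silently stores keys in whatever case they arrived in and the overridden lookups then miss them, whereas a MutableMapping subclass implements only the five abstract methods and gets update(), get(), __contains__() and the rest routed through them:

```python
# Added example (not FreeIPA's CIDict): a case-insensitive mapping built on
# collections.abc.MutableMapping, beside a naive dict subclass that shows why
# subclassing dict is unreliable: dict.update() and dict.__init__ bypass an
# overridden __setitem__ in CPython.
from collections.abc import MutableMapping


class NaiveCIDict(dict):
    """Looks right, but only the overridden methods lower-case keys."""

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def __contains__(self, key):
        return super().__contains__(key.lower())

    def get(self, key, default=None):
        return super().get(key.lower(), default)


class CIDict(MutableMapping):
    """Case-insensitive mapping that remembers each key's original spelling.

    Only the five abstract methods are implemented; MutableMapping derives
    update(), get(), setdefault(), pop(), __contains__(), keys() etc. from
    them, so every entry point goes through __setitem__/__getitem__."""

    def __init__(self, *args, **kwargs):
        self._data = {}  # lower-cased key -> (original key, value)
        self.update(*args, **kwargs)

    def __setitem__(self, key, value):
        self._data[key.lower()] = (key, value)

    def __getitem__(self, key):
        return self._data[key.lower()][1]

    def __delitem__(self, key):
        del self._data[key.lower()]

    def __iter__(self):
        return (original for original, _ in self._data.values())

    def __len__(self):
        return len(self._data)

    def __repr__(self):
        return "%s(%r)" % (type(self).__name__, dict(self.items()))


def naive_lookups():
    """(found after update(), found after ctor, original-case key works) for NaiveCIDict."""
    d = NaiveCIDict()
    d.update({"objectClass": ["top"]})      # dict.update: __setitem__ is not called
    via_update = "objectclass" in d
    d2 = NaiveCIDict(givenName=["Petr"])    # dict.__init__: same problem
    via_ctor = "givenname" in d2
    try:
        d["objectClass"]                    # __getitem__ lower-cases, entry is mixed case
        original_key_works = True
    except KeyError:
        original_key_works = False
    return via_update, via_ctor, original_key_works


def ci_lookups():
    """Same probes against CIDict, plus a check that key spelling is preserved."""
    d = CIDict()
    d.update({"objectClass": ["top"]})
    d2 = CIDict(givenName=["Petr"])
    return ("objectclass" in d, "givenname" in d2,
            d["OBJECTCLASS"] == ["top"], list(d2) == ["givenName"])
```

The naive version returns `(False, False, False)`: even `d["objectClass"]` fails, because the lookup lower-cases the key but `update()` stored it mixed-case. That is exactly the kind of bug a Python 3 boundary is a good moment to get rid of.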
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:26:50 +0200 Subject: [Freeipa-devel] [PATCHES 0213 - 0221] Server Upgrade: LDAPI, Update plugins In-Reply-To: <5527BFEC.9090300@redhat.com> References: <55102781.5060809@redhat.com> <551126AF.3040207@redhat.com> <551145BB.3090909@redhat.com> <551C0D1B.4@redhat.com> <5527BFEC.9090300@redhat.com> Message-ID: <552D4DDA.5010000@redhat.com> On 04/10/2015 02:19 PM, David Kupka wrote: > On 04/01/2015 05:22 PM, Martin Basti wrote: >> On 24/03/15 12:08, Martin Basti wrote: >>> On 24/03/15 09:56, Martin Basti wrote: >>>> On 23/03/15 15:47, Martin Basti wrote: >>>>> Hello, >>>>> >>>>> The patches: >>>>> * allows to specify order of update plugins in update files. >>>>> * requires to use LDAPI by ipa-ldap-updater >>>>> >>>>> patches attached >>>>> >>>>> >>>>> >>>> Rebased patches attached. >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>> I accidentally merged two patches into one in previous rebase. >>> >>> So properly rebased patches attached. >>> >>> -- >>> Martin Basti >>> >>> >> Patch 221 updated: use option to require root user >> >> Requires patch mbasti-223 to work with replica install >> >> Patches attached >> > > Code looks good to me and upgrade process works as expected, ACK. 
> pushed to master: master: * 13c4631813b7e8ac4afc8d5f350ef136c7107d89 Server Upgrade: use only LDAPI connection * b4ca5c57d230c80ecc4f8eaaa01d8e7a36bcb3b4 Server Upgrade: remove unused code in upgrade * cc19b5a76a37d1fb87deb45d9cbfc71472a99fa4 Server Upgrade: Apply plugin updates immediately * f24f614396de809350b54423ca128b478601a64e Server Upgrade: specify order of plugins in update files * 0e752aab297ad0a2c43d6c8755db175f45de028e Server Upgrade: plugins should use ldapupdater API instance * 4aec9d2280a5ebbf1acae3abee215cd7a28f23c2 Server Upgrade: Handle connection better in updates_from_dict * b605ccc94bef9a280aa500d57caa74d95e230b4b Server Upgrade: use ldap2 connection in fix_replica_agreements * d09706a8c8ed02506a9486f919df3d1c2a8e8087 Server Upgrade: restart DS using ipaplatfom service * b9c5744031675beb831210831f9d4b327ccd5544 Server Upgrade: only root can run updates -- Petr Vobornik From pvoborni at redhat.com Tue Apr 14 17:30:35 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:30:35 +0200 Subject: [Freeipa-devel] [PATCH 0210] DNSSEC: CI test In-Reply-To: <552BCDBF.8090303@redhat.com> References: <55102929.9030702@redhat.com> <5523DF64.6050405@redhat.com> <552506F8.1050702@redhat.com> <552BCDBF.8090303@redhat.com> Message-ID: <552D4EBB.5080201@redhat.com> On 04/13/2015 04:07 PM, Milan Kubik wrote: > On 04/08/2015 12:46 PM, Martin Basti wrote: >> On 07/04/15 15:45, Milan Kubik wrote: >> >> updated patch attached. >> >> -- >> Martin Basti > Thanks, > > ack. > > Milan > Pushed to: master: 0a1a3d73120bdf20ae05bcf663f14ca1a8b02c25 ipa-4-1: f3b5d163bf7432d1a89e7798a3192968bd08dde7 -- Petr Vobornik From pvoborni at redhat.com Tue Apr 14 17:32:42 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:32:42 +0200 Subject: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation In-Reply-To: <552CC294.6030908@redhat.com> References: <551A72DB.3020105@redhat.com> <551D11C2.4070902@redhat.com> <552668E0.4050601@redhat.com> <5527AFEF.3060704@redhat.com> <552CC294.6030908@redhat.com> Message-ID: <552D4F3A.90705@redhat.com> On 04/14/2015 09:32 AM, Petr Spacek wrote: > On 10.4.2015 13:11, Petr Viktorin wrote: >> ACK Pushed to master: 11bd9d96f191066f7ba760549f00179c128a9787 > > Please be so kind and fix naming. AFAIK the patch refers to 'openldap' DN > format but in fact it is python-ldap-ish. It will surely confuse next > generation of FreeIPA developers :-) > Will be in separate patch. -- Petr Vobornik From pvoborni at redhat.com Tue Apr 14 17:38:46 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 14 Apr 2015 19:38:46 +0200 Subject: [Freeipa-devel] [PATCH 0025] proper client host setup/teardown in forced client reenrollment integration test suite In-Reply-To: <552D1BFA.1090302@redhat.com> References: <551A5DF0.6000200@redhat.com> <552D1410.6030001@redhat.com> <552D1BFA.1090302@redhat.com> Message-ID: <552D50A6.505@redhat.com> On 04/14/2015 03:54 PM, Milan Kubik wrote: > > > On 04/14/2015 03:20 PM, Milan Kubik wrote: >> >> >> On 03/31/2015 10:42 AM, Martin Babinsky wrote: >>> During the investigation of >>> https://fedorahosted.org/freeipa/ticket/4614 I discovered a bug (?) >>> in forced client reenrollment integration test. >>> >>> During test scenario, master and replica are setup correctly at the >>> beginning of the test, but the client is never setup resulting in a >>> couple of tracebacks. >>> >>> After some investigation I realized that the setUp/tearDown methods >>> are actually never called because they are supposed to be inherited >>> from unittest.TestCase. However, IntegrationTest no longer inherits >>> from this class, hence the bug. >>> >>> I have tried to fix this by adding a fixture which runs client >>> fixup/teardown and doing some other small modifications. Tests now >>> work as expected, but I need a review from QE guys or someone >>> well-versed in pytest framework. >>> >>> TL;DR: I think I have fixed a bug in integration test but I need >>> someone to review the fix because I may not know what I'm doing. >>> >> Hello, >> >> please fix the pep8 complaints. Otherwise looks good to me. >> >> Thanks, >> Milan >> > Taking back request on pep8, this is not related to the patch introduced > code. > > ACK. > > Milan > Pushed to master: c8fae594df474669416b96b8033528332daf9b37 -- Petr Vobornik From jcholast at redhat.com Wed Apr 15 06:30:49 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 15 Apr 2015 08:30:49 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552D4C95.1080706@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> <552D3DEE.1070005@redhat.com> <552D4C95.1080706@redhat.com> Message-ID: <552E0599.3040506@redhat.com> Dne 14.4.2015 v 19:21 Petr Viktorin napsal(a): > On 04/14/2015 06:18 PM, Jan Cholasta wrote: >> Dne 14.4.2015 v 17:50 Petr Viktorin napsal(a): >>> On 04/14/2015 05:22 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a): >>>>> Hello! >>>>> >>>>> As some of you know, I'm looking to help porting FreeIPA to Python 3. >>>>> One of the major dependencies holding this back is python-ldap, which >>>>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>>>> Barrois [0] are ready and have been sent to the python-ldap list. The >>>>> python-ldap upstream has been very quiet about reviewing them so far, >>>>> but they're something for me to test against, and maybe improve. >>>>> >>>>> To make the testing easier, I'd like to split out "ipaldap" to a >>>>> stand-alone package, and port it to Python 3 first. >>>>> This split will make it easier to test (since I don't have to port all >>>>> of IPA), and being able to use our generic LDAP wrappers in non-IPA >>>>> projects could maybe also invite some community participation. Also, >>>>> ipaldap unit tests are somewhat lacking, so I'll help with that. >>>>> Packaging-wise, I want "ipaldap" to be on the same level as >>>>> "ipapython" >>>>> or "ipaserver"; additionally I want to release it on PyPI [1]. >>>> >>>> Note that I don't consider ipaldap API stable and don't want to put any >>>> effort in maintaining backward compatibility when something needs to be >>>> changed, so you might want to hold the PyPI release, or at least put a >>>> big fat warning in some visible place. 
>>> >>> If it's released early & often, it'll at least be visible to interested >>> people. >>> It would be nice to include a roadmap file saying what needs to change >>> before we start claiming API stability. >> >> From the top of my head, in no particular order: >> >> * High-level class for attribute values > > +1 > >> * High-level classes for schema elements >> * Support different schema styles (LDAPv3, AD), or at least make it >> possible > > Here I'm inclined to just say the schema API isn't done. It will affect how syntax mapping is done, so it depends on whether syntax mapping is exposed or not. There are also some schema-related LDAPClient methods (like get_allowed_attributes) which will be (re)moved when the schema API is done. > >> * High-level class for filters > > As long as we still accept filters as text, I don't see any backcompat > problems here. (Assuming we don't expose the current filter-making > helpers, which I'd rather keep IPA-specific, anyway.) Yes, the helpers need to go away. > >> * Some better way of doing "extended" operations (paged search, deref >> search, etc.) >> * Support different transports (LDAP, local LDIF file), or at least >> make it possible > > Those two should be possible to add while keeping compatibility. I don't think I want the paged_search argument of find_entries to be supported. > >>>>> My general plan is: >>>>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable for >>>>> old scripts/plugins) >>>> >>>> DNs are not strictly LDAP specific, so I would rather move ipapython.dn >>>> to a new ipautil package. >>> >>> I'd rather not, at least until there's something that needs it (and >>> doesn't also depend on ipaldap). The scope of "ipautil" is far too badly >>> defined for such a package to be useful. >> >> IMO generic stuff should be in a package for generic stuff. I guess it >> should originally have been ipapython, but it's too fused with ipalib >> ATM, hence my proposal to use a new package. > > No. 
Any vaguely defined collection of generic utilities needed in a > project is really a single-purpose package. Nobody likes pulling in a > bunch of unrelated stuff because of one particular thing they need, and > without a scope the amount of unnecessary stuff grows without bound. > I'd be OK with an "ipadn", if you can manage the overhead of a package. IMO "ipadn" is just too specific. I guess we can use X.500 as scope, since the basic types like DN or OID are defined in X.500, and put it in "ipax500". Does that sound OK? > >>>>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to >>>>> replace this with something based on collections.MutableMapping, since >>>>> the semantics of subclassing "dict" aren't very well defined. >>>> >>>> I have WIP which does just that. >>> >>> Could you send it? >> >> Not yet unfortunately, CIDict removal is actually just a side effect of >> other changes, and it still needs a lot of work before it is sendable. > > I was thinking the Python 3 boundary is a good point to switch, since > stuff will be breaking anyway. I can import the new one under py3, and > keep the old one for py2. > I'm a bit lost here, what do you mean by "new one" and "old one"? -- Jan Cholasta From mkosek at redhat.com Wed Apr 15 11:11:07 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 15 Apr 2015 13:11:07 +0200 Subject: [Freeipa-devel] [PATCH 0027] do not install CA on replica during integration test if setup_ca=False In-Reply-To: <552D158B.3000509@redhat.com> References: <5524CE37.9070504@redhat.com> <552D158B.3000509@redhat.com> Message-ID: <552E474B.1050405@redhat.com> On 04/14/2015 03:26 PM, Milan Kubik wrote: > > > On 04/08/2015 08:44 AM, Martin Babinsky wrote: >> I have discovered another little bug in the integration test suite. >> >> Attaching a patch that fixes it. >> >> >> > Hello, > > thanks for the patch. > > I hereby invoke the "One Liner" rule. > > Cheers, > Milan Pushed to: master: 1bd099a114a29e461307e0defcca3bfe422fabb5 ipa-4-1: f47da5a400df741577add0fff94cf1415bc8e109 From mbabinsk at redhat.com Wed Apr 15 13:17:56 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Apr 2015 15:17:56 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <552BB3B8.9040103@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> <552BB3B8.9040103@redhat.com> Message-ID: <552E6504.7020408@redhat.com> On 04/13/2015 02:16 PM, Martin Babinsky wrote: > On 04/09/2015 03:38 PM, Jan Cholasta wrote: > >> >> Some comments: >> >> Patch 15: >> >> 1) The functions should be as similar as possible: >> >> a) kinit_password() should have a 'ccache_path' argument instead of >> passing the path in KRB5CCNAME in the 'env' argument. >> >> b) I don't think kinit_password() should have the 'env' argument at >> all. You can always call kinit with LC_ALL=C and set other variables in >> os.environ if you want. >> >> c) The arguments should have the same ordering. >> >> d) Either set KRB5CCNAME in both kinit_keytab() and >> kinit_password() or in none of them. >> >> e) Either rename armor_ccache to armor_ccache_path or ccache_path >> to ccache. >> > I have done some reordering of parameters in both functions so they are > very similar now and the parameter ordering should make more sense (at > least to me). > > Neither of them sets KRB5CCNAME env. variable since I think that it is > not a very good practice and the developer should be responsible for > pointing to correct CCache path. Jan agrees with this and the other > patches are updated accordingly. 
>> >> 2) Space before comma in docstring: >> >> + Given a ccache_path , keytab file and a principal kinit as that >> user. >> >> >> 3) I would prefer if the default value of 'armor_ccache' in >> kinit_password() was None. >> > Fixed. >> >> Patch 16: >> >> 1) The callback should not be named 'validate_kinit_attempts_option', >> but rather 'kinit_attempts_callback', as it doesn't just validate the >> value. >> > Fixed. >> >> 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A >> comment with explanation would be nice. >> > It actually doesn't make much sense to have such upper bound, so I have > removed it from the check and updated the error message accordingly. >> >> Patch 17: >> >> 1) Is there a reason for the ccache filename changes in DNSSEC code? >> > That was Petr Spacek's request since a sane naming of persistent Ccaches > makes debugging of Kerberos-related errors a bit easier for him. > > Attaching updated patches. > > > Jan had some further suggestions so I am attaching updated patches which should reflect them. He also recommended to split the naming changes of DNSSEC daemon credential caches to a separate patch, so I will submit them later when this patchset is pushed. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0015-8-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch Type: text/x-patch Size: 4613 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0016-7-ipa-client-install-try-to-get-host-TGT-several-times.patch Type: text/x-patch Size: 9218 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0017-6-Adopted-kinit_keytab-and-kinit_password-for-kerberos.patch Type: text/x-patch Size: 12309 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Apr 15 13:53:28 2015 
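The interface the review converges on (the credential cache as an explicit ccache_path argument passed to kinit as -c, KRB5CCNAME never set, a fixed C locale, an optional FAST armor cache for the password variant, bounded retries for the keytab variant, and the same argument order in both functions) as an added example. The attached patches are not reproduced on this page, so this is my own illustration rather than the FreeIPA functions; the `runner` and `sleep` parameters and the FakeKinit class are assumptions of the example that let the retry path run without a KDC. The kinit flags used (-c, -k, -t, -T) are standard MIT Kerberos kinit options.

```python
# Added example, not FreeIPA's kinit_keytab()/kinit_password(): the credential
# cache is an explicit argument passed to kinit as -c, KRB5CCNAME is never set,
# and both functions share the same argument order. `runner`, `sleep` and
# FakeKinit are assumptions of this example so the retry path runs offline.
import os
import subprocess
import time


def _run_kinit(argv, env, stdin_data=None):
    """Default runner: execute MIT kinit and return its exit status."""
    result = subprocess.run(argv, env=env, input=stdin_data,
                            capture_output=True, text=True)
    return result.returncode


def _kinit_env():
    # C locale keeps kinit's messages stable for log matching. KRB5CCNAME is
    # dropped on purpose: the cache comes from -c, so nothing inherits it.
    env = dict(os.environ)
    env.pop("KRB5CCNAME", None)
    env["LC_ALL"] = "C"
    return env


def build_kinit_argv(principal, ccache_path, keytab=None, armor_ccache_path=None):
    """MIT kinit command line: -c <ccache>, -k -t <keytab>, -T <armor ccache>."""
    argv = ["kinit", "-c", ccache_path]
    if keytab is not None:
        argv += ["-k", "-t", keytab]          # authenticate with the keytab
    if armor_ccache_path is not None:
        argv += ["-T", armor_ccache_path]     # FAST armor for password kinit
    argv.append(principal)
    return argv


def kinit_keytab(principal, keytab, ccache_path, attempts=1, delay=1.0,
                 runner=_run_kinit, sleep=time.sleep):
    """Get a TGT for `principal` from `keytab` into `ccache_path`.

    Retries up to `attempts` times (a freshly enrolled host's keys may still
    be replicating). Returns the attempt number that succeeded; raises
    RuntimeError once every attempt has failed."""
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    argv = build_kinit_argv(principal, ccache_path, keytab=keytab)
    env = _kinit_env()
    for attempt in range(1, attempts + 1):
        if runner(argv, env) == 0:
            return attempt
        if attempt < attempts:
            sleep(delay)
    raise RuntimeError("kinit with keytab %s failed after %d attempt(s)"
                       % (keytab, attempts))


def kinit_password(principal, password, ccache_path, armor_ccache_path=None,
                   runner=_run_kinit):
    """Get a TGT for `principal` with `password` into `ccache_path`.

    The password goes to kinit's stdin, never onto the command line where
    `ps` could read it. Returns True on success, raises RuntimeError otherwise."""
    argv = build_kinit_argv(principal, ccache_path,
                            armor_ccache_path=armor_ccache_path)
    if runner(argv, _kinit_env(), stdin_data=password + "\n") != 0:
        raise RuntimeError("kinit for %s failed" % principal)
    return True


class FakeKinit:
    """Constructed stand-in for _run_kinit: records calls and fails the
    first `fail_first` of them, so the retry logic can be exercised offline."""

    def __init__(self, fail_first=0):
        self.fail_first = fail_first
        self.calls = []     # (argv, env, stdin_data) per invocation
        self.sleeps = []    # delays requested between attempts

    def __call__(self, argv, env, stdin_data=None):
        self.calls.append((list(argv), dict(env), stdin_data))
        return 1 if len(self.calls) <= self.fail_first else 0

    def sleep(self, seconds):
        self.sleeps.append(seconds)
```

Keeping the cache out of the environment is the point Jan and Martin agree on: with -c the cache is bound to this one kinit invocation, while KRB5CCNAME would be inherited by every child process the installer spawns afterwards.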
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Apr 2015 15:53:28 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <552D2322.5020002@redhat.com> References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> Message-ID: <552E6D58.4090901@redhat.com> On 04/14/2015 04:24 PM, Martin Basti wrote: > On 14/04/15 16:12, Martin Basti wrote: >> On 14/04/15 14:25, Martin Babinsky wrote: >>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966 >>> >>> The noise during rollback/uninstall is caused mainly by unsuccessful >>> attempts to remove files that do not exist anymore. These errors are >>> now logged at debug level and do not pop-up to stdout/stderr. >>> >>> >>> >> Hello, thank you for the patch. >> >> 1) >> The option add_warning is quite unclear to me. It does not show >> warning but error. I suggest something like, show_hint, >> show_user_action, or something show_additional_..., or >> prompt_manual_removal >> >> Martin^2 >> >> > Continue... > > 2) > > if file_exists(preferences_fname): > try: > os.remove(preferences_fname) > except OSError as e: > log_file_removal_error(e, preferences_fname, True) > > In this case file not found error should never happen. > > Could you remove the 'if file_exists' part and handle just exception? > I just reverted this bit to original form in order to not fix something that isn't broken. Is that ok? > 3) > this is inconsistent with change above, choose one style please: > > if os.path.exists(ca_file): > try: > os.unlink(ca_file) > except OSError, e: > root_logger.error( > "Failed to remove '%s': %s", ca_file, e) > > -- > Martin Basti > Attaching updated patch. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0029-2-suppress-errors-arising-from-deleting-non-existent-f.patch Type: text/x-patch Size: 3511 bytes Desc: not available URL: From slaz at seznam.cz Wed Apr 15 14:07:39 2015 
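As an added example (my own code, not the patch under review), here is the quiet-removal helper the thread argues about, written without a preceding existence check: the exception type is the decision point, so a missing file is logged at debug level and every other failure is reported, with the optional manual-removal hint that Martin Basti asked to be named more clearly. The function names, the `manual_hint` parameter and the logger name are my assumptions.

```python
import logging
import os

log = logging.getLogger("ipa-client-uninstall")  # assumed logger name


def remove_file(path, manual_hint=None):
    """Delete path and report 'removed', 'missing' or 'failed'.

    No os.path.exists() first: check-then-remove is a race, and the
    'already gone' case is the one that should stay quiet anyway, so
    the exception type decides the log level instead.
    """
    try:
        os.remove(path)
    except FileNotFoundError:
        # Nothing left to roll back; debug level keeps stdout/stderr clean.
        log.debug("%s is already gone", path)
        return "missing"
    except OSError as e:
        # EACCES, EISDIR, EBUSY ...: a real problem the admin must see.
        log.error("Failed to remove '%s': %s", path, e)
        if manual_hint:
            log.error("Please remove it manually (%s)", manual_hint)
        return "failed"
    log.debug("removed %s", path)
    return "removed"


def remove_files(paths, manual_hint=None):
    """Remove every path and return {path: outcome} so the caller can
    decide whether the uninstall should be reported as clean."""
    return {path: remove_file(path, manual_hint) for path in paths}
```

Calling `remove_file` twice on the same path returns "removed" and then "missing" without any error output; pointing it at a directory or an unwritable file returns "failed" and logs at error level.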
From: slaz at seznam.cz (=?UTF-8?B?U3RhbmlzbGF2IEzDoXpuacSNa2E=?=) Date: Wed, 15 Apr 2015 16:07:39 +0200 Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal Message-ID: <552E70AB.8090802@seznam.cz>

Hi,

I have prepared a feature proposal for the wiki. I followed the Feature Proposal Template and the chapter "How to Test" is currently missing so it might rather be considered a draft. Please, see it, I hope it's alright.

The text:

Overview
FreeIPA is currently missing any temporal settings in the HBAC rules. However, handling access to a host in repeating time periods might be a desirable feature. The administrator of a certain environment should be able to set the time a host should be accessed in either the host local time, a certain time zone time or in UTC. Host-local-time policies would allow to adapt the time a host can be accessed to the host's movement along different time zones. A time bound to a certain time zone is more transparent than local time as it doesn't change with the host traveling. Sometimes, it may also be important to set time in UTC. This is a rather strict setting that does not reflect daylight saving time.

Use Cases
1. A host is changing position on the globe quite often and needs to be accessed at certain times reflecting its current time zone.
2. A host should only be accessed at certain times given by a certain time zone. This access is repeated in a way, such as three times a week the same time except for once a year where there's regular maintenance.

Design
The time based account policies are an extension to the current (April 2015) HBAC plugin. It assumes the time through the system is well set on all host stations via NTP.

Time Scenarios
This extension is designed so that it understands time in three different views. These are: host local time, time at a certain time zone, and UTC.

Host Local Time
Host local time approach is meant for those hosts that are most likely to move across different time zones and for some reason it's important that the time they can be accessed reflects their current position. This helps creating only a single HBAC rule instead of multiple when only time zone or UTC rules would apply. The time of a host is counted using the /etc/timezone information of the certain host. Testing of such a rule requires the tester to specify a certain time zone the rule would be tested against.
It's important to note that this type of policy may bring some unexpected behavior as hosts move across the globe, or even in a single hostgroup, when there're hosts from multiple timezones, and the administrator should be very sure they want to use this.

Time Zones
In this approach, the time is thought of as a time at a certain time zone. This might be interesting when the time settings should reflect a certain time zone, e.g. the host or the users connecting to it are to be found in that certain time zone. The time zone offset to count the time of access is taken from the Olson database. Therefore, even daylight saving time is taken into account.

UTC
Sometimes the rules should apply for a certain time that is the same for the whole globe throughout the year. That's why UTC should also be supported.

Time Policies Storage
The time policies should be stored with each HBAC rule that applies such a policy. This extension is designed so that the LDAP schema does not have to be changed.

The time policies are stored in the accessTime attribute of the HBAC rule object. The policy is a string in the form of a tuple: (anchor, time). In this tuple, the anchor is one of "host", "utc" or an Olson database time zone name, such as "Europe/Prague". The meaning of the anchor follows the time scenarios from this design. The time part of the policy tuple is the time range of the policy.

The language of the time half of the time policy tuple is inspired by the time part of Bind Rules of 389 Directory Server. Aside from the Bind Rules keywords timeofday and dayofweek, it adds keywords dayofmonth, weekofmonth, monthofyear and year. There are three operators: assignment ("="), range ("-") and union (","). The assignment operator is used after each of the keywords above to specify the value of the certain keyword. The range operator may be used for setting ranges of hours, days, months etc. The final range includes both boundaries of the range set. A union operator is used when the keyword should contain a union of values rather than a range. Also, it can be used to make a union of ranges.

Possible values of each keyword:
timeofday 0000-2359
dayofweek Mon, Tue, Wed, Thu, Fri, Sat, Sun
dayofmonth 1-31
weekofmonth 1-5
monthofyear Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
year a year

Example:
(host, timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat")

Similarly to Bind Rules, it is possible to write a time policy as a longer expression using the "and" and "or" logical operators. In this case, each separate block of the policy should appear in parentheses. It is also possible to add time exceptions for the policy. That's performed using the except() block that should appear only once in the time policy and should enclose all possible time exceptions for the policy.

Example:
((timeofday="0800-1600" dayofweek="Mon-Wed") or (timeofday="1600-2400" dayofweek="Wed-Thu")) except (dayofmonth="4" monthofyear="July")

Feature Management

UI
The UI of HBAC rules should now include a new bar for adding time policies, similar to the user, host and service bars. Rather than "Any time" and time specified, there should be options "Any time", "UTC", "Host-local time" and "Specified timezone" with a timezone specification tool (similar to the one in GNOME/Date & Time Settings). The user should be able to add more time policies for an HBAC rule to have similar behavior to the one with adding users, services and hosts. Between these multiple policies there would be a logical OR relation.

A view for adding a policy should contain a text area for the time policy string. At the top of this area, there should be a hint explaining the policy syntax. The format of the time policy should be checked when the time policy submit button is pressed.

CLI
Time policies at the CLI would be set in a similar manner as in the UI. The administrator needs to specify how the time should be understood ("host", "utc", Olson's timezone name) and the time of access according to the syntax described above:

ipa hbac-set-accesstime-anchor anchor
ipa hbac-add-accesstime time
ipa hbac-remove-accesstime num

When using the CLI for access time setting, the default anchor should probably be UTC; setting the anchor with each new time policy might get confusing as the anchor should change with all the policies for that certain HBAC rule. When removing a time policy, it makes sense to rather remove it by the list position of the policy among other policies.

From mbasti at redhat.com Wed Apr 15 14:17:13 2015
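As an added example that is not part of the proposal or of FreeIPA, the Python below implements the policy grammar described above (keyword="value" pairs ANDed within a block, "," for union, "-" for an inclusive range, the listed keywords and bounds) and evaluates a block against a datetime shifted into the rule's anchor: "utc", "host" (the evaluating host's own tzinfo, passed in by the caller) or an Olson name resolved through zoneinfo. Instead of one long and/or/except expression it takes the multi-valued layout Jan Cholasta suggests in his reply below: a list of include blocks ORed together and a list of exclude blocks that deny. The reading of weekofmonth as ceil(day/7), the acceptance of "2400" as end of day (the text says 0000-2359 but its own example uses 1600-2400) and all the sample dates are my assumptions.

```python
import re
from datetime import timezone
from zoneinfo import ZoneInfo

DAYS = {d: i for i, d in enumerate(("mon", "tue", "wed", "thu", "fri", "sat", "sun"))}
MONTHS = {m: i + 1 for i, m in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"))}
# keyword -> (symbolic names, lowest, highest); timeofday is handled on its own
KEYWORDS = {
    "dayofweek": (DAYS, 0, 6),
    "dayofmonth": ({}, 1, 31),
    "weekofmonth": ({}, 1, 5),
    "monthofyear": (MONTHS, 1, 12),
    "year": ({}, 1, 9999),
}
_PAIR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def _atom(token, names, lo, hi):
    """'Mon' -> 0, 'Jul' -> 7, '14' -> 14; values outside lo..hi are rejected."""
    tok = token.strip().lower()
    value = names[tok] if tok in names else int(tok)
    if not lo <= value <= hi:
        raise ValueError("%r is outside %d-%d" % (token, lo, hi))
    return value


def _minutes(token):
    """'0830' -> 510 minutes after midnight; '2400' is accepted as end of day (assumption)."""
    tok = token.strip()
    if not re.fullmatch(r"\d{4}", tok):
        raise ValueError("bad timeofday %r" % token)
    hour, minute = int(tok[:2]), int(tok[2:])
    if minute > 59 or hour > 24 or (hour == 24 and minute != 0):
        raise ValueError("bad timeofday %r" % token)
    return hour * 60 + minute


def _expand(value, convert):
    """'Mon-Thu, Sat' -> {0, 1, 2, 3, 5}: ',' is union, '-' an inclusive range."""
    allowed = set()
    for part in value.split(","):
        if "-" in part:
            lo, hi = (convert(p) for p in part.split("-", 1))
            if lo > hi:
                raise ValueError("reversed range %r" % part.strip())
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(convert(part))
    return allowed


def parse_policy(text):
    """Parse one block such as timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat"
    into {keyword: set of allowed values}. Keywords inside a block are ANDed."""
    policy = {}
    for match in _PAIR.finditer(text):
        key, value = match.group(1).lower(), match.group(2)
        if key in policy:
            raise ValueError("keyword %s given twice" % key)
        if key == "timeofday":
            policy[key] = _expand(value, _minutes)
        elif key in KEYWORDS:
            names, lo, hi = KEYWORDS[key]
            policy[key] = _expand(value, lambda t: _atom(t, names, lo, hi))
        else:
            raise ValueError("unknown keyword %r" % key)
    # Anything left after stripping the pairs is garbage; an empty block is an error too.
    if _PAIR.sub("", text).strip() or not policy:
        raise ValueError("not a valid time policy: %r" % text)
    return policy


def _fields(local):
    """Values a zone-shifted datetime presents to each keyword (weekofmonth = ceil(day/7))."""
    return {
        "timeofday": local.hour * 60 + local.minute,
        "dayofweek": local.weekday(),
        "dayofmonth": local.day,
        "weekofmonth": (local.day - 1) // 7 + 1,
        "monthofyear": local.month,
        "year": local.year,
    }


def matches(policy, local):
    fields = _fields(local)
    return all(fields[key] in allowed for key, allowed in policy.items())


def localize(when, zone, host_tz=None):
    """Shift an aware datetime into the policy's zone: 'utc', 'host' or an Olson name."""
    if when.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    if zone.lower() == "utc":
        return when.astimezone(timezone.utc)
    if zone.lower() == "host":
        if host_tz is None:
            raise ValueError("host-local policy needs the host's tzinfo")
        return when.astimezone(host_tz)
    return when.astimezone(ZoneInfo(zone))


def access_allowed(when, zone, includes, excludes=(), host_tz=None):
    """Allowed if any include block matches and no exclude block matches."""
    local = localize(when, zone, host_tz)
    if not any(matches(parse_policy(p), local) for p in includes):
        return False
    return not any(matches(parse_policy(p), local) for p in excludes)
```

Every block is parsed before it is evaluated, so a reversed range, an out-of-bounds day or an unknown keyword is rejected at policy-add time rather than silently never matching; that is the check the UI "submit" validation in the proposal should perform. Olson names need the system tzdata that zoneinfo reads.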
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Apr 2015 16:17:13 +0200 Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration Message-ID: <552E72E9.5000001@redhat.com> https://fedorahosted.org/freeipa/ticket/4981 These patches keep usage of IPA server address as NTP server in NTP configuration on clients, in case that no NTP servers were specified by user, and no NTP servers were resolved from SRV records. This will ensure backward compatibility, as IPA does not configure NTP SRV records for each domain automatically. Patches attached. Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0224-ipa-client-make-ntp-server-option-multivalued.patch Type: text/x-patch Size: 5111 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0225-ipa-client-use-NTP-servers-detected-from-SRV.patch Type: text/x-patch Size: 1904 bytes Desc: not available URL: From mbasti at redhat.com Wed Apr 15 14:18:50 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Apr 2015 16:18:50 +0200 Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization Message-ID: <552E734A.5090005@redhat.com> https://fedorahosted.org/freeipa/ticket/4983 Patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0226-ipa-client-use-NTP-servers-specified-by-user.patch Type: text/x-patch Size: 2230 bytes Desc: not available URL: From mbasti at redhat.com Wed Apr 15 14:26:47 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Apr 2015 16:26:47 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command Message-ID: <552E7527.9020306@redhat.com> https://fedorahosted.org/freeipa/ticket/4904 Patches attached. Also ipa-upgradeconfig part is called as a subprocess. This will be removed after installer modifications. This patch may cause temporal upgrade issues (corner cases), until installer part will be finished. If somebody will be hit by them, please use --skip-version-check for ipactl and ipa-server-upgrade. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0227-Server-Upgrade-ipa-server-upgrade-command.patch Type: text/x-patch Size: 10128 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0228-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 12612 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From tbordaz at redhat.com Wed Apr 15 17:03:05 2015 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 15 Apr 2015 19:03:05 +0200 Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior In-Reply-To: <552CD233.2090805@redhat.com> References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com> <55252E30.7060301@redhat.com> <552657A3.7040503@redhat.com> <552AA27D.3060000@redhat.com> <552CD233.2090805@redhat.com> Message-ID: <552E99C9.6080703@redhat.com> On 04/14/2015 10:39 AM, Jan Cholasta wrote: > Dne 12.4.2015 v 18:51 thierry bordaz napsal(a): >> ... > > Please wrap long lines: > > new_dn = DN((self.obj.primary_key.name, > entry_attrs[self.obj.primary_key.name]), > *entry_attrs.dn[1:]) > self._exc_wrapper(keys, options, ldap.move_entry)( > entry_attrs.dn, new_dn) > > and: > > self.conn.rename_s(dn, new_rdn, newsuperior=new_superior, > delold=int(del_old)) > > > Also, you don't need to include your login in the author header (it's > part of your email address) or the reviewed by line in the commit > message (it's automatically added by ipatool when the commit is pushed). > Here is the updated patch. Thanks for the git tips :-) thanks theirry -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbordaz-0004-5-User-life-cycle-allows-MODRDN-from-ldap2.patch Type: text/x-patch Size: 3681 bytes Desc: not available URL: From simo at redhat.com Thu Apr 16 05:17:15 2015 
From: simo at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2015 01:17:15 -0400 Subject: [Freeipa-devel] [PATCH] Re: Fix password changes via kadmin In-Reply-To: <1428274413.19641.118.camel@willson.usersys.redhat.com> References: <1428274413.19641.118.camel@willson.usersys.redhat.com> Message-ID: <1429161435.31213.0.camel@willson.usersys.redhat.com> Bump On Sun, 2015-04-05 at 18:53 -0400, Simo Sorce wrote: > Fix for bug 4914. > > I've tested it locally and seem to do exactly what is needed. I couldn't > detect any side effects, except that if you use kadmin to get a > randomized password for a service then you'll get a key for all > supported types (currently aes256, aes128, des3, rc4, camellia128, > camellia256) instead of just the default ones (aes256, aes128, des3, > rc4) if you do not specify enctypes. I think that is fine, we use > ipa-getkeytab anyway in the normal course of business and that one uses > a different code path. > > Simo. > -- Simo Sorce * Red Hat, Inc * New York From jcholast at redhat.com Thu Apr 16 06:04:45 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 08:04:45 +0200 Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal In-Reply-To: <552E70AB.8090802@seznam.cz> References: <552E70AB.8090802@seznam.cz> Message-ID: <552F50FD.3080300@redhat.com> Hi, Dne 15.4.2015 v 16:07 Stanislav Láznička napsal(a): > Hi, > > I have prepared a feature proposal for the wiki. I followed the Feature > Proposal Template and the chapter "How to Test" is currently missing so > it might rather be considered a draft. Please, see it, I hope it's alright. > > The text: > > Overview > FreeIPA is currently missing any temporal settings in the HBAC rules. > However, handling access to a host in repeating time periods might be a > desirable feature. The administrator of a certain environment should be > able to set the time a host should be accessed in either the host local > time, a certain time zone time or in UTC. Host-local-time policies would > allow to adapt the time a host can be accessed to the host's movement > along different time zones. A time bound to a certain time zone is more > transparent than local time as it doesn't change with the host > traveling. Sometimes, it may also be important to set time in UTC. This > is rather strict setting that does not reflect daylight saving time. > > Use Cases > 1. A host is changing position on the globe quite often and needs to be > accessed at certain times reflecting its current time zone. > 2. A host should only be accessed at certain times given by a certain > time zone. This access is repeated in a way, such as three times a week > the same time except for once a year where there's regular maintenance. > > Design > The time based account policies are an extension to the current (April > 2015) HBAC plugin. It assumes the time through the system is well set on > all host stations via the NTP. > > Time Scenarios > This extension is designed so that it understands time in three > different views.
These are: host local time, time at a certain time > zone, and UTC. > > Host Local Time > Host local time approach is meant for those hosts that are most likely > to move across different time zones and for some reason it's important > that the time they can be accessed reflects their current position. This > helps creating only a single HBAC rule instead of multiple when only > time zone or UTC rules would apply. The time of a host is counted using > the /etc/timezone information of the certain host. Testing of such rule > requires the tester to specify a certain time zone the rule would be > tested against. > It's important to note that this type of policy may bring some > unexpected behavior as hosts move across the globe, or even in a single > hostgroup, when there're hosts from multiple timezones, and > administrator should be very sure they want to use this. > > Time Zones > In this approach, the time is thought of as of a time at a certain time > zone. This might be interesting when the time settings should reflect a > certain time zone, eg. the host or the users connecting to it are to be > found in that certain time zone. The time zone offset to count the time > of access is taken from the Olson database. Therefore, even daylight > saving time is taken into account. > > UTC > Sometimes the rules should apply for a certain time that is the same for > the whole globe throughout the year. That's why UTC should also be > supported. > > Time Policies Storage > The time policies should be stored with each the HBAC rule that applies > such a policy. This extension is designed so that the LDAP schema does > not have to be changed. > > The time policies are stored in the accessTime attribute of the HBAC > rule object. The policy is a string in a form of tuple: (anchor, time). > In this tuple, the anchor is one of "host", "utc" or Olson database time > zone name, such as "Europe/Prague". The meaning of the anchor follows > the time scenarios from this design. 
The time part of the policy tuple > is the time range of the policy. It should be called "timezone", not "anchor". Anchor was something different (and I really regret calling it that, seeing how it got stuck). Is there any real benefit in storing time zone with each access time? I think it should be good enough to have one time zone per HBAC rule, which would also reduce complexity of the whole thing. > > The language of the time half of the time policy tuple is inspired by > the time part of Bind Rules of 389 Directory Server. Aside from the Bind > Rules keywords timeofday and dayofweek, it adds keywords dayofmonth, > weekofmonth, monthofyear and year. There are three operators: assignment > ("="), range ("-") and union(","). Assignment operator is used after > each of the keywords above to specify the value of the certain keyword. > Range operator may be used for setting ranges of hours, days, months > etc. The final range includes both boundaries of the range set. A union > operator is used when the keyword should contain a union of values > rather than a range. Also, it can be used to make a union of ranges. > > Possible values of each keyword: > timeofday 0000-2359 > dayofweek Mon, Tue, Wed, Thu, Fri, Sat, Sun > dayofmonth 1-31 > weekofmonth 1-5 > monthofyear Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec > year a year IMO dayofweek and monthofyear should use number as well. Numbers are easier to process. > > Example: > (host, timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat") > > Similarly to Bind Rules, it is possible to write an time policy as a > longer expression using the "and" and "or" logical operators. In this > case, each of separate block of the policy should appear in parentheses. > It is also possible to add time exceptions for the policy. That's > performed using the except() block that should appear only once in the > time policy and should enclose all possible time exceptions for the policy. 
> > Example: > > ((timeofday="0800-1600" dayofweek="Mon-Wed") or (timeofday="1600-2400" > dayofweek="Wed-Thu")) except (dayofmonth="4" monthofyear="July") I thought we agreed on using multiple attribute values rather than one long attribute value: accessTimeInclude: timeofday="0800-1600" dayofweek="Mon-Wed" accessTimeInclude: timeofday="1600-2400" > dayofweek="Wed-Thu" accessTimeExclude: dayofmonth="4" monthofyear="July" Yes, we would loose "and" operator, but do we really need it? (IMHO we don't.) > > Feature Management > UI > The UI of HBAC rules should now include new bar for adding time > policies, similar to the user, host and service bars. Rather than "Any > time" and time specified, there should be options "Any time", "UTC", > "Host-local time" and "Specified timezone" with a timezone specification > tool (similar to the one in GNOME/Date & Time Settings). User should be > able to add more time policies for an HBAC rule to have similar behavior > to the one with adding users, services and hosts. Between these multiple > policies would be logical OR relation. > > A view of adding a policy should contain a text array for the time > policy string. At the top of this array, there should be a hint > explaining the policy syntax. The format of the time policy should be > checked upon time policy submit button press. > > CLI > Time policies at CLI would be set in a similar manner as in the UI. > Administrator needs to specify how the time should be understood > ("host", "utc", Olson's timezone name) and the time of access according > to the syntax described above: > > ipa hbac-set-accesstime-anchor anchor > ipa hbac-add-accesstime time > ipa hbac-remove-accesstime num Again, s/anchor/timezone/. > > When using CLI for access time setting, the default anchor should > probably be UTC, setting anchor with each new time policy might get > confusing as the anchor should change with all the policies for that > certain HBAC rule.
When removing a time policy, it makes sense to rather > remove it by the list position of the policy among other policies. > Honza -- Jan Cholasta From jcholast at redhat.com Thu Apr 16 06:51:32 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 08:51:32 +0200 Subject: [Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior In-Reply-To: <552E99C9.6080703@redhat.com> References: <551C1169.9060906@redhat.com> <5524CC06.1020602@redhat.com> <55252656.6020900@redhat.com> <55252E30.7060301@redhat.com> <552657A3.7040503@redhat.com> <552AA27D.3060000@redhat.com> <552CD233.2090805@redhat.com> <552E99C9.6080703@redhat.com> Message-ID: <552F5BF4.7050102@redhat.com> Dne 15.4.2015 v 19:03 thierry bordaz napsal(a): > On 04/14/2015 10:39 AM, Jan Cholasta wrote: >> Dne 12.4.2015 v 18:51 thierry bordaz napsal(a): >>> ... >> >> Please wrap long lines: >> >> new_dn = DN((self.obj.primary_key.name, >> entry_attrs[self.obj.primary_key.name]), >> *entry_attrs.dn[1:]) >> self._exc_wrapper(keys, options, ldap.move_entry)( >> entry_attrs.dn, new_dn) >> >> and: >> >> self.conn.rename_s(dn, new_rdn, newsuperior=new_superior, >> delold=int(del_old)) >> >> >> Also, you don't need to include your login in the author header (it's >> part of your email address) or the reviewed by line in the commit >> message (it's automatically added by ipatool when the commit is pushed). >> > Here is the updated patch. Thanks for the git tips :-) Thanks, ACK. Pushed to master: c20009123f3e4456bdf63b9d406543cb0e50ffce -- Jan Cholasta From jcholast at redhat.com Thu Apr 16 06:58:54 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 08:58:54 +0200 Subject: [Freeipa-devel] [PATCH 408-423] ldap: Remove IPASimpleLDAPObject In-Reply-To: <552BBD3C.5060609@redhat.com> References: <55252ABF.5010608@redhat.com> <55269A80.1020309@redhat.com> <552B5E42.2070604@redhat.com> <552BBD3C.5060609@redhat.com> Message-ID: <552F5DAE.9090304@redhat.com> Dne 13.4.2015 v 14:57 Petr Viktorin napsal(a): > On 04/13/2015 08:12 AM, Jan Cholasta wrote: >> Dne 9.4.2015 v 17:28 Petr Viktorin napsal(a): >>> On 04/08/2015 03:18 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patches remove IPASimpleLDAPObject from ipaldap. >>>> >>>> As a result, the one and only IPA LDAP API is the LDAPClient API. >>> >>> This is definitely an improvement :) >>> >>> 0408: ACK (woohoo!) >>> 0409: ACK >>> 0410: >>> I quite like the new __init__ signature, and the context manager >>> functionality. >>> Can you add a comment for the `object.__setattr__(self, '_conn', None)` >>> in _disconnect? It's a real eyesore. >> >> Added. >> >>> 0411: ACK >>> 0412: Can _force_schema_updates be set already in __init__? >> >> Unfortunately not. ldap2 is now used with different API instances, and >> the current API instance is not available in __init__. >> >> I'm working on an additional patch for >> to pass the API object to >> plugins in their __init__ (because why do it somewhere else), which will >> fix this. >> >>> 0413: ACK >>> 0414: ACK >>> 0415: ACK >>> 0416: I think you should show off the `with` statement support here. >> >> Fixed. >> >>> 0417: ... and here >> >> Fixed. >> >>> 0418: ACK >>> 0419: ACK >>> 0420: ACK >>> 0421: ACK >> >> Added a comment about ldap2's locking here as well. >> >> Also moved LDAPClient.schema back to its original location to save some >> lines in the patch. 
>> >>> 0422: ACK, and good riddance >> >> You missed 423 :-) > > Ah, that comment was meant for 423 :) > > > > ACK for all Rebased and pushed to master: b48cfe05e9e6d9fa0d55c9c61f4ac23d8f5ee743 -- Jan Cholasta From jcholast at redhat.com Thu Apr 16 07:04:18 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 09:04:18 +0200 Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes In-Reply-To: <5527D71D.5020209@redhat.com> References: <5527D71D.5020209@redhat.com> Message-ID: <552F5EF2.9060308@redhat.com> Hi, Dne 10.4.2015 v 15:58 Petr Viktorin napsal(a): > The attached patches remove EditableDN, EditableRDN and EditableAVA. > They depend on Petr Voborník's patch 811 (performance: faster DN > implementation). > > > Mutable DNs are not very useful. When creating them it is easier to work > with lists or generators, and needing to change DNs aside from > operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say > theoretical. > Mutable DNs are not hashable, so they can't be used as dict keys. > Storing them as "keys" in other structures (e.g. in a LDAPEntry) is > dangerous -- it's hard to reason about outside modifications. > > The first patch removes the last use of EditableDN. I could be convinced > it's not an improvement in elegance/readability, but I believe this is > the strongest case for EditableDN in IPA, and it doesn't justify keeping > it. LGTM, but patch 688 needs to be rebased. Honza -- Jan Cholasta From jcholast at redhat.com Thu Apr 16 07:12:34 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 09:12:34 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55267A8F.3030203@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com> <55267065.4090900@redhat.com> <55267A8F.3030203@redhat.com> Message-ID: <552F60E2.9050902@redhat.com> Dne 9.4.2015 v 15:11 Luc de Louw napsal(a): > > On 04/09/2015 02:28 PM, Jan Cholasta wrote: >>>>> Let's say you now introduce --no-cr flag. What if we decide to change >>>>> the default to False? How would you then change the option/API? >>>> >>>> You would have to add --cr flag. >>> >>> That was the point - some clients would send "ct" flag, some "no_cr" >>> and there >>> would have to be special handling. >>> >>>>> It is more flexible IMO to just use something like >>>>> >>>>> --cr=TRUE|FALSE with TRUE being the default >>>> >>>> I would say --append-cr=TRUE|FALSE with no default, meaning do not >>>> add the flag >>>> to the config at all. >>> >>> I though the idea was to append the CR by default, i.e. >>> --append-cr=TRUE|FALSE >>> with TRUE being the default. >>> >> >> If you want to hardcode the default into the plugin, there is no benefit >> in using Bool over Flag, because Flag is actually a Bool with hardcoded >> default value. >> > > I actually started with a bool, default=True. I had the problem that the > Default value was ignored, the value was None. > > Changing the default behavior is IMHO bad anyway does not matter if Bool > or Flag. +1 > > Please advise what is you wish to be implemented :-) That depends. 
Is there a difference between "do not set APPEND_CR ticket flag" and "set APPEND_CR ticket flag to false"? > > Thanks, > > Luc -- Jan Cholasta From pviktori at redhat.com Thu Apr 16 07:18:36 2015 
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 16 Apr 2015 09:18:36 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <552E0599.3040506@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> <552D3DEE.1070005@redhat.com> <552D4C95.1080706@redhat.com> <552E0599.3040506@redhat.com> Message-ID: <552F624C.5050600@redhat.com> On 04/15/2015 08:30 AM, Jan Cholasta wrote: > Dne 14.4.2015 v 19:21 Petr Viktorin napsal(a): >> On 04/14/2015 06:18 PM, Jan Cholasta wrote: >>> Dne 14.4.2015 v 17:50 Petr Viktorin napsal(a): >>>> On 04/14/2015 05:22 PM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 14.4.2015 v 16:38 Petr Viktorin napsal(a): >>>>>> Hello! >>>>>> >>>>>> As some of you know, I'm looking to help porting FreeIPA to Python 3. >>>>>> One of the major dependencies holding this back is python-ldap, which >>>>>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>>>>> Barrois [0] are ready and have been sent to the python-ldap list. The >>>>>> python-ldap upstream has been very quiet about reviewing them so far, >>>>>> but they're something for me to test against, and maybe improve. >>>>>> >>>>>> To make the testing easier, I'd like to split out "ipaldap" to a >>>>>> stand-alone package, and port it to Python 3 first. >>>>>> This split will make it easier to test (since I don't have to port >>>>>> all >>>>>> of IPA), and being able to use our generic LDAP wrappers in non-IPA >>>>>> projects could maybe also invite some community participation. Also, >>>>>> ipaldap unit tests are somewhat lacking, so I'll help with that. >>>>>> Packaging-wise, I want "ipaldap" to be on the same level as >>>>>> "ipapython" >>>>>> or "ipaserver"; additionally I want to release it on PyPI [1].
>>>>> >>>>> Note that I don't consider ipaldap API stable and don't want to put >>>>> any >>>>> effort in maintaining backward compatibility when something needs >>>>> to be >>>>> changed, so you might want to hold the PyPI release, or at least put a >>>>> big fat warning in some visible place. >>>> >>>> If it's released early & often, it'll at least be visible to interested >>>> people. >>>> It would be nice to include a roadmap file saying what needs to change >>>> before we start claiming API stability. >>> >>> From the top of my head, in no particular order: >>> >>> * High-level class for attribute values >> >> +1 >> >>> * High-level classes for schema elements >>> * Support different schema styles (LDAPv3, AD), or at least make it >>> possible >> >> Here I'm inclined to just say the schema API isn't done. > > It will affect how syntax mapping is done, so it depends on whether > syntax mapping is exposed or not. There are also some schema-related > LDAPClient methods (like get_allowed_attributes) which will be (re)moved > when the schema API is done. I think putting warnings around the unfinished parts would work. >>> * Some better way of doing "extended" operations (paged search, deref >>> search, etc.) >>> * Support different transports (LDAP, local LDIF file), or at least >>> make it possible >> >> Those two should be possible to add while keeping compatibility. > > I don't think I want the paged_search argument of find_entries to be > supported. Then I'll document it as unsupported. >>>>>> My general plan is: >>>>>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable >>>>>> for >>>>>> old scripts/plugins) >>>>> >>>>> DNs are not strictly LDAP specific, so I would rather move >>>>> ipapython.dn >>>>> to a new ipautil package. >>>> >>>> I'd rather not, at least until there's something that needs it (and >>>> doesn't also depend on ipaldap). The scope of "ipautil" is far too >>>> badly >>>> defined for such a package to be useful. 
>>> >>> IMO generic stuff should be in a package for generic stuff. I guess it >>> should originally have been ipapython, but it's too fused with ipalib >>> ATM, hence my proposal to use a new package. >> >> No. Any vaguely defined collection of generic utilities needed in a >> project is really a single-purpose package. Nobody likes pulling in a >> bunch of unrelated stuff because of one particular thing they need, and >> without a scope the amount of unnecessary stuff grows without bound. >> I'd be OK with an "ipadn", if you can manage the overhead of a package. > > IMO "ipadn" is just too specific. I guess we can use X.500 as scope, > since the basic types like DN or OID are defined in X.500, and put it in > "ipax500". Does that sound OK? It might make sense conceptually, but do you have a use case? Some software that would want to depend on python-ldap (since that's what DNs depend on), but couldn't also bring in ipaldap? I don't see the benefit, so I don't really want to do this myself. >>>>>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to >>>>>> replace this with something based on collections.MutableMapping, >>>>>> since >>>>>> the semantics of subclassing "dict" aren't very well defined. >>>>> >>>>> I have WIP which does just that. >>>> >>>> Could you send it? >>> >>> Not yet unfortunately, CIDict removal is actually just a side effect of >>> other changes, and it still needs a lot of work before it is sendable. >> >> I was thinking the Python 3 boundary is a good point to switch, since >> stuff will be breaking anyway. I can import the new one under py3, and >> keep the old one for py2. >> > > I'm a bit lost here, what do you mean by "new one" and "old one"? Use the existing (old) CIDict under Python 2, and a new one based on MutableMapping for all Python 3 code. -- Petr Viktorin From ftweedal at redhat.com Thu Apr 16 08:03:38 2015 
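The CIDict point in the exchange above (replace a `dict` subclass with something built on `collections.MutableMapping`, because the semantics of subclassing `dict` are not well defined) is easy to see in code. The following is an added example of my own, not ipaldap's CIDict or any FreeIPA code: `NaiveCIDict` shows the holes a `dict` subclass leaves, and `CaseInsensitiveDict` is the MutableMapping version, which folds attribute names with `str.casefold()` but keeps the spelling they were last set with. Class and method names are my assumptions.

```python
from collections.abc import MutableMapping


class NaiveCIDict(dict):
    """The dict-subclass approach: only the two overridden methods fold case.
    dict.__init__, update(), get(), __contains__ and setdefault() run in C and
    never call these overrides, so the mapping is inconsistent with itself."""

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())


def dict_subclass_gaps():
    """Exercise the holes; returns ('KeyError', None, ['CN', 'UID'])."""
    d = NaiveCIDict({"CN": "alice"})      # stored under 'CN': __init__ skipped __setitem__
    try:
        d["CN"]                           # our __getitem__ looks up 'cn' -> KeyError
        lookup = "ok"
    except KeyError:
        lookup = "KeyError"
    d.update(UID="alice")                 # update() skips __setitem__ as well
    return lookup, d.get("cn"), sorted(d)  # get() skips __getitem__ too


class CaseInsensitiveDict(MutableMapping):
    """Keys compare by casefold() but keep the caller's spelling, as an LDAP
    attribute name should. Only the five abstract methods touch storage;
    MutableMapping derives get/update/pop/setdefault/__contains__ from them,
    so there is no code path that bypasses the folding."""

    def __init__(self, data=None, **kwargs):
        self._store = {}                  # casefolded key -> (original key, value)
        self.update(data or {}, **kwargs)  # goes through __setitem__

    def __setitem__(self, key, value):
        self._store[key.casefold()] = (key, value)

    def __getitem__(self, key):
        return self._store[key.casefold()][1]

    def __delitem__(self, key):
        del self._store[key.casefold()]

    def __iter__(self):
        return (original for original, _ in self._store.values())

    def __len__(self):
        return len(self._store)

    def __repr__(self):
        return "%s(%r)" % (type(self).__name__, dict(self.items()))
```

Because `Mapping` defines `__eq__`, instances are unhashable, which is the right default for a mutable container; keys are assumed to be `str`, since `casefold()` is what makes the comparison Unicode-correct rather than ASCII-only `lower()`.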
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 16 Apr 2015 18:03:38 +1000 Subject: [Freeipa-devel] design review: Certificate Profiles Message-ID: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> Hi everyone, Please review my Certificate Profiles design proposal: http://www.freeipa.org/page/V4/Certificate_Profiles Let me know what is unclear, what needs expansion, and what is plain wrong :) The schema for storing multiple certificates for a principal is still being discussed but I expect it will be agreed soon, and I will add it to the document. I am revising the sub-CAs design proposal and it will soon be published for review as well. Cheers, Fraser From slaz at seznam.cz Thu Apr 16 08:04:31 2015 
From: slaz at seznam.cz (Stanislav Láznička)
Date: Thu, 16 Apr 2015 10:04:31 +0200
Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal
In-Reply-To: <552F50FD.3080300@redhat.com>
References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com>
Message-ID: <552F6D0F.2090309@seznam.cz>

On 04/16/2015 08:04 AM, Jan Cholasta wrote:
> Hi,
>
> On 15.4.2015 at 16:07, Stanislav Láznička wrote:
>> Hi,
>>
>> I have prepared a feature proposal for the wiki. I followed the Feature
>> Proposal Template and the chapter "How to Test" is currently missing so
>> it might rather be considered a draft. Please, see it, I hope it's
>> alright.
>>
>> The text:
>>
>> Overview
>> FreeIPA is currently missing any temporal settings in the HBAC rules.
>> However, handling access to a host in repeating time periods might be a
>> desirable feature. The administrator of a certain environment should be
>> able to set the time a host should be accessed in either the host local
>> time, a certain time zone time or in UTC. Host-local-time policies would
>> allow to adapt the time a host can be accessed to the host's movement
>> along different time zones. A time bound to a certain time zone is more
>> transparent than local time as it doesn't change with the host
>> traveling. Sometimes, it may also be important to set time in UTC. This
>> is rather strict setting that does not reflect daylight saving time.
>>
>> Use Cases
>> 1. A host is changing position on the globe quite often and needs to be
>> accessed at certain times reflecting its current time zone.
>> 2. A host should only be accessed at certain times given by a certain
>> time zone. This access is repeated in a way, such as three times a week
>> the same time except for once a year where there's regular maintenance.
>>
>> Design
>> The time based account policies are an extension to the current (April
>> 2015) HBAC plugin. It assumes the time through the system is well set on
>> all host stations via the NTP.
>>
>> Time Scenarios
>> This extension is designed so that it understands time in three
>> different views. These are: host local time, time at a certain time
>> zone, and UTC.
>>
>> Host Local Time
>> Host local time approach is meant for those hosts that are most likely
>> to move across different time zones and for some reason it's important
>> that the time they can be accessed reflects their current position. This
>> helps creating only a single HBAC rule instead of multiple when only
>> time zone or UTC rules would apply. The time of a host is counted using
>> the /etc/timezone information of the certain host. Testing of such rule
>> requires the tester to specify a certain time zone the rule would be
>> tested against.
>> It's important to note that this type of policy may bring some
>> unexpected behavior as hosts move across the globe, or even in a single
>> hostgroup, when there're hosts from multiple timezones, and
>> administrator should be very sure they want to use this.
>>
>> Time Zones
>> In this approach, the time is thought of as of a time at a certain time
>> zone. This might be interesting when the time settings should reflect a
>> certain time zone, eg. the host or the users connecting to it are to be
>> found in that certain time zone. The time zone offset to count the time
>> of access is taken from the Olson database. Therefore, even daylight
>> saving time is taken into account.
>>
>> UTC
>> Sometimes the rules should apply for a certain time that is the same for
>> the whole globe throughout the year. That's why UTC should also be
>> supported.
>>
>> Time Policies Storage
>> The time policies should be stored with each the HBAC rule that applies
>> such a policy. This extension is designed so that the LDAP schema does
>> not have to be changed.
>>
>> The time policies are stored in the accessTime attribute of the HBAC
>> rule object. The policy is a string in a form of tuple: (anchor, time).
>> In this tuple, the anchor is one of "host", "utc" or Olson database time
>> zone name, such as "Europe/Prague". The meaning of the anchor follows
>> the time scenarios from this design. The time part of the policy tuple
>> is the time range of the policy.
>
> It should be called "timezone", not "anchor". Anchor was something
> different (and I really regret calling it that, seeing how it got stuck).
>
> Is there any real benefit in storing time zone with each access time?
> I think it should be good enough to have one time zone per HBAC rule,
> which would also reduce complexity of the whole thing.
>
I was thinking "host", "utc" - these are not timezones. Maybe it would be
more accurate to call it an anchor or a handle.

The timezone should probably be stored just once in the rule, you're
right. In the design, I was aiming for not changing the schema, but it
probably makes no sense to keep it as it is.
>>
>> The language of the time half of the time policy tuple is inspired by
>> the time part of Bind Rules of 389 Directory Server. Aside from the Bind
>> Rules keywords timeofday and dayofweek, it adds keywords dayofmonth,
>> weekofmonth, monthofyear and year. There are three operators: assignment
>> ("="), range ("-") and union (","). Assignment operator is used after
>> each of the keywords above to specify the value of the certain keyword.
>> Range operator may be used for setting ranges of hours, days, months
>> etc. The final range includes both boundaries of the range set. A union
>> operator is used when the keyword should contain a union of values
>> rather than a range. Also, it can be used to make a union of ranges.
>>
>> Possible values of each keyword:
>> timeofday      0000-2359
>> dayofweek      Mon, Tue, Wed, Thu, Fri, Sat, Sun
>> dayofmonth     1-31
>> weekofmonth    1-5
>> monthofyear    Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct,
>>                Nov, Dec
>> year           a year
>
> IMO dayofweek and monthofyear should use number as well. Numbers are
> easier to process.
>
On the other hand, names of days and months keep the rule more readable,
which I think might be better when checking for mistakes in those rules.
>>
>> Example:
>> (host, timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat")
>>
>> Similarly to Bind Rules, it is possible to write a time policy as a
>> longer expression using the "and" and "or" logical operators. In this
>> case, each separate block of the policy should appear in parentheses.
>> It is also possible to add time exceptions for the policy. That's
>> performed using the except() block that should appear only once in the
>> time policy and should enclose all possible time exceptions for the
>> policy.
>>
>> Example:
>>
>> ((timeofday="0800-1600" dayofweek="Mon-Wed") or (timeofday="1600-2400"
>> dayofweek="Wed-Thu")) except (dayofmonth="4" monthofyear="July")
>
> I thought we agreed on using multiple attribute values rather than one
> long attribute value:
>
> accessTimeInclude: timeofday="0800-1600" dayofweek="Mon-Wed"
> accessTimeInclude: timeofday="1600-2400" dayofweek="Wed-Thu"
> accessTimeExclude: dayofmonth="4" monthofyear="July"
>
> Yes, we would lose "and" operator, but do we really need it? (IMHO we
> don't.)
>
Guilty there. It should really be multi-valued attribute. Although I
think I would stick with just accessTime rather than accessTimeInclude.
>>
>> Feature Management
>> UI
>> The UI of HBAC rules should now include new bar for adding time
>> policies, similar to the user, host and service bars. Rather than "Any
>> time" and time specified, there should be options "Any time", "UTC",
>> "Host-local time" and "Specified timezone" with a timezone specification
>> tool (similar to the one in GNOME/Date & Time Settings). User should be
>> able to add more time policies for an HBAC rule to have similar behavior
>> to the one with adding users, services and hosts. Between these multiple
>> policies would be logical OR relation.
>>
>> A view of adding a policy should contain a text array for the time
>> policy string. At the top of this array, there should be a hint
>> explaining the policy syntax. The format of the time policy should be
>> checked upon time policy submit button press.
>>
>> CLI
>> Time policies at CLI would be set in a similar manner as in the UI.
>> Administrator needs to specify how the time should be understood
>> ("host", "utc", Olson's timezone name) and the time of access according
>> to the syntax described above:
>>
>> ipa hbac-set-accesstime-anchor anchor
>> ipa hbac-add-accesstime time
>> ipa hbac-remove-accesstime num
>
> Again, s/anchor/timezone/.
>
>>
>> When using CLI for access time setting, the default anchor should
>> probably be UTC, setting anchor with each new time policy might get
>> confusing as the anchor should change with all the policies for that
>> certain HBAC rule. When removing a time policy, it makes sense to rather
>> remove it by the list position of the policy among other policies.
>>
>
> Honza
>

From jcholast at redhat.com Thu Apr 16 08:13:50 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 16 Apr 2015 10:13:50 +0200
Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal
In-Reply-To: <552F6D0F.2090309@seznam.cz>
References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com> <552F6D0F.2090309@seznam.cz>
Message-ID: <552F6F3E.1060400@redhat.com>

On 16.4.2015 at 10:04, Stanislav Láznička wrote:
> On 04/16/2015 08:04 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 15.4.2015 at 16:07, Stanislav Láznička wrote:
>>> Hi,
>>>
>>> I have prepared a feature proposal for the wiki. I followed the Feature
>>> Proposal Template and the chapter "How to Test" is currently missing so
>>> it might rather be considered a draft. Please, see it, I hope it's
>>> alright.
>>>
>>> The text:
>>>
>>> Overview
>>> FreeIPA is currently missing any temporal settings in the HBAC rules.
>>> However, handling access to a host in repeating time periods might be a
>>> desirable feature. The administrator of a certain environment should be
>>> able to set the time a host should be accessed in either the host local
>>> time, a certain time zone time or in UTC. Host-local-time policies would
>>> allow to adapt the time a host can be accessed to the host's movement
>>> along different time zones. A time bound to a certain time zone is more
>>> transparent than local time as it doesn't change with the host
>>> traveling. Sometimes, it may also be important to set time in UTC. This
>>> is rather strict setting that does not reflect daylight saving time.
>>>
>>> Use Cases
>>> 1. A host is changing position on the globe quite often and needs to be
>>> accessed at certain times reflecting its current time zone.
>>> 2. A host should only be accessed at certain times given by a certain
>>> time zone. This access is repeated in a way, such as three times a week
>>> the same time except for once a year where there's regular maintenance.
>>>
>>> Design
>>> The time based account policies are an extension to the current (April
>>> 2015) HBAC plugin. It assumes the time through the system is well set on
>>> all host stations via the NTP.
>>>
>>> Time Scenarios
>>> This extension is designed so that it understands time in three
>>> different views. These are: host local time, time at a certain time
>>> zone, and UTC.
>>>
>>> Host Local Time
>>> Host local time approach is meant for those hosts that are most likely
>>> to move across different time zones and for some reason it's important
>>> that the time they can be accessed reflects their current position. This
>>> helps creating only a single HBAC rule instead of multiple when only
>>> time zone or UTC rules would apply. The time of a host is counted using
>>> the /etc/timezone information of the certain host. Testing of such rule
>>> requires the tester to specify a certain time zone the rule would be
>>> tested against.
>>> It's important to note that this type of policy may bring some
>>> unexpected behavior as hosts move across the globe, or even in a single
>>> hostgroup, when there're hosts from multiple timezones, and
>>> administrator should be very sure they want to use this.
>>>
>>> Time Zones
>>> In this approach, the time is thought of as of a time at a certain time
>>> zone. This might be interesting when the time settings should reflect a
>>> certain time zone, eg. the host or the users connecting to it are to be
>>> found in that certain time zone. The time zone offset to count the time
>>> of access is taken from the Olson database. Therefore, even daylight
>>> saving time is taken into account.
>>>
>>> UTC
>>> Sometimes the rules should apply for a certain time that is the same for
>>> the whole globe throughout the year. That's why UTC should also be
>>> supported.
>>>
>>> Time Policies Storage
>>> The time policies should be stored with each the HBAC rule that applies
>>> such a policy. This extension is designed so that the LDAP schema does
>>> not have to be changed.
>>>
>>> The time policies are stored in the accessTime attribute of the HBAC
>>> rule object. The policy is a string in a form of tuple: (anchor, time).
>>> In this tuple, the anchor is one of "host", "utc" or Olson database time
>>> zone name, such as "Europe/Prague". The meaning of the anchor follows
>>> the time scenarios from this design. The time part of the policy tuple
>>> is the time range of the policy.
>>
>> It should be called "timezone", not "anchor". Anchor was something
>> different (and I really regret calling it that, seeing how it got stuck).
>>
>> Is there any real benefit in storing time zone with each access time?
>> I think it should be good enough to have one time zone per HBAC rule,
>> which would also reduce complexity of the whole thing.
>>
> I was thinking "host", "utc" - these are not timezones. Maybe it would
> be more accurate to call it an anchor or a handle.

"UTC" is a timezone according to . The value usually is a valid timezone,
I don't think we need to call it differently because of *one* value which
is not.

>
> The timezone should probably be stored just once in the rule, you're
> right. In the design, I was aiming for not changing the schema, but it
> probably makes no sense to keep it as it is.
>>>
>>> The language of the time half of the time policy tuple is inspired by
>>> the time part of Bind Rules of 389 Directory Server. Aside from the Bind
>>> Rules keywords timeofday and dayofweek, it adds keywords dayofmonth,
>>> weekofmonth, monthofyear and year. There are three operators: assignment
>>> ("="), range ("-") and union (","). Assignment operator is used after
>>> each of the keywords above to specify the value of the certain keyword.
>>> Range operator may be used for setting ranges of hours, days, months
>>> etc. The final range includes both boundaries of the range set. A union
>>> operator is used when the keyword should contain a union of values
>>> rather than a range. Also, it can be used to make a union of ranges.
>>>
>>> Possible values of each keyword:
>>> timeofday      0000-2359
>>> dayofweek      Mon, Tue, Wed, Thu, Fri, Sat, Sun
>>> dayofmonth     1-31
>>> weekofmonth    1-5
>>> monthofyear    Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct,
>>>                Nov, Dec
>>> year           a year
>>
>> IMO dayofweek and monthofyear should use number as well. Numbers are
>> easier to process.
>>
> On the other hand, names of days and months keep the rule more readable,
> which I think might be better when checking for mistakes in those rules.
>>>
>>> Example:
>>> (host, timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat")
>>>
>>> Similarly to Bind Rules, it is possible to write a time policy as a
>>> longer expression using the "and" and "or" logical operators. In this
>>> case, each separate block of the policy should appear in parentheses.
>>> It is also possible to add time exceptions for the policy. That's
>>> performed using the except() block that should appear only once in the
>>> time policy and should enclose all possible time exceptions for the
>>> policy.
>>>
>>> Example:
>>>
>>> ((timeofday="0800-1600" dayofweek="Mon-Wed") or (timeofday="1600-2400"
>>> dayofweek="Wed-Thu")) except (dayofmonth="4" monthofyear="July")
>>
>> I thought we agreed on using multiple attribute values rather than one
>> long attribute value:
>>
>> accessTimeInclude: timeofday="0800-1600" dayofweek="Mon-Wed"
>> accessTimeInclude: timeofday="1600-2400" dayofweek="Wed-Thu"
>> accessTimeExclude: dayofmonth="4" monthofyear="July"
>>
>> Yes, we would lose "and" operator, but do we really need it? (IMHO we
>> don't.)
>>
> Guilty there. It should really be multi-valued attribute. Although I
> think I would stick with just accessTime rather than accessTimeInclude.

Whatever suits you, but keep in mind that the exceptions need their own
attribute.

>>>
>>> Feature Management
>>> UI
>>> The UI of HBAC rules should now include new bar for adding time
>>> policies, similar to the user, host and service bars. Rather than "Any
>>> time" and time specified, there should be options "Any time", "UTC",
>>> "Host-local time" and "Specified timezone" with a timezone specification
>>> tool (similar to the one in GNOME/Date & Time Settings). User should be
>>> able to add more time policies for an HBAC rule to have similar behavior
>>> to the one with adding users, services and hosts. Between these multiple
>>> policies would be logical OR relation.
>>>
>>> A view of adding a policy should contain a text array for the time
>>> policy string. At the top of this array, there should be a hint
>>> explaining the policy syntax. The format of the time policy should be
>>> checked upon time policy submit button press.
>>>
>>> CLI
>>> Time policies at CLI would be set in a similar manner as in the UI.
>>> Administrator needs to specify how the time should be understood
>>> ("host", "utc", Olson's timezone name) and the time of access according
>>> to the syntax described above:
>>>
>>> ipa hbac-set-accesstime-anchor anchor
>>> ipa hbac-add-accesstime time
>>> ipa hbac-remove-accesstime num
>>
>> Again, s/anchor/timezone/.
>>
>>>
>>> When using CLI for access time setting, the default anchor should
>>> probably be UTC, setting anchor with each new time policy might get
>>> confusing as the anchor should change with all the policies for that
>>> certain HBAC rule. When removing a time policy, it makes sense to rather
>>> remove it by the list position of the policy among other policies.
>>>
>>
>> Honza
>>
>

-- 
Jan Cholasta

From abokovoy at redhat.com Thu Apr 16 08:26:48 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 16 Apr 2015 11:26:48 +0300
Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal
In-Reply-To: <552F6D0F.2090309@seznam.cz>
References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com> <552F6D0F.2090309@seznam.cz>
Message-ID: <20150416082648.GJ4797@redhat.com>

On Thu, 16 Apr 2015, Stanislav Láznička wrote:
>On 04/16/2015 08:04 AM, Jan Cholasta wrote:
>>Hi,
>>
>>On 15.4.2015 at 16:07, Stanislav Láznička wrote:
>>>Hi,
>>>
>>>I have prepared a feature proposal for the wiki. I followed the Feature
>>>Proposal Template and the chapter "How to Test" is currently missing so
>>>it might rather be considered a draft. Please, see it, I hope it's
>>>alright.
>>>
>>>The text:
>>>
>>>Overview
>>>FreeIPA is currently missing any temporal settings in the HBAC rules.
>>>However, handling access to a host in repeating time periods might be a
>>>desirable feature. The administrator of a certain environment should be
>>>able to set the time a host should be accessed in either the host local
>>>time, a certain time zone time or in UTC. Host-local-time policies would
>>>allow to adapt the time a host can be accessed to the host's movement
>>>along different time zones. A time bound to a certain time zone is more
>>>transparent than local time as it doesn't change with the host
>>>traveling. Sometimes, it may also be important to set time in UTC. This
>>>is rather strict setting that does not reflect daylight saving time.
>>>
>>>Use Cases
>>>1. A host is changing position on the globe quite often and needs to be
>>>accessed at certain times reflecting its current time zone.
>>>2. A host should only be accessed at certain times given by a certain
>>>time zone. This access is repeated in a way, such as three times a week
>>>the same time except for once a year where there's regular maintenance.
>>>
>>>Design
>>>The time based account policies are an extension to the current (April
>>>2015) HBAC plugin. It assumes the time through the system is well set on
>>>all host stations via the NTP.
>>>
>>>Time Scenarios
>>>This extension is designed so that it understands time in three
>>>different views. These are: host local time, time at a certain time
>>>zone, and UTC.
>>>
>>>Host Local Time
>>>Host local time approach is meant for those hosts that are most likely
>>>to move across different time zones and for some reason it's important
>>>that the time they can be accessed reflects their current position. This
>>>helps creating only a single HBAC rule instead of multiple when only
>>>time zone or UTC rules would apply. The time of a host is counted using
>>>the /etc/timezone information of the certain host. Testing of such rule
>>>requires the tester to specify a certain time zone the rule would be
>>>tested against.
>>>It's important to note that this type of policy may bring some
>>>unexpected behavior as hosts move across the globe, or even in a single
>>>hostgroup, when there're hosts from multiple timezones, and
>>>administrator should be very sure they want to use this.
>>>
>>>Time Zones
>>>In this approach, the time is thought of as of a time at a certain time
>>>zone. This might be interesting when the time settings should reflect a
>>>certain time zone, eg. the host or the users connecting to it are to be
>>>found in that certain time zone. The time zone offset to count the time
>>>of access is taken from the Olson database. Therefore, even daylight
>>>saving time is taken into account.
>>>
>>>UTC
>>>Sometimes the rules should apply for a certain time that is the same for
>>>the whole globe throughout the year. That's why UTC should also be
>>>supported.
>>>
>>>Time Policies Storage
>>>The time policies should be stored with each the HBAC rule that applies
>>>such a policy. This extension is designed so that the LDAP schema does
>>>not have to be changed.
>>>
>>>The time policies are stored in the accessTime attribute of the HBAC
>>>rule object. The policy is a string in a form of tuple: (anchor, time).
>>>In this tuple, the anchor is one of "host", "utc" or Olson database time
>>>zone name, such as "Europe/Prague". The meaning of the anchor follows
>>>the time scenarios from this design. The time part of the policy tuple
>>>is the time range of the policy.
>>
>>It should be called "timezone", not "anchor". Anchor was something
>>different (and I really regret calling it that, seeing how it got
>>stuck).
>>
>>Is there any real benefit in storing time zone with each access
>>time? I think it should be good enough to have one time zone per
>>HBAC rule, which would also reduce complexity of the whole thing.
>>
>I was thinking "host", "utc" - these are not timezones. Maybe it would
>be more accurate to call it an anchor or a handle.
And you are wrong here.
Olson database does have UTC as a timezone designator. I said previously
that this field should have just a value of Olson database and that's
fine. Simo was also talking about using an empty string to indicate 'use
timezone of the server' and I think with this we'd get a simple logic:

- if timezone value is empty (''), timezone of the target server is used,
  based on /etc/localtime value.
- if timezone value is not empty, it designates a timezone from Olson
  database.

No need to invent anything else here, in my opinion.
-- 
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Apr 16 08:51:15 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 16 Apr 2015 10:51:15 +0200
Subject: [Freeipa-devel] New installer PoC
In-Reply-To: <550FC8E9.4020502@redhat.com>
References: <550FC8E9.4020502@redhat.com>
Message-ID: <552F7803.9020107@redhat.com>

On 03/23/2015 09:03 AM, Jan Cholasta wrote:
> Hi,
>
> the attached patch contains a new PoC installer for httpd.
>
> Design goals:
>
> 1) Make code related to any particular configuration change co-located,
> be it install/uninstall/upgrade.
>
> 2) Get rid of code duplicates.
>
> 3) Use the same code path for install and upgrade.
>
> 4) Provide metadata for parameters from which option parsers etc. can be
> generated.
>
> 5) Make installers pluggable. This is not really apparent from the patch,
> since it only implements installer for a single component, but I plan to
> make the whole thing extensible by plugins.
>
> Honza
>

1. In

-def install_http(config, auto_redirect):
+def install_http(config, http):

to me, it was not obvious whether `http` is an http instance or an http
installer. I would prefer `installer` or `http_installer`.
Distinguishing these two could be a good convention.

2. What is the reason for hard coding step numbers in output messages,
e.g.:

+ if self.is_installer:
+ self.service.print_msg(" [6/16] configuring httpd")

Is it temporary for the POC?

I look forward to the plugin support. Do you plan to allow adding a step
in the plugin to an arbitrary place? It could invalidate these hardcoded
strings.
-- 
Petr Vobornik

From jcholast at redhat.com Thu Apr 16 08:58:38 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 16 Apr 2015 10:58:38 +0200
Subject: [Freeipa-devel] New installer PoC
In-Reply-To: <552F7803.9020107@redhat.com>
References: <550FC8E9.4020502@redhat.com> <552F7803.9020107@redhat.com>
Message-ID: <552F79BE.9020406@redhat.com>

On 16.4.2015 at 10:51, Petr Vobornik wrote:
> On 03/23/2015 09:03 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch contains a new PoC installer for httpd.
>>
>> Design goals:
>>
>> 1) Make code related to any particular configuration change co-located,
>> be it install/uninstall/upgrade.
>>
>> 2) Get rid of code duplicates.
>>
>> 3) Use the same code path for install and upgrade.
>>
>> 4) Provide metadata for parameters from which option parsers etc. can be
>> generated.
>>
>> 5) Make installers pluggable. This is not really apparent from the patch,
>> since it only implements installer for a single component, but I plan to
>> make the whole thing extensible by plugins.
>>
>> Honza
>>
>
> 1. In
>
> -def install_http(config, auto_redirect):
> +def install_http(config, http):
>
> to me, it was not obvious whether `http` is an http instance or an http
> installer. I would prefer `installer` or `http_installer`.
> Distinguishing these two could be a good convention.

OK. Note that this particular piece of code is temporary though.

>
> 2. What is the reason for hard coding step numbers in output messages,
> e.g.:
>
> + if self.is_installer:
> + self.service.print_msg(" [6/16] configuring httpd")
>
> Is it temporary for the POC?

Yes.

> I look forward to the plugin support. Do
> you plan to allow adding a step in the plugin to an arbitrary place?

Yes, sort of.

> It
> could invalidate these hardcoded strings.

-- 
Jan Cholasta

From slaz at seznam.cz Thu Apr 16 09:24:08 2015
From: slaz at seznam.cz (Standa Láznička)
Date: Thu, 16 Apr 2015 11:24:08 +0200
Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal
In-Reply-To: <20150416082648.GJ4797@redhat.com>
References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com> <552F6D0F.2090309@seznam.cz> <20150416082648.GJ4797@redhat.com>
Message-ID: <552F7FB8.3000000@seznam.cz>

On 4/16/2015 10:26 AM, Alexander Bokovoy wrote:
> On Thu, 16 Apr 2015, Stanislav Láznička wrote:
>> On 04/16/2015 08:04 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 15.4.2015 at 16:07, Stanislav Láznička wrote:
>>>> Hi,
>>>>
>>>> I have prepared a feature proposal for the wiki. I followed the
>>>> Feature
>>>> Proposal Template and the chapter "How to Test" is currently
>>>> missing so
>>>> it might rather be considered a draft. Please, see it, I hope it's
>>>> alright.
>>>>
>>>> The text:
>>>>
>>>> Overview
>>>> FreeIPA is currently missing any temporal settings in the HBAC rules.
>>>> However, handling access to a host in repeating time periods might
>>>> be a
>>>> desirable feature. The administrator of a certain environment
>>>> should be
>>>> able to set the time a host should be accessed in either the host
>>>> local
>>>> time, a certain time zone time or in UTC. Host-local-time policies
>>>> would
>>>> allow to adapt the time a host can be accessed to the host's movement
>>>> along different time zones. A time bound to a certain time zone is
>>>> more
>>>> transparent than local time as it doesn't change with the host
>>>> traveling. Sometimes, it may also be important to set time in UTC.
>>>> This
>>>> is rather strict setting that does not reflect daylight saving time.
>>>>
>>>> Use Cases
>>>> 1. A host is changing position on the globe quite often and needs
>>>> to be
>>>> accessed at certain times reflecting its current time zone.
>>>> 2. A host should only be accessed at certain times given by a certain
>>>> time zone. This access is repeated in a way, such as three times a
>>>> week
>>>> the same time except for once a year where there's regular
>>>> maintenance.
>>>>
>>>> Design
>>>> The time based account policies are an extension to the current (April
>>>> 2015) HBAC plugin. It assumes the time through the system is well
>>>> set on
>>>> all host stations via the NTP.
>>>>
>>>> Time Scenarios
>>>> This extension is designed so that it understands time in three
>>>> different views. These are: host local time, time at a certain time
>>>> zone, and UTC.
>>>>
>>>> Host Local Time
>>>> Host local time approach is meant for those hosts that are most likely
>>>> to move across different time zones and for some reason it's important
>>>> that the time they can be accessed reflects their current position.
>>>> This
>>>> helps creating only a single HBAC rule instead of multiple when only
>>>> time zone or UTC rules would apply. The time of a host is counted
>>>> using
>>>> the /etc/timezone information of the certain host. Testing of such
>>>> rule
>>>> requires the tester to specify a certain time zone the rule would be
>>>> tested against.
>>>> It's important to note that this type of policy may bring some
>>>> unexpected behavior as hosts move across the globe, or even in a
>>>> single
>>>> hostgroup, when there're hosts from multiple timezones, and
>>>> administrator should be very sure they want to use this.
>>>>
>>>> Time Zones
>>>> In this approach, the time is thought of as of a time at a certain
>>>> time
>>>> zone. This might be interesting when the time settings should
>>>> reflect a
>>>> certain time zone, eg. the host or the users connecting to it are
>>>> to be
>>>> found in that certain time zone. The time zone offset to count the
>>>> time
>>>> of access is taken from the Olson database. Therefore, even daylight
>>>> saving time is taken into account.
>>>>
>>>> UTC
>>>> Sometimes the rules should apply for a certain time that is the
>>>> same for
>>>> the whole globe throughout the year. That's why UTC should also be
>>>> supported.
>>>>
>>>> Time Policies Storage
>>>> The time policies should be stored with each the HBAC rule that
>>>> applies
>>>> such a policy. This extension is designed so that the LDAP schema does
>>>> not have to be changed.
>>>>
>>>> The time policies are stored in the accessTime attribute of the HBAC
>>>> rule object. The policy is a string in a form of tuple: (anchor,
>>>> time).
>>>> In this tuple, the anchor is one of "host", "utc" or Olson database
>>>> time
>>>> zone name, such as "Europe/Prague". The meaning of the anchor follows
>>>> the time scenarios from this design. The time part of the policy tuple
>>>> is the time range of the policy.
>>>
>>> It should be called "timezone", not "anchor". Anchor was something
>>> different (and I really regret calling it that, seeing how it got
>>> stuck).
>>>
>>> Is there any real benefit in storing time zone with each access
>>> time? I think it should be good enough to have one time zone per
>>> HBAC rule, which would also reduce complexity of the whole thing.
>>>
>> I was thinking "host", "utc" - these are not timezones. Maybe it
>> would be more accurate to call it an anchor or a handle.
> And you are wrong here.
> Olson database does have UTC as a timezone designator. I said previously
> that this field should have just a value of Olson database and that's
> fine. Simo was also talking about using an empty string to indicate 'use
> timezone of the server' and I think with this we'd get a simple logic:
>
> - if timezone value is empty (''), timezone of the target server is
> used, based
> on /etc/localtime value.
> - if timezone value is not empty, it designates a timezone from Olson
> database.
>
> No need to invent anything else here, in my opinion.
>
>
Oh, I see. No problem calling it a timezone, then, as such description is
accurate.
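The policy syntax from the proposal, Jan's split into include and exclude attribute values, and Alexander's timezone rule (empty string means the target host's own zone, anything else an Olson name), put together as an added example that parses and evaluates a rule; this is my code, not FreeIPA's or the proposal's. It assumes weekofmonth means the 1-based 7-day block of the month, accepts both names ("Jul") and numbers ("7") for days and months as the thread debates, and uses Python's zoneinfo for the Olson lookup.

```python
# Added example, not FreeIPA code: an evaluator for the HBAC time-policy
# syntax proposed in this thread.  Assumptions beyond the text: a rule holds
# include strings and exclude strings (Jan's accessTimeInclude/Exclude
# proposal); its timezone is an Olson name or "" for the evaluating host's
# local zone (Alexander's proposal); weekofmonth is the 1-based 7-day block
# of the month; days and months accept names ("Jul") as well as numbers.
import re
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Inclusive bounds per keyword; 2400 is accepted as "end of day" because
# the thread's own example uses timeofday="1600-2400".
BOUNDS = {"timeofday": (0, 2400), "dayofweek": (1, 7), "dayofmonth": (1, 31),
          "weekofmonth": (1, 5), "monthofyear": (1, 12), "year": (1, 9999)}
_PAIR = re.compile(r'(\w+)="([^"]*)"')


def _atom(keyword, text):
    """Map one token ("Mon", "July", "0800", "7") to an integer."""
    text = text.strip()
    if keyword == "dayofweek" and text[:3].title() in DAYS:
        return DAYS.index(text[:3].title()) + 1
    if keyword == "monthofyear" and text[:3].title() in MONTHS:
        return MONTHS.index(text[:3].title()) + 1
    if not text.isdigit():
        raise ValueError(f"bad {keyword} value {text!r}")
    return int(text)


def parse_policy(policy):
    """Parse 'kw="a-b, c" kw2="x"' into {keyword: set of allowed ints}.

    Operators: "=" assignment, "-" inclusive range, "," union.  Every
    keyword present must match (implicit AND, as in 389-ds bind rules).
    Unknown keywords, malformed ranges and out-of-bounds values raise
    ValueError, so this doubles as the submit-time syntax check.
    """
    pairs = _PAIR.findall(policy)
    if not pairs or _PAIR.sub("", policy).strip():
        raise ValueError(f"unparsable policy {policy!r}")
    parsed = {}
    for keyword, value in pairs:
        if keyword not in BOUNDS:
            raise ValueError(f"unknown keyword {keyword!r}")
        lo, hi = BOUNDS[keyword]
        allowed = set()
        for part in value.split(","):
            ends = part.split("-")
            if len(ends) > 2:
                raise ValueError(f"bad range {part.strip()!r}")
            first, last = _atom(keyword, ends[0]), _atom(keyword, ends[-1])
            if not lo <= first <= last <= hi:
                raise ValueError(f"{keyword} range {part.strip()!r} out of bounds")
            allowed.update(range(first, last + 1))
        parsed[keyword] = allowed
    return parsed


def validate_policy(policy):
    """None if the policy string is well-formed, else the error text."""
    try:
        parse_policy(policy)
    except ValueError as exc:
        return str(exc)
    return None


def _fields(moment):
    """Calendar fields of an aware datetime, keyed like the policy keywords."""
    return {"timeofday": moment.hour * 100 + moment.minute,
            "dayofweek": moment.isoweekday(), "dayofmonth": moment.day,
            "weekofmonth": (moment.day - 1) // 7 + 1,
            "monthofyear": moment.month, "year": moment.year}


def policy_matches(policy, moment):
    """True if every keyword in the policy string admits `moment`."""
    fields = _fields(moment)
    return all(fields[k] in ok for k, ok in parse_policy(policy).items())


def rule_timezone(name):
    """Empty name -> the evaluating host's local zone; else an Olson name."""
    return datetime.now().astimezone().tzinfo if name == "" else ZoneInfo(name)


def access_allowed(includes, excludes, timezone, when):
    """Evaluate one rule's time policies at the aware datetime `when`.

    Includes are ORed; any matching exclude denies.  `when` is converted
    to the rule's timezone first, so UTC input behaves as intended.
    """
    local = when.astimezone(rule_timezone(timezone))
    if any(policy_matches(p, local) for p in excludes):
        return False
    return any(policy_matches(p, local) for p in includes)


def at(year, month, day, hour, minute, zone="UTC"):
    """Aware datetime in an Olson zone (convenience for callers and checks)."""
    return datetime(year, month, day, hour, minute, tzinfo=ZoneInfo(zone))
```

With the thread's example rule (two include values, one exclude, timezone "Europe/Prague"), a Monday at 07:30 UTC is allowed because it is 09:30 in Prague, while the same rule with timezone "UTC" denies it.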
From tbordaz at redhat.com Thu Apr 16 11:00:30 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 16 Apr 2015 13:00:30 +0200 Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands Message-ID: <552F964E.2060304@redhat.com> Hello, Here is the next patch for User life cycle that introduces del/mod/find and show stageuser plugin commands. * 0000-User Life Cycle (create containers and scoping DS plugins): *pushed* * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: *pushed* * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed* * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed* * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under review *(this one)** * 0004-User-life-cycle-new-stageuser-commands-activate.patch * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch * 0006-User-life-cycle-user-del-supports-permanently-preser.patch * 0008-User-life-cycle-user-find-support-finding-delete-use.patch * 0009-User-life-cycle-support-of-user-undel.patch * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch Thanks thierry -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbordaz-0005-User-life-cycle-new-stageuser-commands-del-mod-find-.patch Type: text/x-patch Size: 22051 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Apr 16 11:34:52 2015 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 16 Apr 2015 13:34:52 +0200
Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration
In-Reply-To: <552E72E9.5000001@redhat.com>
References: <552E72E9.5000001@redhat.com>
Message-ID: <552F9E5C.2070704@redhat.com>

On 04/15/2015 04:17 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4981
>
> These patches keep usage of IPA server address as NTP server in NTP
> configuration on clients, in case that no NTP servers were specified by
> user, and no NTP servers were resolved from SRV records. This will
> ensure backward compatibility, as IPA does not configure NTP SRV records
> for each domain automatically.
>
> Patches attached.
>
> Martin^2
>
>
PATCH 224 NACK
PATCH 225 ACK

In patch 224 you keep the original destination (dest="ntp_server") for the --ntp-server option, but in patch 226 the code attempts to get the server names from options.ntpservers, resulting in:

Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 2932, in
    sys.exit(main())
  File "/sbin/ipa-client-install", line 2913, in main
    rval = install(options, env, fstore, statestore)
  File "/sbin/ipa-client-install", line 2342, in install
    if options.ntp_servers:
AttributeError: Values instance has no attribute 'ntp_servers'

So please fix this.

Naming the destination 'ntp_servers' (plural form) seems best because we now store multiple values.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Thu Apr 16 11:36:06 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 16 Apr 2015 13:36:06 +0200 Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization In-Reply-To: <552E734A.5090005@redhat.com> References: <552E734A.5090005@redhat.com> Message-ID: <552F9EA6.10806@redhat.com> On 04/15/2015 04:18 PM, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4983 > > Patch attached. > > > NACK until you fix PATCH 224. -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Apr 16 11:53:48 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 16 Apr 2015 13:53:48 +0200 Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration In-Reply-To: <552F9E5C.2070704@redhat.com> References: <552E72E9.5000001@redhat.com> <552F9E5C.2070704@redhat.com> Message-ID: <552FA2CC.1020002@redhat.com> On 04/16/2015 01:34 PM, Martin Babinsky wrote: > On 04/15/2015 04:17 PM, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/4981 >> >> These patches keep usage of IPA server address as NTP server in NTP >> configuration on clients, in case that no NTP servers were specified by >> user, and no NTP servers were resolved from SRV records. This will >> ensure backward compatibility, as IPA does not configure NTP SRV records >> for each domain automatically. >> >> Patches attached. >> >> Martin^2 >> >> > PATCH 224 NACK > PATCH 225 ACK > > Patch 224 you keep the original destination (dest="ntp_server") > for --ntp-server option, but in patch 226 the code attempts to get the > server names from options.ntpservers resulting in: > > Traceback (most recent call last): > File "/sbin/ipa-client-install", line 2932, in > sys.exit(main()) > File "/sbin/ipa-client-install", line 2913, in main > rval = install(options, env, fstore, statestore) > File "/sbin/ipa-client-install", line 2342, in install > if options.ntp_servers: > AttributeError: Values instance has no attribute 'ntp_servers' > > So please fix this. > > Naming the destination 'ntp_servers' (plural form) seems best because we > now store multiple values. > Also, if renaming "option.ntp_server" to "option.ntp_servers", do not forget to change also these lines in "ipa-client-install": 2852 if options.ntp_server: 2853 ntp_servers = options.ntp_server (line numbers after applying patches 224-226) -- Martin^3 Babinsky From pviktori at redhat.com Thu Apr 16 12:35:31 2015 
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 16 Apr 2015 14:35:31 +0200 Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes In-Reply-To: <552F5EF2.9060308@redhat.com> References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> Message-ID: <552FAC93.2060401@redhat.com> On 04/16/2015 09:04 AM, Jan Cholasta wrote: > Hi, > > On 10.4.2015 at 15:58 Petr Viktorin wrote: >> The attached patches remove EditableDN, EditableRDN and EditableAVA. >> They depend on Petr Voborník's patch 811 (performance: faster DN >> implementation). >> >> >> Mutable DNs are not very useful. When creating them it is easier to work >> with lists or generators, and needing to change DNs aside from >> operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say >> theoretical. >> Mutable DNs are not hashable, so they can't be used as dict keys. >> Storing them as "keys" in other structures (e.g. in a LDAPEntry) is >> dangerous -- it's hard to reason about outside modifications. >> >> The first patch removes the last use of EditableDN. I could be convinced >> it's not an improvement in elegance/readability, but I believe this is >> the strongest case for EditableDN in IPA, and it doesn't justify keeping >> it. > > LGTM, but patch 688 needs to be rebased. Here you go. -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0688.2-rename_managed-Remove-use-of-EditableDN.patch Type: text/x-patch Size: 4627 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0689.2-Remove-Editable-DN-and-DN-component-classes.patch Type: text/x-patch Size: 135634 bytes Desc: not available URL: From simo at redhat.com Thu Apr 16 13:06:33 2015
From: simo at redhat.com (Simo Sorce) Date: Thu, 16 Apr 2015 09:06:33 -0400 Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal In-Reply-To: <552F6D0F.2090309@seznam.cz> References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com> <552F6D0F.2090309@seznam.cz> Message-ID: <1429189593.31213.12.camel@willson.usersys.redhat.com> On Thu, 2015-04-16 at 10:04 +0200, Stanislav Láznička wrote: > >> Possible values of each keyword: > >> timeofday 0000-2359 > >> dayofweek Mon, Tue, Wed, Thu, Fri, Sat, Sun > >> dayofmonth 1-31 > >> weekofmonth 1-5 > >> monthofyear Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, > >> Nov, Dec > >> year a year > > > > IMO dayofweek and monthofyear should use number as well. Numbers > are > > easier to process. > > > On the other hand, names of days and months keep the rule more > readable, ... for English speakers ... > which I think might be better when checking for mistakes in those > rules. In most cases people will read these rules after they have been through a parser that can translate numbers in whatever locale names the user uses. Using numbers is preferable. Please let's not mix schema and presentation here. The LDAP schema should be tilted toward coding convenience first and readability second (with exceptions as always). Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Thu Apr 16 13:14:23 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Apr 2015 16:14:23 +0300 Subject: [Freeipa-devel] Time-Based Account Policies - Feature Proposal In-Reply-To: <1429189593.31213.12.camel@willson.usersys.redhat.com> References: <552E70AB.8090802@seznam.cz> <552F50FD.3080300@redhat.com> <552F6D0F.2090309@seznam.cz> <1429189593.31213.12.camel@willson.usersys.redhat.com> Message-ID: <20150416131423.GL4797@redhat.com> On Thu, 16 Apr 2015, Simo Sorce wrote: >On Thu, 2015-04-16 at 10:04 +0200, Stanislav Láznička wrote: >> >> Possible values of each keyword: >> >> timeofday 0000-2359 >> >> dayofweek Mon, Tue, Wed, Thu, Fri, Sat, Sun >> >> dayofmonth 1-31 >> >> weekofmonth 1-5 >> >> monthofyear Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, >> >> Nov, Dec >> >> year a year >> > >> > IMO dayofweek and monthofyear should use number as well. Numbers >> > are easier to process. >> > >> On the other hand, names of days and months keep the rule more >> readable, > >... for English speakers ... I agree. We can always provide readable interface in the UI or CLI but I don't think having names as LDAP values would be good. >> which I think might be better when checking for mistakes in those >> rules. > >In most cases people will read these rules after they have been through >a parser that can translate numbers in whatever locale names the user >uses. Using numbers is preferable. > >Please let's not mix schema and presentation here. The LDAP schema >should be tilted toward coding convenience first and readability second >(with exceptions as always). Yep. -- / Alexander Bokovoy From jcholast at redhat.com Thu Apr 16 14:46:38 2015
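The accessTime policy storage discussed earlier in this thread and the numeric keyword table above, as an added example that is not FreeIPA code: a parser for such a rule plus a check of an instant against it in the rule's zone. The keyword=values text form, the ISO day-of-week numbering, the week-of-month arithmetic and the `fixed_offset` helper are my assumptions; the time zone handling (empty string means the host zone, anything else an Olson database name) follows Alexander's proposal.

```python
"""Parse and evaluate a time-based HBAC rule in the numeric keyword form.

Added example, not FreeIPA code. Assumptions of mine: the rule text is
whitespace-separated keyword=values tokens (values: comma lists of N or N-M),
an absent keyword means "any", and the time zone follows the list discussion:
'' means the host zone from /etc/localtime, anything else is an Olson name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# keyword -> (lowest, highest) legal value; numbers only, as argued in the thread
KEYWORDS = {
    "timeofday": (0, 2359),   # HHMM in the rule's zone; a range may wrap past midnight
    "dayofweek": (1, 7),      # ISO numbering: 1 = Monday ... 7 = Sunday
    "dayofmonth": (1, 31),
    "weekofmonth": (1, 5),    # days 1-7 -> week 1, 8-14 -> week 2, ...
    "monthofyear": (1, 12),
    "year": (1970, 9999),
}
_RANGE = re.compile(r"(\d+)(?:-(\d+))?")


@dataclass
class TimeRule:
    timezone: str = ""        # '' = host local zone, else Olson database name
    constraints: dict[str, list[tuple[int, int]]] = field(default_factory=dict)


def parse_rule(text: str) -> TimeRule:
    """Parse e.g. 'timezone=Europe/Prague timeofday=0900-1700 dayofweek=1-5'."""
    rule = TimeRule()
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed token {token!r}")
        if key == "timezone":
            rule.timezone = value
            continue
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r}")
        lowest, highest = KEYWORDS[key]
        ranges: list[tuple[int, int]] = []
        for part in value.split(","):
            m = _RANGE.fullmatch(part)
            if not m:
                raise ValueError(f"bad value {part!r} for {key}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            for v in (lo, hi):
                if not lowest <= v <= highest or (key == "timeofday" and v % 100 > 59):
                    raise ValueError(f"{key} value {part!r} out of range")
            if lo > hi and key != "timeofday":   # only timeofday may wrap (2200-0600)
                raise ValueError(f"{key} range {part!r} is reversed")
            ranges.append((lo, hi))
        rule.constraints[key] = ranges
    return rule


def resolve_timezone(name: str) -> tzinfo:
    """'' -> host zone taken from /etc/localtime; otherwise an Olson database name."""
    if name == "":
        return datetime.now().astimezone().tzinfo
    return ZoneInfo(name)     # ZoneInfoNotFoundError if the name is not in the database


def fixed_offset(hours: int) -> tzinfo:
    """Fixed-offset zone for running the example where no tzdata is installed."""
    return timezone(timedelta(hours=hours))


def _in_range(value: int, lo: int, hi: int) -> bool:
    # lo > hi only happens for a timeofday range that wraps past midnight
    return lo <= value <= hi if lo <= hi else value >= lo or value <= hi


def rule_allows(rule: TimeRule, instant: datetime | str, tz: tzinfo | None = None) -> bool:
    """True if the aware instant (datetime or ISO 8601 text with offset) is inside the rule.
    tz overrides the rule's own zone; otherwise it is resolved from rule.timezone."""
    if isinstance(instant, str):
        instant = datetime.fromisoformat(instant)
    if instant.tzinfo is None:
        raise ValueError("naive timestamps are ambiguous; pass an offset")
    local = instant.astimezone(tz or resolve_timezone(rule.timezone))
    fields = {
        "timeofday": local.hour * 100 + local.minute,
        "dayofweek": local.isoweekday(),
        "dayofmonth": local.day,
        "weekofmonth": (local.day - 1) // 7 + 1,
        "monthofyear": local.month,
        "year": local.year,
    }
    return all(any(_in_range(fields[key], lo, hi) for lo, hi in ranges)
               for key, ranges in rule.constraints.items())


if __name__ == "__main__":
    office = parse_rule("timezone=Europe/Prague timeofday=0900-1700 dayofweek=1-5")
    try:
        zone = resolve_timezone(office.timezone)
    except ZoneInfoNotFoundError:          # no tzdata on this box: stand in with CEST
        zone = fixed_offset(2)
    # Thursday 2015-04-16 16:30 UTC is 18:30 in Prague: outside office hours
    print(rule_allows(office, "2015-04-16T16:30:00+00:00", tz=zone))
```

A rule is evaluated in its own zone, so the same UTC instant can be allowed by a UTC rule and refused by a Europe/Prague rule with identical keyword values.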
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 16 Apr 2015 16:46:38 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install Message-ID: <552FCB4E.4050402@redhat.com> Hi, the attached patch adds the basics of the new installer framework. As a next step, I plan to convert the install scripts to use the framework with their old code (the old code will be gradually ported to the framework later). (Note I didn't manage to write docstrings today, expect an update tomorrow.) Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-424-install-Introduce-installer-framework-ipapython.inst.patch Type: text/x-patch Size: 11771 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 16 15:14:08 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Apr 2015 17:14:08 +0200 Subject: [Freeipa-devel] [PATCHES 0231-0232] Server Upgrade: support base64 encoded values in update files + remove CSV Message-ID: <552FD1C0.2040104@redhat.com> https://fedorahosted.org/freeipa/ticket/4984 I had to remove CSV (which is evil) to be able to fix this ticket. Patches attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0231-Server-Upgrade-remove-CSV-from-upgrade-files.patch Type: text/x-patch Size: 129488 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0232-Server-Upgrade-Allow-base64-encoded-values.patch Type: text/x-patch Size: 6280 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 16 15:14:16 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Apr 2015 17:14:16 +0200 Subject: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater Message-ID: <552FD1C8.8030403@redhat.com> https://fedorahosted.org/freeipa/ticket/4904 Patch attached -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0230-Server-Upgrade-fix-a-comment-in-ldapupdater.patch Type: text/x-patch Size: 1011 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 16 15:14:19 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Apr 2015 17:14:19 +0200 Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration In-Reply-To: <552FA2CC.1020002@redhat.com> References: <552E72E9.5000001@redhat.com> <552F9E5C.2070704@redhat.com> <552FA2CC.1020002@redhat.com> Message-ID: <552FD1CB.3080005@redhat.com> On 16/04/15 13:53, Martin Babinsky wrote: > On 04/16/2015 01:34 PM, Martin Babinsky wrote: >> On 04/15/2015 04:17 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/4981 >>> >>> These patches keep usage of IPA server address as NTP server in NTP >>> configuration on clients, in case that no NTP servers were >>> specified by >>> user, and no NTP servers were resolved from SRV records. This will >>> ensure backward compatibility, as IPA does not configure NTP SRV >>> records >>> for each domain automatically. >>> >>> Patches attached. >>> >>> Martin^2 >>> >>> >> PATCH 224 NACK >> PATCH 225 ACK >> >> Patch 224 you keep the original destination (dest="ntp_server") >> for --ntp-server option, but in patch 226 the code attempts to get the >> server names from options.ntpservers resulting in: >> >> Traceback (most recent call last): >> File "/sbin/ipa-client-install", line 2932, in >> sys.exit(main()) >> File "/sbin/ipa-client-install", line 2913, in main >> rval = install(options, env, fstore, statestore) >> File "/sbin/ipa-client-install", line 2342, in install >> if options.ntp_servers: >> AttributeError: Values instance has no attribute 'ntp_servers' >> >> So please fix this. >> >> Naming the destination 'ntp_servers' (plural form) seems best because we >> now store multiple values. >> > Also, if renaming "option.ntp_server" to "option.ntp_servers", do not > forget to change also these lines in "ipa-client-install": > > 2852 if options.ntp_server: > 2853 ntp_servers = options.ntp_server > > (line numbers after applying patches 224-226) > Stupid me, thank you Updated patches attached. 
-- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0224.2-ipa-client-make-ntp-server-option-multivalued.patch Type: text/x-patch Size: 5198 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0225.2-ipa-client-use-NTP-servers-detected-from-SRV.patch Type: text/x-patch Size: 1875 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 16 15:14:25 2015 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Apr 2015 17:14:25 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <552E7527.9020306@redhat.com> References: <552E7527.9020306@redhat.com> Message-ID: <552FD1D1.2030206@redhat.com> On 15/04/15 16:26, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4904 > > Patches attached. > > Also the ipa-upgradeconfig part is called as a subprocess. This will be > removed after installer modifications. > > This patch may cause temporary upgrade issues (corner cases) until > the installer part is finished. > > If somebody is hit by them, please use --skip-version-check for > ipactl and ipa-server-upgrade. > > > Updated patches attached. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0227.2-Server-Upgrade-ipa-server-upgrade-command.patch Type: text/x-patch Size: 10170 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0228.2-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 12508 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229.2-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 16 15:14:29 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Apr 2015 17:14:29 +0200 Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization In-Reply-To: <552F9EA6.10806@redhat.com> References: <552E734A.5090005@redhat.com> <552F9EA6.10806@redhat.com> Message-ID: <552FD1D5.9060107@redhat.com> On 16/04/15 13:36, Martin Babinsky wrote: > On 04/15/2015 04:18 PM, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/4983 >> >> Patch attached. >> >> >> > > NACK until you fix PATCH 224. > Updated patch attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0226.2-ipa-client-use-NTP-servers-specified-by-user.patch Type: text/x-patch Size: 2575 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Apr 16 16:20:58 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 16 Apr 2015 18:20:58 +0200 Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration In-Reply-To: <552FD1CB.3080005@redhat.com> References: <552E72E9.5000001@redhat.com> <552F9E5C.2070704@redhat.com> <552FA2CC.1020002@redhat.com> <552FD1CB.3080005@redhat.com> Message-ID: <552FE16A.10008@redhat.com> On 04/16/2015 05:14 PM, Martin Basti wrote: > On 16/04/15 13:53, Martin Babinsky wrote: >> On 04/16/2015 01:34 PM, Martin Babinsky wrote: >>> On 04/15/2015 04:17 PM, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/4981 >>>> >>>> These patches keep usage of IPA server address as NTP server in NTP >>>> configuration on clients, in case that no NTP servers were >>>> specified by >>>> user, and no NTP servers were resolved from SRV records. This will >>>> ensure backward compatibility, as IPA does not configure NTP SRV >>>> records >>>> for each domain automatically. >>>> >>>> Patches attached. >>>> >>>> Martin^2 >>>> >>>> >>> PATCH 224 NACK >>> PATCH 225 ACK >>> >>> Patch 224 you keep the original destination (dest="ntp_server") >>> for --ntp-server option, but in patch 226 the code attempts to get the >>> server names from options.ntpservers resulting in: >>> >>> Traceback (most recent call last): >>> File "/sbin/ipa-client-install", line 2932, in >>> sys.exit(main()) >>> File "/sbin/ipa-client-install", line 2913, in main >>> rval = install(options, env, fstore, statestore) >>> File "/sbin/ipa-client-install", line 2342, in install >>> if options.ntp_servers: >>> AttributeError: Values instance has no attribute 'ntp_servers' >>> >>> So please fix this. >>> >>> Naming the destination 'ntp_servers' (plural form) seems best because we >>> now store multiple values. 
>>> >> Also, if renaming "option.ntp_server" to "option.ntp_servers", do not >> forget to change also these lines in "ipa-client-install": >> >> 2852 if options.ntp_server: >> 2853 ntp_servers = options.ntp_server >> >> (line numbers after applying patches 224-226) >> > Stupid me, thank you > > Updated patches attached. > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Apr 16 16:21:22 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 16 Apr 2015 18:21:22 +0200 Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization In-Reply-To: <552FD1D5.9060107@redhat.com> References: <552E734A.5090005@redhat.com> <552F9EA6.10806@redhat.com> <552FD1D5.9060107@redhat.com> Message-ID: <552FE182.9080409@redhat.com> On 04/16/2015 05:14 PM, Martin Basti wrote: > On 16/04/15 13:36, Martin Babinsky wrote: >> On 04/15/2015 04:18 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/4983 >>> >>> Patch attached. >>> >>> >>> >> >> NACK until you fix PATCH 224. >> > Updated patch attached. > ACK -- Martin^3 Babinsky From dkupka at redhat.com Fri Apr 17 05:26:55 2015 
From: dkupka at redhat.com (David Kupka) Date: Fri, 17 Apr 2015 07:26:55 +0200 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> Message-ID: <5530999F.9090807@redhat.com> On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > Hi everyone, > > Please review my Certificate Profiles design proposal: > http://www.freeipa.org/page/V4/Certificate_Profiles > > Let me know what is unclear, what needs expansion, and what is plain > wrong :) > > The schema for storing multiple certificates for a principal is > still being discussed but I expect it will be agreed soon, and I > will add it to the document. > > I am revising the sub-CAs design proposal and it will soon be > published for review as well. > > Cheers, > Fraser > Hi Fraser, I've read the design page and even though I know only a little about Dogtag it makes sense to me. Just a few notes: 3.4 Retrieve profile - There was XML format twice (probably copy-paste-forget to modify :-) I changed it, feel free to revert the change if it was intentional. 3.5 Delete profile - IMO the profile should be deleted when user requests that. If the profile must be disabled before deleted do it as a part of deletion. 3.6 Enable/disable profile - When user request enabling/disabling of already enabled/disabled profile there is no need to return an error. User wants it to be enabled/disabled and it is, job done. 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay consistent with rest of FreeIPA commands. -- David Kupka From ftweedal at redhat.com Fri Apr 17 07:45:41 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Apr 2015 17:45:41 +1000 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <5530999F.9090807@redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530999F.9090807@redhat.com> Message-ID: <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: > On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > >Hi everyone, > > > >Please review my Certificate Profiles design proposal: > >http://www.freeipa.org/page/V4/Certificate_Profiles > > > >Let me know what is unclear, what needs expansion, and what is plain > >wrong :) > > > >The schema for storing multiple certificates for a principal is > >still being discussed but I expect it will be agreed soon, and I > >will add it to the document. > > > >I am revising the sub-CAs design proposal and it will soon be > >published for review as well. > > > >Cheers, > >Fraser > > > Hi Fraser, > I've read the design page and even though I know only a little about Dogtag > it makes sense to me. > > Just a few notes: > > 3.4 Retrieve profile - There was XML format twice (probably > copy-paste-forget to modify :-) I changed it, feel free to revert the change > if it was intentional. > > 3.5 Delete profile - IMO the profile should be deleted when user requests > that. If the profile must be disabled before deleted do it as a part of > deletion. > > 3.6 Enable/disable profile - When user request enabling/disabling of already > enabled/disabled profile there is no need to return an error. User wants it > to be enabled/disabled and it is, job done. > > 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay > consistent with rest of FreeIPA commands. > David, thanks for your input. 'certprofile-import' was chosen after discussion with Honza, based on the fact the profile already exists (as a file) and is being imported into the system. Jan, do you still agree with '-import'? 
What do other people think? Cheers, Fraser From jcholast at redhat.com Fri Apr 17 08:03:45 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 17 Apr 2015 10:03:45 +0200 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530999F.9090807@redhat.com> <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> Message-ID: <5530BE61.5080207@redhat.com> On 17.4.2015 at 09:45 Fraser Tweedale wrote: > On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: >> On 04/16/2015 10:03 AM, Fraser Tweedale wrote: >>> Hi everyone, >>> >>> Please review my Certificate Profiles design proposal: >>> http://www.freeipa.org/page/V4/Certificate_Profiles >>> >>> Let me know what is unclear, what needs expansion, and what is plain >>> wrong :) >>> >>> The schema for storing multiple certificates for a principal is >>> still being discussed but I expect it will be agreed soon, and I >>> will add it to the document. >>> >>> I am revising the sub-CAs design proposal and it will soon be >>> published for review as well. >>> >>> Cheers, >>> Fraser >>> >> Hi Fraser, >> I've read the design page and even though I know only a little about Dogtag >> it makes sense to me. >> >> Just a few notes: >> >> 3.4 Retrieve profile - There was XML format twice (probably >> copy-paste-forget to modify :-) I changed it, feel free to revert the change >> if it was intentional. >> >> 3.5 Delete profile - IMO the profile should be deleted when user requests >> that. If the profile must be disabled before deleted do it as a part of >> deletion. >> >> 3.6 Enable/disable profile - When user request enabling/disabling of already >> enabled/disabled profile there is no need to return an error. User wants it >> to be enabled/disabled and it is, job done. Actually not, we raise AlreadyActive/AlreadyInactive in this case (see e.g. selinuxusermap-enable).
>> >> 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay >> consistent with rest of FreeIPA commands. >> > David, thanks for your input. 'certprofile-import' was chosen after > discussion with Honza, based on the fact the profile already exists > (as a file) and is being imported into the system. Jan, do you > still agree with '-import'? What do other people think? Yes, it should be -import. -add is reserved for the case when the properties of the profile are specified directly in command arguments, but in -import they are read from the supplied file. > > Cheers, > Fraser > -- Jan Cholasta From ftweedal at redhat.com Fri Apr 17 08:12:40 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Apr 2015 18:12:40 +1000 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <5530BE61.5080207@redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530999F.9090807@redhat.com> <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> <5530BE61.5080207@redhat.com> Message-ID: <20150417081240.GZ26212@dhcp-40-8.bne.redhat.com> On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote: > On 17.4.2015 at 09:45 Fraser Tweedale wrote: > >On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: > >>On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > >>>Hi everyone, > >>> > >>>Please review my Certificate Profiles design proposal: > >>>http://www.freeipa.org/page/V4/Certificate_Profiles > >>> > >>>Let me know what is unclear, what needs expansion, and what is plain > >>>wrong :) > >>> > >>>The schema for storing multiple certificates for a principal is > >>>still being discussed but I expect it will be agreed soon, and I > >>>will add it to the document. > >>> > >>>I am revising the sub-CAs design proposal and it will soon be > >>>published for review as well. > >>> > >>>Cheers, > >>>Fraser > >>> > >>Hi Fraser, > >>I've read the design page and even though I know only a little about Dogtag > >>it makes sense to me. > >> > >>Just a few notes: > >> > >>3.4 Retrieve profile - There was XML format twice (probably > >>copy-paste-forget to modify :-) I changed it, feel free to revert the change > >>if it was intentional. > >> > >>3.5 Delete profile - IMO the profile should be deleted when user requests > >>that. If the profile must be disabled before deleted do it as a part of > >>deletion. > >> > >>3.6 Enable/disable profile - When user request enabling/disabling of already > >>enabled/disabled profile there is no need to return an error. User wants it > >>to be enabled/disabled and it is, job done.
> > Actually not, we raise AlreadyActive/AlreadyInactive in this case (see e.g. > selinuxusermap-enable). > Good to know - I haven't learned about the SELinux bits yet and probably wouldn't have found this. > >> > >>5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay > >>consistent with rest of FreeIPA commands. > >> > >David, thanks for your input. 'certprofile-import' was chosen after > >discussion with Honza, based on the fact the profile already exists > >(as a file) and is being imported into the system. Jan, do you > >still agree with '-import'? What do other people think? > > Yes, it should be -import. -add is reserved for the case when the properties > of the profile are specified directly in command arguments, but in -import > they are read from the supplied file. > OK, -import it stays; thanks! > > > >Cheers, > >Fraser > > > > > -- > Jan Cholasta From pvoborni at redhat.com Fri Apr 17 08:58:59 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 17 Apr 2015 10:58:59 +0200 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <20150417081240.GZ26212@dhcp-40-8.bne.redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530999F.9090807@redhat.com> <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> <5530BE61.5080207@redhat.com> <20150417081240.GZ26212@dhcp-40-8.bne.redhat.com> Message-ID: <5530CB53.8070902@redhat.com> On 04/17/2015 10:12 AM, Fraser Tweedale wrote: > On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote: >> On 17.4.2015 at 09:45 Fraser Tweedale wrote: >>> On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote: >>>> On 04/16/2015 10:03 AM, Fraser Tweedale wrote: >>>>> Hi everyone, >>>>> >>>>> Please review my Certificate Profiles design proposal: >>>>> http://www.freeipa.org/page/V4/Certificate_Profiles >>>>> > >>>> >>>> 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay >>>> consistent with rest of FreeIPA commands. >>>> >>> David, thanks for your input. 'certprofile-import' was chosen after >>> discussion with Honza, based on the fact the profile already exists >>> (as a file) and is being imported into the system. Jan, do you >>> still agree with '-import'? What do other people think? >> >> Yes, it should be -import. -add is reserved for the case when the properties >> of the profile are specified directly in command arguments, but in -import >> they are read from the supplied file. >> > OK, -import it stays; thanks! > Wrt terminology. You might be interested in this PatternFly effort: https://www.redhat.com/archives/patternfly/2015-March/msg00005.html Interesting part related to topic is: Add: Add an existing item to an existing list, group, view, or other container element Create: Create something new Import is mentioned later in the thread. What does it mean for us? There is an effort to unify terminology among various applications.
Some terminology is different from the one in IPA. We should be aware of that and probably take some steps to standardize it in the future. E.g. we could start with the Web UI. Changing the API is a bit more difficult and I'm not sure if it's even the right thing to do. -- Petr Vobornik From jcholast at redhat.com Fri Apr 17 09:02:35 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 17 Apr 2015 11:02:35 +0200
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <5530CB53.8070902@redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530999F.9090807@redhat.com> <20150417074541.GY26212@dhcp-40-8.bne.redhat.com> <5530BE61.5080207@redhat.com> <20150417081240.GZ26212@dhcp-40-8.bne.redhat.com> <5530CB53.8070902@redhat.com>
Message-ID: <5530CC2B.8090805@redhat.com>

On 17.4.2015 at 10:58, Petr Vobornik wrote:
> On 04/17/2015 10:12 AM, Fraser Tweedale wrote:
>> On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote:
>>> On 17.4.2015 at 09:45, Fraser Tweedale wrote:
>>>> On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote:
>>>>> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
>>>>>> Hi everyone,
>>>>>>
>>>>>> Please review my Certificate Profiles design proposal:
>>>>>> http://www.freeipa.org/page/V4/Certificate_Profiles
>>>>>>
>>
>>>>>
>>>>> 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to
>>>>> stay
>>>>> consistent with the rest of FreeIPA commands.
>>>>>
>>>> David, thanks for your input. 'certprofile-import' was chosen after
>>>> discussion with Honza, based on the fact the profile already exists
>>>> (as a file) and is being imported into the system. Jan, do you
>>>> still agree with '-import'? What do other people think?
>>>
>>> Yes, it should be -import. -add is reserved for the case when the
>>> properties
>>> of the profile are specified directly in command arguments, but in
>>> -import
>>> they are read from the supplied file.
>>>
>> OK, -import it stays; thanks!
>>
>
> Wrt terminology. You might be interested in this PatternFly effort:
>
> https://www.redhat.com/archives/patternfly/2015-March/msg00005.html
>
> The interesting part related to the topic is:
>
> Add: Add an existing item to an existing list, group, view, or other
> container element
>
> Create: Create something new
>
> Import is mentioned later in the thread.
>
> What does it mean for us? There is an effort to unify terminology among
> various applications. Some terminology is different from the one in IPA.
> We should be aware of that and probably take some steps to standardize
> it in the future. E.g. we could start with the Web UI. Changing the API is a bit
> more difficult and I'm not sure if it's even the right thing to do.

It definitely is not the right thing to do. PatternFly has nothing to do with the API.

--
Jan Cholasta

From mbasti at redhat.com Fri Apr 17 10:04:35 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Apr 2015 12:04:35 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <552E6D58.4090901@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com>
Message-ID: <5530DAB3.6040208@redhat.com>

On 15/04/15 15:53, Martin Babinsky wrote:
> On 04/14/2015 04:24 PM, Martin Basti wrote:
>> On 14/04/15 16:12, Martin Basti wrote:
>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>
>>>> The noise during rollback/uninstall is caused mainly by unsuccessful
>>>> attempts to remove files that do not exist anymore. These errors are
>>>> now logged at debug level and do not pop up to stdout/stderr.
>>>>
>>>>
>>>>
>>> Hello, thank you for the patch.
>>>
>>> 1)
>>> The option add_warning is quite unclear to me. It does not show a
>>> warning but an error. I suggest something like show_hint,
>>> show_user_action, or something show_additional_..., or
>>> promt_manual_removal
>>>
>>> Martin^2
>>>
>>>
>> Continue...
>>
>> 2)
>>
>>     if file_exists(preferences_fname):
>>         try:
>>             os.remove(preferences_fname)
>>         except OSError as e:
>>             log_file_removal_error(e, preferences_fname, True)
>>
>> In this case a file-not-found error should never happen.
>>
>> Could you remove the 'if file_exists' part and handle just the exception?
>>
> I just reverted this bit to original form in order to not fix
> something that isn't broken. Is that ok?
>> 3)
>> this is inconsistent with the change above, choose one style please:
>>
>>     if os.path.exists(ca_file):
>>         try:
>>             os.unlink(ca_file)
>>         except OSError, e:
>>             root_logger.error(
>>                 "Failed to remove '%s': %s", ca_file, e)
>>
>> --
>> Martin Basti
>>
>
> Attaching updated patch.
>
Thanks, just one nitpick: can you move the new function into installutils? It can be used in different scripts, not just in ipaclient.

--
Martin Basti

From mbabinsk at redhat.com Fri Apr 17 10:33:04 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Apr 2015 12:33:04 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <5530DAB3.6040208@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com>
Message-ID: <5530E160.9090201@redhat.com>

On 04/17/2015 12:04 PM, Martin Basti wrote:
> On 15/04/15 15:53, Martin Babinsky wrote:
>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>> On 14/04/15 16:12, Martin Basti wrote:
>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>>
>>>>> The noise during rollback/uninstall is caused mainly by unsuccessful
>>>>> attempts to remove files that do not exist anymore. These errors are
>>>>> now logged at debug level and do not pop up to stdout/stderr.
>>>>>
>>>>>
>>>>>
>>>> Hello, thank you for the patch.
>>>>
>>>> 1)
>>>> The option add_warning is quite unclear to me. It does not show a
>>>> warning but an error. I suggest something like show_hint,
>>>> show_user_action, or something show_additional_..., or
>>>> promt_manual_removal
>>>>
>>>> Martin^2
>>>>
>>>>
>>> Continue...
>>>
>>> 2)
>>>
>>>     if file_exists(preferences_fname):
>>>         try:
>>>             os.remove(preferences_fname)
>>>         except OSError as e:
>>>             log_file_removal_error(e, preferences_fname, True)
>>>
>>> In this case a file-not-found error should never happen.
>>>
>>> Could you remove the 'if file_exists' part and handle just the exception?
>>>
>> I just reverted this bit to original form in order to not fix
>> something that isn't broken. Is that ok?
>>> 3)
>>> this is inconsistent with the change above, choose one style please:
>>>
>>>     if os.path.exists(ca_file):
>>>         try:
>>>             os.unlink(ca_file)
>>>         except OSError, e:
>>>             root_logger.error(
>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>
>>> --
>>> Martin Basti
>>>
>>
>> Attaching updated patch.
>>
> Thanks,
>
> just one nitpick: can you move the new function into installutils? It
> can be used in different scripts, not just in ipaclient.
>
I'm not sure if it is a good idea as installutils is a part of the freeipa-server package.

Placing it there would create an unnecessary dependency of freeipa-client on freeipa-server because of a single function.

--
Martin^3 Babinsky

From mbasti at redhat.com Fri Apr 17 10:36:56 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Apr 2015 12:36:56 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <5530E160.9090201@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com>
Message-ID: <5530E248.6000200@redhat.com>

On 17/04/15 12:33, Martin Babinsky wrote:
> On 04/17/2015 12:04 PM, Martin Basti wrote:
>> On 15/04/15 15:53, Martin Babinsky wrote:
>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>>>
>>>>>> The noise during rollback/uninstall is caused mainly by unsuccessful
>>>>>> attempts to remove files that do not exist anymore. These errors are
>>>>>> now logged at debug level and do not pop up to stdout/stderr.
>>>>>>
>>>>>>
>>>>>>
>>>>> Hello, thank you for the patch.
>>>>>
>>>>> 1)
>>>>> The option add_warning is quite unclear to me. It does not show a
>>>>> warning but an error. I suggest something like show_hint,
>>>>> show_user_action, or something show_additional_..., or
>>>>> promt_manual_removal
>>>>>
>>>>> Martin^2
>>>>>
>>>>>
>>>> Continue...
>>>>
>>>> 2)
>>>>
>>>>     if file_exists(preferences_fname):
>>>>         try:
>>>>             os.remove(preferences_fname)
>>>>         except OSError as e:
>>>>             log_file_removal_error(e, preferences_fname,
>>>>                                    True)
>>>>
>>>> In this case a file-not-found error should never happen.
>>>>
>>>> Could you remove the 'if file_exists' part and handle just the exception?
>>>>
>>> I just reverted this bit to original form in order to not fix
>>> something that isn't broken. Is that ok?
>>>> 3)
>>>> this is inconsistent with the change above, choose one style please:
>>>>
>>>>     if os.path.exists(ca_file):
>>>>         try:
>>>>             os.unlink(ca_file)
>>>>         except OSError, e:
>>>>             root_logger.error(
>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>>
>>> Attaching updated patch.
>>>
>> Thanks,
>>
>> just one nitpick: can you move the new function into installutils? It
>> can be used in different scripts, not just in ipaclient.
>>
>
> I'm not sure if it is a good idea as installutils is a part of the
> freeipa-server package.
>
> Placing it there would create an unnecessary dependency of
> freeipa-client on freeipa-server because of a single function.
>
You are right, I do not know why I thought that ipa-client-install uses installutils.

ACK

--
Martin Basti

From mbabinsk at redhat.com Fri Apr 17 10:41:11 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Apr 2015 12:41:11 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <5530E248.6000200@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com>
Message-ID: <5530E347.8080709@redhat.com>

On 04/17/2015 12:36 PM, Martin Basti wrote:
> On 17/04/15 12:33, Martin Babinsky wrote:
>> On 04/17/2015 12:04 PM, Martin Basti wrote:
>>> On 15/04/15 15:53, Martin Babinsky wrote:
>>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>>>>
>>>>>>> The noise during rollback/uninstall is caused mainly by unsuccessful
>>>>>>> attempts to remove files that do not exist anymore. These errors are
>>>>>>> now logged at debug level and do not pop up to stdout/stderr.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello, thank you for the patch.
>>>>>>
>>>>>> 1)
>>>>>> The option add_warning is quite unclear to me. It does not show a
>>>>>> warning but an error. I suggest something like show_hint,
>>>>>> show_user_action, or something show_additional_..., or
>>>>>> promt_manual_removal
>>>>>>
>>>>>> Martin^2
>>>>>>
>>>>>>
>>>>> Continue...
>>>>>
>>>>> 2)
>>>>>
>>>>>     if file_exists(preferences_fname):
>>>>>         try:
>>>>>             os.remove(preferences_fname)
>>>>>         except OSError as e:
>>>>>             log_file_removal_error(e, preferences_fname,
>>>>>                                    True)
>>>>>
>>>>> In this case a file-not-found error should never happen.
>>>>>
>>>>> Could you remove the 'if file_exists' part and handle just the exception?
>>>>>
>>>> I just reverted this bit to original form in order to not fix
>>>> something that isn't broken. Is that ok?
>>>>> 3)
>>>>> this is inconsistent with the change above, choose one style please:
>>>>>
>>>>>     if os.path.exists(ca_file):
>>>>>         try:
>>>>>             os.unlink(ca_file)
>>>>>         except OSError, e:
>>>>>             root_logger.error(
>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>>>>
>>>> Attaching updated patch.
>>>>
>>> Thanks,
>>>
>>> just one nitpick: can you move the new function into installutils? It
>>> can be used in different scripts, not just in ipaclient.
>>>
>>
>> I'm not sure if it is a good idea as installutils is a part of the
>> freeipa-server package.
>>
>> Placing it there would create an unnecessary dependency of
>> freeipa-client on freeipa-server because of a single function.
>>
> You are right, I do not know why I thought that ipa-client-install uses
> installutils.
>
> ACK
>
self-NACK, I will try to rewrite the patch in a slightly less dumb way.

Sorry for the confusion.

--
Martin^3 Babinsky

From npmccallum at redhat.com Fri Apr 17 11:58:06 2015
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Fri, 17 Apr 2015 07:58:06 -0400
Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so
In-Reply-To: <552F60E2.9050902@redhat.com>
References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com> <55267065.4090900@redhat.com> <55267A8F.3030203@redhat.com> <552F60E2.9050902@redhat.com>
Message-ID: <1429271886.3164.5.camel@redhat.com>

On Thu, 2015-04-16 at 09:12 +0200, Jan Cholasta wrote:
> On 9.4.2015 at 15:11, Luc de Louw wrote:
> >
> > On 04/09/2015 02:28 PM, Jan Cholasta wrote:
> > > > > > Let's say you now introduce --no-cr flag. What if we
> > > > > > decide to change
> > > > > > the default to False? How would you then change the
> > > > > > option/API?
> > > > >
> > > > > You would have to add --cr flag.
> > > >
> > > > That was the point - some clients would send "cr" flag, some
> > > > "no_cr"
> > > > and there
> > > > would have to be special handling.
> > > > >
> > > > > > It is more flexible IMO to just use something like
> > > > > >
> > > > > > --cr=TRUE|FALSE with TRUE being the default
> > > > >
> > > > > I would say --append-cr=TRUE|FALSE with no default, meaning
> > > > > do not
> > > > > add the flag
> > > > > to the config at all.
> > > >
> > > > I thought the idea was to append the CR by default, i.e.
> > > > --append-cr=TRUE|FALSE
> > > > with TRUE being the default.
> > > >
> > >
> > > If you want to hardcode the default into the plugin, there is no
> > > benefit
> > > in using Bool over Flag, because Flag is actually a Bool with
> > > hardcoded
> > > default value.
> > >
> > >
> > I actually started with a bool, default=True. I had the problem
> > that the
> > Default value was ignored, the value was None.
> >
> > Changing the default behavior is IMHO bad anyway; it does not matter
> > if Bool
> > or Flag.
>
> +1
>
> >
> > Please advise what it is you wish to be implemented :-)
>
> That depends. Is there a difference between "do not set APPEND_CR
> ticket
> flag" and "set APPEND_CR ticket flag to false"?

For YubiKey hardware the flag is either present (true) or absent (false). This flag controls whether the carriage return is sent (present) or not (absent).

Nathaniel

From mkosek at redhat.com Fri Apr 17 12:08:29 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 17 Apr 2015 14:08:29 +0200
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com>
Message-ID: <5530F7BD.2070609@redhat.com>

On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> Hi everyone,
>
> Please review my Certificate Profiles design proposal:
> http://www.freeipa.org/page/V4/Certificate_Profiles
>
> Let me know what is unclear, what needs expansion, and what is plain
> wrong :)
>
> The schema for storing multiple certificates for a principal is
> still being discussed but I expect it will be agreed soon, and I
> will add it to the document.
>
> I am revising the sub-CAs design proposal and it will soon be
> published for review as well.

1) Where did you get this feature template? It is the one that is obsolete (header levels, document structure, missing author in the box)... This is the right template:
http://www.freeipa.org/page/Feature_template

2) I miss a certprofile-find command - to enable the Web UI and/or CLI to search through existing profiles.

3) Permissions
So your plan is to allow different groups to use different profiles? So there would be for example profiles allowed to all users (something like userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with authorization? Will it be on the FreeIPA framework level or for example by DS ACIs that would simply not show the profiles?

4) Searching for certificates by profile - FEEDBACK REQUIRED
It would be nice to incorporate this filter into the current cert-find command.

5) Default set of profiles
Should we also propose a basic set of canned profiles so that I can picture what the possibilities will be?

Would it be something like
* Server profile
* Client profile

6) Upgrades
It may happen that FreeIPA needs to upgrade defaults of a canned profile. It would be nice to have a section on how it would do it.

This is all I could think of so far.

From mbabinsk at redhat.com Fri Apr 17 12:11:24 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Apr 2015 14:11:24 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <5530E347.8080709@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com>
Message-ID: <5530F86C.6000707@redhat.com>

On 04/17/2015 12:41 PM, Martin Babinsky wrote:
> On 04/17/2015 12:36 PM, Martin Basti wrote:
>> On 17/04/15 12:33, Martin Babinsky wrote:
>>> On 04/17/2015 12:04 PM, Martin Basti wrote:
>>>> On 15/04/15 15:53, Martin Babinsky wrote:
>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>>>>>
>>>>>>>> The noise during rollback/uninstall is caused mainly by
>>>>>>>> unsuccessful
>>>>>>>> attempts to remove files that do not exist anymore. These errors
>>>>>>>> are
>>>>>>>> now logged at debug level and do not pop up to stdout/stderr.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Hello, thank you for the patch.
>>>>>>>
>>>>>>> 1)
>>>>>>> The option add_warning is quite unclear to me. It does not show a
>>>>>>> warning but an error. I suggest something like show_hint,
>>>>>>> show_user_action, or something show_additional_..., or
>>>>>>> promt_manual_removal
>>>>>>>
>>>>>>> Martin^2
>>>>>>>
>>>>>>>
>>>>>> Continue...
>>>>>>
>>>>>> 2)
>>>>>>
>>>>>>     if file_exists(preferences_fname):
>>>>>>         try:
>>>>>>             os.remove(preferences_fname)
>>>>>>         except OSError as e:
>>>>>>             log_file_removal_error(e, preferences_fname,
>>>>>>                                    True)
>>>>>>
>>>>>> In this case a file-not-found error should never happen.
>>>>>>
>>>>>> Could you remove the 'if file_exists' part and handle just the exception?
>>>>>>
>>>>> I just reverted this bit to original form in order to not fix
>>>>> something that isn't broken. Is that ok?
>>>>>> 3)
>>>>>> this is inconsistent with the change above, choose one style please:
>>>>>>
>>>>>>     if os.path.exists(ca_file):
>>>>>>         try:
>>>>>>             os.unlink(ca_file)
>>>>>>         except OSError, e:
>>>>>>             root_logger.error(
>>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>>
>>>>>> --
>>>>>> Martin Basti
>>>>>>
>>>>>
>>>>> Attaching updated patch.
>>>>>
>>>> Thanks,
>>>>
>>>> just one nitpick: can you move the new function into installutils? It
>>>> can be used in different scripts, not just in ipaclient.
>>>>
>>>
>>> I'm not sure if it is a good idea as installutils is a part of the
>>> freeipa-server package.
>>>
>>> Placing it there would create an unnecessary dependency of
>>> freeipa-client on freeipa-server because of a single function.
>>>
>> You are right, I do not know why I thought that ipa-client-install uses
>> installutils.
>>
>> ACK
>>
> self-NACK, I will try to rewrite the patch in a slightly less dumb way.
>
> Sorry for the confusion.
>
Attaching updated patch which does the same but using a wrapper around os.remove().

Jan suggested to keep the new function in 'ipa-client-install' and move it around when we do installer re#$%@^ing.

Is that ok?

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0029.3-suppress-errors-arising-from-deleting-non-existent-f.patch
Type: text/x-patch
Size: 3650 bytes

From mkubik at redhat.com Fri Apr 17 12:21:16 2015
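The thread above argues about two styles of file removal: checking os.path.exists() first versus calling os.remove() and handling the OSError. Below is an added stand-alone illustration of the second style (the wrapper the updated patch is described as using); it is example code written for this archive, not the function from the attached patch, and it uses the standard logging module in place of FreeIPA's root_logger. Checking existence first does not help anyway: a file can disappear between the check and the unlink, so ENOENT must be handled where it actually surfaces.

```python
import errno
import logging
import os
import tempfile

log = logging.getLogger(__name__)


def remove_file(path, manual_removal_hint=False):
    """Remove ``path`` without a preceding existence check (EAFP).

    Returns one of:
      "removed"  - the file was unlinked
      "missing"  - nothing to do; logged at debug level only, so it does
                   not show up on stdout/stderr during rollback/uninstall
      "failed"   - any other OSError (EACCES, EISDIR, ...); logged as error
    ``manual_removal_hint`` mirrors the reviewers' "show_hint" /
    "prompt_manual_removal" idea: tell the operator what to clean up by hand.
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            # Already gone: harmless, and exactly the noise ticket 4966 is about.
            log.debug("File '%s' does not exist, nothing to remove", path)
            return "missing"
        log.error("Failed to remove '%s': %s", path, e)
        if manual_removal_hint:
            log.error("Please remove '%s' manually", path)
        return "failed"
    return "removed"


def demo():
    """Exercise all three outcomes on a constructed temporary directory."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "preferences.js")  # constructed sample file
    with open(path, "w") as f:
        f.write("// sample content\n")
    results = [
        remove_file(path),          # first attempt: the file exists -> "removed"
        remove_file(path),          # second attempt: ENOENT -> "missing"
        remove_file(tmpdir, True),  # os.remove() on a directory -> "failed"
    ]
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
```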
From: mkubik at redhat.com (Milan Kubik)
Date: Fri, 17 Apr 2015 14:21:16 +0200
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com>
Message-ID: <5530FABC.9070302@redhat.com>

On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> Hi everyone,
>
> Please review my Certificate Profiles design proposal:
> http://www.freeipa.org/page/V4/Certificate_Profiles
>
> Let me know what is unclear, what needs expansion, and what is plain
> wrong :)
>
> The schema for storing multiple certificates for a principal is
> still being discussed but I expect it will be agreed soon, and I
> will add it to the document.
>
> I am revising the sub-CAs design proposal and it will soon be
> published for review as well.
>
> Cheers,
> Fraser
>
Hello Fraser,

I will reiterate one of my concerns from our private mails here for the wider audience :)

I'd really like to have a way to list the profiles managed by IPA other than using the dogtag REST API directly. A simple wrapper around the api call for /ca/rest/profiles[/$id[/raw]] endpoints returning a list of IDs [and dumping the profile to file] for the sake of consistency, since other endpoints are wrapped by ipa commands, would be sufficient for me.

This can also be used to query the information (at least the list of IDs) when used in the web UI.

I don't know how exactly dogtag is wired into IPA (I've seen that there is a separate suffix on the DS instance) and I don't really need to duplicate any data into the defaultNamingContext and its subtree.

Cheers,
Milan

From mbabinsk at redhat.com Fri Apr 17 13:56:01 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Apr 2015 15:56:01 +0200
Subject: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
In-Reply-To: <54F847EF.2080608@redhat.com>
References: <54F847EF.2080608@redhat.com>
Message-ID: <553110F1.2030008@redhat.com>

On 03/05/2015 01:11 PM, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/4900
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
Nobody to review this?

--
Martin^3 Babinsky

From jcholast at redhat.com Fri Apr 17 14:15:27 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 17 Apr 2015 16:15:27 +0200
Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install
In-Reply-To: <552FCB4E.4050402@redhat.com>
References: <552FCB4E.4050402@redhat.com>
Message-ID: <5531157F.80106@redhat.com>

On 16.4.2015 at 16:46, Jan Cholasta wrote:
> Hi,
>
> the attached patch adds the basics of the new installer framework.
>
> As a next step, I plan to convert the install scripts to use the
> framework with their old code (the old code will be gradually ported to
> the framework later).
>
> (Note I didn't manage to write docstrings today, expect update tomorrow.)

Added some docstrings. Also updated the patch to reflect a little brainstorming David and I had this morning.

>
> Honza

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-424.1-install-Introduce-installer-framework-ipapython.inst.patch
Type: text/x-patch
Size: 13696 bytes

From pvoborni at redhat.com Fri Apr 17 14:31:56 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Apr 2015 16:31:56 +0200
Subject: [Freeipa-devel] [PATCH] 819-820 jQuery.ordered_map: faster creation
Message-ID: <5531195C.4020105@redhat.com>

Improve performance of the Web UI with very large user groups or any other usage which adds a lot of values into jQuery.ordered_map.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0820-jQuery.ordered_map-remove-map-attribute.patch
Type: text/x-patch
Size: 4124 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0819-jQuery.ordered_map-faster-creation.patch
Type: text/x-patch
Size: 2484 bytes

From tbordaz at redhat.com Fri Apr 17 15:16:03 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 17 Apr 2015 17:16:03 +0200
Subject: [Freeipa-devel] User life cycle: How to update 60basev3.ldif
Message-ID: <553123B3.7040504@redhat.com>

Hello,

User life cycle uses a new DS aci right: moddn. This right comes with two new target keywords (target_to and target_from).

permission plugins should support those new target keywords and so those attributes need to be defined in the schema 60basev3.ldif.

When adding new attributes in that schema, I should pick new OIDs. Is it ok to pick the next ones available in ds-oids/08-FreeIPA.txt (rhanana) and what is the review process for changes in 08-FreeIPA.txt ?

thanks
thierry

From pvoborni at redhat.com Fri Apr 17 15:58:06 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Apr 2015 17:58:06 +0200
Subject: [Freeipa-devel] [PATCH] 821 webui: add pwpolicy link to group details page if group has associated pwpolicy
Message-ID: <55312D8E.8020400@redhat.com>

https://fedorahosted.org/freeipa/ticket/4982

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0821-webui-add-pwpolicy-link-to-group-details-page-if-gro.patch
Type: text/x-patch
Size: 2804 bytes

From simo at redhat.com Fri Apr 17 18:56:28 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 17 Apr 2015 14:56:28 -0400
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <5530F7BD.2070609@redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530F7BD.2070609@redhat.com>
Message-ID: <1429296988.15907.33.camel@willson.usersys.redhat.com>

On Fri, 2015-04-17 at 14:08 +0200, Martin Kosek wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> > Hi everyone,
> >
> > Please review my Certificate Profiles design proposal:
> > http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> > Let me know what is unclear, what needs expansion, and what is plain
> > wrong :)
> >
> > The schema for storing multiple certificates for a principal is
> > still being discussed but I expect it will be agreed soon, and I
> > will add it to the document.
> >
> > I am revising the sub-CAs design proposal and it will soon be
> > published for review as well.
>
> 1) Where did you get this feature template? It is the one that is obsolete
> (header levels, document structure, missing author in the box)... This is the
> right template:
> http://www.freeipa.org/page/Feature_template
>
> 2) I miss a certprofile-find command - to enable the Web UI and/or CLI to search
> through existing profiles.
>
> 3) Permissions
> So your plan is to allow different groups to use different profiles? So there
> would be for example profiles allowed to all users (something like
> userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with
> authorization? Will it be on the FreeIPA framework level or for example by DS ACIs
> that would simply not show the profiles?

Keep in mind our design philosophy from the start was: the framework only has the privileges of the user accessing it and makes no ACI decisions.

We broke that abstraction with the RA agent stuff, but I plan on fixing it some day by taking it away from the framework again, so I would not be favorable to seeing more access control implemented in the framework unless there is no other sane way.

Simo.

> 4) Searching for certificates by profile - FEEDBACK REQUIRED
> It would be nice to incorporate this filter into the current cert-find command.
>
> 5) Default set of profiles
> Should we also propose a basic set of canned profiles so that I can picture
> what the possibilities will be?
>
> Would it be something like
> * Server profile
> * Client profile
>
> 6) Upgrades
> It may happen that FreeIPA needs to upgrade defaults of a canned profile. It
> would be nice to have a section on how it would do it.
>
> This is all I could think of so far.
>

--
Simo Sorce * Red Hat, Inc * New York

From ftweedal at redhat.com Sat Apr 18 07:39:26 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 18 Apr 2015 17:39:26 +1000
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <1429296988.15907.33.camel@willson.usersys.redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530F7BD.2070609@redhat.com> <1429296988.15907.33.camel@willson.usersys.redhat.com>
Message-ID: <20150418073921.GC26212@dhcp-40-8.bne.redhat.com>

On Fri, Apr 17, 2015 at 02:56:28PM -0400, Simo Sorce wrote:
> On Fri, 2015-04-17 at 14:08 +0200, Martin Kosek wrote:
> > On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> > > Hi everyone,
> > >
> > > Please review my Certificate Profiles design proposal:
> > > http://www.freeipa.org/page/V4/Certificate_Profiles
> > >
> > > Let me know what is unclear, what needs expansion, and what is plain
> > > wrong :)
> > >
> > > The schema for storing multiple certificates for a principal is
> > > still being discussed but I expect it will be agreed soon, and I
> > > will add it to the document.
> > >
> > > I am revising the sub-CAs design proposal and it will soon be
> > > published for review as well.
> >
> > 1) Where did you get this feature template? It is the one that is obsolete
> > (header levels, document structure, missing author in the box)... This is the
> > right template:
> > http://www.freeipa.org/page/Feature_template
> >
> > 2) I miss a certprofile-find command - to enable the Web UI and/or CLI to search
> > through existing profiles.
> >
> > 3) Permissions
> > So your plan is to allow different groups to use different profiles? So there
> > would be for example profiles allowed to all users (something like
> > userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with
> > authorization? Will it be on the FreeIPA framework level or for example by DS ACIs
> > that would simply not show the profiles?
>
> Keep in mind our design philosophy from the start was: the framework
> only has the privileges of the user accessing it and makes no ACI
> decisions.
>
> We broke that abstraction with the RA agent stuff, but I plan on fixing
> it some day by taking it away from the framework again, so I would not
> be favorable to seeing more access control implemented in the framework
> unless there is no other sane way.
>
> Simo.
>
In regards to permissions, the plan is to have ACLs for declaring which principals/groups can use which profiles on which (sub-)CA. The `caacl' CLI commands[1] follow the form of hbacrule (although with a unified `caacl-add-member' that handles different principal types, rather than separate commands; similarly for removal). This approach came from discussions with Honza.

[1] http://www.freeipa.org/page/V4/Sub-CAs#ipa_caacl-add_.3Cshortname.3E_.3Cacl.3E

(These are in the sub-CAs design to kill two birds with one stone; target CA and profile are two dimensions of the rule.)

So... under the current design these access decisions would be made by the IPA framework.

There is another approach I can think of: an "ipa-auth" plugin for Dogtag that is used by *all* IPA cert profiles. The ACL rules themselves, the commands and the schema do not change at all, but somehow the principal's credential is conveyed by IPA to Dogtag, and Dogtag uses it to look back into the IPA directory and make the authorization decision. This is probably more work than there is time for, but it would be possible to move to it later.

Can anyone think of other sane ways?

Regards,
Fraser

> > 4) Searching for certificates by profile - FEEDBACK REQUIRED
> > It would be nice to incorporate this filter into the current cert-find command.
> >
> > 5) Default set of profiles
> > Should we also propose a basic set of canned profiles so that I can picture
> > what the possibilities will be?
> >
> > Would it be something like
> > * Server profile
> > * Client profile
> >
> > 6) Upgrades
> > It may happen that FreeIPA needs to upgrade defaults of a canned profile. It
> > would be nice to have a section on how it would do it.
> >
> > This is all I could think of so far.
> >
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From ftweedal at redhat.com Sat Apr 18 07:42:35 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 18 Apr 2015 17:42:35 +1000
Subject: [Freeipa-devel] design review: Certificate Profiles
In-Reply-To: <5530FABC.9070302@redhat.com>
References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530FABC.9070302@redhat.com>
Message-ID: <20150418074234.GD26212@dhcp-40-8.bne.redhat.com>

On Fri, Apr 17, 2015 at 02:21:16PM +0200, Milan Kubik wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
> >
> >Cheers,
> >Fraser
> >
> Hello Fraser,
>
> I will reiterate one of my concerns from our private mails here for the
> wider audience :)
>
> I'd really like to have a way how to list the profiles managed by IPA other
> than using
> the dogtag REST API directly. Simple wrapper around the api call for
> /ca/rest/profiles[/$id[/raw]]
> endpoints returning a list of IDs [and dumping the profile to file] for the
> sake of consistency,
> since other endpoints are wrapped by ipa commands, would be sufficient for
> me.
>
> This can be also used to query the information (at least the list of IDs)
> when used in the web UI.
>
> I don't know how exactly dogtag is wired into IPA (I've seen that there is
> separate suffix
> on the DS instance) and I don't really need to duplicate any data into the
> defaultNamingContext
> and its subtree.
>
>
> Cheers,
> Milan
>
I thought some more about your suggestion and agree that it makes sense to
keep a record of IPA-managed profiles in the IPA directory, and whatever
attributes IPA needs on a regular basis to avoid calling out to Dogtag
unnecessarily. I'll propose the schema shortly.

Cheers,
Fraser

From simo at redhat.com Sat Apr 18 17:32:17 2015
From: simo at redhat.com (Simo Sorce) Date: Sat, 18 Apr 2015 13:32:17 -0400 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <20150418073921.GC26212@dhcp-40-8.bne.redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530F7BD.2070609@redhat.com> <1429296988.15907.33.camel@willson.usersys.redhat.com> <20150418073921.GC26212@dhcp-40-8.bne.redhat.com> Message-ID: <1429378337.22202.26.camel@willson.usersys.redhat.com> On Sat, 2015-04-18 at 17:39 +1000, Fraser Tweedale wrote: > On Fri, Apr 17, 2015 at 02:56:28PM -0400, Simo Sorce wrote: > > On Fri, 2015-04-17 at 14:08 +0200, Martin Kosek wrote: > > > On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > > > > Hi everyone, > > > > > > > > Please review my Certificate Profiles design proposal: > > > > http://www.freeipa.org/page/V4/Certificate_Profiles > > > > > > > > Let me know what is unclear, what needs expansion, and what is plain > > > > wrong :) > > > > > > > > The schema for storing multiple certificates for a principal is > > > > still being discussed but I expect it will be agreed soon, and I > > > > will add it to the document. > > > > > > > > I am revising the sub-CAs design proposal and it will soon be > > > > published for review as well. > > > > > > 1) here did you get this feature template? It is the one that is obsolete > > > (header levels, document structure, missing author in the box)... This is the > > > right template: > > > http://www.freeipa.org/page/Feature_template > > > > > > 2) I miss certprofile-find command - to enable Web UI and/or CLI to search > > > through existing profiles. > > > > > > 3) Permissions > > > So your plan is to allow different groups use different profiles? So there > > > would be for example profiles allowed to all users (something like > > > userCattegory:all that we use for HBAC/SUDO)? How do you plan to deal with > > > authorization? 
Will be on a FreeIPA framework level or for example by DS ACIs > > > that would simply not show the profiles? > > > > Keep in mind our design philosophy from the start was: the framework > > only have the privileges of the user accessing it and makes no ACI > > decisions. > > > > We broke that abstraction with the RA agent stuff, but I plan on fixing > > it some days by taking it away from the framework again, so I would not > > be favorable to see more Access control implemented in the framework > > unless there is no other sane way. > > > > Simo. > > > In regards to permissions, the plan is to have ACLs for declaring > which principals/groups can use which profiles on which (sub-)CA. > The `caacl' CLI commands[1] follow the form of hbacrule (although > with a unified `caacl-add-member' that handles different principal > types, rather than separate commands (similarly for removal). This > approach came from discussions with Honza. > > [1] http://www.freeipa.org/page/V4/Sub-CAs#ipa_caacl-add_.3Cshortname.3E_.3Cacl.3E > > (These are in the sub-CAs design to kill two birds with one stone; > target CA and profile are two dimensions of the rule.) > > So... under the current design these access decisions would be made > by the IPA framework. > > There is another approach I can think of: an "ipa-auth" plugin for > Dogtag that is used by *all* IPA cert profiles. The ACL rules > themselves, the commands and the schema do not change at all, but > somehow the principal's credential is conveyed by IPA to Dogtag, and > Dogtag uses it to look back into the IPA directory and make the > authorization decision. This is probably more work than there is > time for, but it would be possible to move to it later. > > Can anyone think of other sane ways? Either Dogtag directly or an agent is used in the middle, the framework performs the usual s4u2proxy and contact this agent/Dogtag on behalf of the user, this component applies Access control. 
This is what we do with LDAP, and we need to do that even more with the
CA.

Afaik currently Dogtag does not understand GSSAPI auth, but that is
something we should probably add anyway eventually. If it is too much
work to do it in dogtag, we can do it in a separate agent that the
framework talks to.

Privilege separation is important to keep, or a single fault in the
framework will easily open the door to unlimited access to create certs,
including subCAs, we need to be very careful there.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jcholast at redhat.com Mon Apr 20 06:12:33 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 20 Apr 2015 08:12:33 +0200 Subject: [Freeipa-devel] [PATCH] Password vault In-Reply-To: <551E0AE1.8040500@redhat.com> References: <54E1AF55.3060409@redhat.com> <54EBEB55.6010306@redhat.com> <54F96B22.9050507@redhat.com> <55004D5D.6060300@redhat.com> <550FE5EB.1070606@redhat.com> <551E0AE1.8040500@redhat.com> Message-ID: <553498D1.1020901@redhat.com> Dne 3.4.2015 v 05:37 Endi Sukma Dewata napsal(a): > Hi, > > Attached are new patches replacing all old ones. Please take a look at > them. They should applied in this order: 365, 353-8, 355-6, 357-3, > 359-2, 360-1, 364-1, 361-1. Thanks for squashing patches 362-364 into the original patches, it's much more digestible this way. > > I'm planning to merge the vault and vault container object and use the > vault type attribute to distinguish between the two. See more discussion > about that below. OK. >>>> 3) The container_vault config option should be renamed to >>>> container_vaultcontainer, as it is used in the vaultcontainer plugin, >>>> not the vault plugin. >>> >>> It was named container_vault because it defines the DN for of the >>> subtree that contains all vault-related entries. I moved the base_dn >>> variable from vaultcontainer object to the vault object for clarity. >> >> That does not make much sense to me. Vault objects are contained in >> their respective vaultcontainer objects, not directly in cn=vaults. > > The cn=vaults itself is actually a vault container (i.e. > ipaVaultContainer). Theoretically you could store a vault in any > container including cn=vaults, but we just don't want people to use it > that way. > > I think this is consistent with other plugins. For example, the > container_user points to cn=users, which is an nsContainer. There is no > concept of 'user container' other than the cn=users itself. But even if > there is one, the container_user will still be stored in the user class. In fact it is not consistent with other plugins. 
All entries managed by the user plugin are stored *directly* under cn=users. Entries managed by the vault plugin are not stored directly under cn=vaults, but rather anywhere in the cn=vaults subtree and their DN is derived from the DN of the parent vault container. For such objects, we don't set .container_dn and don't have container_ constant, but rather define them as child objects of their container objects. > > When the vault & vaultcontainer is merged, this will no longer be an issue. OK. > >>>> 4) The vault object should be child of the vaultcontainer object. >>>> >>>> Not only is this correct from the object model perspective, but it >>>> would >>>> also make all the container_id hacks go away. >>> >>> It's a bit difficult because it will affect how the container & vault >>> ID's are represented on the CLI. >> >> Yes, but the API should be done right (without hacks) first. You can >> tune the CLI after that if you want. > > I think the current framework is rather limiting. It's kind of hard to > build an interface that looks exactly what you want then add the > implementation later to match the interface because many things are > interrelated. In this particular case the object hierarchy on the server > side would affect how the vault ID will be represented on the client side. It indeed is limiting and that's a good thing. We don't want people to be able to create any crazy interfaces they can imagine, inconsistent with everything else in IPA. > >>> In the design the container ID would be a single value like this: >>> >>> $ ipa vault-add /services/server.example.com/HTTP >>> >>> And if the vault ID is relative (without initial slash), it will be >>> appended to the user's private container (i.e. /users//): >>> >>> $ ipa vault-add PrivateVault >>> >>> The implementation is not complete yet. 
Currently it accepts this >>> format: >>> >>> $ ipa vault-add [--container ] >>> >>> and I'm still planning to add this: >>> >>> $ ipa vault-add > > This is actually now done in the latest patch. Internally the ID is > still split into name & parent ID. > >>> If the vault must be a child of vaultcontainer, and the vaultcontainer >>> must be a child of a vaultcontainer, does it mean the vault ID would >>> have to be split into separate arguments like this? >>> >>> $ ipa vaultcontainer-add services server.example.com HTTP >>> >>> If that's the case we'd lose the ability to specify a relative vault ID. >> >> Yes, that's the case. >> >> But I don't think relative IDs should be a problem, we can do this: >> >> $ ipa vaultcontainer-add a b c # absolute >> $ ipa vaultcontainer-add . c # relative > > I think a "." will be confusing because there's no concept of "current > vaultcontainer" like "current directory". > >> or this: >> >> $ ipa vaultcontainer-add '' a b c # absolute >> $ ipa vaultcontainer-add c # relative > > An empty string is also confusing and can be problematic to distinguish > with missing argument. I didn't mean empty string specifically, it could have been any special value. > >> or this: >> >> $ ipa vaultcontainer-add a b c # absolute >> $ ipa vaultcontainer-add c --relative # relative >> >> or this: >> >> $ ipa vaultcontainer-add a b c --absolute # absolute >> $ ipa vaultcontainer-add c # relative > > Per discussion in the IPA-CS meeting, we'd rather keep the "/" for vault > ID delimiters because the spaces will be confusing to users, but we'll > not use absolute ID anymore. I'm sorry if I gave you the impression that this is up for discussion, but it is not. You either follow the convention without doing ugly hacks or your patch will not be accepted. It won't be confusing to users, because they are used to the convention. > > It's not implemented yet, but here is the plan. 
By default the vault > will be created in the user's private container: > > $ ipa vault-add PrivateVault > > For shared vaults, instead of specifying an absolute ID we can specify a > --shared option: > > $ ipa vault-add --shared projects/IPA > > Same thing with service vaults: > > $ ipa vault-add --service server.example.com/LDAP > > To access a vault in another user's private container: > > $ ipa vault-show --user testuser PrivateVault Fine by me, as long as you follow the convention. > >>>> 16) You do way too much stuff in vault_add.forward(). Only code that >>>> must be done on the client needs to be there, i.e. handling of the >>>> "data", "text" and "in" options. >>>> >>>> The vault_archive call must be in vault_add.execute(), otherwise a) we >>>> will be making 2 RPC calls from the client and b) it won't be called at >>>> all when api.env.in_server is True. >>> >>> This is done by design. The vault_add.forward() generates the salt and >>> the keys. The vault_archive.forward() will encrypt the data. These >>> operations have to be done on the client side to secure the transport of >>> the data from the client through the server and finally to KRA. This >>> mechanism prevents the server from looking at the unencrypted data. >> >> OK, but that does not justify that it's broken in server-side API. It >> can and should be done so that it works the same way on both client and >> server. >> >> I think the best solution would be to split the command into two >> commands, server-side vault_archive_raw to archive already encrypted >> data, and client-side vault_archive to encrypt data and archive them >> with vault_archive_raw in its .execute(). Same thing for vault_retrieve. > > Actually I think it's better to just merge the add and archive, reducing > the number of RPC calls. 
The vault_archive now will support two types of > operations: > > (a) Archive data into a new vault (it will create the vault just before > archiving the data): > > $ ipa vault-archive testvault --create --in data ... > > (b) Archive data into an existing vault: > > $ ipa vault-archive testvault --in data ... > > The vault_add is now just a wrapper for the vault_archive(a). If that's just an implementation detail, OK. If it's possible to modify existing vault objects using vault-add or create new objects using vault-archive, then NACK. > >> BTW, I also think it would be better if there were 2 separate sets of >> commands for binary and textual data >> (vault_{archive,retrieve}_{data,text}) rather than trying to handle >> everything in vault_{archive,retrieve}. > > I don't think we want to provide a separate command of every possible > data type & operation combination. Users would get confused. The archive > & retrieve commands should be able to handle all current & future data > types with options. A command with two sets of mutually exclusive options is really two commands in disguise, which is a good sign it should be divided into two actual commands. Who are you to say users would get confused? I say they would be more confused by a command with a plethora of mutually exclusive "options". What other possible data types are there? > >>> The add & archive combination was added for convenience, not for >>> optimization. This way you would be able to archive data into a new >>> vault using a single command. Without this, you'd have to execute two >>> separate commands: add & archive, which will result in 2 RPC calls >>> anyway. >> >> I think I would prefer if it was separate, as that would be consistent >> with other plugins (e.g. for objects with members, we don't allow adding >> members directly in -add, you have to use -add-member after -add). > > The vault data is similar to group description, not group members. 
When > creating a group we can supply the description. If not specified it will > be blank. Archiving vault data is similar to updating the group > description. It's similar to group members because there are separate commands to manipulate them. You have to choose one of: a) vault data is settable using vault-add and vault-mod and gettable using vault-mod, vault-show and vault-find b) vault data is settable using vault-archive and gettable using vault-retrieve Anything in between is not permitted. > > Vault secrets on the other hand is similar to group members. You will > see that in the other patch. > >>>> 18) Why are vaultcontainer objects automatically created in vault_find? >>>> >>>> This is just plain wrong and has to be removed, now. >>> >>> The code was supposed to create the user's private container like in >>> #17, but the behavior has been changed. If the container being searched >>> is the user's private container, it will ignore the container not found >>> error and return zero results as if the private container already >>> exists. For other containers the container must already exist. For this >>> to work I had to add a handle_not_found() into LDAPSearch so the plugins >>> can customize the proper search response for the missing private >>> container. >> >> No ad-hoc refactoring please. If you want to refactor anything, it >> should be first designed properly and put in a separate patch. >> >> Anyway, what should actually happen here is that if parent object is not >> found, its object plugin's handle_not_found is called, i.e. something >> like this: >> >> parent = self.obj.parent_object >> if parent: >> self.api.Object[parent].handle_not_found(*args[:-1]) >> else: >> raise errors.NotFound( >> reason=self.obj.container_not_found_msg % { >> 'container': self.obj.container_dn, >> } >> ) > > It will not work because vault doesn't have a parent object. I'm adding > handle_not_found() into LDAPCreate and LDAPSearch in the first patch. 
NACK, this change exists for the sole reason of supporting your hacks.
Follow IPA conventions and this change won't be necessary.

>
>>>> 21) vault_archive is not a retrieve operation, it should be based on
>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it does
>>>> not do anything with LDAP. The same applies to vault_retrieve.
>>>
>>> The vault_archive does not actually modify the LDAP entry because it
>>> stores the data in KRA. It is actually an LDAPRetrieve operation because
>>> it needs to get the vault info before it can perform the archival
>>> operation. Same thing with vault_retrieve.
>>
>> It is not a LDAPRetrieve operation, because it has different semantics.
>> Please use Command as base class and either use ldap2 for direct LDAP or
>> call vault_show instead of hacking around LDAPRetrieve.
>
> It's been changed to inherit from LDAPQuery instead.

NACK, it's not a LDAPQuery operation, because it has different semantics.
There is more to a command than executing code, so you should use a
correct base class.

>
>>>> 22) vault_archive will break with binary data that is not UTF-8 encoded
>>>> text.
>>>>
>>>> This is where it occurs:
>>>>
>>>> + vault_data[u'data'] = unicode(data)
>>>>
>>>> Generally, don't use unicode() on str values and str() on unicode
>>>> values
>>>> directly, always use .decode() and .encode().
>
> The unicode(s, encoding) is actually equivalent to s.decode(encoding),
> so the following code will not solve the problem:
>
> vault_data[u'data'] = data.decode()
>
> As you said, decode() will only work if the data being decoded actually
> follows the encoding rules (i.e. already UTF-8 encoded).
>
>>> It needs to be a Unicode because json.dumps() doesn't work with binary
>>> data. Fixed by adding base-64 encoding.
>
> The base-64 encoding is necessary to convert random binaries into ASCII
> so it can be decoded into Unicode.
Here is the current code: > > vault_data[u'data'] = unicode(base64.b64encode(data)) > > which is equivalent to: > > vault_data[u'data'] = base64.b64encode(data).decode() If you read a little bit further, you would get to the point, which is certainly not calling .decode() without arguments, but *always explicitly specify the encoding*. > >> If something str needs to be unicode, you should use .decode() to >> explicitly specify the encoding, instead of relying on unicode() to pick >> the correct one. > > Since we know this is ASCII data we can now specify UTF-8 encoding. > > vault_data[u'data'] = base64.b64encode(data).decode('utf-8') > > But for anything that comes from user input (e.g. filenames, passwords), > it's better to use the default encoding because that can be configured > by the user. You are confusing user's configured encoding with Python's default encoding. Default encoding in Python isn't derived from user's localization settings. Anyway, anything that comes from user input is already decoded using user's configured encoding when it enters the framework so I don't know why are you even bringing it up here. > >> Anyway, I think a better solution than base64 would be to use the >> "raw_unicode_escape" encoding: > > As explained above, base-64 encoding is necessary because random > binaries don't follow any encoding rules. I'd rather not use > raw_unicode_escape because it's not really a text data. The result of decoding binary data using raw_unicode_escape is perfectly valid unicode data which doesn't eat 33% more space like base64 encoded binary does, hence my suggestion. Anyway, it turns out when encoded in JSON, raw_unicode_escape string generally takes more space than base64 encoded string because of JSON escaping, so base64 is indeed better. > Here's how it's > now implemented: > >> if data: >> data = data.decode('raw_unicode_escape') > > Input data is already in binaries, no conversion needed. 
> >> elif text: >> data = text > > Input text will be converted to binaries with default encoding: > > data = text.encode() See what the default encoding actually is and why you shouldn't rely on it above. > >> elif input_file: >> with open(input_file, 'rb') as f: >> data = f.read() >> data = data.decode('raw_unicode_escape') > > Input contains binary data, no conversion needed. > >> else: >> data = u'' > > If not specified, the data will be empty string: > > data = '' > > The data needs to be converted into binaries so it can be encrypted > before transport (depending on the vault type): > > data = self.obj.encrypt(data, ...) > >> vault_data[u'data'] = data > > Then for transport the data is base-64 encoded first, then converted > into Unicode: > > vault_data[u'data'] = base64.b64encode(data).decode('utf-8') > >>>> 26) Instead of the delete_entry refactoring in baseldap and >>>> vaultcontainer_add, you can put this in vaultcontainer_add's >>>> pre_callback: >>>> >>>> try: >>>> ldap.get_entries(dn, scope=ldap.SCOPE_ONELEVEL, attrs_list=[]) >>>> except errors.NotFound: >>>> pass >>>> else: >>>> if not options.get('force', False): >>>> raise errors.NotAllowedOnNonLeaf() >>> >>> I suppose you meant vaultcontainer_del. Fixed, but this will generate an >>> additional search for each delete. >>> >>> I'm leaving the changes baseldap because it may be useful later and it >>> doesn't change the behavior of the current code. >> >> Again, no ad-hoc refactoring please. > > The refactoring has also been moved into a separate patch. Just a note, > I still don't think a plugin should do a search and maybe generate a > NotAllowedOnLeaf exception on each delete operation. The exception > should have been generated automatically by the DS. But we can discuss > that separately. 
NACK, turns out there is a better (and preferable) solution I didn't
remember before, you can use exception callback in vaultcontainer_del:

    def exc_callback(self, keys, options, exc, call_func, *call_args,
                     **call_kwargs):
        if call_func.func_name == 'delete_entry':
            if isinstance(exc, errors.NotAllowedOnLeaf):
                if not options.get('force', False):
                    raise errors.DatabaseError(...)
        raise exc

>
>>>> 28) The vault and vaultcontainer plugins seem to be pretty similar, I
>>>> think it would make sense to put common stuff in a base class and
>>>> inherit vault and vaultcontainer from that.
>>>
>>> I plan to refactor the common code later. Right now the focus is to get
>>> the functionality working correctly first.
>>
>> Please do it now, "later" usually means "never". It shouldn't be too
>> hard and I can give you a hand with it if you want.
>
> As mentioned above, I'm considering merging the vault & vault container
> classes, so no need to refactor the common code out of these classes.
> This will be delivered as a separate patch later.

OK.

>
> Thanks.
>

-- 
Jan Cholasta

From jcholast at redhat.com Mon Apr 20 06:30:13 2015
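Jan's size comparison above (base64 versus raw_unicode_escape once JSON escaping is applied) and the original "binary data that is not UTF-8" defect, worked as an added Python 3 example that is not part of the vault patches; the sample bytes are constructed, and it goes one step beyond the thread by checking that each encoding round-trips the archived bytes.

```python
"""Transport encoding of vault data, as discussed in the review above.

Added example (Python 3), not code from the vault patches. It compares the
three options the thread talks about for putting arbitrary bytes into a
JSON-RPC payload: treating them as UTF-8 text (the original bug), base64
(what the patch adopted) and raw_unicode_escape (the rejected alternative).
"""
import base64
import json

# Constructed sample: every byte value once, so it is deterministic and is
# guaranteed not to be valid UTF-8.
SAMPLE = bytes(range(256))


def utf8_decode_fails(data: bytes) -> bool:
    """The original defect: decoding arbitrary binary data as UTF-8 text."""
    try:
        data.decode('utf-8')   # encoding named explicitly, never the default
    except UnicodeDecodeError:
        return True
    return False


def wire_base64(data: bytes) -> str:
    """What the patch ended up doing: base64, then decode the ASCII result
    with an explicitly named encoding."""
    return base64.b64encode(data).decode('utf-8')


def unwire_base64(wire: str) -> bytes:
    return base64.b64decode(wire.encode('utf-8'))


def wire_raw_unicode_escape(data: bytes) -> str:
    """The alternative floated in review: map each byte to a code point."""
    return data.decode('raw_unicode_escape')


def unwire_raw_unicode_escape(wire: str) -> bytes:
    return wire.encode('raw_unicode_escape')


def json_sizes(data: bytes) -> dict:
    """Length of each representation once json.dumps() has escaped it.

    json.dumps escapes every non-printable or non-ASCII code point as
    \\uXXXX (six characters), which is why raw_unicode_escape loses to
    base64's fixed 4/3 expansion on random bytes.
    """
    return {
        'raw': len(data),
        'base64': len(json.dumps(wire_base64(data))),
        'raw_unicode_escape': len(json.dumps(wire_raw_unicode_escape(data))),
    }


def roundtrips(data: bytes) -> dict:
    """Does each encoding give back exactly the bytes that were archived?

    raw_unicode_escape *decoding* interprets \\uXXXX sequences that happen
    to occur in the input, so it is lossy on some byte strings, which a
    secret store cannot tolerate. base64 is injective.
    """
    return {
        'base64': unwire_base64(wire_base64(data)) == data,
        'raw_unicode_escape':
            unwire_raw_unicode_escape(wire_raw_unicode_escape(data)) == data,
    }


if __name__ == '__main__':
    print(utf8_decode_fails(SAMPLE))   # True
    print(json_sizes(SAMPLE))          # base64 346, raw_unicode_escape 1045
    print(roundtrips(b'\\u0041'))      # raw_unicode_escape False
```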
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 08:30:13 +0200
Subject: [Freeipa-devel] Splitting out ipaldap
In-Reply-To: <552F624C.5050600@redhat.com>
References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> <552D3DEE.1070005@redhat.com> <552D4C95.1080706@redhat.com> <552E0599.3040506@redhat.com> <552F624C.5050600@redhat.com>
Message-ID: <55349CF5.8030307@redhat.com>

On 16.4.2015 at 09:18, Petr Viktorin wrote:
> On 04/15/2015 08:30 AM, Jan Cholasta wrote:
>> On 14.4.2015 at 19:21, Petr Viktorin wrote:
>>> On 04/14/2015 06:18 PM, Jan Cholasta wrote:
>>>> On 14.4.2015 at 17:50, Petr Viktorin wrote:
>>>>> On 04/14/2015 05:22 PM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 14.4.2015 at 16:38, Petr Viktorin wrote:
>>>>>>> Hello!
>>>>>>>
>>>>>>> As some of you know, I'm looking to help porting FreeIPA to
>>>>>>> Python 3.
>>>>>>> One of the major dependencies holding this back is python-ldap,
>>>>>>> which
>>>>>>> hasn't been ported yet. Some preliminary porting patches by Raphaël
>>>>>>> Barrois [0] are ready and have been sent to the python-ldap list.
>>>>>>> The
>>>>>>> python-ldap upstream has been very quiet about reviewing them so
>>>>>>> far,
>>>>>>> but they're something for me to test against, and maybe improve.
>>>>>>>
>>>>>>> To make the testing easier, I'd like to split out "ipaldap" to a
>>>>>>> stand-alone package, and port it to Python 3 first.
>>>>>>> This split will make it easier to test (since I don't have to port
>>>>>>> all
>>>>>>> of IPA), and being able to use our generic LDAP wrappers in non-IPA
>>>>>>> projects could maybe also invite some community participation. Also,
>>>>>>> ipaldap unit tests are somewhat lacking, so I'll help with that.
>>>>>>> Packaging-wise, I want "ipaldap" to be on the same level as
>>>>>>> "ipapython"
>>>>>>> or "ipaserver"; additionally I want to release it on PyPI [1].
>>>>>> >>>>>> Note that I don't consider ipaldap API stable and don't want to put >>>>>> any >>>>>> effort in maintaining backward compatibility when something needs >>>>>> to be >>>>>> changed, so you might want to hold the PyPI release, or at least >>>>>> put a >>>>>> big fat warning in some visible place. >>>>> >>>>> If it's released early & often, it'll at least be visible to >>>>> interested >>>>> people. >>>>> It would be nice to include a roadmap file saying what needs to change >>>>> before we start claiming API stability. >>>> >>>> From the top of my head, in no particular order: >>>> >>>> * High-level class for attribute values >>> >>> +1 >>> >>>> * High-level classes for schema elements >>>> * Support different schema styles (LDAPv3, AD), or at least make it >>>> possible >>> >>> Here I'm inclined to just say the schema API isn't done. >> >> It will affect how syntax mapping is done, so it depends on whether >> syntax mapping is exposed or not. There are also some schema-related >> LDAPClient methods (like get_allowed_attributes) which will be (re)moved >> when the schema API is done. > > I think putting warnings around the unfinished parts would work. OK. > >>>> * Some better way of doing "extended" operations (paged search, >>>> deref >>>> search, etc.) >>>> * Support different transports (LDAP, local LDIF file), or at least >>>> make it possible >>> >>> Those two should be possible to add while keeping compatibility. >> >> I don't think I want the paged_search argument of find_entries to be >> supported. > > Then I'll document it as unsupported. OK. > >>>>>>> My general plan is: >>>>>>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable >>>>>>> for >>>>>>> old scripts/plugins) >>>>>> >>>>>> DNs are not strictly LDAP specific, so I would rather move >>>>>> ipapython.dn >>>>>> to a new ipautil package. >>>>> >>>>> I'd rather not, at least until there's something that needs it (and >>>>> doesn't also depend on ipaldap). 
The scope of "ipautil" is far too >>>>> badly >>>>> defined for such a package to be useful. >>>> >>>> IMO generic stuff should be in a package for generic stuff. I guess it >>>> should originally have been ipapython, but it's too fused with ipalib >>>> ATM, hence my proposal to use a new package. >>> >>> No. Any vaguely defined collection of generic utilities needed in a >>> project is really a single-purpose package. Nobody likes pulling in a >>> bunch of unrelated stuff because of one particular thing they need, and >>> without a scope the amount of unnecessary stuff grows without bound. >>> I'd be OK with an "ipadn", if you can manage the overhead of a package. >> >> IMO "ipadn" is just too specific. I guess we can use X.500 as scope, >> since the basic types like DN or OID are defined in X.500, and put it in >> "ipax500". Does that sound OK? > > It might make sense conceptually, but do you have a use case? Some > software that would want to depend on python-ldap (since that's what DNs > depend on), but couldn't also bring in ipaldap? I would rather get rid of the python-ldap dependency. We talked about rewriting DN in C, because long-term we can't keep working around the performance issues caused by DN being implemented in Python. IMO we should do that for Python 3 and get rid of the python-ldap dependency at the same time. > > I don't see the benefit, so I don't really want to do this myself. > >>>>>>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to >>>>>>> replace this with something based on collections.MutableMapping, >>>>>>> since >>>>>>> the semantics of subclassing "dict" aren't very well defined. >>>>>> >>>>>> I have WIP which does just that. >>>>> >>>>> Could you send it? >>>> >>>> Not yet unfortunately, CIDict removal is actually just a side effect of >>>> other changes, and it still needs a lot of work before it is sendable. 
>>> >>> I was thinking the Python 3 boundary is a good point to switch, since >>> stuff will be breaking anyway. I can import the new one under py3, and >>> keep the old one for py2. >>> >> >> I'm a bit lost here, what do you mean by "new one" and "old one"? > > Use the existing (old) CIDict under Python 2, and a new one based on > MutableMapping for all Python 3 code. Wouldn't it be easier to use a custom MutableMapping for both? I can code it now if you want, and replace it with my currently WIP stuff later. -- Jan Cholasta From pspacek at redhat.com Mon Apr 20 07:10:13 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 20 Apr 2015 09:10:13 +0200 Subject: [Freeipa-devel] User life cycle: How to update 60basev3.ldif In-Reply-To: <553123B3.7040504@redhat.com> References: <553123B3.7040504@redhat.com> Message-ID: <5534A655.8000008@redhat.com> On 17.4.2015 17:16, thierry bordaz wrote: > Hello, > > User life cycle uses a new DS aci right: moddn. This right comes > with two new target keywords (target_to and target_from). > permission plugins should support those new target keywords and so > those attributes need to be defined in the schema 60basev3.ldif. > > When adding new attributes in that schema, I should pick new OIDs. > Is it ok to pick the next ones available in ds-oids/08-FreeIPA.txt I would say that these ACI-related attributes should be assigned from DS-core OID arc (assuming that this ACI is not FreeIPA-specific and will be available in core 389 DS). > (rhanana) and what is review process for changes in 08-FreeIPA.txt ? Use your best judgment :-) Definitions will be reviewed later when LDIF with it is sent as a patch to freeipa-devel list. -- Petr^2 Spacek From jcholast at redhat.com Mon Apr 20 07:48:35 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 20 Apr 2015 09:48:35 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <552E6504.7020408@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> <552BB3B8.9040103@redhat.com> <552E6504.7020408@redhat.com> Message-ID: <5534AF53.2050608@redhat.com> Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a): > On 04/13/2015 02:16 PM, Martin Babinsky wrote: >> On 04/09/2015 03:38 PM, Jan Cholasta wrote: >> >>> >>> Some comments: >>> >>> Patch 15: >>> >>> 1) The functions should be as similar as possible: >>> >>> a) kinit_password() should have a 'ccache_path' argument instead of >>> passing the path in KRB5CCNAME in the 'env' argument. >>> >>> b) I don't think kinit_password() should have the 'env' argument at >>> all. You can always call kinit with LC_ALL=C and set other variables in >>> os.environ if you want. >>> >>> c) The arguments should have the same ordering. >>> >>> d) Either set KRB5CCNAME in both kinit_keytab() and >>> kinit_password() or in none of them. >>> >>> e) Either rename armor_ccache to armor_ccache_path or ccache_path >>> to ccache. >>> >> I have done some reordering of parameters in both functions so they are >> very similar now and the parameter ordering should make more sense (at >> least to me). >> >> Neither of them sets KRB5CCNAME env. 
variable since I think that it is >> not a very good practice and the developer should be responsible for >> pointing to correct CCache path. Jan agrees with this and the other >> patches are updated accordingly. >>> >>> 2) Space before comma in docstring: >>> >>> + Given a ccache_path , keytab file and a principal kinit as that >>> user. >>> >>> >>> 3) I would prefer if the default value of 'armor_ccache' in >>> kinit_password() was None. >>> >> Fixed. >>> >>> Patch 16: >>> >>> 1) The callback should not be named 'validate_kinit_attempts_option', >>> but rather 'kinit_attempts_callback', as it doesn't just validate the >>> value. >>> >> Fixed. >>> >>> 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A >>> comment with explanation would be nice. >>> >> It actually doesn't make much sense to have such upper bound, so I have >> removed it from the check and updated the error message accordingly. >>> >>> Patch 17: >>> >>> 1) Is there a reason for the ccache filename changes in DNSSEC code? >>> >> That was Petr Spacek's request since a sane naming of persistent Ccaches >> makes debugging of Kerberos-related errors a bit easier for him. >> >> Attaching updated patches. >> >> >> > > Jan had some further suggestions so I am attaching updated patches which > should reflect them. > > He also recommended to split the naming changes of DNSSEC daemon > credential caches to a separate patch, so I will submit them later when > this patchset is pushed. > ACK. The patches need to be rebased on top of ipa-4-1 though. -- Jan Cholasta From jcholast at redhat.com Mon Apr 20 07:51:13 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 09:51:13 +0200
Subject: [Freeipa-devel] [PATCH] 810 speed up indirect member processing
In-Reply-To: <552668FD.1080101@redhat.com>
References: <551A72D4.9080002@redhat.com> <5524E517.9000704@redhat.com> <552668FD.1080101@redhat.com>
Message-ID: <5534AFF1.9090206@redhat.com>

On 9.4.2015 at 13:56, Petr Vobornik wrote:
> On 04/08/2015 10:21 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 31.3.2015 at 12:11, Petr Vobornik wrote:
>>> the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary.
>>>
>>> New implementation reduces the search only to entries which can have entries.
>>>
>>> Also page size was removed to avoid paging by small pages (default size: 100) which is very slow for many members.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4947
>>>
>>> Useful to test with #809
>>
>> 1) To search for entries with members, you should search for entries with the member attribute set ('(member=*)'), not for entries with some arbitrary object class.
>
> Replaced, new presence index added
>
>>
>>
>> 2) I don't like how the search in get_memberindirect is limited to an arbitrary hard-coded subtree. You should go through the object's attribute_members to figure out which subtrees to search.
>>
>
> The subtree search was removed.
>
>>
>> 3) Since memberindirect and memberofindirect are not real attributes, you must define their syntax in ipaldap before you can set them using .raw[], otherwise they will be decoded to wrong type.
>
> Added.
>
>>
>> 4) The processing of memberof should be done even when memberofindirect is not requested, otherwise its value will depend on whether memberofindirect was requested or not.
>
> True, but it's the same behavior as before. Could be changed in other patch.

OK. Should we file a ticket?
> >> >> >> 5) I would prefer if all membership processing >> (.convert_attribute_members() and .get_indirect_members()) was done in a >> single LDAPObject method. > > Now, as before, get_indirect_members is called before post callbacks and > convert_attribute_members after. If it should be combined, it should be > done separately. OK, but at least move get_indirect_members to LDAPObject. > >> >> >> Honza >> -- Jan Cholasta From jcholast at redhat.com Mon Apr 20 07:53:10 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 09:53:10 +0200
Subject: [Freeipa-devel] [PATCH] 809 speed up convert_attribute_members
In-Reply-To: <552668F2.4000505@redhat.com>
References: <551A72CE.2070403@redhat.com> <551CF415.3070100@redhat.com> <552668F2.4000505@redhat.com>
Message-ID: <5534B066.2040301@redhat.com>

On 9.4.2015 at 13:56, Petr Vobornik wrote:
> On 04/02/2015 09:47 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 31.3.2015 at 12:11, Petr Vobornik wrote:
>>> A workaround to avoid usage of slow LDAPEntry._sync_attr #4946.
>>>
>>> I originally wanted to avoid DN processing as well but we can't do that because of DNs which are encoded - e.g. contains '+' or ','. Therefore patch 811 - faster DN implementation is very useful. Also patch 809 is useful to avoid high load of 389.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4965
>>
>>
>> 1)
>>
>> + dn = container_dns.get(ldap_obj_name, None)
>> + if not dn:
>> + ldap_obj = self.api.Object[ldap_obj_name]
>> + dn = DN(ldap_obj.container_dn, api.env.basedn)
>> + container_dns[ldap_obj_name] = dn
>> + return dn
>>
>> a) The second argument of .get() is None by default
>>
>> b) "not dn" matches None as well as empty DNs, use "dn is not None" (it's not that there could be empty DNs here, but let's not give a potential reader the wrong idea)
>>
>> c) It would be better to catch KeyError rather than call .get() and check the result:
>>
>>     try:
>>         dn = container_dns[ldap_obj_name]
>>     except KeyError:
>>         dn = ...
>>         container_dns[ldap_obj_name] = dn
>
> Changed
>
>>
>>
>> 2) Does get_new_attr() actually provide any speed up? Unless I'm missing something, it just mirrors the virtual member attributes already readily available from entry_attrs in new_attrs.
>
> Yes, a bit. With 30K members and my vm get_new_attr takes ~ 0.114s. setdefault takes ~ 0.686s which is about 7-10% of the entire convert_attribute_members. Pure dict is faster.
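Review bot: the quoted get_container_dn() hunk reaches the API two different ways: `ldap_obj = self.api.Object[ldap_obj_name]` uses the plugin's own api instance, while the next line, `dn = DN(ldap_obj.container_dn, api.env.basedn)`, uses the module-level `api`. Build the container DN from `self.api.env.basedn` so the object and its base DN always come from the same api instance; otherwise code that runs the plugin against a non-default api (tests, tooling) gets a container DN from one environment and an object from another.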
>
>>
>> 3) get_container_dn() and get_new_attr() do not need to be functions, since each is called just from a single spot.
>
> Changed
>
>>
>> 4) "memberdn = DN(member)" could be one for loop up.
>>
>
> Changed
>
>>
>> Here's what I ended up with trying to fix the above (untested):
>>
>>     for attr in self.attribute_members:
>>         try:
>>             value = entry_attrs.raw[attr]
>>         except KeyError:
>>             continue
>>         del entry_attrs[attr]
>>
>>         ldap_objs = {}
>>         for ldap_obj_name in self.attribute_members[attr]:
>>             ldap_obj = self.api.Object[ldap_obj_name]
>>             container_dn = DN(ldap_obj.container_dn, api.env.basedn)
>>             ldap_objs[container_dn] = ldap_obj
>>
>>         for member in value:
>>             memberdn = DN(member)
>>             try:
>>                 ldap_obj = ldap_objs[DN(*memberdn[1:])]
>>             except KeyError:
>>                 continue
>>
>>             new_attr = '%s_%s' % (attr, ldap_obj.name)
>>             new_value = ldap_obj.get_primary_key_from_dn(memberdn)
>>             entry_attrs.setdefault(new_attr, []).append(new_value)
>
> Without any modifications the code is ~ 2.3x slower than mine. In patch 811 DN's slice, __hash__ and __eq__ functions are optimized.

Thanks, ACK.

Pushed to master: e4930b3235e5d61d227a7e43d30a8feb7f35664d

--
Jan Cholasta

From mbabinsk at redhat.com Mon Apr 20 08:06:48 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 20 Apr 2015 10:06:48 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <5534AF53.2050608@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> <552BB3B8.9040103@redhat.com> <552E6504.7020408@redhat.com> <5534AF53.2050608@redhat.com> Message-ID: <5534B398.4010400@redhat.com> On 04/20/2015 09:48 AM, Jan Cholasta wrote: > Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a): >> On 04/13/2015 02:16 PM, Martin Babinsky wrote: >>> On 04/09/2015 03:38 PM, Jan Cholasta wrote: >>> >>>> >>>> Some comments: >>>> >>>> Patch 15: >>>> >>>> 1) The functions should be as similar as possible: >>>> >>>> a) kinit_password() should have a 'ccache_path' argument >>>> instead of >>>> passing the path in KRB5CCNAME in the 'env' argument. >>>> >>>> b) I don't think kinit_password() should have the 'env' >>>> argument at >>>> all. You can always call kinit with LC_ALL=C and set other variables in >>>> os.environ if you want. >>>> >>>> c) The arguments should have the same ordering. >>>> >>>> d) Either set KRB5CCNAME in both kinit_keytab() and >>>> kinit_password() or in none of them. >>>> >>>> e) Either rename armor_ccache to armor_ccache_path or ccache_path >>>> to ccache. >>>> >>> I have done some reordering of parameters in both functions so they are >>> very similar now and the parameter ordering should make more sense (at >>> least to me). >>> >>> Neither of them sets KRB5CCNAME env. 
variable since I think that it is >>> not a very good practice and the developer should be responsible for >>> pointing to correct CCache path. Jan agrees with this and the other >>> patches are updated accordingly. >>>> >>>> 2) Space before comma in docstring: >>>> >>>> + Given a ccache_path , keytab file and a principal kinit as that >>>> user. >>>> >>>> >>>> 3) I would prefer if the default value of 'armor_ccache' in >>>> kinit_password() was None. >>>> >>> Fixed. >>>> >>>> Patch 16: >>>> >>>> 1) The callback should not be named 'validate_kinit_attempts_option', >>>> but rather 'kinit_attempts_callback', as it doesn't just validate the >>>> value. >>>> >>> Fixed. >>>> >>>> 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A >>>> comment with explanation would be nice. >>>> >>> It actually doesn't make much sense to have such upper bound, so I have >>> removed it from the check and updated the error message accordingly. >>>> >>>> Patch 17: >>>> >>>> 1) Is there a reason for the ccache filename changes in DNSSEC code? >>>> >>> That was Petr Spacek's request since a sane naming of persistent Ccaches >>> makes debugging of Kerberos-related errors a bit easier for him. >>> >>> Attaching updated patches. >>> >>> >>> >> >> Jan had some further suggestions so I am attaching updated patches which >> should reflect them. >> >> He also recommended to split the naming changes of DNSSEC daemon >> credential caches to a separate patch, so I will submit them later when >> this patchset is pushed. >> > > ACK. The patches need to be rebased on top of ipa-4-1 though. > Right, attaching rebased patches. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-1-mbabinsk-0015-8-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch Type: text/x-patch Size: 4612 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-4-1-mbabinsk-0016-7-ipa-client-install-try-to-get-host-TGT-several-times.patch Type: text/x-patch Size: 9218 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-1-mbabinsk-0017-6-Adopted-kinit_keytab-and-kinit_password-for-kerberos.patch Type: text/x-patch Size: 12113 bytes Desc: not available URL: From jcholast at redhat.com Mon Apr 20 08:24:58 2015 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 10:24:58 +0200
Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes
In-Reply-To: <552FAC93.2060401@redhat.com>
References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> <552FAC93.2060401@redhat.com>
Message-ID: <5534B7DA.9040907@redhat.com>

On 16.4.2015 at 14:35, Petr Viktorin wrote:
> On 04/16/2015 09:04 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 10.4.2015 at 15:58, Petr Viktorin wrote:
>>> The attached patches remove EditableDN, EditableRDN and EditableAVA. They depend on Petr Voborník's patch 811 (performance: faster DN implementation).
>>>
>>>
>>> Mutable DNs are not very useful. When creating them it is easier to work with lists or generators, and needing to change DNs aside from operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say theoretical.
>>> Mutable DNs are not hashable, so they can't be used as dict keys. Storing them as "keys" in other structures (e.g. in a LDAPEntry) is dangerous -- it's hard to reason about outside modifications.
>>>
>>> The first patch removes the last use of EditableDN. I could be convinced it's not an improvement in elegance/readability, but I believe this is the strongest case for EditableDN in IPA, and it doesn't justify keeping it.
>>
>> LGTM, but patch 688 needs to be rebased.
>
> Here you go.

Regarding patch 688, it seems we are always replacing the suffix of the DN, so I think we can simplify _dn_replace to:

    if not dn.endswith(old):
        raise ValueError('no replacement made')
    return DN(*dn[:-len(old)]) + new

--
Jan Cholasta

From tbordaz at redhat.com Mon Apr 20 08:25:40 2015
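Two of the threads above lean on the same handful of DN operations: the convert_attribute_members rewrite in the patch 809 review (look up each member DN's parent in a dict keyed by container DN, which needs DN slicing, hashing and equality, and needs real DN parsing because values can contain escaped ',' or a '+' multi-valued RDN) and the `_dn_replace` simplification just above (endswith plus suffix replacement). The following is an added example written for this page, not FreeIPA's ipapython.dn and not patch 809, 811 or 688: a small immutable DN type with exactly those operations, the member conversion built on it, and the suggested `_dn_replace`. It assumes RFC 4514 escaping and that attribute values compare case-insensitively (caseIgnoreMatch); the container names and sample DNs in the test are constructed.

```python
# Added example, not FreeIPA's ipapython.dn and not patch 809 or 688: a small
# immutable DN type with the operations both reviews above rely on (slicing,
# hashing, endswith, suffix replacement) and the member-DN to member_<type>
# conversion built on them. Assumptions: RFC 4514 escaping (leading '#'/space
# handled, trailing-space rule omitted) and case-insensitive attribute values.
import re

_SPECIAL = ',+"\\<>;'                        # must be escaped inside a value
_ESC = re.compile(r"\\([0-9A-Fa-f]{2}|.)")   # \XX hex byte or \c literal

def _split_unescaped(text, sep):
    """Split on `sep` unless it is backslash-escaped; a naive split(',')
    would cut 'uid=smith\\, john' in half."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep escape pairs intact
            buf.append(text[i:i + 2]); i += 2
        elif text[i] == sep:
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(text[i]); i += 1
    parts.append("".join(buf))
    return parts

def _unescape(value):
    """Resolve escapes; \\XX pairs are raw UTF-8 bytes, so decode at the end."""
    raw, pos = bytearray(), 0
    for m in _ESC.finditer(value):
        raw += value[pos:m.start()].encode("utf-8")
        tok = m.group(1)
        raw += bytes([int(tok, 16)]) if len(tok) == 2 else tok.encode("utf-8")
        pos = m.end()
    raw += value[pos:].encode("utf-8")
    return raw.decode("utf-8", "replace")

def _escape(value):
    esc = "".join("\\" + c if c in _SPECIAL else c for c in value)
    return "\\" + esc if esc[:1] in ("#", " ") else esc

def _parse_rdn(text):
    """'cn=Sales+ou=EMEA' -> (('cn','Sales'), ('ou','EMEA')); sorted so AVA
    order inside a multi-valued RDN cannot affect equality or hashing."""
    avas = []
    for ava in _split_unescaped(text, "+"):
        attr, _, val = ava.partition("=")
        val = val.lstrip()
        while val.endswith(" ") and not val.endswith("\\ "):
            val = val[:-1]
        avas.append((attr.strip().lower(), _unescape(val)))
    return tuple(sorted(avas))

class DN:
    """Immutable, hashable DN: a tuple of RDNs, leftmost (the entry's) first."""

    def __init__(self, *parts):
        rdns = []
        for part in parts:
            if isinstance(part, DN):
                rdns.extend(part.rdns)
            elif isinstance(part, str):
                if part:
                    rdns.extend(_parse_rdn(r) for r in _split_unescaped(part, ","))
            else:                                 # an RDN tuple, as yielded by iter()
                rdns.append(tuple(part))
        self.rdns = tuple(rdns)

    def _key(self):                               # case-folded values for eq/hash
        return tuple(tuple((a, v.lower()) for a, v in rdn) for rdn in self.rdns)
    def __eq__(self, other): return isinstance(other, DN) and self._key() == other._key()
    def __hash__(self): return hash(self._key())
    def __len__(self): return len(self.rdns)
    def __iter__(self): return iter(self.rdns)
    def __add__(self, other): return DN(self, other)
    def __getitem__(self, i):
        return DN(*self.rdns[i]) if isinstance(i, slice) else self.rdns[i]
    def endswith(self, suffix):
        suffix = suffix if isinstance(suffix, DN) else DN(suffix)
        return len(suffix) <= len(self) and self[len(self) - len(suffix):] == suffix
    def __str__(self):
        return ",".join("+".join("%s=%s" % (a, _escape(v)) for a, v in rdn) for rdn in self.rdns)

def convert_attribute_members(member_dns, containers, basedn):
    """Turn raw member DNs into member_<objtype> primary-key lists by looking up
    each DN's parent in a dict keyed by container DN, the approach of patch 809.
    `containers` maps objtype -> container DN relative to basedn."""
    by_container = {DN(cdn, basedn): objtype for objtype, cdn in containers.items()}
    result = {}
    for member in member_dns:
        memberdn = DN(member)
        objtype = by_container.get(memberdn[1:])
        if objtype is None:
            continue                              # parent is not a known container
        result.setdefault("member_%s" % objtype, []).append(memberdn[0][0][1])
    return result

def dn_replace_suffix(dn, old, new):
    """The simplified _dn_replace suggested above: swap suffix `old` for `new`."""
    if not dn.endswith(old):
        raise ValueError("no replacement made")
    return DN(*dn[:-len(old)]) + new
```

The point the escaped-comma and `+` cases make is the one Petr raises above: classifying members by string surgery on the DN is wrong as soon as a value contains a separator, so the parse has to happen, and the cost of that parse is what patch 811 attacks.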
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 20 Apr 2015 10:25:40 +0200 Subject: [Freeipa-devel] User life cycle: How to update 60basev3.ldif In-Reply-To: <5534A655.8000008@redhat.com> References: <553123B3.7040504@redhat.com> <5534A655.8000008@redhat.com> Message-ID: <5534B804.6050907@redhat.com> On 04/20/2015 09:10 AM, Petr Spacek wrote: > On 17.4.2015 17:16, thierry bordaz wrote: >> Hello, >> >> User life cycle uses a new DS aci right: moddn. This right comes >> with two new target keywords (target_to and target_from). >> permission plugins should support those new target keywords and so >> those attributes need to be defined in the schema 60basev3.ldif. >> >> When adding new attributes in that schema, I should pick new OIDs. >> Is it ok to pick the next ones available in ds-oids/08-FreeIPA.txt > I would say that these ACI-related attributes should be assigned from DS-core > OID arc (assuming that this ACI is not FreeIPA-specific and will be available > in core 389 DS). Thanks Petr. I wanted to allow new FreeIPA specific attributes to the definition of 'ipaPermissionV2' objectclass. So it is Freeipa-core OIDs. My understanding is that when the patch on 60baseV3.ldif will be reviewed, I will consequently update/push 08-FreeIPA.txt changes. thanks thierry > >> (rhanana) and what is review process for changes in 08-FreeIPA.txt ? > Use your best judgment :-) Definitions will be reviewed later when LDIF with > it is sent as a patch to freeipa-devel list. > From jcholast at redhat.com Mon Apr 20 08:28:47 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 20 Apr 2015 10:28:47 +0200 Subject: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code In-Reply-To: <5534B398.4010400@redhat.com> References: <54F997F7.2070400@redhat.com> <54FD8CAF.7030609@redhat.com> <55002A13.8010706@redhat.com> <55031230.70604@redhat.com> <5506BB6F.70406@redhat.com> <5506CCCB.3020003@redhat.com> <1426611638.2981.106.camel@willson.usersys.redhat.com> <550FFD72.1090301@redhat.com> <1427116098.8302.2.camel@willson.usersys.redhat.com> <551013A4.5000708@redhat.com> <1427119982.8302.3.camel@willson.usersys.redhat.com> <5512936A.2010007@redhat.com> <1428583286.19641.219.camel@willson.usersys.redhat.com> <552680F2.3050208@redhat.com> <552BB3B8.9040103@redhat.com> <552E6504.7020408@redhat.com> <5534AF53.2050608@redhat.com> <5534B398.4010400@redhat.com> Message-ID: <5534B8BF.6000807@redhat.com> Dne 20.4.2015 v 10:06 Martin Babinsky napsal(a): > On 04/20/2015 09:48 AM, Jan Cholasta wrote: >> Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a): >>> On 04/13/2015 02:16 PM, Martin Babinsky wrote: >>>> On 04/09/2015 03:38 PM, Jan Cholasta wrote: >>>> >>>>> >>>>> Some comments: >>>>> >>>>> Patch 15: >>>>> >>>>> 1) The functions should be as similar as possible: >>>>> >>>>> a) kinit_password() should have a 'ccache_path' argument >>>>> instead of >>>>> passing the path in KRB5CCNAME in the 'env' argument. >>>>> >>>>> b) I don't think kinit_password() should have the 'env' >>>>> argument at >>>>> all. You can always call kinit with LC_ALL=C and set other >>>>> variables in >>>>> os.environ if you want. >>>>> >>>>> c) The arguments should have the same ordering. >>>>> >>>>> d) Either set KRB5CCNAME in both kinit_keytab() and >>>>> kinit_password() or in none of them. >>>>> >>>>> e) Either rename armor_ccache to armor_ccache_path or ccache_path >>>>> to ccache. 
>>>>> >>>> I have done some reordering of parameters in both functions so they are >>>> very similar now and the parameter ordering should make more sense (at >>>> least to me). >>>> >>>> Neither of them sets KRB5CCNAME env. variable since I think that it is >>>> not a very good practice and the developer should be responsible for >>>> pointing to correct CCache path. Jan agrees with this and the other >>>> patches are updated accordingly. >>>>> >>>>> 2) Space before comma in docstring: >>>>> >>>>> + Given a ccache_path , keytab file and a principal kinit as that >>>>> user. >>>>> >>>>> >>>>> 3) I would prefer if the default value of 'armor_ccache' in >>>>> kinit_password() was None. >>>>> >>>> Fixed. >>>>> >>>>> Patch 16: >>>>> >>>>> 1) The callback should not be named 'validate_kinit_attempts_option', >>>>> but rather 'kinit_attempts_callback', as it doesn't just validate the >>>>> value. >>>>> >>>> Fixed. >>>>> >>>>> 2) Why is there the sys.maxint upper bound on --kinit-attempts >>>>> again? A >>>>> comment with explanation would be nice. >>>>> >>>> It actually doesn't make much sense to have such upper bound, so I have >>>> removed it from the check and updated the error message accordingly. >>>>> >>>>> Patch 17: >>>>> >>>>> 1) Is there a reason for the ccache filename changes in DNSSEC code? >>>>> >>>> That was Petr Spacek's request since a sane naming of persistent >>>> Ccaches >>>> makes debugging of Kerberos-related errors a bit easier for him. >>>> >>>> Attaching updated patches. >>>> >>>> >>>> >>> >>> Jan had some further suggestions so I am attaching updated patches which >>> should reflect them. >>> >>> He also recommended to split the naming changes of DNSSEC daemon >>> credential caches to a separate patch, so I will submit them later when >>> this patchset is pushed. >>> >> >> ACK. The patches need to be rebased on top of ipa-4-1 though. >> > > Right, attaching rebased patches. > Thanks. 
Pushed to: master: 3d2feac0e416c66ba37eee53ef5b3833c2c3e414 ipa-4-1: 0ca8254959f3566c322eb7b20c6d6522814d78d1 -- Jan Cholasta From mbasti at redhat.com Mon Apr 20 08:32:09 2015 
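The review of patch 15 above fixes the shape of the two helpers (an explicit ccache_path in both, the same argument order, armor_ccache defaulting to None, and no KRB5CCNAME handling in either), and patch 16 adds the retry loop behind --kinit-attempts with the upper bound dropped. The following is an added example of those helpers, written for this page; it is not FreeIPA's ipautil code and not the attached patches. The function names, the KINIT path and the MIT kinit flags -k/-t/-c/-T are assumptions of the example, and the runner argument lets the test stand in a fake for a real kinit. The reason for leaving KRB5CCNAME alone is a security one: exporting it process-wide redirects every other Kerberos operation in the process and in every child to that cache, so the cache name goes to kinit on its command line instead.

```python
# Added example, not FreeIPA's own ipautil code: kinit wrappers shaped the
# way the review above asks for, with an explicit ccache_path argument, the
# same argument order in both functions and no KRB5CCNAME handling.
# Assumed: MIT krb5 `kinit` at KINIT (the -k/-t, -c and -T flags are MIT's).
import os
import subprocess
import time
from collections import namedtuple

KINIT = "/usr/bin/kinit"  # assumption: path of MIT kinit

# What the wrappers need from a kinit run; _run_kinit fills it from a real
# subprocess, a test can build it by hand.
KinitResult = namedtuple("KinitResult", "returncode stderr")


class KinitError(RuntimeError):
    """kinit failed; the message is kinit's stderr."""


def kinit_environment(base=None):
    """Per-call environment for kinit: LC_ALL=C so error text is stable.

    KRB5CCNAME is neither read nor written here. The cache goes to kinit via
    -c, which takes precedence; exporting KRB5CCNAME process-wide would
    redirect every other Kerberos operation in this process and its
    children to that cache.
    """
    env = dict(os.environ if base is None else base)
    env["LC_ALL"] = "C"
    return env


def kinit_keytab_argv(principal, keytab, ccache_path):
    return [KINIT, "-k", "-t", keytab, "-c", ccache_path, principal]


def kinit_password_argv(principal, ccache_path, armor_ccache=None):
    argv = [KINIT, "-c", ccache_path]
    if armor_ccache is not None:          # FAST armor cache, optional
        argv += ["-T", armor_ccache]
    argv.append(principal)
    return argv


def _run_kinit(argv, env, stdin_data=None):
    proc = subprocess.run(argv, env=env, input=stdin_data, capture_output=True)
    return KinitResult(proc.returncode, proc.stderr)


def kinit_keytab(principal, keytab, ccache_path, attempts=1, delay=1.0,
                 runner=_run_kinit, sleep=time.sleep):
    """Obtain a TGT from a keytab, retrying up to `attempts` times.

    Returns the attempt number that succeeded. Only a lower bound of 1 is
    enforced: the thread found no reason for an upper bound.
    """
    if attempts < 1:
        raise ValueError("attempts must be a positive integer")
    argv = kinit_keytab_argv(principal, keytab, ccache_path)
    env = kinit_environment()
    for attempt in range(1, attempts + 1):
        result = runner(argv, env, None)
        if result.returncode == 0:
            return attempt
        if attempt < attempts:
            sleep(delay)
    raise KinitError(result.stderr.decode("utf-8", "replace").strip())


def kinit_password(principal, password, ccache_path, armor_ccache=None,
                   runner=_run_kinit):
    """Obtain a TGT with a password.

    The password is written to kinit's stdin, never placed in argv, so it
    does not show up in `ps` output or in an audit record of the exec.
    """
    argv = kinit_password_argv(principal, ccache_path, armor_ccache)
    env = kinit_environment()
    result = runner(argv, env, password.encode("utf-8") + b"\n")
    if result.returncode != 0:
        raise KinitError(result.stderr.decode("utf-8", "replace").strip())
    return ccache_path
```

A caller that wants the cache to be used afterwards passes the same ccache_path on to whatever reads it (or to a child's environment it constructs itself) rather than relying on a global that this code deliberately does not set.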
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Apr 2015 10:32:09 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <5530F86C.6000707@redhat.com> References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> Message-ID: <5534B989.3010005@redhat.com> On 17/04/15 14:11, Martin Babinsky wrote: > On 04/17/2015 12:41 PM, Martin Babinsky wrote: >> On 04/17/2015 12:36 PM, Martin Basti wrote: >>> On 17/04/15 12:33, Martin Babinsky wrote: >>>> On 04/17/2015 12:04 PM, Martin Basti wrote: >>>>> On 15/04/15 15:53, Martin Babinsky wrote: >>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote: >>>>>>> On 14/04/15 16:12, Martin Basti wrote: >>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote: >>>>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966 >>>>>>>>> >>>>>>>>> The noise during rollback/uninstall is caused mainly by >>>>>>>>> unsuccessful >>>>>>>>> attempts to remove files that do not exist anymore. These errors >>>>>>>>> are >>>>>>>>> now logged at debug level and do not pop-up to stdout/stderr. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Hello, thank you for the patch. >>>>>>>> >>>>>>>> 1) >>>>>>>> The option add_warning is quite unclear to me. It does not show >>>>>>>> warning but error. I suggest something like, show_hint, >>>>>>>> show_user_action, or something show_additional_..., or >>>>>>>> promt_manual_removal >>>>>>>> >>>>>>>> Martin^2 >>>>>>>> >>>>>>>> >>>>>>> Continue... 
>>>>>>>
>>>>>>> 2)
>>>>>>>
>>>>>>>     if file_exists(preferences_fname):
>>>>>>>         try:
>>>>>>>             os.remove(preferences_fname)
>>>>>>>         except OSError as e:
>>>>>>>             log_file_removal_error(e, preferences_fname, True)
>>>>>>>
>>>>>>> In this case file not found error should never happen.
>>>>>>>
>>>>>>> Could you remove the 'if file_exists' part and handle just exception?
>>>>>>>
>>>>>> I just reverted this bit to original form in order to not fix something that isn't broken. Is that ok?
>>>>>>> 3)
>>>>>>> this is inconsistent with change above, choose one style please:
>>>>>>>
>>>>>>>     if os.path.exists(ca_file):
>>>>>>>         try:
>>>>>>>             os.unlink(ca_file)
>>>>>>>         except OSError, e:
>>>>>>>             root_logger.error(
>>>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>>>
>>>>>>> --
>>>>>>> Martin Basti
>>>>>>>
>>>>>>
>>>>>> Attaching updated patch.
>>>>>>
>>>>> thanks,
>>>>>
>>>>> just one nitpick, can you move the new function into installutils, it can be used in different scripts not just in ipaclient.
>>>>>
>>>>
>>>> I'm not sure if it is a good idea as installutils is a part of the freeipa-server package.
>>>>
>>>> Placing it there would create an unnecessary dependency of freeipa-client on freeipa-server because of a single function.
>>>>
>>> you are right, I do not know why I thought that ipa-client-install uses installutils.
>>>
>>> ACK
>>>
>> self-NACK, I will try to rewrite the patch in a slightly less dumb way.
>>
>> Sorry for the confusion.
>>
>
> Attaching updated patch which does the same but using a wrapper around os.remove().
>
> Jan suggested to keep the new function in 'ipa-client-install' and move it around when we do installer re#$%@^ing.
>
> Is that ok?
>
It looks better, ACK.

--
Martin Basti

From mbabinsk at redhat.com Mon Apr 20 08:58:12 2015
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 20 Apr 2015 10:58:12 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <5534B989.3010005@redhat.com> References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> <5534B989.3010005@redhat.com> Message-ID: <5534BFA4.2080406@redhat.com> On 04/20/2015 10:32 AM, Martin Basti wrote: > On 17/04/15 14:11, Martin Babinsky wrote: >> On 04/17/2015 12:41 PM, Martin Babinsky wrote: >>> On 04/17/2015 12:36 PM, Martin Basti wrote: >>>> On 17/04/15 12:33, Martin Babinsky wrote: >>>>> On 04/17/2015 12:04 PM, Martin Basti wrote: >>>>>> On 15/04/15 15:53, Martin Babinsky wrote: >>>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote: >>>>>>>> On 14/04/15 16:12, Martin Basti wrote: >>>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote: >>>>>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966 >>>>>>>>>> >>>>>>>>>> The noise during rollback/uninstall is caused mainly by >>>>>>>>>> unsuccessful >>>>>>>>>> attempts to remove files that do not exist anymore. These errors >>>>>>>>>> are >>>>>>>>>> now logged at debug level and do not pop-up to stdout/stderr. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> Hello, thank you for the patch. >>>>>>>>> >>>>>>>>> 1) >>>>>>>>> The option add_warning is quite unclear to me. It does not show >>>>>>>>> warning but error. I suggest something like, show_hint, >>>>>>>>> show_user_action, or something show_additional_..., or >>>>>>>>> promt_manual_removal >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>> >>>>>>>>> >>>>>>>> Continue... 
>>>>>>>>
>>>>>>>> 2)
>>>>>>>>
>>>>>>>>     if file_exists(preferences_fname):
>>>>>>>>         try:
>>>>>>>>             os.remove(preferences_fname)
>>>>>>>>         except OSError as e:
>>>>>>>>             log_file_removal_error(e, preferences_fname, True)
>>>>>>>>
>>>>>>>> In this case file not found error should never happen.
>>>>>>>>
>>>>>>>> Could you remove the 'if file_exists' part and handle just exception?
>>>>>>>>
>>>>>>> I just reverted this bit to original form in order to not fix something that isn't broken. Is that ok?
>>>>>>>> 3)
>>>>>>>> this is inconsistent with change above, choose one style please:
>>>>>>>>
>>>>>>>>     if os.path.exists(ca_file):
>>>>>>>>         try:
>>>>>>>>             os.unlink(ca_file)
>>>>>>>>         except OSError, e:
>>>>>>>>             root_logger.error(
>>>>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Basti
>>>>>>>>
>>>>>>>
>>>>>>> Attaching updated patch.
>>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> just one nitpick, can you move the new function into installutils, it can be used in different scripts not just in ipaclient.
>>>>>>
>>>>>
>>>>> I'm not sure if it is a good idea as installutils is a part of the freeipa-server package.
>>>>>
>>>>> Placing it there would create an unnecessary dependency of freeipa-client on freeipa-server because of a single function.
>>>>>
>>>> you are right, I do not know why I thought that ipa-client-install uses installutils.
>>>>
>>>> ACK
>>>>
>>> self-NACK, I will try to rewrite the patch in a slightly less dumb way.
>>>
>>> Sorry for the confusion.
>>>
>>
>> Attaching updated patch which does the same but using a wrapper around os.remove().
>>
>> Jan suggested to keep the new function in 'ipa-client-install' and move it around when we do installer re#$%@^ing.
>>
>> Is that ok?
>>
> It looks better, ACK.
>
Jan NACKed your ACK. Attaching updated patch.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0029.4-suppress-errors-arising-from-deleting-non-existent-f.patch Type: text/x-patch Size: 3392 bytes Desc: not available URL: From pvoborni at redhat.com Mon Apr 20 09:59:33 2015 
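The thread above converges on a wrapper around os.remove() that treats a missing file as the normal case during rollback. As an added example written for this page (not patch 0029, which is attached rather than quoted), here is that wrapper with the caveat a reviewer would add to the quoted `if os.path.exists(ca_file): ... os.unlink(ca_file)` style: the existence check is not merely redundant, it is a time-of-check/time-of-use window, and the removal itself is the only check worth trusting. The option name prompt_manual_removal, the logger name and the scratch-directory scenario in demo() are assumptions of the example.

```python
# Added example, not patch 0029 itself: a remove_file() wrapper of the shape
# the thread settles on. Catching the error instead of testing
# os.path.exists() first matters beyond tidiness: check-then-remove is a race
# (the file can disappear, or be replaced, between the two calls), so the
# removal is the only authoritative check. The option name
# prompt_manual_removal and the logger name are assumptions for this example.
import errno
import logging
import os
import shutil
import tempfile

logger = logging.getLogger("ipa-client-install")   # assumed logger name

REMOVED, MISSING, FAILED = "removed", "missing", "failed"


def remove_file(path, prompt_manual_removal=False):
    """Remove `path` and report what happened instead of raising.

    A file that is already gone (ENOENT) is expected during a rollback and
    is logged at debug level only. Anything else (EACCES, EISDIR, EBUSY,
    ...) is logged as an error, with a hint to remove the file by hand when
    prompt_manual_removal is set, and the uninstall goes on. os.remove()
    unlinks a symlink rather than following it, so a planted link cannot
    make the uninstaller delete a file outside its own set.
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            logger.debug("File '%s' does not exist, nothing to remove", path)
            return MISSING
        logger.error("Failed to remove '%s': %s", path, e)
        if prompt_manual_removal:
            logger.error("Please remove '%s' manually", path)
        return FAILED
    return REMOVED


def remove_files(paths, prompt_manual_removal=False):
    """Uninstall-style sweep: never stops early, reports a status per path."""
    return {path: remove_file(path, prompt_manual_removal) for path in paths}


def demo():
    """Constructed scenario in a scratch directory: a regular file, a
    directory (os.remove refuses it with an error other than ENOENT) and a
    path that never existed. Returns the status of each."""
    root = tempfile.mkdtemp(prefix="ipa-uninstall-demo-")
    regular = os.path.join(root, "ipa.conf")
    directory = os.path.join(root, "ca.d")
    missing = os.path.join(root, "already-gone.pem")
    with open(regular, "w") as f:
        f.write("[global]\n")
    os.mkdir(directory)
    try:
        status = remove_files([regular, directory, missing], prompt_manual_removal=True)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"regular": status[regular], "directory": status[directory],
            "missing": status[missing]}
```

Keeping three distinct outcomes (rather than a bare True/False) lets the caller report at the end of an uninstall exactly which files still need manual attention, which is the information the "add_warning"/"show_hint" option in the thread was trying to surface.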
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 20 Apr 2015 11:59:33 +0200
Subject: [Freeipa-devel] [PATCH] 810 speed up indirect member processing
In-Reply-To: <5534AFF1.9090206@redhat.com>
References: <551A72D4.9080002@redhat.com> <5524E517.9000704@redhat.com> <552668FD.1080101@redhat.com> <5534AFF1.9090206@redhat.com>
Message-ID: <5534CE05.5010304@redhat.com>

On 04/20/2015 09:51 AM, Jan Cholasta wrote:
> On 9.4.2015 at 13:56, Petr Vobornik wrote:
>> On 04/08/2015 10:21 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 31.3.2015 at 12:11, Petr Vobornik wrote:
>>>> the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary.
>>>>
>>>> New implementation reduces the search only to entries which can have entries.
>>>>
>>>> Also page size was removed to avoid paging by small pages (default size: 100) which is very slow for many members.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4947
>>>>
>>>> Useful to test with #809
>>>
>>> 1) To search for entries with members, you should search for entries with the member attribute set ('(member=*)'), not for entries with some arbitrary object class.
>>
>> Replaced, new presence index added
>>
>>>
>>>
>>> 2) I don't like how the search in get_memberindirect is limited to an arbitrary hard-coded subtree. You should go through the object's attribute_members to figure out which subtrees to search.
>>>
>>
>> The subtree search was removed.
>>
>>>
>>> 3) Since memberindirect and memberofindirect are not real attributes, you must define their syntax in ipaldap before you can set them using .raw[], otherwise they will be decoded to wrong type.
>>
>> Added.
>>
>>>
>>> 4) The processing of memberof should be done even when memberofindirect is not requested, otherwise its value will depend on whether memberofindirect was requested or not.
>> >> True, but it's the same behavior as before. Could be changed in other >> patch. > > OK. Should we file a ticket? AFAIK, memberof and memberofindirect are requested always together atm. Do we have a use case for this change? In any case, I've opened a ticket about more finer control of fetching members (as was discussed previously in triage and dev mtgs), it might be part of it. https://fedorahosted.org/freeipa/ticket/4995 >> >>> >>> >>> 5) I would prefer if all membership processing >>> (.convert_attribute_members() and .get_indirect_members()) was done in a >>> single LDAPObject method. >> >> Now, as before, get_indirect_members is called before post callbacks and >> convert_attribute_members after. If it should be combined, it should be >> done separately. > > OK, but at least move get_indirect_members to LDAPObject. > Moved -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0810-2-speed-up-indirect-member-processing.patch Type: text/x-patch Size: 13011 bytes Desc: not available URL: From pviktori at redhat.com Mon Apr 20 10:33:00 2015 
From: pviktori at redhat.com (Petr Viktorin) Date: Mon, 20 Apr 2015 12:33:00 +0200 Subject: [Freeipa-devel] Splitting out ipaldap In-Reply-To: <55349CF5.8030307@redhat.com> References: <552D2660.9030600@redhat.com> <552D30A3.1020209@redhat.com> <552D3729.1090707@redhat.com> <552D3DEE.1070005@redhat.com> <552D4C95.1080706@redhat.com> <552E0599.3040506@redhat.com> <552F624C.5050600@redhat.com> <55349CF5.8030307@redhat.com> Message-ID: <5534D5DC.20102@redhat.com> On 04/20/2015 08:30 AM, Jan Cholasta wrote: > On 16.4.2015 at 09:18, Petr Viktorin wrote: >> On 04/15/2015 08:30 AM, Jan Cholasta wrote: >>> On 14.4.2015 at 19:21, Petr Viktorin wrote: >>>> On 04/14/2015 06:18 PM, Jan Cholasta wrote: >>>>> On 14.4.2015 at 17:50, Petr Viktorin wrote: >>>>>> On 04/14/2015 05:22 PM, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> On 14.4.2015 at 16:38, Petr Viktorin wrote: >>>>>>>> Hello! >>>>>>>> >>>>>>>> As some of you know, I'm looking to help porting FreeIPA to >>>>>>>> Python 3. >>>>>>>> One of the major dependencies holding this back is python-ldap, >>>>>>>> which >>>>>>>> hasn't been ported yet. Some preliminary porting patches by Raphaël >>>>>>>> Barrois [0] are ready and have been sent to the python-ldap list. >>>>>>>> The >>>>>>>> python-ldap upstream has been very quiet about reviewing them so >>>>>>>> far, >>>>>>>> but they're something for me to test against, and maybe improve. >>>>>>>> >>>>>>>> To make the testing easier, I'd like to split out "ipaldap" to a >>>>>>>> stand-alone package, and port it to Python 3 first. >>>>>>>> This split will make it easier to test (since I don't have to port >>>>>>>> all >>>>>>>> of IPA), and being able to use our generic LDAP wrappers in non-IPA >>>>>>>> projects could maybe also invite some community participation. >>>>>>>> Also, >>>>>>>> ipaldap unit tests are somewhat lacking, so I'll help with that.
>>>>>>>> Packaging-wise, I want "ipaldap" to be on the same level as >>>>>>>> "ipapython" >>>>>>>> or "ipaserver"; additionally I want to release it on PyPI [1]. [...] >>>>>>>> - Move ipapython.dn -> ipaldap.dn (keeping ipapython.dn importable >>>>>>>> for >>>>>>>> old scripts/plugins) >>>>>>> >>>>>>> DNs are not strictly LDAP specific, so I would rather move >>>>>>> ipapython.dn >>>>>>> to a new ipautil package. >>>>>> >>>>>> I'd rather not, at least until there's something that needs it (and >>>>>> doesn't also depend on ipaldap). The scope of "ipautil" is far too >>>>>> badly >>>>>> defined for such a package to be useful. >>>>> >>>>> IMO generic stuff should be in a package for generic stuff. I guess it >>>>> should originally have been ipapython, but it's too fused with ipalib >>>>> ATM, hence my proposal to use a new package. >>>> >>>> No. Any vaguely defined collection of generic utilities needed in a >>>> project is really a single-purpose package. Nobody likes pulling in a >>>> bunch of unrelated stuff because of one particular thing they need, and >>>> without a scope the amount of unnecessary stuff grows without bound. >>>> I'd be OK with an "ipadn", if you can manage the overhead of a package. >>> >>> IMO "ipadn" is just too specific. I guess we can use X.500 as scope, >>> since the basic types like DN or OID are defined in X.500, and put it in >>> "ipax500". Does that sound OK? >> >> It might make sense conceptually, but do you have a use case? Some >> software that would want to depend on python-ldap (since that's what DNs >> depend on), but couldn't also bring in ipaldap? > > I would rather get rid of the python-ldap dependency. > > We talked about rewriting DN in C, because long-term we can't keep > working around the performance issues caused by DN being implemented in > Python. Well all the more reason to not create a DN/x.500 library from the current code. 
> IMO we should do that for Python 3 and get rid of the
> python-ldap dependency at the same time.

Removing the dependency, or rather making ipaldap depend on a new C-based DN/x.500 library instead, can be done at any time. I don't think it should hold back porting to Python 3.

>>>>>>>> - Move CIDict to ipaldap.cidict. For Python 3, I'd really like to
>>>>>>>> replace this with something based on collections.MutableMapping, since
>>>>>>>> the semantics of subclassing "dict" aren't very well defined.
>>>>>>>
>>>>>>> I have WIP which does just that.
>>>>>>
>>>>>> Could you send it?
>>>>>
>>>>> Not yet unfortunately, CIDict removal is actually just a side effect of
>>>>> other changes, and it still needs a lot of work before it is sendable.
>>>>
>>>> I was thinking the Python 3 boundary is a good point to switch, since
>>>> stuff will be breaking anyway. I can import the new one under py3, and
>>>> keep the old one for py2.
>>>>
>>>
>>> I'm a bit lost here, what do you mean by "new one" and "old one"?
>>
>> Use the existing (old) CIDict under Python 2, and a new one based on
>> MutableMapping for all Python 3 code.
>
> Wouldn't it be easier to use a custom MutableMapping for both? I can
> code it now if you want, and replace it with my currently WIP stuff later.

I can also code it now. But I want to stay well away from breaking something on Python 2. A comment mentions isinstance(x, dict) being used, and I'd like to deal with cases like that as part of the porting.

--
Petr Viktorin
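The MutableMapping-based CIDict discussed above, next to the "subclass dict" approach whose semantics Petr Viktorin calls poorly defined, as an added example that is neither FreeIPA's own CIDict nor Jan Cholasta's WIP code; class names, helper functions and the sample attribute values are constructed for illustration.

```python
# Added example: a case-insensitive mapping on collections' MutableMapping,
# contrasted with a naive dict subclass. Not FreeIPA's CIDict; class names
# and sample attribute values are constructed for illustration.
try:
    from collections.abc import MutableMapping  # Python 3
except ImportError:  # pragma: no cover - Python 2
    from collections import MutableMapping


class CIDict(MutableMapping):
    """Case-insensitive keys, with the spelling last used for a key preserved.

    Only the five abstract methods are implemented; MutableMapping derives
    get(), update(), setdefault(), pop(), keys(), items(), __contains__()
    and friends from them, so every access path honours the case folding.
    """

    def __init__(self, *args, **kwargs):
        self._data = {}  # lowercased key -> (spelling as given, value)
        self.update(*args, **kwargs)

    def __getitem__(self, key):
        return self._data[key.lower()][1]

    def __setitem__(self, key, value):
        self._data[key.lower()] = (key, value)

    def __delitem__(self, key):
        del self._data[key.lower()]

    def __iter__(self):
        return (spelling for spelling, _ in self._data.values())

    def __len__(self):
        return len(self._data)

    def __repr__(self):
        return '%s(%r)' % (type(self).__name__, dict(self.items()))


class NaiveCIDict(dict):
    """The 'subclass dict' approach: only the two overridden methods fold case."""

    def __getitem__(self, key):
        return dict.__getitem__(self, key.lower())

    def __setitem__(self, key, value):
        dict.__setitem__(self, key.lower(), value)


def ldap_entry_demo():
    """Build a small entry and read attributes back under other spellings."""
    entry = CIDict({'objectClass': ['top', 'person']})
    entry['CN'] = ['Alice']
    entry.setdefault('SN', []).append('Smith')  # setdefault routes via __setitem__
    return {
        'objectclass': entry['OBJECTCLASS'],
        'cn': entry.get('cn'),
        'sn': entry['sn'],
        'keys': sorted(entry),          # spellings as last written
        'has_cn': 'Cn' in entry,        # __contains__ folds case as well
        'size': len(entry),
    }


def naive_pitfalls():
    """Show which dict operations silently bypass the overrides of a dict subclass."""
    naive = NaiveCIDict()
    naive['CN'] = 'Alice'           # stored under 'cn' by __setitem__
    naive.update({'Sn': 'Smith'})   # dict.update ignores __setitem__: stored as 'Sn'
    return {
        'getitem_folds': naive['cn'] == 'Alice',
        'get_bypasses': naive.get('CN') is None,   # dict.get ignores __getitem__
        'update_bypasses': 'sn' not in naive,      # key kept as 'Sn'
    }


def is_dict_instance(mapping):
    """The isinstance(x, dict) check mentioned in the thread."""
    return isinstance(mapping, dict)


def is_mutable_mapping(mapping):
    return isinstance(mapping, MutableMapping)
```

Code that checks `isinstance(x, dict)` stops matching once CIDict is a MutableMapping, which is the porting fallout Petr refers to.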
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 20 Apr 2015 12:59:40 +0200
Subject: [Freeipa-devel] [PATCH 0014] emit more helpful error messages when CA configuration fails
In-Reply-To: <553110F1.2030008@redhat.com>
References: <54F847EF.2080608@redhat.com> <553110F1.2030008@redhat.com>
Message-ID: <5534DC1C.1040903@redhat.com>

On 04/17/2015 03:56 PM, Martin Babinsky wrote:
> On 03/05/2015 01:11 PM, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/4900
>>
>
> Nobody to review this?
>

Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one for master.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-1-mbabinsk-0014.2-point-the-users-to-PKI-related-logs-when-CA-configur.patch
Type: text/x-patch
Size: 3712 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0014.2-point-the-users-to-PKI-related-logs-when-CA-configur.patch
Type: text/x-patch
Size: 4016 bytes
Desc: not available
From: redhatrises at gmail.com (Gabe Alford)
Date: Mon, 20 Apr 2015 06:47:01 -0600
Subject: [Freeipa-devel] [PATCH 001] Remove recommendation from ipa-adtrust-install
In-Reply-To: <20150410133550.GA14560@tscherf.redhat.com>
References: <20150410133550.GA14560@tscherf.redhat.com>

Ack from me.

Thanks,

Gabe

On Fri, Apr 10, 2015 at 7:35 AM, Thorsten Scherf wrote:
>
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Apr 2015 15:14:30 +0200
Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install
In-Reply-To: <5531157F.80106@redhat.com>
References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com>
Message-ID: <5534FBB6.3050001@redhat.com>

On 17/04/15 16:15, Jan Cholasta wrote:
> On 16.4.2015 at 16:46, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch adds the basics of the new installer framework.
>>
>> As a next step, I plan to convert the install scripts to use the
>> framework with their old code (the old code will be gradually ported to
>> the framework later).
>>
>> (Note I didn't manage to write docstrings today, expect update
>> tomorrow.)
>
> Added some docstrings.
>
> Also updated the patch to reflect little brainstorming David and I had
> this morning.
>
>>
>> Honza
>
>

Hello, see comments below:

1) We started using new shorter License header in files:

#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#

2) IMO this will not work, NoneType has no 'obj' attribute

+ else:
+ if isinstance(value, from_):
+ value = None
+ stack.append(value.obj)
+ continue

3) Multiple inheritance. I do not like it much.

+class CompositeInstaller(Installer, CompositeConfigurator):

Installer and CompositeConfigurator inherit from Configurator class, and all of them implement _generator method.

If I understand correctly (https://www.python.org/download/releases/2.3/mro/) the Installer._generator method will be used in this case.

However in case when CompositeConfigurator has more levels (respectively it is more specialized) of inheritance, it could take precedence and its _generator method may be used instead.

I'm afraid this may suddenly stop working.
Maybe I'm wrong, please fix me.

And Multiple inheritance is not easily readable, this is even a diamond inheritance model.

--
Martin Basti
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 16:56:39 +0200
Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install
In-Reply-To: <5534FBB6.3050001@redhat.com>
References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com>
Message-ID: <553513A7.3070704@redhat.com>

On 20.4.2015 at 15:14, Martin Basti wrote:
> On 17/04/15 16:15, Jan Cholasta wrote:
>> On 16.4.2015 at 16:46, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch adds the basics of the new installer framework.
>>>
>>> As a next step, I plan to convert the install scripts to use the
>>> framework with their old code (the old code will be gradually ported to
>>> the framework later).
>>>
>>> (Note I didn't manage to write docstrings today, expect update
>>> tomorrow.)
>>
>> Added some docstrings.
>>
>> Also updated the patch to reflect little brainstorming David and I had
>> this morning.
>>
>>>
>>> Honza
>>
>>
>>
> Hello, see comments below:
>
> 1) We started using new shorter License header in files:
> #
> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
> #

OK.

>
> 2) IMO this will not work, NoneType has no 'obj' attribute
> + else:
> + if isinstance(value, from_):
> + value = None
> + stack.append(value.obj)
> + continue

Right.

>
> 3) Multiple inheritance. I do not like it much.
> +class CompositeInstaller(Installer, CompositeConfigurator):

I guess you are antagonistic to multiple inheritance because of how other languages (like C++) do it. In Python it can be pretty elegant and is basis for e.g. the mixin design pattern.

>
> Installer and CompositeConfigurator inherit from Configurator class,
> and all of them implement _generator method.

Both of them call super()._generator(), so it's no problem (same for other methods).

>
> If I understand correctly
> (https://www.python.org/download/releases/2.3/mro/) the
> Installer._generator method will be used in this case.
> However in case when CompositeConfigurator has more levels (respectively
> it is more specialized) of inheritance, it could take precedence and its
> _generator method may be used instead.

The order of precedence is defined by the order of base classes in the class definition.

>
> I'm afraid this may suddenly stop working.
> Maybe I'm wrong, please fix me.

As long as you call the super class, it will work fine.

>
> And Multiple inheritance is not easily readable, this is even a diamond
> inheritance model.

Cooperative inheritance is used by design and IMHO is easily readable if you know how to read it. Every class defines a single bit of behavior. Without cooperative inheritance, it would have to be hardcoded and/or hacked around, which I wanted to avoid.

This blog post explains it nicely: .

>
> --
> Martin Basti
>

--
Jan Cholasta

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 20 Apr 2015 17:02:38 +0200
Subject: [Freeipa-devel] [PATCH 0030] use separate ccache filename for each IPA DNSSEC daemon
Message-ID: <5535150E.3000702@redhat.com>

The attached patch implements a request by Petr^2 Spacek during the review of my PATCHES 0015-0017, which are prerequisites of the patch and were pushed today.

Petr wanted each DNSSEC daemon (ipa-dnskeysync-replica, ipa-dnskeysyncd, and ipa-ods-exporter) to have its own CCache file to simplify his life during debugging DNSSEC-related issues.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0030-use-separate-ccache-filename-for-each-IPA-DNSSEC-daemon.patch
Type: text/x-patch
Size: 2772 bytes
Desc: not available
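Back to the installer-framework thread (patch 424) above: Jan's point that cooperative super() calls make the base-class order, not the depth of the hierarchy, decide what runs, and Martin's worry about an override that breaks the chain, worked through as an added example. The class names are the ones from the thread; the bodies are constructed stand-ins, not FreeIPA's ipapython.install code.

```python
# Added example for the CompositeInstaller(Installer, CompositeConfigurator)
# discussion: cooperative super() calls through a diamond MRO. The class names
# come from the thread; the bodies are constructed stand-ins, not the code of
# FreeIPA's ipapython.install.


class Configurator(object):
    """Root of the diamond. _generator yields the steps a class contributes."""

    def _generator(self):
        yield 'Configurator.configure'


class Installer(Configurator):
    """Wraps whatever the rest of the MRO yields in install-specific steps."""

    def _generator(self):
        yield 'Installer.pre_install'
        # super() resolves to the next class in the *instance's* MRO, which
        # for CompositeInstaller is CompositeConfigurator, not Configurator.
        for step in super(Installer, self)._generator():
            yield step
        yield 'Installer.post_install'


class CompositeConfigurator(Configurator):
    """Runs its children's steps and then continues along the MRO."""

    def __init__(self, children=()):
        self.children = list(children)

    def _generator(self):
        for child in self.children:
            for step in child._generator():
                yield 'child:' + step
        for step in super(CompositeConfigurator, self)._generator():
            yield step


class CompositeInstaller(Installer, CompositeConfigurator):
    """The diamond from the patch: both bases derive from Configurator."""


class InstallerComposite(CompositeConfigurator, Installer):
    """Same bases, swapped: precedence follows the order in the class statement."""


class NonCooperativeInstaller(Configurator):
    """Overrides _generator without calling super(): the chain stops here."""

    def _generator(self):
        yield 'NonCooperativeInstaller.install'


class NonCooperativeComposite(NonCooperativeInstaller, CompositeConfigurator):
    """Looks like CompositeInstaller, but the children are never visited."""


def mro_names(cls):
    """The C3 linearization as class names, i.e. the order super() walks."""
    return [klass.__name__ for klass in cls.__mro__]


def run_steps(configurator):
    """Drive the cooperative _generator chain and collect the yielded steps."""
    return list(configurator._generator())


if __name__ == '__main__':
    for klass in (CompositeInstaller, InstallerComposite, NonCooperativeComposite):
        print(klass.__name__, mro_names(klass))
        print('  steps:', run_steps(klass(children=[Configurator()])))
```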
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 20 Apr 2015 17:13:14 +0200
Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes
In-Reply-To: <5534B7DA.9040907@redhat.com>
References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> <552FAC93.2060401@redhat.com> <5534B7DA.9040907@redhat.com>
Message-ID: <5535178A.1020305@redhat.com>

On 04/20/2015 10:24 AM, Jan Cholasta wrote:
> On 16.4.2015 at 14:35, Petr Viktorin wrote:
>> On 04/16/2015 09:04 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 10.4.2015 at 15:58, Petr Viktorin wrote:
>>>> The attached patches remove EditableDN, EditableRDN and EditableAVA.
>>>> They depend on Petr Voborník's patch 811 (performance: faster DN
>>>> implementation).
>>>>
>>>>
>>>> Mutable DNs are not very useful. When creating them it is easier to work
>>>> with lists or generators, and needing to change DNs aside from
>>>> operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say
>>>> theoretical.
>>>> Mutable DNs are not hashable, so they can't be used as dict keys.
>>>> Storing them as "keys" in other structures (e.g. in a LDAPEntry) is
>>>> dangerous -- it's hard to reason about outside modifications.
>>>>
>>>> The first patch removes the last use of EditableDN. I could be convinced
>>>> it's not an improvement in elegance/readability, but I believe this is
>>>> the strongest case for EditableDN in IPA, and it doesn't justify keeping
>>>> it.
>>>
>>> LGTM, but patch 688 needs to be rebased.
>>
>> Here you go.
>
> Regarding patch 688, it seems we are always replacing the suffix of the
> DN, so I think we can simplify _dn_replace to:
>
> if not dn.endswith(old):
>     raise ValueError('no replacement made')
> return DN(*dn[:-len(old)]) + new
>

Sure, here are patches with this change.

--
Petr Viktorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0688.3-rename_managed-Remove-use-of-EditableDN.patch
Type: text/x-patch
Size: 4588 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0689.3-Remove-Editable-DN-and-DN-component-classes.patch
Type: text/x-patch
Size: 135634 bytes
Desc: not available
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Apr 2015 17:19:00 +0200
Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes
In-Reply-To: <5535178A.1020305@redhat.com>
References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> <552FAC93.2060401@redhat.com> <5534B7DA.9040907@redhat.com> <5535178A.1020305@redhat.com>
Message-ID: <553518E4.4030202@redhat.com>

On 20.4.2015 at 17:13, Petr Viktorin wrote:
> On 04/20/2015 10:24 AM, Jan Cholasta wrote:
>> On 16.4.2015 at 14:35, Petr Viktorin wrote:
>>> On 04/16/2015 09:04 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 10.4.2015 at 15:58, Petr Viktorin wrote:
>>>>> The attached patches remove EditableDN, EditableRDN and EditableAVA.
>>>>> They depend on Petr Voborník's patch 811 (performance: faster DN
>>>>> implementation).
>>>>>
>>>>>
>>>>> Mutable DNs are not very useful. When creating them it is easier to work
>>>>> with lists or generators, and needing to change DNs aside from
>>>>> operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say
>>>>> theoretical.
>>>>> Mutable DNs are not hashable, so they can't be used as dict keys.
>>>>> Storing them as "keys" in other structures (e.g. in a LDAPEntry) is
>>>>> dangerous -- it's hard to reason about outside modifications.
>>>>>
>>>>> The first patch removes the last use of EditableDN. I could be convinced
>>>>> it's not an improvement in elegance/readability, but I believe this is
>>>>> the strongest case for EditableDN in IPA, and it doesn't justify keeping
>>>>> it.
>>>>
>>>> LGTM, but patch 688 needs to be rebased.
>>>
>>> Here you go.
>>
>> Regarding patch 688, it seems we are always replacing the suffix of the
>> DN, so I think we can simplify _dn_replace to:
>>
>> if not dn.endswith(old):
>>     raise ValueError('no replacement made')
>> return DN(*dn[:-len(old)]) + new
>>
>
> Sure, here are patches with this change.
>

Thanks, but it looks like you forgot to raise the ValueError.

--
Jan Cholasta

From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 20 Apr 2015 17:26:57 +0200
Subject: [Freeipa-devel] [PATCH 0030] use separate ccache filename for each IPA DNSSEC daemon
In-Reply-To: <5535150E.3000702@redhat.com>
References: <5535150E.3000702@redhat.com>
Message-ID: <55351AC1.5080906@redhat.com>

On 20.4.2015 17:02, Martin Babinsky wrote:
> The attached patch implements a request by Petr^2 Spacek during the review of
> my PATCHES 0015-0017, which are prerequisites of the patch and were pushed today.
>
> Petr wanted each DNSSEC daemon (ipa-dnskeysync-replica, ipa-dnskeysyncd, and
> ipa-ods-exporter) to have its own CCache file to simplify his life during
> debugging DNSSEC-related issues.

Obvious ACK. Thank you!

--
Petr^2 Spacek
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 20 Apr 2015 18:00:34 +0200
Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
In-Reply-To: <552B84C5.80300@redhat.com>
References: <552B84C5.80300@redhat.com>
Message-ID: <553522A2.9090007@redhat.com>

On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
> Hi,
>
> in the attachment you find the latest state of the "topology plugin",
> it implements what is defined in the design page:
> http://www.freeipa.org/page/V4/Manage_replication_topology (which is
> also waiting for a reviewer)
>
> It contains the plugin itself and a core of ipa commands to manage a
> topology. to be really applicable, some work outside is required, eg
> the management of the domain level and a decision where the binddn
> group should be maintained.
>
> Thanks,
> Ludwig
>
>

Hello Ludwig,

Quite long review to do. So far I only looked at the startup phase and I have only a few questions and comments.

In ipa_topo_start, do you need to get argc/argv as you are not using plugin-argxx attributes?

topo_plugin_conf configuration parameters are not freed when the plugin is closed. Is it closed only at shutdown?
Also I would initialize it to {NULL}.

In case the config does not contain any nsslapd-topo-plugin-shared-replica-root, I wonder if ipa_topo_apply_shared_config may crash as shared_replica_root will be NULL.
or at least in ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf.

Also if nsslapd-topo-plugin-shared-replica-root contains an invalid root suffix (typo), topoRepl remains NULL and ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash.

In ipa_topo_util_segment_from_entry, if the config entry has no direction/left/right it will crash. Shouldn't it return an error if the config is invalid?

The update of domainLevel may start the plugin. If two mods update the domainLevel they could be done in parallel.

In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no segment it deletes the agreement.
Is it possible there is a segment but no agmnt? For example, if the server were stopped or crashed after the segment was created but before the local config was updated.

Hosts are taken from shared config tree (cn=masters,), is it possible to have a replica agreement to a host that is not under 'cn=masters,'?

thanks
thierry
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 20 Apr 2015 18:16:46 +0200
Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes
In-Reply-To: <553518E4.4030202@redhat.com>
References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> <552FAC93.2060401@redhat.com> <5534B7DA.9040907@redhat.com> <5535178A.1020305@redhat.com> <553518E4.4030202@redhat.com>
Message-ID: <5535266E.9020209@redhat.com>

On 04/20/2015 05:19 PM, Jan Cholasta wrote:
> On 20.4.2015 at 17:13, Petr Viktorin wrote:
>> On 04/20/2015 10:24 AM, Jan Cholasta wrote:
>>> On 16.4.2015 at 14:35, Petr Viktorin wrote:
>>>> On 04/16/2015 09:04 AM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 10.4.2015 at 15:58, Petr Viktorin wrote:
>>>>>> The attached patches remove EditableDN, EditableRDN and EditableAVA.
>>>>>> They depend on Petr Voborník's patch 811 (performance: faster DN
>>>>>> implementation).
>>>>>>
>>>>>>
>>>>>> Mutable DNs are not very useful. When creating them it is easier to work
>>>>>> with lists or generators, and needing to change DNs aside from
>>>>>> operations like `DN(new_rdn, original[1:])` is very rare -- I'd even say
>>>>>> theoretical.
>>>>>> Mutable DNs are not hashable, so they can't be used as dict keys.
>>>>>> Storing them as "keys" in other structures (e.g. in a LDAPEntry) is
>>>>>> dangerous -- it's hard to reason about outside modifications.
>>>>>>
>>>>>> The first patch removes the last use of EditableDN. I could be convinced
>>>>>> it's not an improvement in elegance/readability, but I believe this is
>>>>>> the strongest case for EditableDN in IPA, and it doesn't justify keeping
>>>>>> it.
>>>>>
>>>>> LGTM, but patch 688 needs to be rebased.
>>>>
>>>> Here you go.
>>>
>>> Regarding patch 688, it seems we are always replacing the suffix of the
>>> DN, so I think we can simplify _dn_replace to:
>>>
>>> if not dn.endswith(old):
>>>     raise ValueError('no replacement made')
>>> return DN(*dn[:-len(old)]) + new
>>>
>>
>> Sure, here are patches with this change.
>>
>
> Thanks, but it looks like you forgot to raise the ValueError.
>

Ah, sorry for that. Fixed.

--
Petr Viktorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0688.4-rename_managed-Remove-use-of-EditableDN.patch
Type: text/x-patch
Size: 4641 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0689.4-Remove-Editable-DN-and-DN-component-classes.patch
Type: text/x-patch
Size: 135634 bytes
Desc: not available
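The two _dn_replace variants from this exchange side by side, as an added example that is not the code of patch 688: the DN class below is a constructed stand-in for ipapython.dn.DN with only the behaviour the snippet relies on, and the empty-suffix guard is an addition of this example rather than something the thread discusses. The point it makes is that a bare `ValueError(...)` expression is evaluated and thrown away, so the 688.3 version silently cut `len(old)` RDNs off DNs that did not end in `old` at all.

```python
# Added example for the _dn_replace discussion in patches 688.3/688.4. The DN
# class is a constructed stand-in with just the behaviour the snippet relies on
# (RDN sequence, slicing, endswith, + concatenation); it is not ipapython.dn.DN.


class DN(object):
    """Immutable sequence of RDN strings, most specific first, e.g.
    DN('cn=ipa', 'cn=etc', 'dc=example', 'dc=com')."""

    def __init__(self, *rdns):
        parts = []
        for rdn in rdns:
            parts.extend(rdn.rdns if isinstance(rdn, DN) else [rdn])
        self.rdns = tuple(parts)

    def __len__(self):
        return len(self.rdns)

    def __iter__(self):
        return iter(self.rdns)

    def __getitem__(self, index):
        if isinstance(index, slice):
            return DN(*self.rdns[index])
        return self.rdns[index]

    def __add__(self, other):
        return DN(self, other)

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __ne__(self, other):
        return not self == other

    def __hash__(self):  # immutable, so usable as a dict key (the thread's point)
        return hash(self.rdns)

    def endswith(self, suffix):
        tail = self.rdns[len(self) - len(suffix):] if len(suffix) <= len(self) else None
        return tail == suffix.rdns

    def __str__(self):
        return ','.join(self.rdns)

    def __repr__(self):
        return 'DN(%s)' % ', '.join(repr(rdn) for rdn in self.rdns)


def dn_replace_forgotten_raise(dn, old, new):
    """What patch 688.3 effectively did: the ValueError is created, then discarded."""
    if not dn.endswith(old):
        ValueError('no replacement made')  # a bare expression; nothing is raised
    return DN(*dn[:-len(old)]) + new       # so len(old) RDNs are cut off regardless


def dn_replace(dn, old, new):
    """Jan's suggested form with the raise in place, plus an empty-suffix guard
    added by this example: dn[:-0] is dn[:0], which would wipe the whole DN."""
    if not old:
        raise ValueError('old suffix must not be empty')
    if not dn.endswith(old):
        raise ValueError('no replacement made')
    return DN(*dn[:-len(old)]) + new


def try_replace(func, dn, old, new):
    """Run a replace function and report ('ok', dn) or ('error', message)."""
    try:
        return ('ok', func(dn, old, new))
    except ValueError as exc:
        return ('error', str(exc))
```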
From: dkupka at redhat.com (David Kupka)
Date: Mon, 20 Apr 2015 20:08:06 +0200
Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
In-Reply-To: <552FD1D1.2030206@redhat.com>
References: <552E7527.9020306@redhat.com> <552FD1D1.2030206@redhat.com>
Message-ID: <55354086.1050303@redhat.com>

On 04/16/2015 05:14 PM, Martin Basti wrote:
> On 15/04/15 16:26, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4904
>>
>> Patches attached.
>>
>> Also ipa-upgradeconfig part is called as a subprocess. This will be
>> removed after installer modifications.
>>
>> This patch may cause temporal upgrade issues (corner cases), until
>> installer part will be finished.
>>
>> If somebody will be hit by them, please use --skip-version-check for
>> ipactl and ipa-server-upgrade.
>>
>>
>>
> Updated patches attached.
>
> --
> Martin Basti

Hi,
thanks for the patches. Could you please split them correctly? I mean patch 227 and 228. In patch 227 you add whole file ipa_server_upgrade.py and in patch 228 add forgotten import and change option description slightly.

Otherwise it works for me.

--
David Kupka
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Apr 2015 08:12:41 +0200
Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
In-Reply-To: <552E7527.9020306@redhat.com>
References: <552E7527.9020306@redhat.com>
Message-ID: <5535EA59.3060408@redhat.com>

Hi,

On 15.4.2015 at 16:26, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4904
>
> Patches attached.
>
> Also ipa-upgradeconfig part is called as a subprocess. This will be
> removed after installer modifications.
>
> This patch may cause temporal upgrade issues (corner cases), until
> installer part will be finished.
>
> If somebody will be hit by them, please use --skip-version-check for
> ipactl and ipa-server-upgrade.

Regarding that option vs. --force: I think the common assumption is that --force ignores *all* non-fatal errors, but you break that assumption in ipactl. IMO --force should both ignore errors in service startup *and* skip version check, and a new option should be added to just ignore errors in service startup (e.g. --ignore-service-failures).

ipa-server-upgrade should probably also have --force, even if it does the same thing as --skip-version-check, again because --force is common.

This is a weird API:

+ if data_upgrade.badsyntax:
+ raise admintool.ScriptError(
+ 'Bad syntax detected in upgrade file(s).', 1)
+ elif data_upgrade.upgradefailed:
+ raise admintool.ScriptError('IPA upgrade failed.', 1)
+ elif data_upgrade.modified:
+ self.log.info('Data update complete')
+ else:
+ self.log.info('Data update complete, no data were modified')

Why does not IPAUpgrade raise errors instead?

+class IPAVersionError(Exception):
+ pass
+
+class PlatformMismatchError(IPAVersionError):
+ pass
+
+class DataUpgradeRequiredError(IPAVersionError):
+ pass
+
+class DataInNewerVersionError(IPAVersionError):
+ pass

I don't like the "IPA" in "IPAVersionError", it does not tell you much about what kind of version that is. Also data version errors should only tell you what is wrong, not how you fix it. IMO better names for these would be e.g. "UpgradeVersionError", "UpgradePlatformError", "UpgradeDataOlderVersionError", "UpgradeDataNewerVersionError". Similar for store_ipa_version and check_ipa_version.

Why is it not an error if there is no version in check_ipa_version? IMO it should, even if you then ignore the exception most of the time.

Honza

--
Jan Cholasta
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Apr 2015 10:31:16 +0200
Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
In-Reply-To: <5535EA59.3060408@redhat.com>
References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com>
Message-ID: <55360AD4.1020703@redhat.com>

On 21/04/15 08:12, Jan Cholasta wrote:
> Hi,
>
> On 15.4.2015 at 16:26, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4904
>>
>> Patches attached.
>>
>> Also ipa-upgradeconfig part is called as a subprocess. This will be
>> removed after installer modifications.
>>
>> This patch may cause temporal upgrade issues (corner cases), until
>> installer part will be finished.
>>
>> If somebody will be hit by them, please use --skip-version-check for
>> ipactl and ipa-server-upgrade.
>
> Regarding that option vs. --force: I think the common assumption is
> that --force ignores *all* non-fatal errors, but you break that
> assumption in ipactl. IMO --force should both ignore errors in service
> startup *and* skip version check, and a new option should be added to
> just ignore errors in service startup (e.g. --ignore-service-failures).

Originally I used --force option to skip detection, but there were objections against it on list. However, to have option --force, which sets true for both --ignore-service-failures and --skip-version-check options, might be better.

>
> ipa-server-upgrade should probably also have --force, even if it does
> the same thing as --skip-version-check, again because --force is common.
>
>
> This is a weird API:
>
> + if data_upgrade.badsyntax:
> + raise admintool.ScriptError(
> + 'Bad syntax detected in upgrade file(s).', 1)
> + elif data_upgrade.upgradefailed:
> + raise admintool.ScriptError('IPA upgrade failed.', 1)
> + elif data_upgrade.modified:
> + self.log.info('Data update complete')
> + else:
> + self.log.info('Data update complete, no data were modified')
>
> Why does not IPAUpgrade raise errors instead?
>

For historical reasons. I can investigate what would break with this change, I will send it in a separate patch.

>
> +class IPAVersionError(Exception):
> + pass
> +
> +class PlatformMismatchError(IPAVersionError):
> + pass
> +
> +class DataUpgradeRequiredError(IPAVersionError):
> + pass
> +
> +class DataInNewerVersionError(IPAVersionError):
> + pass
>
> I don't like the "IPA" in "IPAVersionError", it does not tell you much
> about what kind of version that is. Also data version errors should
> only tell you what is wrong, not how you fix it. IMO better names for
> these would be e.g. "UpgradeVersionError", "UpgradePlatformError",
> "UpgradeDataOlderVersionError", "UpgradeDataNewerVersionError".
> Similar for store_ipa_version and check_ipa_version.
>

Ok.

>
> Why is it not an error if there is no version in check_ipa_version?
> IMO it should, even if you then ignore the exception most of the time.

I can raise an error in that case and ignore the exception.

>
>
> Honza
>

Martin^2

--
Martin Basti
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 21 Apr 2015 10:49:20 +0200
Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
In-Reply-To: <553522A2.9090007@redhat.com>
References: <552B84C5.80300@redhat.com> <553522A2.9090007@redhat.com>
Message-ID: <55360F10.7010804@redhat.com>

On 04/20/2015 06:00 PM, thierry bordaz wrote:
> On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
>> Hi,
>>
>> in the attachment you find the latest state of the "topology plugin",
>> it implements what is defined in the design page:
>> http://www.freeipa.org/page/V4/Manage_replication_topology (which is
>> also waiting for a reviewer)
>>
>> It contains the plugin itself and a core of ipa commands to manage a
>> topology. to be really applicable, some work outside is required, eg
>> the management of the domain level and a decision where the binddn
>> group should be maintained.
>>
>> Thanks,
>> Ludwig
>>
>>
> Hello Ludwig,
>
> Quite long review to do. So far I only looked at the startup phase and
> I have only a few questions and comments.

Thanks for your time, and I'm looking forward to your review of the other parts, you raise some valid points. I'll try to answer some of them inline, but will integrate some into a next version of the patch

>
> In ipa_topo_start, do you need to get argc/argv as you are not using
> plugin-argxx attributes?

no. It was a leftover from a "standard" plugin

>
>
> topo_plugin_conf configuration parameters are not freed when the
> plugin is closed. Is it closed only at shutdown?
> Also I would initialize it to {NULL}.

So far it is not planned to be dynamic, but I will address the memory management

>
> In case the config does not contain any
> nsslapd-topo-plugin-shared-replica-root, I wonder if
> ipa_topo_apply_shared_config may crash as shared_replica_root will be
> NULL.
> or at least in
> ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf.
>
> Also if nsslapd-topo-plugin-shared-replica-root contains an invalid
> root suffix (typo), topoRepl remains NULL and
> ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash.

for the two comments above, I was assuming that plugin conf and shared tree would be setup by ipa tools and server setup, so assuming only valid data, but you are right, checking for bad data doesn't hurt.

>
> In ipa_topo_util_segment_from_entry, if the config entry has no
> direction/left/right it will crash. Shouldn't it return an error if
> the config is invalid?

adding a segment should be done with the ipa command 'ipa topologysegment-add ...' and this always provides a direction (param or default). If you try to add a segment directly, direction is a required attribute of the segment objectclass, so it should be rejected.

>
> The update of domainLevel may start the plugin. If two mods update the
> domainLevel they could be done in parallel.

yes :-(

>
>
> In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no
> segment it deletes the agreement.
> Is it possible there is a segment but no agmnt? For example, if the
> server were stopped or crashed after the segment was created but
> before the local config was updated.

then it should be created from the segment

>
>
> Hosts are taken from shared config tree (cn=masters,), is it
> possible to have a replica agreement to a host that is not under
> 'cn=masters,'?

yes, it will be ignored by the plugin

>
>
> thanks
> thierry
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Apr 2015 12:53:55 +0200
Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
In-Reply-To: <552B84C5.80300@redhat.com>
References: <552B84C5.80300@redhat.com>
Message-ID: <55362C43.4020406@redhat.com>

On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
> Hi,
>
> in the attachment you find the latest state of the "topology plugin", it
> implements what is defined in the design page:
> http://www.freeipa.org/page/V4/Manage_replication_topology (which is
> also waiting for a reviewer)
>
> It contains the plugin itself and a core of ipa commands to manage a
> topology. to be really applicable, some work outside is required, eg the
> management of the domain level and a decision where the binddn group
> should be maintained.
>
> Thanks,
> Ludwig
>
>

I've looked at the python part, mostly because I want to start with POC of Web UI for topology.

topology.py is clearly still a work in progress. I've reflected following comments into a patch to speed things up.

What's in the patch:
1. git am complains about trailing whitespaces
2. pep8 check produces quite a lot of issues. New code should be almost without any (`E501 line too long` is not a hard rule)
   `git diff HEAD~1 -U0 | pep8 --diff`
3. some typos
4. A lot of unused imports
5. Option name --sname for 'Segment identifier' is not very friendly. I don't see any examples of command options in the design notes.
6. NO_UPG_MAGIC - leftover from other plugin?
7. suffix object has labels from segment
8. IPA framework has a support for nested object. Key is setting `parent_object = 'topologysuffix'` in topologysegment object.
9. repl_agmt_attrs could be in topologysegment takes_params.
10. missing various CRUD commands like topologysuffix-find and topologysuffix-show commands.

What's missing, not fixed:
1. last 2 lines of VERSION file are not updated
2. Mixed terminology. Somewhere is used suffix and somewhere replication area or just area.
3. Validation
   - suffix should check for dn
   - existence of both ends of a segment
4. print of segments in suffix-show needs to be improved or removed

To discuss:
a) Do params in topologysegment have to have a maxlength set?
b) Terminology has to be united. Segments are nested in suffix but sometimes are called areas and suffix is 'the suffix'. User might be confused. E.g. shouldn't the object be named a topologyarea instead of topologysuffix?
c) I've added all missing CRUD commands. Are there any which we don't want there, or want to restrict them. E.g. I can imagine that deleting a suffix should be prevented if it contains any segments (or it has to be forced (--force option))
d) Do we want to print segments in suffix-show?
e) Mainly for Honza: I've added --show-segments option to suffix-show which defaults to True. I don't like the behavior of CLI, which asks to confirm the value all the time. My intention was to have it there by default, but also allow to disable it by --show-segments=False. I don't want to add it as Flag (--hide-segments) since it restricts versatility. I would like to see an optional flag which would be filled by default value if not explicitly defined and CLI would not ask for the option value.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0741-topology-plugin-improvements.patch
Type: text/x-patch
Size: 18247 bytes
Desc: not available
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Apr 2015 13:08:54 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <1429271886.3164.5.camel@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com> <55267065.4090900@redhat.com> <55267A8F.3030203@redhat.com> <552F60E2.9050902@redhat.com> <1429271886.3164.5.camel@redhat.com> Message-ID: <55362FC6.6050304@redhat.com> Dne 17.4.2015 v 13:58 Nathaniel McCallum napsal(a): > On Thu, 2015-04-16 at 09:12 +0200, Jan Cholasta wrote: >> Dne 9.4.2015 v 15:11 Luc de Louw napsal(a): >>> >>> On 04/09/2015 02:28 PM, Jan Cholasta wrote: >>>>>>> Let's say you now introduce --no-cr flag. What if we >>>>>>> decide to change >>>>>>> the default to False? How would you then change the >>>>>>> option/API? >>>>>> >>>>>> You would have to add --cr flag. >>>>> >>>>> That was the point - some clients would send "ct" flag, some >>>>> "no_cr" >>>>> and there >>>>> would have to be special handling. >>>>> >>>>>>> It is more flexible IMO to just use something like >>>>>>> >>>>>>> --cr=TRUE|FALSE with TRUE being the default >>>>>> >>>>>> I would say --append-cr=TRUE|FALSE with no default, meaning >>>>>> do not >>>>>> add the flag >>>>>> to the config at all. >>>>> >>>>> I thought the idea was to append the CR by default, i.e. >>>>> --append-cr=TRUE|FALSE >>>>> with TRUE being the default. >>>>> >>>> >>>> If you want to hardcode the default into the plugin, there is no >>>> benefit >>>> in using Bool over Flag, because Flag is actually a Bool with >>>> hardcoded >>>> default value. >>>> >>> >>> I actually started with a bool, default=True. 
I had the problem >>> that the >>> default value was ignored, the value was None. >>> >>> Changing the default behavior is IMHO bad anyway; it does not matter >>> if Bool >>> or Flag. >> >> +1 >> >>> >>> Please advise what it is you wish to be implemented :-) >> >> That depends. Is there a difference between "do not set APPEND_CR >> ticket >> flag" and "set APPEND_CR ticket flag to false"? > > For YubiKey hardware the flag is either present (true) or absent > (false). This flag controls whether or not the carriage return is sent > (present) or not (absent). The param should be a Flag then. -- Jan Cholasta From pvoborni at redhat.com Tue Apr 21 11:09:16 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Apr 2015 13:09:16 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree In-Reply-To: <55362C43.4020406@redhat.com> References: <552B84C5.80300@redhat.com> <55362C43.4020406@redhat.com> Message-ID: <55362FDC.7090104@redhat.com> On 04/21/2015 12:53 PM, Petr Vobornik wrote: > On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: >> Hi, >> >> in the attachment you find the latest state of the "topology plugin", it >> implements what is defined in the design page: >> http://www.freeipa.org/page/V4/Manage_replication_topology (which is >> also waiting for a reviewer) >> >> It contains the plugin itself and a core of ipa commands to manage a >> topology. to be really applicable, some work outside is required, eg the >> management of the domain level and a decision where the binddn group >> should be maintained. >> >> Thanks, >> Ludwig >> >> > > I've looked at the python part, mostly because I want to start with POC > of Web UI for topology. > > topology.py is clearly still a work in progress. I've reflected the > following comments into a patch to speed things up. > > What's in the patch: > > 1. git am complains about trailing whitespaces > > 2. pep8 check produces quite a lot of issues. New code should be almost > without any (`E501 line too long` is not a hard rule) > `git diff HEAD~1 -U0 | pep8 --diff` > > 3. some typos > > 4. A lot of unused imports > > 5. Option name --sname for 'Segment identifier' is not very friendly. I > don't see any examples of command options in the design notes. > > 6. NO_UPG_MAGIC - leftover from other plugin? > > 7. suffix object has labels from segment > > 8. IPA framework has a support for nested object. Key is setting > `parent_object = 'topologysuffix'` in topologysegment object. > > 9. repl_agmt_attrs could be in topologysegment takes_params. > > 10. missing various CRUD commands like topologysuffix-find and > topologysuffix-show commands. 
> > What's missing, not fixed: > 1. last 2 lines of VERSION file are not updated > > 2. Mixed terminology. In some places suffix is used and in others replication > area or just area. > > 3. Validation > - suffix should check for dn > - existence of both ends of a segment > > 4. print of segments in suffix-show needs to be improved or removed > > To discuss: > a) Do params in topologysegment have to have a maxlength set? > > b) Terminology has to be united. Segments are nested in suffix but > sometimes are called areas and suffix is 'the suffix'. User might be > confused. E.g. shouldn't the object be named a topologyarea instead of > topologysuffix? > > c) I've added all missing CRUD commands. Are there any which we don't > want there, or want to restrict them. E.g. I can imagine that deleting a > suffix should be prevented if it contains any segments (or it has to be > forced (--force option)) > > d) Do we want to print segments in suffix-show? > > e) Mainly for Honza: I've added --show-segments option to suffix-show > which defaults to True. I don't like the behavior of CLI, which asks to > confirm the value all the time. My intention was to have it there by > default, but also allow to disable it by --show-segments=False. I don't > want to add it as Flag (--hide-segments) since it restricts versatility. > I would like to see an optional flag which would be filled by default > value if not explicitly defined and CLI would not ask for the option value. > > Also it would be better to split the work into more patches. E.g. DS plugin, installation, python plugin. So the DS plugin review could be separated from the python part. -- Petr Vobornik From ldelouw at redhat.com Tue Apr 21 11:12:18 2015
From: ldelouw at redhat.com (Luc de Louw) Date: Tue, 21 Apr 2015 13:12:18 +0200 Subject: [Freeipa-devel] [PATCH] otptoken_yubikey, append CR by default and add a option for not doing so In-Reply-To: <55362FC6.6050304@redhat.com> References: <5524FB72.6060005@redhat.com> <1428504907.2750.3.camel@redhat.com> <552543AE.4090900@redhat.com> <5525454E.30101@redhat.com> <552545DC.2000104@redhat.com> <55254D68.1020904@redhat.com> <55254F09.7040202@redhat.com> <1428508991.2750.12.camel@redhat.com> <55259523.9080900@redhat.com> <552654AB.4070408@redhat.com> <552657B2.8090706@redhat.com> <55267065.4090900@redhat.com> <55267A8F.3030203@redhat.com> <552F60E2.9050902@redhat.com> <1429271886.3164.5.camel@redhat.com> <55362FC6.6050304@redhat.com> Message-ID: <55363092.2010103@redhat.com> On 04/21/2015 01:08 PM, Jan Cholasta wrote: > The param should be a Flag then. Okay, will work on that on the week end then. Thanks, Luc > -- Luc de Louw Senior Linux Consultant Red Hat GmbH Am Treptower Park 75, 2nd floor D-12435 Berlin Email: ldelouw at redhat.com Cell Germany: +49 162 413 29 64 Red Hat GmbH, http://www.de.redhat.com/ Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Charles Peters From pvoborni at redhat.com Tue Apr 21 14:09:15 2015 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Apr 2015 16:09:15 +0200 Subject: [Freeipa-devel] [PATCH] 822 webui: topology plugin Message-ID: <55365A0B.1030305@redhat.com> First iteration of Topology plugin Web UI. It reflects current state of topology plugin python part which is implemented in "[PATCH] manage replication topology in the shared tree" and my wip patch. I expect that the server API part will change a bit therefore this will as well. Graphical visualization/management (ticket 4286) will be implemented in separate patch. https://fedorahosted.org/freeipa/ticket/4997 http://www.freeipa.org/page/V4/Manage_replication_topology -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0822-webui-topology-plugin.patch Type: text/x-patch Size: 7910 bytes Desc: not available URL: From pvoborni at redhat.com Tue Apr 21 15:25:19 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Apr 2015 17:25:19 +0200 Subject: [Freeipa-devel] [PATCH 001] Remove recommendation from ipa-adtrust-install In-Reply-To: References: <20150410133550.GA14560@tscherf.redhat.com> Message-ID: <55366BDF.6060309@redhat.com> On 04/20/2015 02:47 PM, Gabe Alford wrote: > Ack from me. > > Thanks, > > Gabe> Pushed to: master: 22d3a93bbcf86a610c772added9103ffc188964e ipa-4-1: f838e80a7f665ed8084b5cb51eabab7afb811dcc -- Petr Vobornik From pspacek at redhat.com Wed Apr 22 07:05:14 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 22 Apr 2015 09:05:14 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message Message-ID: <5537482A.7030201@redhat.com> Hello, looking at freeipa-users list, following kind of conversation is quite common: user: 'IPA reports an internal error, what should I do?' dev: 'see HTTPd error log on the IPA server' user: 'what server?' dev: 'enable debugging on client and see which server was contacted' Can we make InternalError more useful and eliminate this kind of ping-pong? Looking at sources: $ git grep 'class .*InternalError' ipalib/errors.py:class InternalError(PublicError): ipalib/errors.py:class ServerInternalError(PublicError): $ git grep ServerInternalError ipalib/errors.py:class ServerInternalError(PublicError): ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') ipalib/errors.py: ServerInternalError: an internal error has occurred on server at 'https://localhost' Apparently somebody was thinking about it in the past but ServerInternalError is not used anywhere. How hard would it be to translate InternalError on client side to ServerInternalError with appropriate server name? Can we extend InternalError with text like this? 'See httpd error log on server %s for more details.' Does it make sense? Should I open a ticket about this? -- Petr^2 Spacek From jcholast at redhat.com Wed Apr 22 07:59:18 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 22 Apr 2015 09:59:18 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <5537482A.7030201@redhat.com> References: <5537482A.7030201@redhat.com> Message-ID: <553754D6.6050006@redhat.com> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): > Hello, > > looking at freeipa-users list, following kind of conversation is quite common: > > user: 'IPA reports an internal error, what should I do?' > dev: 'see HTTPd error log on the IPA server' > user: 'what server?' > dev: 'enable debugging on client and see which server was contacted' > > > Can we make InternalError more useful and eliminate this kind of ping-pong? > > Looking at sources: > $ git grep 'class .*InternalError' > ipalib/errors.py:class InternalError(PublicError): > ipalib/errors.py:class ServerInternalError(PublicError): > > $ git grep ServerInternalError > ipalib/errors.py:class ServerInternalError(PublicError): > ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') > ipalib/errors.py: ServerInternalError: an internal error has occurred on > server at 'https://localhost' > > Apparently somebody was thinking about it in the past but ServerInternalError > is not used anywhere. > > How hard would it be to translate InternalError on client side to > ServerInternalError with appropriate server name? > > Can we extend InternalError with text like this? > 'See httpd error log on server %s for more details.' > > Does it make sense? Should I open a ticket about this? > It's a good idea. On a related note, I would also like the server to send tracebacks to the client if debugging is enabled on the server. -- Jan Cholasta From pspacek at redhat.com Wed Apr 22 08:12:51 2015 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 22 Apr 2015 10:12:51 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <553754D6.6050006@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> Message-ID: <55375803.8040702@redhat.com> On 22.4.2015 09:59, Jan Cholasta wrote: > Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >> Hello, >> >> looking at freeipa-users list, following kind of conversation is quite common: >> >> user: 'IPA reports an internal error, what should I do?' >> dev: 'see HTTPd error log on the IPA server' >> user: 'what server?' >> dev: 'enable debugging on client and see which server was contacted' >> >> >> Can we make InternalError more useful and eliminate this kind of ping-pong? >> >> Looking at sources: >> $ git grep 'class .*InternalError' >> ipalib/errors.py:class InternalError(PublicError): >> ipalib/errors.py:class ServerInternalError(PublicError): >> >> $ git grep ServerInternalError >> ipalib/errors.py:class ServerInternalError(PublicError): >> ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') >> ipalib/errors.py: ServerInternalError: an internal error has occurred on >> server at 'https://localhost' >> >> Apparently somebody was thinking about it in the past but ServerInternalError >> is not used anywhere. >> >> How hard would it be to translate InternalError on client side to >> ServerInternalError with appropriate server name? >> >> Can we extend InternalError with text like this? >> 'See httpd error log on server %s for more details.' >> >> Does it make sense? Should I open a ticket about this? >> > > It's a good idea. > > On a related note, I would also like the server to send tracebacks to the > client if debugging is enabled on the server. https://fedorahosted.org/freeipa/ticket/4998 -- Petr^2 Spacek From lryznaro at redhat.com Wed Apr 22 09:01:02 2015 
From: lryznaro at redhat.com (Lenka Ryznarova) Date: Wed, 22 Apr 2015 11:01:02 +0200 Subject: [Freeipa-devel] New QA related Trac fields Message-ID: <1429693262.3301.8.camel@dhcp130-146.brq.redhat.com> Recently, new fields have been added to Trac related to QA. A description of the fields follows:
Test case - link to a test plan/case in case it is already created
Test by - QA contact responsible for the issue
Test coverage - status of the test plan/case:
- yes = the test is already done, "Test case" and "Test by" fields should be filled
- no = the test is deemed unnecessary or unreasonably laborious
- wanted = the test is deemed necessary but it's not done yet. In case the "Test by" field is filled, someone's already working on it.
- empty = the issue needs review
The fields were also already documented on the freeipa wiki [1] and the ticket field description page of Trac [2]. Lenka [1] http://www.freeipa.org/page/Contribute/Tests#Find_something_to_start_with [2] https://fedorahosted.org/freeipa/wiki/TicketFields From simo at redhat.com Wed Apr 22 13:32:22 2015
From: simo at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2015 09:32:22 -0400 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <553754D6.6050006@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> Message-ID: <1429709542.22399.124.camel@willson.usersys.redhat.com> On Wed, 2015-04-22 at 09:59 +0200, Jan Cholasta wrote: > Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): > > Hello, > > > > looking at freeipa-users list, following kind of conversation is quite common: > > > > user: 'IPA reports an internal error, what should I do?' > > dev: 'see HTTPd error log on the IPA server' > > user: 'what server?' > > dev: 'enable debugging on client and see which server was contacted' > > > > > > Can we make InternalError more useful and eliminate this kind of ping-pong? > > > > Looking at sources: > > $ git grep 'class .*InternalError' > > ipalib/errors.py:class InternalError(PublicError): > > ipalib/errors.py:class ServerInternalError(PublicError): > > > > $ git grep ServerInternalError > > ipalib/errors.py:class ServerInternalError(PublicError): > > ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') > > ipalib/errors.py: ServerInternalError: an internal error has occurred on > > server at 'https://localhost' > > > > Apparently somebody was thinking about it in the past but ServerInternalError > > is not used anywhere. > > > > How hard would it be to translate InternalError on client side to > > ServerInternalError with appropriate server name? > > > > Can we extend InternalError with text like this? > > 'See httpd error log on server %s for more details.' > > > > Does it make sense? Should I open a ticket about this? > > > > It's a good idea. > > On a related note, I would also like the server to send tracebacks to > the client if debugging is enabled on the server. I am not too hot on this idea, unless there is a specific switch to allow sending tracebacks (default to off). Simo. 
-- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Apr 22 14:08:28 2015 
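A sketch of the translation proposed in this thread: the server keeps returning its opaque InternalError, the client (which alone knows which server it contacted) re-raises it as ServerInternalError with the server name and the "see httpd error log" hint, and a traceback crosses the wire only behind an explicit, default-off server switch, as Simo asks for. This is an added example, not FreeIPA's own code: the exception classes are minimal stand-ins modelled on ipalib.errors, and the in-process "RPC transport", the server URL and the `send_tracebacks` switch are assumptions made for the example.

```python
"""Added example, not FreeIPA's own code: turn the server's opaque
InternalError into a client-side ServerInternalError that names the
server the client actually talked to and says which log to read.
The exception classes are minimal stand-ins modelled on ipalib.errors;
the in-process "RPC transport", the server URL and the send_tracebacks
switch are assumptions made for this example."""
import traceback


class PublicError(Exception):
    """Stand-in for ipalib.errors.PublicError: message is `format` % kwargs."""
    format = "unknown error"

    def __init__(self, **kw):
        self.kw = kw
        super().__init__(self.format % kw)


class InternalError(PublicError):
    """What the server returns today: no server name, no hint."""
    format = "an internal error has occurred"


class NotFound(PublicError):
    """An ordinary, expected error; it must pass through unchanged."""
    format = "%(reason)s: not found"


class ServerInternalError(PublicError):
    """Client-side replacement: names the server and the log to look at."""
    format = ("an internal error has occurred on server at '%(server)s'. "
              "See httpd error log on server %(server)s for more details.")


# --- server side ----------------------------------------------------------

def server_handle(handler, send_tracebacks=False):
    """Run a command handler and build the RPC response.

    Any unexpected exception becomes InternalError.  The traceback is
    attached to the response only when the administrator explicitly set
    send_tracebacks (default off): it always goes to the server log, which
    the admin can read, but is not handed to arbitrary clients."""
    try:
        return {"result": handler()}
    except PublicError as err:
        return {"error": err}
    except Exception:  # deliberately broad: this is the last-resort handler
        err = InternalError()
        if send_tracebacks:
            err.kw["traceback"] = traceback.format_exc()
        return {"error": err}


# --- client side ----------------------------------------------------------

def client_call(server, handler, send_tracebacks=False):
    """Send a request to `server` (here: call server_handle in-process)
    and translate InternalError into ServerInternalError.

    Only the client knows which server it contacted, so the server name
    can be put into the message only on this side."""
    response = server_handle(handler, send_tracebacks)
    if "error" not in response:
        return response["result"]
    err = response["error"]
    if isinstance(err, InternalError):
        new = ServerInternalError(server=server)
        new.kw["traceback"] = err.kw.get("traceback")
        raise new from err  # keep the original as __cause__ for debugging
    raise err


def report(server, handler, send_tracebacks=False):
    """Run one call and summarise the outcome as a dict: what a CLI would
    print for the user, without a stack dump unless the server sent one."""
    try:
        return {"result": client_call(server, handler, send_tracebacks)}
    except PublicError as err:
        return {"error": type(err).__name__,
                "message": str(err),
                "traceback": err.kw.get("traceback")}


# Constructed handlers standing in for server-side command code.
def buggy_handler():
    raise KeyError("ipaSshPubKey")  # a bug in plugin code, not a user error


def missing_handler():
    raise NotFound(reason="user 'alice'")


if __name__ == "__main__":
    srv = "https://ipa1.example.test"
    print(report(srv, buggy_handler)["message"])
    print(report(srv, buggy_handler, send_tracebacks=True)["traceback"])
    print(report(srv, missing_handler)["message"])
```

The point of doing the translation on the client rather than the server is that the server does not know the name the client used to reach it (the client may have gone through a load balancer or a different DNS name), while the client has the URL it dialled. Keeping `send_tracebacks` server-side and off by default means the log-reading admin, not a random caller, decides when stack traces leave the machine.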
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Apr 2015 10:08:28 -0400 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <553754D6.6050006@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> Message-ID: <5537AB5C.1010503@redhat.com> Jan Cholasta wrote: > Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >> Hello, >> >> looking at freeipa-users list, following kind of conversation is quite >> common: >> >> user: 'IPA reports an internal error, what should I do?' >> dev: 'see HTTPd error log on the IPA server' >> user: 'what server?' >> dev: 'enable debugging on client and see which server was contacted' >> >> >> Can we make InternalError more useful and eliminate this kind of >> ping-pong? >> >> Looking at sources: >> $ git grep 'class .*InternalError' >> ipalib/errors.py:class InternalError(PublicError): >> ipalib/errors.py:class ServerInternalError(PublicError): >> >> $ git grep ServerInternalError >> ipalib/errors.py:class ServerInternalError(PublicError): >> ipalib/errors.py: >>> raise >> ServerInternalError(server='https://localhost') >> ipalib/errors.py: ServerInternalError: an internal error has >> occurred on >> server at 'https://localhost' >> >> Apparently somebody was thinking about it in the past but >> ServerInternalError >> is not used anywhere. >> >> How hard would it be to translate InternalError on client side to >> ServerInternalError with appropriate server name? >> >> Can we extend InternalError with text like this? >> 'See httpd error log on server %s for more details.' >> >> Does it make sense? Should I open a ticket about this? >> > > It's a good idea. I don't know. How many people ask about CA install failures without looking into /var/log/*-install.log even though it states within just a few lines of output this is where all the logging goes? The terseness was done on purpose. 
> On a related note, I would also like the server to send tracebacks to > the client if debugging is enabled on the server. Call me conservative but this was a conscious choice originally as well. The traceback is in the logs. The admin has the logs. rob From abokovoy at redhat.com Wed Apr 22 14:16:01 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 22 Apr 2015 17:16:01 +0300 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <5537AB5C.1010503@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> Message-ID: <20150422141601.GH26437@redhat.com> On Wed, 22 Apr 2015, Rob Crittenden wrote: >Jan Cholasta wrote: >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >>> Hello, >>> >>> looking at freeipa-users list, following kind of conversation is quite >>> common: >>> >>> user: 'IPA reports an internal error, what should I do?' >>> dev: 'see HTTPd error log on the IPA server' >>> user: 'what server?' >>> dev: 'enable debugging on client and see which server was contacted' >>> >>> >>> Can we make InternalError more useful and eliminate this kind of >>> ping-pong? >>> >>> Looking at sources: >>> $ git grep 'class .*InternalError' >>> ipalib/errors.py:class InternalError(PublicError): >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> >>> $ git grep ServerInternalError >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> ipalib/errors.py: >>> raise >>> ServerInternalError(server='https://localhost') >>> ipalib/errors.py: ServerInternalError: an internal error has >>> occurred on >>> server at 'https://localhost' >>> >>> Apparently somebody was thinking about it in the past but >>> ServerInternalError >>> is not used anywhere. >>> >>> How hard would it be to translate InternalError on client side to >>> ServerInternalError with appropriate server name? >>> >>> Can we extend InternalError with text like this? >>> 'See httpd error log on server %s for more details.' >>> >>> Does it make sense? Should I open a ticket about this? >>> >> >> It's a good idea. > >I don't know. How many people ask about CA install failures without >looking into /var/log/*-install.log even though it states within just a >few lines of output this is where all the logging goes? 
> >The terseness was done on purpose. > >> On a related note, I would also like the server to send tracebacks to >> the client if debugging is enabled on the server. > >Call me conservative but this was a conscious choice originally as well. >The traceback is in the logs. The admin has the logs. I agree with Rob. Literally every single case when people report 'CA install fails' ends up with people asking us instead of looking into logs. There seems to be a general unwillingness to invest in understanding what is being done and why things might fail. -- / Alexander Bokovoy From pspacek at redhat.com Wed Apr 22 14:17:43 2015
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 22 Apr 2015 16:17:43 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <5537AB5C.1010503@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> Message-ID: <5537AD87.5050208@redhat.com> On 22.4.2015 16:08, Rob Crittenden wrote: > Jan Cholasta wrote: >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >>> Hello, >>> >>> looking at freeipa-users list, following kind of conversation is quite >>> common: >>> >>> user: 'IPA reports an internal error, what should I do?' >>> dev: 'see HTTPd error log on the IPA server' >>> user: 'what server?' >>> dev: 'enable debugging on client and see which server was contacted' >>> >>> >>> Can we make InternalError more useful and eliminate this kind of >>> ping-pong? >>> >>> Looking at sources: >>> $ git grep 'class .*InternalError' >>> ipalib/errors.py:class InternalError(PublicError): >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> >>> $ git grep ServerInternalError >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> ipalib/errors.py: >>> raise >>> ServerInternalError(server='https://localhost') >>> ipalib/errors.py: ServerInternalError: an internal error has >>> occurred on >>> server at 'https://localhost' >>> >>> Apparently somebody was thinking about it in the past but >>> ServerInternalError >>> is not used anywhere. >>> >>> How hard would it be to translate InternalError on client side to >>> ServerInternalError with appropriate server name? >>> >>> Can we extend InternalError with text like this? >>> 'See httpd error log on server %s for more details.' >>> >>> Does it make sense? Should I open a ticket about this? >>> >> >> It's a good idea. > > I don't know. How many people ask about CA install failures without > looking into /var/log/*-install.log even though it states within just a > few lines of output this is where all the logging goes? 
Right, it is relatively simple if it happens during installation. The problem is that InternalError does not happen only during installation. It can happen at any client at any time. What specific information from the proposed text 'See httpd error log on server %s for more details.' can do some harm? Petr^2 Spacek > The terseness was done on purpose. > >> On a related note, I would also like the server to send tracebacks to >> the client if debugging is enabled on the server. > > Call me conservative but this was a conscious choice originally as well. > The traceback is in the logs. The admin has the logs. > > rob From simo at redhat.com Wed Apr 22 14:47:43 2015 
From: simo at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2015 10:47:43 -0400 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <20150422141601.GH26437@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> <20150422141601.GH26437@redhat.com> Message-ID: <1429714063.22399.147.camel@willson.usersys.redhat.com> On Wed, 2015-04-22 at 17:16 +0300, Alexander Bokovoy wrote: > On Wed, 22 Apr 2015, Rob Crittenden wrote: > >Jan Cholasta wrote: > >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): > >>> Hello, > >>> > >>> looking at freeipa-users list, following kind of conversation is quite > >>> common: > >>> > >>> user: 'IPA reports an internal error, what should I do?' > >>> dev: 'see HTTPd error log on the IPA server' > >>> user: 'what server?' > >>> dev: 'enable debugging on client and see which server was contacted' > >>> > >>> > >>> Can we make InternalError more useful and eliminate this kind of > >>> ping-pong? > >>> > >>> Looking at sources: > >>> $ git grep 'class .*InternalError' > >>> ipalib/errors.py:class InternalError(PublicError): > >>> ipalib/errors.py:class ServerInternalError(PublicError): > >>> > >>> $ git grep ServerInternalError > >>> ipalib/errors.py:class ServerInternalError(PublicError): > >>> ipalib/errors.py: >>> raise > >>> ServerInternalError(server='https://localhost') > >>> ipalib/errors.py: ServerInternalError: an internal error has > >>> occurred on > >>> server at 'https://localhost' > >>> > >>> Apparently somebody was thinking about it in the past but > >>> ServerInternalError > >>> is not used anywhere. > >>> > >>> How hard would it be to translate InternalError on client side to > >>> ServerInternalError with appropriate server name? > >>> > >>> Can we extend InternalError with text like this? > >>> 'See httpd error log on server %s for more details.' > >>> > >>> Does it make sense? Should I open a ticket about this? > >>> > >> > >> It's a good idea. 
> > > >I don't know. How many people ask about CA install failures without >looking into /var/log/*-install.log even though it states within just a >few lines of output this is where all the logging goes? > > > >The terseness was done on purpose. > > > >> On a related note, I would also like the server to send tracebacks to > >> the client if debugging is enabled on the server. > > > >Call me conservative but this was a conscious choice originally as well. > >The traceback is in the logs. The admin has the logs. > I agree with Rob. Literally every single case when people report 'CA > install fails' ends up with people asking us instead of looking into > logs. There seems to be a general unwillingness to invest in understanding > what is being done and why things might fail. I have to say this is a completely incorrect way of looking at it. People may be willing, but we are suffering from our own success. We've made an incredibly complex system, easy enough for people that do not fully understand it to use, and well *that* was the intention! So huzzah! But ... But it comes with the price tag that users do not understand it fully, and even knowing *where* logs are is not obvious, and it is not even obvious what component is to look at when something breaks. So I think it is unfair to say people are unwilling to look at logs, some may be, but I bet most simply do not know where to start even. Also keep in mind you only see the percentage of users that have trouble; those that *do* look at the logs and figure it out themselves, or are good at searching and find the solution reported by a previous user on their own, do not show up. The long term solutions can only be: a) centralize logging of the various components so that there is a single place to go and look and correlate errors even for the untrained. b) develop troubleshooting documentation as cases come up and are solved, indexed by symptom c) keep helping our beloved users :-) Simo. 
-- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Wed Apr 22 15:08:52 2015 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 22 Apr 2015 18:08:52 +0300 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <1429714063.22399.147.camel@willson.usersys.redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> <20150422141601.GH26437@redhat.com> <1429714063.22399.147.camel@willson.usersys.redhat.com> Message-ID: <20150422150852.GI26437@redhat.com> On Wed, 22 Apr 2015, Simo Sorce wrote: >On Wed, 2015-04-22 at 17:16 +0300, Alexander Bokovoy wrote: >> On Wed, 22 Apr 2015, Rob Crittenden wrote: >> >Jan Cholasta wrote: >> >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >> >>> Hello, >> >>> >> >>> looking at freeipa-users list, following kind of conversation is quite >> >>> common: >> >>> >> >>> user: 'IPA reports an internal error, what should I do?' >> >>> dev: 'see HTTPd error log on the IPA server' >> >>> user: 'what server?' >> >>> dev: 'enable debugging on client and see which server was contacted' >> >>> >> >>> >> >>> Can we make InternalError more useful and eliminate this kind of >> >>> ping-pong? >> >>> >> >>> Looking at sources: >> >>> $ git grep 'class .*InternalError' >> >>> ipalib/errors.py:class InternalError(PublicError): >> >>> ipalib/errors.py:class ServerInternalError(PublicError): >> >>> >> >>> $ git grep ServerInternalError >> >>> ipalib/errors.py:class ServerInternalError(PublicError): >> >>> ipalib/errors.py: >>> raise >> >>> ServerInternalError(server='https://localhost') >> >>> ipalib/errors.py: ServerInternalError: an internal error has >> >>> occurred on >> >>> server at 'https://localhost' >> >>> >> >>> Apparently somebody was thinking about it in the past but >> >>> ServerInternalError >> >>> is not used anywhere. >> >>> >> >>> How hard would it be to translate InternalError on client side to >> >>> ServerInternalError with appropriate server name? >> >>> >> >>> Can we extend InternalError with text like this? 
>> >>> 'See httpd error log on server %s for more details.' >> >>> >> >>> Does it make sense? Should I open a ticket about this? >> >>> >> >> >> >> It's a good idea. >> > >> >I don't know. How many people ask about CA install failures without >> >looking into /var/log/*-install.log even though it states within just a >> >few lines of output this is where all the logging goes? >> > >> >The terseness was done on purpose. >> > >> >> On a related note, I would also like the server to send tracebacks to >> >> the client if debugging is enabled on the server. >> > >> >Call me conservative but this was a conscious choice originally as well. >> >The traceback is in the logs. The admin has the logs. >> I agree with Rob. Literally every single case when people report 'CA >> install fails' ends up with people asking us instead of looking into >> logs. There seems to be a general unwillingness to invest into understanding >> of what is being done and why things might fail. > >I have to say this is a completely incorrect way of looking at it. > >People may be willing, but we are suffering from our own success. > >We've made an incredibly complex system, easy enough for people that do >not fully understand it to use, and well *that* was the intention! So >huzzah! But ... > >But it comes with the price tag that users do not understand it fully, and >even knowing *where* logs are is not obvious, and it is not even obvious >what component is to look at when something breaks. > >So I think it is unfair to say people are unwilling to look at logs, >some may be, but I bet most simply do not know where to start even. >Also keep in mind you only see the percentage of users that have >trouble, those that *do* look at the logs and figure out themselves, or >are good at searching and find the solution reported by a previous user >on their own do not show up.
> >The long term solutions can only be: >a) centralize logging of the various components so that there is a >single place to go and look and correlate errors even for the untrained. >b) develop troubleshooting documentation as cases come up and are >solved, indexed by symptom >c) keep helping our beloved users :-) A story is always multi-fold. We need to fix installer issues where crashes in a single component do not leave unprocessed results that cannot be interpreted properly by higher-level code to suggest where to look for details and what to do with them. However, the majority of issues don't really require passing through tracebacks from server to client. For example, timeout issues with CA install due to lacking entropy wouldn't be solved by passing through a traceback. It requires understanding what happens -- and even when we print a message warning about lack of entropy, it is ignored, as we print a lot of text during install. We have the https://www.freeipa.org/page/Troubleshooting page to help here. It is the first result in Google for 'freeipa troubleshooting', 'freeipa trouble', 'freeipa issue', 'freeipa problem', 'freeipa install problem'. It has a lot of content, indexed by symptom. Yet, the amount of 'I have a problem' without looking into logs is substantial. Should we add an explicit link to the page above in every installer error output? -- / Alexander Bokovoy From simo at redhat.com Wed Apr 22 15:18:45 2015
From: simo at redhat.com (Simo Sorce) Date: Wed, 22 Apr 2015 11:18:45 -0400 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <20150422150852.GI26437@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> <20150422141601.GH26437@redhat.com> <1429714063.22399.147.camel@willson.usersys.redhat.com> <20150422150852.GI26437@redhat.com> Message-ID: <1429715925.22399.159.camel@willson.usersys.redhat.com> On Wed, 2015-04-22 at 18:08 +0300, Alexander Bokovoy wrote: > On Wed, 22 Apr 2015, Simo Sorce wrote: > >On Wed, 2015-04-22 at 17:16 +0300, Alexander Bokovoy wrote: > >> On Wed, 22 Apr 2015, Rob Crittenden wrote: > >> >Jan Cholasta wrote: > >> >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): > >> >>> Hello, > >> >>> > >> >>> looking at freeipa-users list, following kind of conversation is quite > >> >>> common: > >> >>> > >> >>> user: 'IPA reports an internal error, what should I do?' > >> >>> dev: 'see HTTPd error log on the IPA server' > >> >>> user: 'what server?' > >> >>> dev: 'enable debugging on client and see which server was contacted' > >> >>> > >> >>> > >> >>> Can we make InternalError more useful and eliminate this kind of > >> >>> ping-pong? > >> >>> > >> >>> Looking at sources: > >> >>> $ git grep 'class .*InternalError' > >> >>> ipalib/errors.py:class InternalError(PublicError): > >> >>> ipalib/errors.py:class ServerInternalError(PublicError): > >> >>> > >> >>> $ git grep ServerInternalError > >> >>> ipalib/errors.py:class ServerInternalError(PublicError): > >> >>> ipalib/errors.py: >>> raise > >> >>> ServerInternalError(server='https://localhost') > >> >>> ipalib/errors.py: ServerInternalError: an internal error has > >> >>> occurred on > >> >>> server at 'https://localhost' > >> >>> > >> >>> Apparently somebody was thinking about it in the past but > >> >>> ServerInternalError > >> >>> is not used anywhere. 
> >> >>> > >> >>> How hard would it be to translate InternalError on client side to > >> >>> ServerInternalError with appropriate server name? > >> >>> > >> >>> Can we extend InternalError with text like this? > >> >>> 'See httpd error log on server %s for more details.' > >> >>> > >> >>> Does it make sense? Should I open a ticket about this? > >> >>> > >> >> > >> >> It's a good idea. > >> > > >> >I don't know. How many people ask about CA install failures without > >> >looking into /var/log/*-install.log even though it states within just a > >> >few lines of output this is where all the logging goes? > >> > > >> >The terseness was done on purpose. > >> > > >> >> On a related note, I would also like the server to send tracebacks to > >> >> the client if debugging is enabled on the server. > >> > > >> >Call me conservative but this was a conscious choice originally as well. > >> >The traceback is in the logs. The admin has the logs. > >> I agree with Rob. Literally every single case when people report 'CA > >> install fails' ends up with people asking us instead of looking into > >> logs. There seems to be a general unwillingness to invest into understanding > >> of what is being done and why things might fail. > > > >I have to say this is a completely incorrect way of looking at it. > > > >People may be willing, but we are suffering from our own success. > > > >We've made an incredibly complex system, easy enough for people that do > >not fully understand it to use, and well *that* was the intention! So > >huzzah! But ... > > > >But it comes with the price tag that users do not understand it fully, and > >even knowing *where* logs are is not obvious, and it is not even obvious > >what component is to look at when something breaks. > > > >So I think it is unfair to say people are unwilling to look at logs, > >some may be, but I bet most simply do not know where to start even.
> >Also keep in mind you only see the percentage of users that have > >trouble, those that *do* look at the logs and figure out themselves, or > >are good at searching and find the solution reported by a previous user > >on their own do not show up. > > > >The long term solutions can only be: > >a) centralize logging of the various components so that there is a > >single place to go and look and correlate errors even for the untrained. > >b) develop troubleshooting documentation as cases come up and are > >solved, indexed by symptom > >c) keep helping our beloved users :-) > A story is always multi-fold. > > We need to fix installer issues where crashes in a single > component do not leave unprocessed results that cannot be interpreted > properly by higher-level code to suggest where to look for details and > what to do with them. > > However, the majority of issues don't really require passing through > tracebacks from server to client. For example, timeout issues with CA > install due to lacking entropy wouldn't be solved by passing through a > traceback. It requires understanding what happens -- and even when we > print a message warning about lack of entropy, it is ignored, as we > print a lot of text during install. > > We have the https://www.freeipa.org/page/Troubleshooting page to help here. > It is the first result in Google for 'freeipa troubleshooting', 'freeipa > trouble', 'freeipa issue', 'freeipa problem', 'freeipa install problem'. > It has a lot of content, indexed by symptom. Yet, the amount of 'I have a > problem' without looking into logs is substantial. Should we add an > explicit link to the page above in every installer error output? I think that may be a very good idea; giving pointers like that is usually a good help to novices. Simo. -- Simo Sorce * Red Hat, Inc * New York From npmccallum at redhat.com Wed Apr 22 19:45:31 2015
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 22 Apr 2015 15:45:31 -0400 Subject: [Freeipa-devel] [PATCH 0082] Update python-yubico dependency version In-Reply-To: <1427811900.7498.1.camel@redhat.com> References: <1427811900.7498.1.camel@redhat.com> Message-ID: <1429731931.2795.44.camel@redhat.com> On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote: > This change enables support for all current YubiKey hardware. Can someone please review this patch? Nathaniel From redhatrises at gmail.com Thu Apr 23 02:55:06 2015 From: redhatrises at gmail.com (Gabe Alford) Date: Wed, 22 Apr 2015 20:55:06 -0600 Subject: [Freeipa-devel] [PATCH 0082] Update python-yubico dependency version In-Reply-To: <1429731931.2795.44.camel@redhat.com> References: <1427811900.7498.1.camel@redhat.com> <1429731931.2795.44.camel@redhat.com> Message-ID: Ack. Thanks, Gabe On Wed, Apr 22, 2015 at 1:45 PM, Nathaniel McCallum wrote: > On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote: > > This change enables support for all current YubiKey hardware. > > Can someone please review this patch? > > Nathaniel > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > From jcholast at redhat.com Thu Apr 23 05:28:05 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Apr 2015 07:28:05 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <1429709542.22399.124.camel@willson.usersys.redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <1429709542.22399.124.camel@willson.usersys.redhat.com> Message-ID: <553882E5.8040902@redhat.com> Dne 22.4.2015 v 15:32 Simo Sorce napsal(a): > On Wed, 2015-04-22 at 09:59 +0200, Jan Cholasta wrote: >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >>> Hello, >>> >>> looking at freeipa-users list, following kind of conversation is quite common: >>> >>> user: 'IPA reports an internal error, what should I do?' >>> dev: 'see HTTPd error log on the IPA server' >>> user: 'what server?' >>> dev: 'enable debugging on client and see which server was contacted' >>> >>> >>> Can we make InternalError more useful and eliminate this kind of ping-pong? >>> >>> Looking at sources: >>> $ git grep 'class .*InternalError' >>> ipalib/errors.py:class InternalError(PublicError): >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> >>> $ git grep ServerInternalError >>> ipalib/errors.py:class ServerInternalError(PublicError): >>> ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') >>> ipalib/errors.py: ServerInternalError: an internal error has occurred on >>> server at 'https://localhost' >>> >>> Apparently somebody was thinking about it in the past but ServerInternalError >>> is not used anywhere. >>> >>> How hard would it be to translate InternalError on client side to >>> ServerInternalError with appropriate server name? >>> >>> Can we extend InternalError with text like this? >>> 'See httpd error log on server %s for more details.' >>> >>> Does it make sense? Should I open a ticket about this? >>> >> >> It's a good idea. >> >> On a related note, I would also like the server to send tracebacks to >> the client if debugging is enabled on the server. 
> > I am not too hot on this idea, unless there is a specific switch to > allow sending tracebacks (default to off). Emphasis on "if debugging is enabled". -- Jan Cholasta From pvoborni at redhat.com Thu Apr 23 10:24:12 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 23 Apr 2015 12:24:12 +0200 Subject: [Freeipa-devel] [PATCH] 823 ipaldap: raise DatabaseError on unbind if disconnected Message-ID: <5538C84C.9020407@redhat.com> If unbind was called when disconnected it raised: AttributeError: 'NoneType' object has no attribute 'unbind_s' AttributeError is not a public error and therefore it prevented ldap2.destroy_connection() from being called multiple times. fixes: https://fedorahosted.org/freeipa/ticket/4991 Note: this issue also prevented rpcserver.change_password from working. Therefore I think that there might have been an error in the recent ipaldap refactoring, and if #4991 was not run on master then there might have been another issue, which has probably been fixed by the refactoring. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0823-ipaldap-raise-DatabaseError-on-unbind-if-disconnecte.patch Type: text/x-patch Size: 1240 bytes Desc: not available URL: From mbasti at redhat.com Thu Apr 23 10:55:37 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Apr 2015 12:55:37 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <55360AD4.1020703@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> Message-ID: <5538CFA9.9080700@redhat.com> On 21/04/15 10:31, Martin Basti wrote: > On 21/04/15 08:12, Jan Cholasta wrote: >> Hi, >> >> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>> https://fedorahosted.org/freeipa/ticket/4904 >>> >>> Patches attached. >>> >>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>> removed after installer modifications. >>> >>> This patch may cause temporal upgrade issues (corner cases), until >>> installer part will be finished. >>> >>> If somebody will be hit by them, please use --skip-version-check for >>> ipactl and ipa-server-upgrade. >> >> Regarding that option vs. --force: I think the common assumption is >> that --force ignores *all* non-fatal errors, but you break that >> assumption in ipactl. IMO --force should both ignore errors in >> service startup *and* skip version check, and a new option should be >> added to just ignore errors in service startup (e.g. >> --ignore-service-failures). > Originally I used --force option to skip detection, but there was > objections against it on list. > > However, to have option --force, which set true for both > --ignore-service-failures and --skip-version-check options, might be > better. > >> >> ipa-server-upgrade should probably also have --force, even if it does >> the same thing as --skip-version-check, again because --force is common. 
>> >> >> This is a weird API: >> >> + if data_upgrade.badsyntax: >> + raise admintool.ScriptError( >> + 'Bad syntax detected in upgrade file(s).', 1) >> + elif data_upgrade.upgradefailed: >> + raise admintool.ScriptError('IPA upgrade failed.', 1) >> + elif data_upgrade.modified: >> + self.log.info('Data update complete') >> + else: >> + self.log.info('Data update complete, no data were >> modified') >> >> Why doesn't IPAUpgrade raise errors instead? >> > For historical reasons. I can investigate what this change would break; > I will send it in a separate patch. >> >> +class IPAVersionError(Exception): >> + pass >> + >> +class PlatformMismatchError(IPAVersionError): >> + pass >> + >> +class DataUpgradeRequiredError(IPAVersionError): >> + pass >> + >> +class DataInNewerVersionError(IPAVersionError): >> + pass >> >> I don't like the "IPA" in "IPAVersionError", it does not tell you >> much about what kind of version that is. Also data version errors >> should only tell you what is wrong, not how you fix it. IMO better >> names for these would be e.g. "UpgradeVersionError", >> "UpgradePlatformError", "UpgradeDataOlderVersionError", >> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >> check_ipa_version. >> > Ok. >> >> Why is it not an error if there is no version in check_ipa_version? >> IMO it should, even if you then ignore the exception most of the time. > I can raise an error in that case and ignore the exception. >> >> >> Honza >> > Martin^2 > Updated patches attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0227.3-Server-Upgrade-ipa-server-upgrade-command.patch Type: text/x-patch Size: 6829 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
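Review bot: in the ipa-server-upgrade hunk, the `if data_upgrade.badsyntax` / `elif data_upgrade.upgradefailed` chain raises `admintool.ScriptError` with fixed strings ('Bad syntax detected in upgrade file(s).', 'IPA upgrade failed.') and exit code 1, so the admin is never told which update file or which operation failed; include the file name and the underlying error in the message, or, per the reviewer's question, let IPAUpgrade raise an exception that carries them. The elif chain also reports only the first flag when badsyntax and upgradefailed are both set.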
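Review bot: the four new exception classes (IPAVersionError and its three subclasses) have bare `pass` bodies with no docstring and no attributes, so a handler cannot tell which platform or data version was found versus which was expected; give each a one-line docstring and carry the observed and expected values as constructor arguments, in addition to the renaming already discussed in the thread.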
Name: freeipa-mbasti-0228.3-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 17421 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229.3-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From mkosek at redhat.com Thu Apr 23 10:56:46 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Thu, 23 Apr 2015 12:56:46 +0200 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <1429714063.22399.147.camel@willson.usersys.redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <5537AB5C.1010503@redhat.com> <20150422141601.GH26437@redhat.com> <1429714063.22399.147.camel@willson.usersys.redhat.com> Message-ID: <5538CFEE.7030300@redhat.com> On 04/22/2015 04:47 PM, Simo Sorce wrote: > On Wed, 2015-04-22 at 17:16 +0300, Alexander Bokovoy wrote: >> On Wed, 22 Apr 2015, Rob Crittenden wrote: >>> Jan Cholasta wrote: >>>> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): >>>>> Hello, >>>>> >>>>> looking at freeipa-users list, following kind of conversation is quite >>>>> common: >>>>> >>>>> user: 'IPA reports an internal error, what should I do?' >>>>> dev: 'see HTTPd error log on the IPA server' >>>>> user: 'what server?' >>>>> dev: 'enable debugging on client and see which server was contacted' >>>>> >>>>> >>>>> Can we make InternalError more useful and eliminate this kind of >>>>> ping-pong? >>>>> >>>>> Looking at sources: >>>>> $ git grep 'class .*InternalError' >>>>> ipalib/errors.py:class InternalError(PublicError): >>>>> ipalib/errors.py:class ServerInternalError(PublicError): >>>>> >>>>> $ git grep ServerInternalError >>>>> ipalib/errors.py:class ServerInternalError(PublicError): >>>>> ipalib/errors.py: >>> raise >>>>> ServerInternalError(server='https://localhost') >>>>> ipalib/errors.py: ServerInternalError: an internal error has >>>>> occurred on >>>>> server at 'https://localhost' >>>>> >>>>> Apparently somebody was thinking about it in the past but >>>>> ServerInternalError >>>>> is not used anywhere. >>>>> >>>>> How hard would it be to translate InternalError on client side to >>>>> ServerInternalError with appropriate server name? >>>>> >>>>> Can we extend InternalError with text like this? >>>>> 'See httpd error log on server %s for more details.' 
>>>>> >>>>> Does it make sense? Should I open a ticket about this? >>>>> >>>> >>>> It's a good idea. >>> >>> I don't know. How many people ask about CA install failures without >>> looking into /var/log/*-install.log even though it states within just a >>> few lines of output this is where all the logging goes? >>> >>> The terseness was done on purpose. >>> >>>> On a related note, I would also like the server to send tracebacks to >>>> the client if debugging is enabled on the server. >>> >>> Call me conservative but this was a conscious choice originally as well. >>> The traceback is in the logs. The admin has the logs. >> I agree with Rob. Literally every single case when people report 'CA >> install fails' ends up with people asking us instead of looking into >> logs. There seems to be a general unwillingness to invest into understanding >> of what is being done and why things might fail. > > I have to say this is a completely incorrect way of looking at it. > > People may be willing, but we are suffering from our own success. > > We've made an incredibly complex system, easy enough for people that do > not fully understand it to use, and well *that* was the intention! So > huzzah! But ... > > But it comes with the price tag that users do not understand it fully, and > even knowing *where* logs are is not obvious, and it is not even obvious > what component is to look at when something breaks. > > So I think it is unfair to say people are unwilling to look at logs, > some may be, but I bet most simply do not know where to start even. > Also keep in mind you only see the percentage of users that have > trouble, those that *do* look at the logs and figure out themselves, or > are good at searching and find the solution reported by a previous user > on their own do not show up. > > The long term solutions can only be: > a) centralize logging of the various components so that there is a > single place to go and look and correlate errors even for the untrained.
This is something I was looking at as a side gig, and I even posted a request for ideas or requirements on the freeipa-users list: https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html but so far there have been no responses. The centralized logging solutions like ELK server and derivatives can reveal some stuff, but you need to tell it what it should correlate together and maybe display. If you have any ideas on how to improve troubleshooting by this means, I would be very interested in them. > b) develop troubleshooting documentation as cases come up and are > solved, indexed by symptom I am encouraging everyone to keep updating the Troubleshooting page when they come across a case whose root cause is not yet present on that page. We need to keep the Troubleshooting page as up to date as possible; it may already be helping a lot, with people simply googling it and not asking on freeipa-users at all because the issue is resolved. > c) keep helping our beloved users :-) > > Simo. > From mbasti at redhat.com Thu Apr 23 11:06:02 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Apr 2015 13:06:02 +0200 Subject: [Freeipa-devel] [PATCHES 0231-0232] Server Upgrade: support base64 encoded values in update files + remove CSV In-Reply-To: <552FD1C0.2040104@redhat.com> References: <552FD1C0.2040104@redhat.com> Message-ID: <5538D21A.8040000@redhat.com> On 16/04/15 17:14, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4984 > > I had to remove CSV (which is evil) to be able to fix this ticket. > > Patches attached. > > > Updated patches attached. -- Martin Basti -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0231.2-Server-Upgrade-remove-CSV-from-upgrade-files.patch Type: text/x-patch Size: 127791 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0232.2-Server-Upgrade-Allow-base64-encoded-values.patch Type: text/x-patch Size: 15624 bytes Desc: not available URL: From jcholast at redhat.com Thu Apr 23 11:35:03 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Apr 2015 13:35:03 +0200 Subject: [Freeipa-devel] [PATCHES] 0688-0689 Remove Editable DN and DN component classes In-Reply-To: <5535266E.9020209@redhat.com> References: <5527D71D.5020209@redhat.com> <552F5EF2.9060308@redhat.com> <552FAC93.2060401@redhat.com> <5534B7DA.9040907@redhat.com> <5535178A.1020305@redhat.com> <553518E4.4030202@redhat.com> <5535266E.9020209@redhat.com> Message-ID: <5538D8E7.4030009@redhat.com> Dne 20.4.2015 v 18:16 Petr Viktorin napsal(a): > On 04/20/2015 05:19 PM, Jan Cholasta wrote: >> Dne 20.4.2015 v 17:13 Petr Viktorin napsal(a): >>> On 04/20/2015 10:24 AM, Jan Cholasta wrote: >>>> Dne 16.4.2015 v 14:35 Petr Viktorin napsal(a): >>>>> On 04/16/2015 09:04 AM, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> Dne 10.4.2015 v 15:58 Petr Viktorin napsal(a): >>>>>>> The attached patches remove EditableDN, EditableRDN and EditableAVA. >>>>>>> They depend on Petr Voborn?k's patch 811 (performance: faster DN >>>>>>> implementation). >>>>>>> >>>>>>> >>>>>>> Mutable DNs are not very useful. When creating them it is easier to >>>>>>> work >>>>>>> with lists or generators, and needing to change DNs aside from >>>>>>> operations like `DN(new_rdn, original[1:])` is very rare -- I'd even >>>>>>> say >>>>>>> theoretical. >>>>>>> Mutable DNs are not hashable, so they can't be used as dist keys. >>>>>>> Storing them as "keys" in other structures (e.g. in a LDAPEntry) is >>>>>>> dangerous -- it's hard to reason about outside modifications. >>>>>>> >>>>>>> The first patch removes the last use of EditableDN. I could be >>>>>>> convinced >>>>>>> it's not an improvement in elegance/readability, but I believe >>>>>>> this is >>>>>>> the strongest case for EditableDN in IPA, and it doesn't justify >>>>>>> keeping >>>>>>> it. >>>>>> >>>>>> LGTM, but patch 688 needs to be rebased. >>>>> >>>>> Here you go. 
>>>> >>>> Regarding patch 688, it seems we are always replacing the suffix of the >>>> DN, so I think we can simplify _dn_replace to: >>>> >>>> if not dn.endswith(old): >>>> raise ValueError('no replacement made') >>>> return DN(*dn[:-len(old)]) + new >>>> >>> >>> Sure, here are patches with this change. >>> >> >> Thanks, but it looks like you forgot to raise the ValueError. >> > > Ah, sorry for that. Fixed. > ACK. Pushed to master: 2cafb47ed7e4eba354355fa3aed1d8bcbac5fb68 -- Jan Cholasta From simo at redhat.com Thu Apr 23 12:10:08 2015
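The suffix replacement Jan sketches above, written out as an added Python example rather than FreeIPA's own ipapython.dn code: a minimal immutable DN type and a dn_replace_suffix() that matches the old suffix RDN by RDN, so that a plain string endswith() cannot be fooled by an attribute-type mismatch such as 'c=example,dc=com' against 'dc=example,dc=com', while case and spacing differences between equal RDNs are tolerated. The parser, the class layout and the function names are constructed for this example.

```python
from typing import Tuple


def split_rdns(dn: str) -> Tuple[str, ...]:
    """Split a DN string into RDNs on unescaped commas (RFC 4514 escaping).

    Constructed, minimal parser: it understands backslash escapes only.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return tuple(p for p in parts if p)


def _norm(rdn: str) -> str:
    """Comparison form of one RDN: attribute type and value case-folded."""
    attr, _, value = rdn.partition('=')
    return attr.strip().lower() + '=' + value.strip().lower()


class DN(tuple):
    """Immutable DN: a tuple of RDN strings, leftmost (most specific) first."""

    def __new__(cls, *parts):
        rdns = []
        for part in parts:
            # Strings are parsed; DN/tuple parts are taken RDN by RDN.
            rdns.extend(split_rdns(part) if isinstance(part, str) else part)
        return super().__new__(cls, rdns)

    def __add__(self, other) -> 'DN':
        return DN(*self, *DN(other))

    def endswith(self, suffix) -> bool:
        """True if the trailing RDNs of self equal 'suffix', RDN by RDN."""
        suffix = DN(suffix)
        if len(suffix) > len(self):
            return False
        tail = self[len(self) - len(suffix):]
        return [_norm(r) for r in tail] == [_norm(r) for r in suffix]

    def __str__(self) -> str:
        return ','.join(self)


def dn_replace_suffix(dn: DN, old, new) -> DN:
    """Replace the suffix 'old' of dn with 'new'; raise if dn does not end in old.

    len(dn) - len(old) is used instead of -len(old) so that an empty 'old'
    keeps the whole DN rather than slicing all of it away.
    """
    old, new = DN(old), DN(new)
    if not dn.endswith(old):
        raise ValueError('no replacement made')
    return DN(*dn[:len(dn) - len(old)]) + new
```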
From: simo at redhat.com (Simo Sorce) Date: Thu, 23 Apr 2015 08:10:08 -0400 Subject: [Freeipa-devel] user-friendly 'IPA internal error' message In-Reply-To: <553882E5.8040902@redhat.com> References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <1429709542.22399.124.camel@willson.usersys.redhat.com> <553882E5.8040902@redhat.com> Message-ID: <1429791008.13607.0.camel@willson.usersys.redhat.com> On Thu, 2015-04-23 at 07:28 +0200, Jan Cholasta wrote: > Dne 22.4.2015 v 15:32 Simo Sorce napsal(a): > > On Wed, 2015-04-22 at 09:59 +0200, Jan Cholasta wrote: > >> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a): > >>> Hello, > >>> > >>> looking at freeipa-users list, following kind of conversation is quite common: > >>> > >>> user: 'IPA reports an internal error, what should I do?' > >>> dev: 'see HTTPd error log on the IPA server' > >>> user: 'what server?' > >>> dev: 'enable debugging on client and see which server was contacted' > >>> > >>> > >>> Can we make InternalError more useful and eliminate this kind of ping-pong? > >>> > >>> Looking at sources: > >>> $ git grep 'class .*InternalError' > >>> ipalib/errors.py:class InternalError(PublicError): > >>> ipalib/errors.py:class ServerInternalError(PublicError): > >>> > >>> $ git grep ServerInternalError > >>> ipalib/errors.py:class ServerInternalError(PublicError): > >>> ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost') > >>> ipalib/errors.py: ServerInternalError: an internal error has occurred on > >>> server at 'https://localhost' > >>> > >>> Apparently somebody was thinking about it in the past but ServerInternalError > >>> is not used anywhere. > >>> > >>> How hard would it be to translate InternalError on client side to > >>> ServerInternalError with appropriate server name? > >>> > >>> Can we extend InternalError with text like this? > >>> 'See httpd error log on server %s for more details.' > >>> > >>> Does it make sense? Should I open a ticket about this? 
> >>> > >> > >> It's a good idea. > >> > >> On a related note, I would also like the server to send tracebacks to > >> the client if debugging is enabled on the server. > > > > I am not too hot on this idea, unless there is a specific switch to > > allow sending tracebacks (default to off). > > Emphasis on "if debugging is enabled". If I enable debugging on the server, I still may not want all clients to receive backtraces, especially if I am trying to resolve a problem in production. Simo. -- Simo Sorce * Red Hat, Inc * New York From pvoborni at redhat.com Thu Apr 23 12:12:59 2015 
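The client-side translation proposed in this thread, InternalError into a ServerInternalError that names the server and points at its httpd error log, with traceback forwarding gated by a separate default-off switch as Simo asks rather than by debug logging alone. This is an added Python example, not ipalib code; the class bodies, the config keys and the function names are constructed for illustration.

```python
import traceback


class PublicError(Exception):
    """Error that may be shown to users; 'format' names the fields it carries."""
    format = ''

    def __init__(self, **kw):
        self.kw = kw
        super().__init__(self.format % kw)


class InternalError(PublicError):
    format = 'an internal error has occurred'


class ServerInternalError(PublicError):
    # Carries the server name and a pointer to the log, as proposed in the thread.
    format = ("an internal error has occurred on server at '%(server)s'. "
              "See httpd error log on server %(server)s for more details.")


# Server side. Constructed config: 'send_tracebacks' is a separate switch,
# default off, so enabling 'debug' alone never forwards tracebacks to clients.
DEFAULT_CONFIG = {'debug': False, 'send_tracebacks': False}


def server_error_response(exc, config=DEFAULT_CONFIG):
    """Turn an unexpected server-side exception into a wire response.

    Returns (response, log_line): the traceback goes to the server log when
    debugging is on; the client gets it only when explicitly allowed.
    """
    tb = ''.join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    response = {'error': 'InternalError'}
    if config.get('send_tracebacks'):
        response['traceback'] = tb
    log_line = tb if config.get('debug') else f'{type(exc).__name__}: {exc}'
    return response, log_line


def client_translate(response, server_url):
    """Client side: map a bare InternalError to ServerInternalError(server=...)."""
    if response.get('error') != 'InternalError':
        return None
    err = ServerInternalError(server=server_url)
    err.traceback = response.get('traceback')   # None unless the server opted in
    return err


def round_trip(server_url, config):
    """Constructed crash inside a server command, handled end to end."""
    try:
        {}['missing']
    except KeyError as exc:
        response, _log = server_error_response(exc, config)
    return client_translate(response, server_url)
```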
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 23 Apr 2015 14:12:59 +0200 Subject: [Freeipa-devel] [PATCH] 823 ipaldap: raise DatabaseError on unbind if disconnected In-Reply-To: <5538C84C.9020407@redhat.com> References: <5538C84C.9020407@redhat.com> Message-ID: <5538E1CB.8040705@redhat.com> On 04/23/2015 12:24 PM, Petr Vobornik wrote: > If unbind was called when disconnected it raised: > AttributeError: 'NoneType' object has no attribute 'unbind_s' > > AttributeError is not a public error and therefore it prevented > ldap2.destroy_connection() from being called multiple times. > > fixes: > https://fedorahosted.org/freeipa/ticket/4991 > > Note: this issue also prevented rpcserver.change_password from working. > Therefore I think that there might have been an error in the recent ipaldap > refactoring, and if #4991 was not run on master then there might have > been another issue, which has probably been fixed by the refactoring. > After discussion with Honza, the approach was changed. Also I've added a patch which removes the unnecessary, incorrect code that revealed the regression. Additional testing shows that these patches actually don't fix the original issue of #4991. See https://fedorahosted.org/freeipa/ticket/4991#comment:4 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0824-rpcserver-remove-unnecessary-conn.destroy_connection.patch Type: text/x-patch Size: 1562 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0823-2-allow-to-call-ldap2.destroy_connection-multiple-time.patch Type: text/x-patch Size: 1592 bytes Desc: not available URL: From dkupka at redhat.com Thu Apr 23 13:26:24 2015
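The two behaviours this thread is about, an unbind on a disconnected handle surfacing a raw AttributeError instead of a public error, and destroy_connection() not being safe to call twice, as an added Python example that is not ipaldap code. The connection classes, the fake python-ldap object and the DatabaseError fields are constructed for illustration.

```python
class PublicError(Exception):
    """Base for errors that may cross the API boundary (mirrors ipalib's idea)."""


class DatabaseError(PublicError):
    """Public LDAP error carrying a short description and extra info."""

    def __init__(self, desc: str, info: str = ''):
        self.desc, self.info = desc, info
        super().__init__(f'{desc}: {info}' if info else desc)


class FakeLDAPObject:
    """Constructed stand-in for python-ldap's connection object."""

    def __init__(self):
        self.unbind_calls = 0

    def unbind_s(self):
        self.unbind_calls += 1


class LDAPConnection:
    """Holds an LDAP connection; self.conn is None while disconnected."""

    def __init__(self):
        self.conn = None

    def connect(self) -> FakeLDAPObject:
        self.conn = FakeLDAPObject()
        return self.conn

    def unbind(self):
        """Unbind and drop the handle.

        Without the check, self.conn.unbind_s() on None raises AttributeError,
        which is not a public error; raise a public DatabaseError instead.
        """
        if self.conn is None:
            raise DatabaseError(desc='not connected',
                                info='unbind called on a disconnected handle')
        self.conn.unbind_s()
        self.conn = None

    def destroy_connection(self):
        """Idempotent teardown: a second call is a no-op instead of an error."""
        if self.conn is not None:
            self.unbind()
```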
From: dkupka at redhat.com (David Kupka)
Date: Thu, 23 Apr 2015 15:26:24 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <552BA727.2010307@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com>
Message-ID: <5538F300.80904@redhat.com>

On 04/13/2015 01:23 PM, David Kupka wrote:
> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be
>>>>>>>>>> unable to build freeipa rpms on Fedora 22. This patch should go to
>>>>>>>>>> master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ACK
>>>>>>>>
>>>>>>>> Are all the new disables really just false positives?
>>>>>>>
>>>>>>> They seem to me to be false positives.
>>>>>>>
>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>>>
>>>>>>> >>> import ssl
>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>> 3
>>>>>>>
>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>
>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has
>>>>>>> both tzinfo and timetuple methods
>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>
>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>> __index__)
>>>>>>>
>>>>>>> This is the line lint is complaining about:
>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than
>>>>>>> integers.
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> tested on:
>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>> - F22: master branch.
>>>>>>>>>
>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in
>>>>>>>>> F22
>>>>>>>>
>>>>>>
>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>> tentative NACK.
>>>>>
>>>>> I tested it this way:
>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>> 2. dnf install git
>>>>> 3. clone freeipa
>>>>> 4. make version-update # to get freeipa.spec
>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>> 6. ./make-lint
>>>>>
>>>>>>
>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>> method call" (this one only in test_ipautil.py) and "No value for
>>>>>> argument 'excClass' in method call" sprinkled around various test
>>>>>> plugins. These cause E1120(no-value-for-parameter).
>>>>>
>>>>> Could you please paste the output of make-lint somewhere?
>>>>
>>>> Here it is.
>>>> This is with my f22 desktop, fully updated with buildrequires running >>>> make-lint straight after applying your patch: >>>> >>>> ************* Module ipatests.test_ipapython.test_ipautil >>>> ipatests/test_ipapython/test_ipautil.py:93: >>>> [E1120(no-value-for-parameter), TestCIDict.test_len] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:96: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:97: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:98: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:99: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:100: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:101: >>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>> for argument 'excClass' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:105: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:106: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:107: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:108: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> 
ipatests/test_ipapython/test_ipautil.py:109: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:110: >>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:114: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:116: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:128: >>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:130: >>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:140: >>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:143: >>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:161: >>>> [E1120(no-value-for-parameter), TestCIDict.test_items] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:179: >>>> [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:189: >>>> [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:199: >>>> [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:207: 
>>>> [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:217: >>>> [E1120(no-value-for-parameter), TestCIDict.test_values] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:229: >>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:232: >>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:253: >>>> [E1120(no-value-for-parameter), >>>> TestCIDict.test_update_duplicate_values_dict] No value for argument >>>> 'excClass' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:257: >>>> [E1120(no-value-for-parameter), >>>> TestCIDict.test_update_duplicate_values_list] No value for argument >>>> 'excClass' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:261: >>>> [E1120(no-value-for-parameter), >>>> TestCIDict.test_update_duplicate_values_kwargs] No value for >>>> argument 'excClass' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:270: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:273: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:275: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:278: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:280: >>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No value >>>> for argument 'second' in 
method call) >>>> ipatests/test_ipapython/test_ipautil.py:283: >>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:286: >>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:289: >>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>> argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:290: >>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>> argument 'excClass' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:295: >>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:298: >>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:303: >>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:308: >>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:323: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:324: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:325: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:326: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> 
ipatests/test_ipapython/test_ipautil.py:327: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:328: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No value >>>> for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:334: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:335: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:336: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:337: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:338: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:339: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_hour_min_sec] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:345: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:346: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:347: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:348: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No 
>>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:349: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:350: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:355: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:356: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:357: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:358: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:359: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:360: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:365: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:366: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:367: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:368: >>>> 
[E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:369: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:370: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:371: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:377: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:378: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:380: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:385: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:386: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:388: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:393: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:394: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> 
ipatests/test_ipapython/test_ipautil.py:398: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:403: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:404: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ipatests/test_ipapython/test_ipautil.py:406: >>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>> value for argument 'second' in method call) >>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>> [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No >>>> value for argument 'excClass' in method call) >>>> ************* Module ipatests.test_xmlrpc.test_automount_plugin >>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>> [E1120(no-value-for-parameter), >>>> test_automount.test_b_automountkey_del] No value for argument >>>> 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>> [E1120(no-value-for-parameter), >>>> test_automount.test_c_automountlocation_del] No value for argument >>>> 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>> [E1120(no-value-for-parameter), >>>> test_automount.test_d_automountmap_del] No value for argument >>>> 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>> [E1120(no-value-for-parameter), >>>> test_automount_direct.test_3_automountlocation_del] No value for >>>> argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect.test_3_automountkey_del] No value for >>>> argument 'excClass' in method call) >>>> 
ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect.test_4_automountmap_del] No value for >>>> argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>> argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect_no_parent.test_3_automountkey_del] No value >>>> for argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect_no_parent.test_4_automountmap_del] No value >>>> for argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>> [E1120(no-value-for-parameter), >>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>> value for argument 'excClass' in method call) >>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>> [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] >>>> No value for argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>> [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] >>>> No value for argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>> [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] >>>> No value for argument 'excClass' in method call) >>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>> [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] >>>> No value for argument 'excClass' in method call) >>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: >>>> [E1120(no-value-for-parameter), 
test_passwd.test_3_user_del] No value for argument 'excClass' in method call)
>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin
>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213:
>>>> [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show]
>>>> No value for argument 'excClass' in method call)
>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin
>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487:
>>>> [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No
>>>> value for argument 'excClass' in method call)
>>>> ************* Module ipatests.test_ipaserver.test_ldap
>>>> ipatests/test_ipaserver/test_ldap.py:232:
>>>> [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value
>>>> for argument 'excClass' in method call)
>>>>
>>>
>>> I cannot see such warnings and make-lint passed without any problem with
>>> David's patch.
>>>
>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>> pytest-2.6.4-1.fc22.noarch
>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>> python-pytest-multihost-0.6-2.fc22.noarch
>>
>> I have the same packages
>> What version of pylint ?
>>
>> I have pylint-1.4.1-3.fc22.noarch
>>
>> Simo.
>>
>
> Thanks to Honza I've finally found a way to get the same errors you're
> reporting. All of them seem to be false positives but I'll investigate
> a little more to be sure.
>
> The thing is that the python-nose package that is still used in some tests
> is not in BuildRequires so I didn't install it.
>
> Another weird thing is that lint does not complain that tests are
> importing nose, which is not installed.

The nose.tools module from the python-nose package imports assertEqual and
assertRaises from unittest.case and provides them as assert_equal and
assert_raises. This confuses pylint, so we need to detect this situation and
skip checking of these functions unless we either drop python-nose or pylint
becomes more powerful.
--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0046-Lint-Skip-checking-of-functions-stolen-by-python-nos.patch
Type: text/x-patch
Size: 2263 bytes
Desc: not available
URL:
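The mechanism David describes in the last paragraph above, as an added example that is not part of the original message, of nose or of FreeIPA: a throwaway TestCase instance's bound assert* methods are injected into a module namespace under pep8-style names at import time. Nothing in the source text declares those names, so a static checker that follows assert_equal back to unittest.TestCase.assertEqual(self, first, second, msg=None) sees the unbound function and reports the call assert_equal(a, b) as missing 'second', exactly the E1120 lines in the make-lint output. The names pep8, build_aliases, static_params, runtime_params and aliases_work belong to this example only.

```python
# Added example (not nose's or FreeIPA's code): reproduce how nose.tools
# builds its assert_* aliases and compare the static and runtime views.
import inspect
import unittest


def pep8(name):
    """Rename a camelCase TestCase method the way nose.tools does:
    assertRaises -> assert_raises, assertEqual -> assert_equal."""
    return ''.join('_' + c.lower() if c.isupper() else c for c in name)


class _Dummy(unittest.TestCase):
    """Throwaway TestCase whose *bound* assert* methods become the aliases."""

    def nop(self):
        pass


_instance = _Dummy('nop')


def build_aliases(namespace):
    """Inject assert_* aliases into a module namespace at import time.

    The aliases are created by a loop over dir(), so no 'def' or explicit
    assignment for them exists in the source. A static checker resolving the
    name lands on the unbound TestCase function, whose first parameter is
    'self'; it therefore reports assert_equal(a, b) as missing 'second' and
    assert_raises(exc, func) as missing 'excClass' (the Python 2 parameter
    name; Python 3 calls it 'expected_exception').
    """
    added = []
    for attr in dir(_instance):
        if attr.startswith('assert') and '_' not in attr:
            alias = pep8(attr)
            namespace[alias] = getattr(_instance, attr)
            added.append(alias)
    return sorted(added)


ALIASES = build_aliases(globals())


def static_params(method_name):
    """Parameter names a static checker infers: the class attribute's."""
    func = getattr(unittest.TestCase, method_name)
    return list(inspect.signature(func).parameters)


def runtime_params(alias):
    """Parameter names of what actually gets called: the bound alias'."""
    return list(inspect.signature(globals()[alias]).parameters)


def aliases_work():
    """Use two aliases the way ipatests does. The bare names below are
    exactly what pylint cannot resolve, yet Python finds them in the
    module globals at call time. Returns True when the runtime behaviour
    (not the static view) is what holds."""
    assert_equal(1, 1)                       # no 'second' missing at runtime
    assert_raises(ValueError, int, 'x')      # 'excClass' is ValueError
    try:
        assert_raises(ValueError, int, '7')  # int('7') does not raise ...
    except AssertionError:
        return True                          # ... so assertRaises complains
    return False


if __name__ == '__main__':
    print('aliases:', ', '.join(ALIASES))
    print('static view of assertEqual:', static_params('assertEqual'))
    print('runtime view of assert_equal:', runtime_params('assert_equal'))
    print('aliases work:', aliases_work())
```

The two parameter lists side by side are the whole story: the static one starts with self, the runtime one does not, so the checker's complaint is about a call shape that never occurs. A suppression scoped to those injected names, rather than a blanket disable of E1120, keeps the check active for the project's own code.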
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Apr 2015 15:41:47 +0200
Subject: [Freeipa-devel] user-friendly 'IPA internal error' message
In-Reply-To: <1429791008.13607.0.camel@willson.usersys.redhat.com>
References: <5537482A.7030201@redhat.com> <553754D6.6050006@redhat.com> <1429709542.22399.124.camel@willson.usersys.redhat.com> <553882E5.8040902@redhat.com> <1429791008.13607.0.camel@willson.usersys.redhat.com>
Message-ID: <5538F69B.3040409@redhat.com>

On 23.4.2015 14:10, Simo Sorce wrote:
> On Thu, 2015-04-23 at 07:28 +0200, Jan Cholasta wrote:
>> Dne 22.4.2015 v 15:32 Simo Sorce napsal(a):
>>> On Wed, 2015-04-22 at 09:59 +0200, Jan Cholasta wrote:
>>>> Dne 22.4.2015 v 09:05 Petr Spacek napsal(a):
>>>>> Hello,
>>>>>
>>>>> looking at the freeipa-users list, the following kind of conversation is quite common:
>>>>>
>>>>> user: 'IPA reports an internal error, what should I do?'
>>>>> dev: 'see HTTPd error log on the IPA server'
>>>>> user: 'what server?'
>>>>> dev: 'enable debugging on client and see which server was contacted'
>>>>>
>>>>>
>>>>> Can we make InternalError more useful and eliminate this kind of ping-pong?
>>>>>
>>>>> Looking at sources:
>>>>> $ git grep 'class .*InternalError'
>>>>> ipalib/errors.py:class InternalError(PublicError):
>>>>> ipalib/errors.py:class ServerInternalError(PublicError):
>>>>>
>>>>> $ git grep ServerInternalError
>>>>> ipalib/errors.py:class ServerInternalError(PublicError):
>>>>> ipalib/errors.py: >>> raise ServerInternalError(server='https://localhost')
>>>>> ipalib/errors.py: ServerInternalError: an internal error has occurred on
>>>>> server at 'https://localhost'
>>>>>
>>>>> Apparently somebody was thinking about it in the past but ServerInternalError
>>>>> is not used anywhere.
>>>>>
>>>>> How hard would it be to translate InternalError on the client side to
>>>>> ServerInternalError with the appropriate server name?
>>>>>
>>>>> Can we extend InternalError with text like this?
>>>>> 'See httpd error log on server %s for more details.'
>>>>>
>>>>> Does it make sense? Should I open a ticket about this?
>>>>>
>>>>
>>>> It's a good idea.
>>>>
>>>> On a related note, I would also like the server to send tracebacks to
>>>> the client if debugging is enabled on the server.
>>>
>>> I am not too hot on this idea, unless there is a specific switch to
>>> allow sending tracebacks (default to off).
>>
>> Emphasis on "if debugging is enabled".
>
> If I enable debugging on the server, I still may not want all clients to
> receive backtraces, especially if I am trying to resolve a problem in
> production.

Good point, I agree with Simo on this. It should be a separate switch.

--
Petr^2 Spacek
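A small model of what this thread asks for, added here as an example and not taken from ipalib/errors.py or rpcserver: the client turns a bare InternalError into a ServerInternalError that names the server it actually contacted and points at that server's httpd error log, while the server copies a traceback into the response only under a switch that is separate from debug, so turning on server-side debugging never by itself discloses stack traces to every client. The functions serve, call, demo and _buggy_command are hypothetical stand-ins for the FreeIPA dispatcher, the client RPC call and a broken plugin; the server URL and the error text are made up.

```python
# Added example (not FreeIPA's ipalib/errors.py or rpcserver code).
import traceback


class PublicError(Exception):
    """Error that is allowed to cross the client/server boundary."""
    format = 'an error has occurred'

    def __init__(self, message=None, **kw):
        self.kw = kw
        super(PublicError, self).__init__(message or self.format % kw)


class InternalError(PublicError):
    """What the server sends today: no hint about which server it was."""
    format = 'an internal error has occurred'


class ServerInternalError(PublicError):
    """Client-side replacement that names the server actually contacted."""
    format = ("an internal error has occurred on server at '%(server)s'. "
              "See the httpd error log on that server for more details.")


def serve(command, args, debug=False, send_tracebacks=False, error_log=None):
    """Server side: run one request.

    Unexpected exceptions become an InternalError. The traceback always goes
    to the server's own log (the full text when debug is on, the last line
    otherwise) and is copied into the response only when send_tracebacks is
    set; debug alone never leaks it to clients.
    """
    if error_log is None:
        error_log = []
    try:
        return {'result': command(*args)}
    except PublicError as e:
        return {'error': type(e).__name__, 'message': str(e)}
    except Exception:
        tb = traceback.format_exc()
        error_log.append(tb if debug else tb.strip().splitlines()[-1])
        response = {'error': 'InternalError', 'message': str(InternalError())}
        if send_tracebacks:
            response['traceback'] = tb
        return response


def call(server_url, command, args, **server_options):
    """Client side: forward the request and turn a bare InternalError into a
    ServerInternalError that tells the user where to look."""
    response = serve(command, args, **server_options)
    if 'error' not in response:
        return response['result']
    if response['error'] == 'InternalError':
        raise ServerInternalError(server=server_url)
    raise PublicError(response['message'])


def _buggy_command(dn):
    """Constructed command that fails the way a broken plugin would."""
    raise KeyError('%s has no attribute cn' % dn)


def demo(server_url='https://ipa.example.test/ipa/json'):
    """Run the cases worth checking; returns what each one observed."""
    log = []
    quiet = serve(_buggy_command, ('uid=alice',), debug=True, error_log=log)
    verbose = serve(_buggy_command, ('uid=alice',), send_tracebacks=True)
    try:
        call(server_url, _buggy_command, ('uid=alice',))
        client_message = None
    except ServerInternalError as e:
        client_message = str(e)
    return {
        'debug_alone_leaks_traceback': 'traceback' in quiet,
        'server_log_has_cause': 'KeyError' in log[0],
        'switch_sends_traceback': 'KeyError' in verbose.get('traceback', ''),
        'client_message': client_message,
        'plain_result': call(server_url, lambda a, b: a + b, (1, 2)),
    }


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print('%s: %s' % (key, value))
```

The point of keeping send_tracebacks apart from debug is that the two answer different questions: debug is about how much the server records for its own operator, send_tracebacks is about what leaves the host, and a traceback routinely carries file paths, DNs and sometimes attribute values that an unauthenticated caller of the password-change endpoint has no business seeing.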
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Thu, 23 Apr 2015 16:18:10 -0400
Subject: [Freeipa-devel] [PATCH] 823 ipaldap: raise DatabaseError on unbind if disconnected
In-Reply-To: <5538E1CB.8040705@redhat.com>
References: <5538C84C.9020407@redhat.com> <5538E1CB.8040705@redhat.com>
Message-ID: <1429820290.5680.7.camel@redhat.com>

On Thu, 2015-04-23 at 14:12 +0200, Petr Vobornik wrote:
> On 04/23/2015 12:24 PM, Petr Vobornik wrote:
> > If unbind was called when disconnected it raised:
> > AttributeError: 'NoneType' object has no attribute 'unbind_s'
> >
> > AttributeError is not a public error and therefore it prevented
> > ldap2.destroy_connection() from being called multiple times.
> >
> > fixes:
> > https://fedorahosted.org/freeipa/ticket/4991
> >
> > Note: this issue also prevented rpcserver.change_password from
> > working.
> > Therefore I think that there might have been an error in the recent
> > ipaldap refactoring and if #4991 was not run on master then there
> > might have been another issue, which has probably been fixed by the
> > refactoring.
> >
>
> After discussion with Honza, the approach was changed.
>
> Also I've added a patch which removes unnecessary incorrect code which
> revealed the regression.
>
> Additional testing shows that these patches actually don't fix the
> original issue of #4991. See
> https://fedorahosted.org/freeipa/ticket/4991#comment:4

0823 - ACK
0824 - ACK

Nathaniel
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 24 Apr 2015 07:19:07 +0200
Subject: [Freeipa-devel] [PATCH] 823 ipaldap: raise DatabaseError on unbind if disconnected
In-Reply-To: <1429820290.5680.7.camel@redhat.com>
References: <5538C84C.9020407@redhat.com> <5538E1CB.8040705@redhat.com> <1429820290.5680.7.camel@redhat.com>
Message-ID: <5539D24B.5050600@redhat.com>

Dne 23.4.2015 v 22:18 Nathaniel McCallum napsal(a):
> On Thu, 2015-04-23 at 14:12 +0200, Petr Vobornik wrote:
>> On 04/23/2015 12:24 PM, Petr Vobornik wrote:
>>> If unbind was called when disconnected it raised:
>>> AttributeError: 'NoneType' object has no attribute 'unbind_s'
>>>
>>> AttributeError is not a public error and therefore it prevented
>>> ldap2.destroy_connection() from being called multiple times.
>>>
>>> fixes:
>>> https://fedorahosted.org/freeipa/ticket/4991
>>>
>>> Note: this issue also prevented rpcserver.change_password from
>>> working.
>>> Therefore I think that there might have been an error in the recent
>>> ipaldap refactoring and if #4991 was not run on master then there
>>> might have been another issue, which has probably been fixed by the
>>> refactoring.
>>>
>>
>> After discussion with Honza, the approach was changed.
>>
>> Also I've added a patch which removes unnecessary incorrect code which
>> revealed the regression.
>>
>> Additional testing shows that these patches actually don't fix the
>> original issue of #4991. See
>> https://fedorahosted.org/freeipa/ticket/4991#comment:4
>
> 0823 - ACK
> 0824 - ACK
>
> Nathaniel
>

I would prefer if the connection was closed manually in patch 824. IMO
it is good practice to release resources just in time, once you are done
with them, and I don't think you can always trust the automatic
disconnect at the end of the request.

--
Jan Cholasta
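An illustration of the two points made in this thread, added here as an example and not FreeIPA's ipaldap or rpcserver code: a disconnect that is harmless when the object is already disconnected (instead of the AttributeError on None.unbind_s() that patch 823 set out to fix) and that turns a library failure into a public DatabaseError, and a handler that releases the bind as soon as it has done its work rather than trusting end-of-request cleanup, which is Jan's point above. Connectible, _FakeLDAPConnection, connected, change_password and demo are constructed stand-ins for ldap2, python-ldap, the request wrapper and rpcserver.change_password; the DNs and passwords are made up.

```python
# Added example (not FreeIPA's ipaldap/ldap2 or rpcserver code).
import contextlib


class PublicError(Exception):
    """Base of the errors a caller is expected to handle."""


class DatabaseError(PublicError):
    """Public wrapper for failures inside the LDAP library."""


class _FakeLDAPConnection(object):
    """Constructed stand-in for the python-ldap object kept in self.conn."""

    def __init__(self, fail_unbind=False):
        self.fail_unbind = fail_unbind
        self.passwords = {}

    def unbind_s(self):
        if self.fail_unbind:
            raise RuntimeError('server closed the connection')

    def passwd_s(self, dn, old, new):
        self.passwords[dn] = new


class Connectible(object):
    """Holds at most one live connection; conn is None while disconnected."""

    def __init__(self, conn_factory=_FakeLDAPConnection):
        self._conn_factory = conn_factory
        self.conn = None
        self.events = []  # connect/disconnect trail, kept for the demo

    def connect(self, bind_dn, password):
        if self.conn is not None:
            raise DatabaseError('already connected')
        self.conn = self._conn_factory()  # real code: ldap.initialize + bind
        self.events.append('connect')

    def disconnect(self):
        """Safe to call repeatedly: with no connection it returns instead of
        raising AttributeError on None.unbind_s(). A library failure during
        unbind is re-raised as the public DatabaseError, and the handle is
        dropped first so the object never stays half-connected."""
        if self.conn is None:
            return
        conn, self.conn = self.conn, None
        self.events.append('disconnect')
        try:
            conn.unbind_s()
        except Exception as e:
            raise DatabaseError('unbind failed: %s' % e)

    def passwd(self, dn, old, new):
        if self.conn is None:
            raise DatabaseError('not connected')
        self.conn.passwd_s(dn, old, new)


@contextlib.contextmanager
def connected(ldap, bind_dn, password):
    """Bind for the duration of the block and release on the way out,
    whether the block returns or raises."""
    ldap.connect(bind_dn, password)
    try:
        yield ldap
    finally:
        ldap.disconnect()


def change_password(ldap, user_dn, old_password, new_password):
    """Handler shaped like rpcserver.change_password: the bind lives exactly
    as long as the work needs it, not until end-of-request cleanup."""
    with connected(ldap, user_dn, old_password) as conn:
        if len(new_password) < 8:
            raise PublicError('new password is too short')
        conn.passwd(user_dn, old_password, new_password)
    return True


def demo():
    """Exercise the cases from the thread; returns what each one observed."""
    dn = 'uid=alice,cn=users,dc=example,dc=test'
    ldap = Connectible()
    ok = change_password(ldap, dn, 'Old-Secret-1', 'New-Secret-22')
    ldap.disconnect()  # already disconnected: no-op, no AttributeError
    ldap.disconnect()
    try:
        change_password(ldap, dn, 'Old-Secret-1', 'short')
        rejected = False
    except PublicError:
        rejected = True  # handler raised; the bind was still released
    flaky = Connectible(lambda: _FakeLDAPConnection(fail_unbind=True))
    flaky.connect('cn=Directory Manager', 'x')
    try:
        flaky.disconnect()
        unbind_error = None
    except DatabaseError as e:
        unbind_error = str(e)
    return {'changed': ok, 'rejected': rejected, 'events': list(ldap.events),
            'still_connected': ldap.conn is not None,
            'unbind_error': unbind_error, 'flaky_conn': flaky.conn}


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print('%s: %s' % (key, value))
```

Releasing in a finally block rather than at request teardown matters most on the failure path: a handler that binds as the user and then raises would otherwise keep that user-bound connection alive for whatever runs later in the same request.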
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 24 Apr 2015 13:31:26 +0200
Subject: [Freeipa-devel] [PATCH] 823 ipaldap: raise DatabaseError on unbind if disconnected
In-Reply-To: <5539D24B.5050600@redhat.com>
References: <5538C84C.9020407@redhat.com> <5538E1CB.8040705@redhat.com> <1429820290.5680.7.camel@redhat.com> <5539D24B.5050600@redhat.com>
Message-ID: <553A298E.2020807@redhat.com>

On 04/24/2015 07:19 AM, Jan Cholasta wrote:
> Dne 23.4.2015 v 22:18 Nathaniel McCallum napsal(a):
>> On Thu, 2015-04-23 at 14:12 +0200, Petr Vobornik wrote:
>>> On 04/23/2015 12:24 PM, Petr Vobornik wrote:
>>>> If unbind was called when disconnected it raised:
>>>> AttributeError: 'NoneType' object has no attribute 'unbind_s'
>>>>
>>>> AttributeError is not a public error and therefore it prevented
>>>> ldap2.destroy_connection() from being called multiple times.
>>>>
>>>> fixes:
>>>> https://fedorahosted.org/freeipa/ticket/4991
>>>>
>>>> Note: this issue also prevented rpcserver.change_password from
>>>> working.
>>>> Therefore I think that there might have been an error in the recent
>>>> ipaldap refactoring and if #4991 was not run on master then there
>>>> might have been another issue, which has probably been fixed by the
>>>> refactoring.
>>>>
>>>
>>> After discussion with Honza, the approach was changed.
>>>
>>> Also I've added a patch which removes unnecessary incorrect code which
>>> revealed the regression.
>>>
>>> Additional testing shows that these patches actually don't fix the
>>> original issue of #4991. See
>>> https://fedorahosted.org/freeipa/ticket/4991#comment:4
>>
>> 0823 - ACK
>> 0824 - ACK
>>
>> Nathaniel
>>
>
> I would prefer if the connection was closed manually in patch 824. IMO
> it is good practice to release resources just in time, once you are done
> with them, and I don't think you can always trust the automatic
> disconnect at the end of the request.
>

Changed (also in user-status command).
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0824-2-use-Connectible.disconnect-instead-of-.destroy_conne.patch
Type: text/x-patch
Size: 1888 bytes
Desc: not available
URL:

From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Apr 2015 14:56:40 +0200
Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation
Message-ID: <553A3D88.6080200@redhat.com>

Patches attached.

--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0233-DNSSEC-Improve-global-forwarders-validation.patch
Type: text/x-patch
Size: 13093 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0234-DNSSEC-validate-forward-zone-forwarders.patch
Type: text/x-patch
Size: 10741 bytes
Desc: not available
URL:
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Apr 2015 15:17:38 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <5538F300.80904@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com>
Message-ID: <553A4272.5040604@redhat.com>

On 23/04/15 15:26, David Kupka wrote:
> On 04/13/2015 01:23 PM, David Kupka wrote:
>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>> On 28.3.2015 at 00:05 Petr Vobornik wrote:
>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be
>>>>>>>>>>> unable to build freeipa rpms on Fedora 22. This patch should go to
>>>>>>>>>>> master for sure, but I don't know if we want it in 4.1.
>>>>>>>>>>>
>>>>>>>>>> ACK
>>>>>>>>>
>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>
>>>>>>>> They seem to me to be false positives.
>>>>>>>>
>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>>>>>>>> member)
>>>>>>>>
>>>>>>>> >>> import ssl
>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>> 3
>>>>>>>>
>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>
>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has
>>>>>>>> both tzinfo and timetuple methods
>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>
>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>>> __index__)
>>>>>>>>
>>>>>>>> This is the line lint is complaining about:
>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than
>>>>>>>> integers.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> tested on:
>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>> - F22: master branch.
>>>>>>>>>>
>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in
>>>>>>>>>> F22
>>>>>>>>>
>>>>>>>
>>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>>> tentative NACK.
>>>>>>
>>>>>> I tested it this way:
>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>> 2. dnf install git
>>>>>> 3. clone freeipa
>>>>>> 4. make version-update # to get freeipa.spec
>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>> 6. ./make-lint
>>>>>>
>>>>>>>
>>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>>> method call" (this one only in test_ipautil.py) and "No value for argument
>>>>>>> 'excClass' in method call" sprinkled around various test plugins.
>>>>>>> These cause E1120(no-value-for-parameter).
>>>>>>
>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>
>>>>> Here it is.
>>>>> This is with my f22 desktop, fully updated with buildrequires, running
>>>>> make-lint straight after applying your patch:
>>>>>
>>>>
>>>> I cannot see such warnings and make-lint passed without any problem
>>>> with David's patch.
>>>>
>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>> pytest-2.6.4-1.fc22.noarch
>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>
>>> I have the same packages.
>>> What version of pylint?
>>>
>>> I have pylint-1.4.1-3.fc22.noarch
>>>
>>> Simo.
>>>
>>
>> Thanks to Honza I've finally found a way to get the same errors you're
>> reporting. All of them seem to be false positives, but I'll investigate
>> a little more to be sure.
>>
>> The thing is that the python-nose package that is still used in some tests is
>> not in BuildRequires, so I didn't install it.
>>
>> Another weird thing is that lint does not complain that tests are
>> importing nose, which is not installed.
>>
> The nose.tools module from the python-nose package imports assertEqual and
> assertRaises from unittest.case and provides them as assert_equal and
> assert_raises. This confuses pylint, so we need to detect this
> situation and skip checking of these functions unless we either drop
> python-nose or pylint becomes more powerful.
>

Hello,

This empty line should not be there; it is an unrelated and unneeded change.

@@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
              'domain', 'master', 'replicas', 'clients', 'ad_domains']
     }
+
     def _related_classes(self, klass):
         yield klass
         for base in klass.ancestors():

Otherwise it looks good to me and works for me on f22, f21.

-- 
Martin Basti

From mbasti at redhat.com Fri Apr 24 13:19:27 2015
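Review bot: the only change in this hunk is the blank line added between the closing `}` and `def _related_classes(self, klass):`, which has nothing to do with the pylint fix; drop it so the patch stays limited to the lint changes, or, if a blank line between class members is wanted for style, move it into a separate cleanup commit.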
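David's explanation of the nose.tools wrapper, as an added example that is not code from the thread, from nose or from FreeIPA: it rebuilds the pattern in a few lines and binds a call positionally against the underlying TestCase method, which reproduces the "No value for argument 'second'" complaint. The names _Dummy, assert_equal, assert_raises and missing_positional_parameters are assumptions for illustration; under Python 3 the assertRaises parameter is named expected_exception rather than Python 2's excClass.

```python
import inspect
import unittest

# Added example, not nose's or FreeIPA's code: a reconstruction of how
# nose.tools exposes unittest.TestCase assertion methods as module-level
# functions, and why a checker that resolves assert_equal to the underlying
# TestCase.assertEqual reports a missing positional parameter.
# _Dummy, assert_equal, assert_raises and missing_positional_parameters are
# names chosen for this illustration.


class _Dummy(unittest.TestCase):
    def nop(self):
        pass


# At runtime these are bound methods: `self` is already supplied, so
# assert_equal(a, b) is a perfectly good call.
_instance = _Dummy("nop")
assert_equal = _instance.assertEqual
assert_raises = _instance.assertRaises


def missing_positional_parameters(bound_method, call_args):
    """Bind call_args positionally against the unbound function behind
    bound_method (the TestCase method a static checker sees) and return the
    required parameters that are left without a value."""
    sig = inspect.signature(bound_method.__func__)
    required = [
        p.name for p in sig.parameters.values()
        if p.default is inspect.Parameter.empty
        and p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD)
    ]
    # Positional arguments fill parameters in order, so `self` swallows the
    # first real argument and the last required parameter stays unfilled.
    return required[len(call_args):]


def runtime_works():
    """Show that the bound functions behave correctly when executed."""
    assert_equal("a", "a")
    with assert_raises(ValueError):
        int("not a number")
    return True


if __name__ == "__main__":
    # assertEqual(self, first, second, msg=None): two arguments leave 'second'
    print(missing_positional_parameters(assert_equal, ("a", "a")))
    # assertRaises(self, expected_exception, *args, **kwargs): the one-argument
    # context-manager form leaves the exception parameter unfilled
    print(missing_positional_parameters(assert_raises, (ValueError,)))
    print(runtime_works())
```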
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Apr 2015 15:19:27 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <5534BFA4.2080406@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> <5534B989.3010005@redhat.com> <5534BFA4.2080406@redhat.com>
Message-ID: <553A42DF.1070300@redhat.com>

On 20/04/15 10:58, Martin Babinsky wrote:
> On 04/20/2015 10:32 AM, Martin Basti wrote:
>> On 17/04/15 14:11, Martin Babinsky wrote:
>>> On 04/17/2015 12:41 PM, Martin Babinsky wrote:
>>>> On 04/17/2015 12:36 PM, Martin Basti wrote:
>>>>> On 17/04/15 12:33, Martin Babinsky wrote:
>>>>>> On 04/17/2015 12:04 PM, Martin Basti wrote:
>>>>>>> On 15/04/15 15:53, Martin Babinsky wrote:
>>>>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>>>>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>>>>>>> This patch addresses
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4966
>>>>>>>>>>>
>>>>>>>>>>> The noise during rollback/uninstall is caused mainly by
>>>>>>>>>>> unsuccessful attempts to remove files that do not exist anymore.
>>>>>>>>>>> These errors are now logged at debug level and do not pop up on
>>>>>>>>>>> stdout/stderr.
>>>>>>>>>>>
>>>>>>>>>> Hello, thank you for the patch.
>>>>>>>>>>
>>>>>>>>>> 1)
>>>>>>>>>> The option add_warning is quite unclear to me. It does not show
>>>>>>>>>> a warning but an error. I suggest something like show_hint,
>>>>>>>>>> show_user_action, or something show_additional_..., or
>>>>>>>>>> prompt_manual_removal
>>>>>>>>>>
>>>>>>>>>> Martin^2
>>>>>>>>>>
>>>>>>>>> Continue...
>>>>>>>>>
>>>>>>>>> 2)
>>>>>>>>>
>>>>>>>>>     if file_exists(preferences_fname):
>>>>>>>>>         try:
>>>>>>>>>             os.remove(preferences_fname)
>>>>>>>>>         except OSError as e:
>>>>>>>>>             log_file_removal_error(e, preferences_fname, True)
>>>>>>>>>
>>>>>>>>> In this case a file-not-found error should never happen.
>>>>>>>>>
>>>>>>>>> Could you remove the 'if file_exists' part and handle just the
>>>>>>>>> exception?
>>>>>>>>>
>>>>>>>> I just reverted this bit to its original form in order to not fix
>>>>>>>> something that isn't broken. Is that ok?
>>>>>>>>> 3)
>>>>>>>>> this is inconsistent with the change above, choose one style please:
>>>>>>>>>
>>>>>>>>>     if os.path.exists(ca_file):
>>>>>>>>>         try:
>>>>>>>>>             os.unlink(ca_file)
>>>>>>>>>         except OSError, e:
>>>>>>>>>             root_logger.error(
>>>>>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Martin Basti
>>>>>>>>>
>>>>>>>>
>>>>>>>> Attaching updated patch.
>>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> just one nitpick, can you move the new function into
>>>>>>> installutils? It can be used in different scripts, not just in ipaclient.
>>>>>>>
>>>>>>
>>>>>> I'm not sure if it is a good idea as installutils is a part of the
>>>>>> freeipa-server package.
>>>>>>
>>>>>> Placing it there would create an unnecessary dependency of
>>>>>> freeipa-client on freeipa-server because of a single function.
>>>>>>
>>>>> you are right, I do not know why I thought that ipa-client-install uses
>>>>> installutils.
>>>>>
>>>>> ACK
>>>>>
>>>> self-NACK, I will try to rewrite the patch in a slightly less dumb
>>>> way.
>>>>
>>>> Sorry for the confusion.
>>>>
>>>
>>> Attaching updated patch which does the same but using a wrapper around
>>> os.remove().
>>>
>>> Jan suggested to keep the new function in 'ipa-client-install' and
>>> move it around when we do installer re#$%@^ing.
>>>
>>> Is that ok?
>>>
>> It looks better, ACK.
>>
> Jan NACKed your ACK.
>
> Attaching updated patch.
> Sorry,

NACK

************* Module ipa-client-install
ipa-client/ipa-install/ipa-client-install:791: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call)
ipa-client/ipa-install/ipa-client-install:797: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call)

Consult with Honza whether the option that prompts the user to delete the file manually should be there or not.

-- 
Martin Basti

From dkupka at redhat.com Fri Apr 24 13:22:36 2015
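The os.remove() wrapper discussed in the thread above, as an added example that is not the patch's or FreeIPA's code: it drops the exists-then-remove pre-check (the check-then-act race and the redundant stat), logs an already-missing file at debug level only, and reserves the error log plus the manual-removal hint for real failures. The names remove_file, show_hint and the constructed sample file are assumptions; the project's own log_file_removal_error() may differ.

```python
import errno
import logging
import os
import tempfile

# Added example (not FreeIPA's code): an os.remove() wrapper in the spirit of
# the one discussed in this thread. remove_file and show_hint are names chosen
# for this illustration.
logger = logging.getLogger("uninstall-demo")


def remove_file(path, show_hint=False):
    """Remove a file during uninstall/rollback without the ENOENT noise.

    No os.path.exists() pre-check: calling os.remove() and handling the
    error avoids both the redundant check and the check-then-act race.
    Returns "removed", "missing" or "failed".
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            # Already gone: debug level only, this is the case that used to
            # pop up on stdout/stderr during rollback.
            logger.debug("File '%s' does not exist, nothing to remove", path)
            return "missing"
        # Anything else (EACCES, EISDIR, EBUSY, ...) is a real failure.
        logger.error("Failed to remove '%s': %s", path, e)
        if show_hint:
            logger.error("Please remove '%s' manually", path)
        return "failed"
    logger.debug("Removed '%s'", path)
    return "removed"


class _LogCollector(logging.Handler):
    """Collects (level, message) pairs so the demo can show what was logged."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append((record.levelname, record.getMessage()))


def demo():
    """Exercise the three outcomes on a constructed temporary directory.

    Returns (results, log_levels): the outcome of each call and the level of
    every log record emitted, in order.
    """
    collector = _LogCollector()
    logger.addHandler(collector)
    logger.setLevel(logging.DEBUG)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            conf = os.path.join(tmp, "ipa.conf")  # constructed sample file
            with open(conf, "w") as f:
                f.write("# constructed sample config\n")
            results = [
                remove_file(conf),                 # exists -> "removed"
                remove_file(conf),                 # gone -> "missing", debug only
                remove_file(tmp, show_hint=True),  # a directory -> "failed" + hint
            ]
    finally:
        logger.removeHandler(collector)
    levels = [level for level, _ in collector.records]
    return results, levels


if __name__ == "__main__":
    print(demo())
```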
From: dkupka at redhat.com (David Kupka) Date: Fri, 24 Apr 2015 15:22:36 +0200 Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22. In-Reply-To: <553A4272.5040604@redhat.com> References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> Message-ID: <553A439C.7040001@redhat.com> On 04/24/2015 03:17 PM, Martin Basti wrote: > On 23/04/15 15:26, David Kupka wrote: >> On 04/13/2015 01:23 PM, David Kupka wrote: >>> On 04/10/2015 02:55 PM, Simo Sorce wrote: >>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: >>>>> On (08/04/15 08:53), Simo Sorce wrote: >>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: >>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote: >>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>>>>>>>>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote: >>>>>>>>>>>> pylint changed slightly so we must react otherwise we'll be >>>>>>>>>>>> unable to >>>>>>>>>>>> build freeipa rpms on Fedora 22. This patch should go to >>>>>>>>>>>> master for sure >>>>>>>>>>>> but I don't know if we want it in 4.1. >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>>> Are all the new disables really just false positives? >>>>>>>>> >>>>>>>>> It seems to me as a false positives. >>>>>>>>> >>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' >>>>>>>>> member) >>>>>>>>> >>>>>>>>> >>> import ssl >>>>>>>>> >>> ssl.PROTOCOL_TLSv1 >>>>>>>>> 3 >>>>>>>>> >>>>>>>>> 2. 
ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), >>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member) >>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member) >>>>>>>>> >>>>>>>>> dateutil.parser.parse() returns datetime.datetime object and it >>>>>>>>> has >>>>>>>>> both tzinfo and timetuple methods >>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects) >>>>>>>>> >>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), >>>>>>>>> uri_escape] Slice index is not an int, None, or instance with >>>>>>>>> __index__) >>>>>>>>> >>>>>>>>> This is the line lint is complaining about: >>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) >>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything else than >>>>>>>>> integers. >>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> tested on: >>>>>>>>>>> - F21: ipa-4-1, master branch >>>>>>>>>>> - F22: master branch. >>>>>>>>>>> >>>>>>>>>>> IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in >>>>>>>>>>> F22 >>>>>>>>>> >>>>>>>> >>>>>>>> This patch doesn't seem to fix all my issues building on F22, so >>>>>>>> tentative NACK. >>>>>>> >>>>>>> I tested it this way: >>>>>>> 1. started with Fedora-22-x86_64-minimal system >>>>>>> 2. dnf install git >>>>>>> 3. clone freeipa >>>>>>> 4. make version-update # to get freeipa.spec >>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` >>>>>>> 6. ./make-lint >>>>>>> >>>>>>>> >>>>>>>> It seem the main offenders are "No value for argument 'second' in >>>>>>>> method >>>>>>>> call" (this one only in test_ipautul.py) and "No value for argument >>>>>>>> 'extClass' in method call" sprinkled around various test plugins. >>>>>>>> These cause E1120(no-value-for-parameter). >>>>>>> >>>>>>> Could you please paste the output of make-lint somewhere? >>>>>> >>>>>> Here it is. 
>>>>>> This is with my f22 desktop, fully updated with buildrequires, running
>>>>>> make-lint straight after applying your patch:
>>>>>>
>>>>>
>>>>> I cannot see such warnings and make-lint passed without any problem
>>>>> with David's patch.
>>>>>
>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>> pytest-2.6.4-1.fc22.noarch
>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>
>>>> I have the same packages.
>>>> What version of pylint?
>>>>
>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>
>>>> Simo.
>>>>
>>>
>>> Thanks to Honza I've finally found a way to get the same errors you're
>>> reporting. All of them seem to be false positives but I'll investigate
>>> a little more to be sure.
>>>
>>> The thing is that the python-nose package that is still used in some tests is
>>> not in BuildRequires so I didn't install it.
>>>
>>> Another weird thing is that lint does not complain that tests are
>>> importing nose that is not installed.
>>>
>> nose.tools module from python-nose package imports assertEqual and
>> assertRaises from unittest.case and provides them as assert_equal and
>> assert_raises. This confuses pylint so we need to detect this
>> situation and skip checking of these functions unless we either drop
>> python-nose or pylint becomes more powerful.
>>
>>
>>
> Hello,
>
> This empty line should not be there, it is an unrelated and unneeded change.
> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
> 'domain', 'master', 'replicas', 'clients', 'ad_domains']
> }
>
> +
> def _related_classes(self, klass):
> yield klass
> for base in klass.ancestors():
>
> Otherwise it looks good to me and works for me on f22, f21.
>

Thanks for reviewing the patch. I removed the accidentally added empty line.
Updated patch attached.

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0046.1-Lint-Skip-checking-of-functions-stolen-by-python-nos.patch
Type: text/x-patch
Size: 2027 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Apr 24 13:31:04 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 24 Apr 2015 15:31:04 +0200
Subject: [Freeipa-devel] [PATCH 0082] Update python-yubico dependency version
In-Reply-To:
References: <1427811900.7498.1.camel@redhat.com> <1429731931.2795.44.camel@redhat.com>
Message-ID: <553A4598.5040205@redhat.com>

On 04/23/2015 04:55 AM, Gabe Alford wrote:
> Ack.

Pushed to master: 9bd181b33d263d8edf7a900fc925779e0c4fadda

Ticket https://fedorahosted.org/freeipa/ticket/4954 added to the commit message.

>
> Thanks,
>
> Gabe
>
> On Wed, Apr 22, 2015 at 1:45 PM, Nathaniel McCallum
> wrote:
>
>> On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote:
>>> This change enables support for all current YubiKey hardware.
>>
>> Can someone please review this patch?
>>
>> Nathaniel
>>

--
Petr Vobornik

From pvoborni at redhat.com Fri Apr 24 13:36:54 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 24 Apr 2015 15:36:54 +0200
Subject: [Freeipa-devel] [PATCHES 0224-0225] Use NTP servers detected from SRV records in ntp configuration
In-Reply-To: <552FE16A.10008@redhat.com>
References: <552E72E9.5000001@redhat.com> <552F9E5C.2070704@redhat.com> <552FA2CC.1020002@redhat.com> <552FD1CB.3080005@redhat.com> <552FE16A.10008@redhat.com>
Message-ID: <553A46F6.9070301@redhat.com>

On 04/16/2015 06:20 PM, Martin Babinsky wrote:
> On 04/16/2015 05:14 PM, Martin Basti wrote:
>> On 16/04/15 13:53, Martin Babinsky wrote:
>>> On 04/16/2015 01:34 PM, Martin Babinsky wrote:
>>>> On 04/15/2015 04:17 PM, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4981
>>>
>> Stupid me, thank you
>>
>> Updated patches attached.
>>
> ACK
>

pushed to master:
* e395bdb911ebf69fbf6b3e1c9e0e148a9600bd90 ipa client: make --ntp-server option multivalued
* e55d8ee5d4649b2fd35aa6f29ed2a8f60088d1a8 ipa client: use NTP servers detected from SRV

--
Petr Vobornik

From pvoborni at redhat.com Fri Apr 24 13:39:44 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 24 Apr 2015 15:39:44 +0200
Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization
In-Reply-To: <552FE182.9080409@redhat.com>
References: <552E734A.5090005@redhat.com> <552F9EA6.10806@redhat.com> <552FD1D5.9060107@redhat.com> <552FE182.9080409@redhat.com>
Message-ID: <553A47A0.3030408@redhat.com>

On 04/16/2015 06:21 PM, Martin Babinsky wrote:
> On 04/16/2015 05:14 PM, Martin Basti wrote:
>> On 16/04/15 13:36, Martin Babinsky wrote:
>>> On 04/15/2015 04:18 PM, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4983
>>>>
>>>> Patch attached.
>>>
>>> NACK until you fix PATCH 224.
>>>
>> Updated patch attached.
>>
> ACK
>

Pushed to master: 2c8c4b8c885fe34cc722cce91639230a7734c3f3

--
Petr Vobornik

From mbasti at redhat.com Fri Apr 24 13:50:56 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Apr 2015 15:50:56 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553A439C.7040001@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com>
Message-ID: <553A4A40.3070002@redhat.com>

On 24/04/15 15:22, David Kupka wrote:
> On 04/24/2015 03:17 PM, Martin Basti wrote:
>> On 23/04/15 15:26, David Kupka wrote:
>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be
>>>>>>>>>>>>> unable to build freeipa rpms on Fedora 22. This patch should go to
>>>>>>>>>>>>> master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ACK
>>>>>>>>>>>
>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>
>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>
>>>>>>>>>> 1.
ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>>>>>>
>>>>>>>>>> >>> import ssl
>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>> 3
>>>>>>>>>>
>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>
>>>>>>>>>> dateutil.parser.parse() returns datetime.datetime object and it has
>>>>>>>>>> both tzinfo and timetuple methods
>>>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>
>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>>>>> __index__)
>>>>>>>>>>
>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than
>>>>>>>>>> integers.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> tested on:
>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>
>>>>>>>>>>>> IMHO it could go to ipa-4-1 branch because of FreeIPA 4.1.4 in
>>>>>>>>>>>> F22
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>>>>> tentative NACK.
>>>>>>>>
>>>>>>>> I tested it this way:
>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>> 2. dnf install git
>>>>>>>> 3. clone freeipa
>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>> 6.
./make-lint
>>>>>>>>
>>>>>>>>>
>>>>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>>>>> method call" (this one only in test_ipautul.py) and "No value for
>>>>>>>>> argument 'extClass' in method call" sprinkled around various test plugins.
>>>>>>>>> These cause E1120(no-value-for-parameter).
>>>>>>>>
>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>
>>>>>>> Here it is.
>>>>>>> This is with my f22 desktop, fully updated with buildrequires,
>>>>>>> running make-lint straight after applying your patch:
>>>>>>>
>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:358: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:359: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:360: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:365: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:366: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:367: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:368: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>> 
[E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:378: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>> 
[E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>> value for argument 'second' in method call) >>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>> [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No >>>>>>> value for argument 'excClass' in method call) >>>>>>> ************* Module ipatests.test_xmlrpc.test_automount_plugin >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>> 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount.test_c_automountlocation_del] No value for argument >>>>>>> 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>> 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_direct.test_3_automountlocation_del] No value for >>>>>>> argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>> argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>> argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>>>>> argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>> 
[E1120(no-value-for-parameter), >>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No value >>>>>>> for argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No value >>>>>>> for argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>>>>> value for argument 'excClass' in method call) >>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>> No value for argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>> No value for argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>> [E1120(no-value-for-parameter), >>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>> No value for argument 'excClass' in method call) >>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>> [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] >>>>>>> No value for argument 'excClass' in method call) >>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: >>>>>>> [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No >>>>>>> value for argument 'excClass' in method call) >>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: >>>>>>> [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] >>>>>>> No value for argument 'excClass' in method call) >>>>>>> 
>>>>>>>
>>>>>>
>>>>>> I cannot see such warnings and make-lint passed without any problem
>>>>>> with David's patch.
>>>>>>
>>>>>> [root@8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>
>>>>> I have the same packages.
>>>>> What version of pylint?
>>>>>
>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> Thanks to Honza I've finally found a way to get the same errors you're
>>>> reporting. All of them seem to be false positives, but I'll investigate
>>>> a little more to be sure.
>>>>
>>>> The thing is that the python-nose package, which is still used in some
>>>> tests, is not in BuildRequires, so I didn't install it.
>>>>
>>>> Another weird thing is that lint does not complain that tests are
>>>> importing nose, which is not installed.
>>>>
>>> The nose.tools module from the python-nose package imports assertEqual and
>>> assertRaises from unittest.case and provides them as assert_equal and
>>> assert_raises. This confuses pylint, so we need to detect this
>>> situation and skip checking of these functions unless we either drop
>>> python-nose or pylint becomes more powerful.
>>>
>>>
>>>
>> Hello,
>>
>> This empty line should not be there; it is an unrelated and unneeded
>> change.
>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker): >> 'domain', 'master', 'replicas', 'clients', 'ad_domains'] >> } >> >> + >> def _related_classes(self, klass): >> yield klass >> for base in klass.ancestors():
>>
>> Otherwise it looks good to me and works for me on f22, f21.
>>
>
> Thanks for reviewing the patch. I removed the accidentally added empty
> line. Updated patch attached.
>
ACK

--
Martin Basti

From tbabej at redhat.com Fri Apr 24 13:56:57 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 24 Apr 2015 15:56:57 +0200
Subject: [Freeipa-devel] [PATCH 0030] use separate ccache filename for each IPA DNSSEC daemon
In-Reply-To: <55351AC1.5080906@redhat.com>
References: <5535150E.3000702@redhat.com> <55351AC1.5080906@redhat.com>
Message-ID: <553A4BA9.1010007@redhat.com>

On 04/20/2015 05:26 PM, Petr Spacek wrote:
> On 20.4.2015 17:02, Martin Babinsky wrote:
>> The attached patch implements a request by Petr^2 Spacek during the review of
>> my PATCHES 0015-0017, which are prerequisites of the patch and were pushed today.
>>
>> Petr wanted each DNSSEC daemon (ipa-dnskeysync-replica, ipa-dnskeysyncd, and
>> ipa-ods-exporter) to have its own CCache file to simplify his life during
>> debugging DNSSEC-related issues.
> Obvious ACK. Thank you!
>
Pushed to master: 528e9503ed71c7d4b5231689ceb8bb37901efced

From tbabej at redhat.com Fri Apr 24 13:58:34 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 24 Apr 2015 15:58:34 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553A4A40.3070002@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com>
Message-ID: <553A4C0A.6010109@redhat.com>

On 04/24/2015 03:50 PM, Martin Basti wrote:
> On 24/04/15 15:22, David Kupka wrote:
>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>> On 23/04/15 15:26, David Kupka wrote:
>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>> pylint changed slightly, so we must react, otherwise we'll be
>>>>>>>>>>>>>> unable to build freeipa rpms on Fedora 22. This patch should go to
>>>>>>>>>>>>>> master for sure, but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ACK
>>>>>>>>>>>>
>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>
>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>
>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>>>>>>>>>>> member)
>>>>>>>>>>>
>>>>>>>>>>> >>> import ssl
>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>> 3
>>>>>>>>>>>
>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>
>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object, and it
>>>>>>>>>>> has both tzinfo and timetuple methods
>>>>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>
>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>>>>>> __index__)
>>>>>>>>>>>
>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than
>>>>>>>>>>> integers.
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>
>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in
>>>>>>>>>>>>> F22
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>>>>>> tentative NACK.
>>>>>>>>>
>>>>>>>>> I tested it this way:
>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>> 2. dnf install git
>>>>>>>>> 3. clone freeipa
>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>> 6. ./make-lint
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>>>>>> method call" (this one only in test_ipautil.py) and "No value for
>>>>>>>>>> argument 'excClass' in method call" sprinkled around various test
>>>>>>>>>> plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>
>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>
>>>>>>>> Here it is.
>>>>>>>> This is with my f22 desktop, fully updated with buildrequires, running
>>>>>>>> make-lint straight after applying your patch:
>>>>>>>>
[E1120(no-value-for-parameter), >>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>> argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>>>>>> argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>> value >>>>>>>> for argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>> value >>>>>>>> for argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>>>>>> value for argument 'excClass' in method call) >>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>> No value for argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>> No value for argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>>> [E1120(no-value-for-parameter), >>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>> No value for argument 'excClass' in method call) >>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>>> [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] >>>>>>>> No value for argument 'excClass' in method call) >>>>>>>> ************* Module 
ipatests.test_xmlrpc.test_passwd_plugin
>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call)
>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin
>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call)
>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin
>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call)
>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap
>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call)
>>>>>>>>
>>>>>>>
>>>>>>> I cannot see such warnings and make-lint passed without any problem with David's patch.
>>>>>>>
>>>>>>> [root@8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>
>>>>>> I have the same packages
>>>>>> What version of pylint ?
>>>>>>
>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> Thanks to Honza I've finally found a way to get the same errors you're reporting. All of them seem to be false positives but I'll investigate a little more to be sure.
>>>>>
>>>>> The thing is that the python-nose package that is still used in some tests is not in BuildRequires so I didn't install it.
>>>>>
>>>>> Another weird thing is that lint does not complain that tests are importing nose that is not installed.
>>>>>
>>>> nose.tools module from the python-nose package imports assertEqual and assertRaises from unittest.case and provides them as assert_equal and assert_raises. This confuses pylint, so we need to detect this situation and skip checking of these functions unless we either drop python-nose or pylint becomes more powerful.
>>>>
>>>>
>>>>
>>> Hello,
>>>
>>> This empty line should not be there, it is an unrelated and unneeded change.
>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>> 'domain', 'master', 'replicas', 'clients', 'ad_domains']
>>> }
>>>
>>> +
>>> def _related_classes(self, klass):
>>> yield klass
>>> for base in klass.ancestors():
>>>
>>> Otherwise it looks good to me and works for me on f22, f21.
>>>
>>
>> Thanks for reviewing the patch. I removed the accidentally added empty line. Updated patch attached.
>>
> ACK
> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b

From ofayans at redhat.com Fri Apr 24 14:05:18 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 24 Apr 2015 16:05:18 +0200
Subject: [Freeipa-devel] [PATCH 0001] Fixed incorrect ldap_uri population
Message-ID: <553A4D9E.5000201@redhat.com>

Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5002

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0001-Fixed-incorrect-ldap_uri-population.patch
Type: text/x-patch
Size: 896 bytes
Desc: not available

From pvoborni at redhat.com Fri Apr 24 14:08:40 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 24 Apr 2015 16:08:40 +0200
Subject: [Freeipa-devel] [PATCH 0226] Use user specified NTP servers during initial synchronization
In-Reply-To: <553A47A0.3030408@redhat.com>
References: <552E734A.5090005@redhat.com> <552F9EA6.10806@redhat.com> <552FD1D5.9060107@redhat.com> <552FE182.9080409@redhat.com> <553A47A0.3030408@redhat.com>
Message-ID: <553A4E68.2040804@redhat.com>

On 04/24/2015 03:39 PM, Petr Vobornik wrote:
> On 04/16/2015 06:21 PM, Martin Babinsky wrote:
>> On 04/16/2015 05:14 PM, Martin Basti wrote:
>>> On 16/04/15 13:36, Martin Babinsky wrote:
>>>> On 04/15/2015 04:18 PM, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4983
>>>>>
>>>>> Patch attached.
>>>>
>>>> NACK until you fix PATCH 224.
>>>>
>>> Updated patch attached.
>>>
>> ACK
>>
>
> Pushed to master: 2c8c4b8c885fe34cc722cce91639230a7734c3f3
>

Would be NACK, but it's already pushed:

- if options.ntp_server:
+ if options.ntp_servers

Should have been in patch 225 not 226.
--
Petr Vobornik

From mbasti at redhat.com Fri Apr 24 14:15:51 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Apr 2015 16:15:51 +0200
Subject: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
In-Reply-To: <5534DC1C.1040903@redhat.com>
References: <54F847EF.2080608@redhat.com> <553110F1.2030008@redhat.com> <5534DC1C.1040903@redhat.com>
Message-ID: <553A5017.5000908@redhat.com>

On 20/04/15 12:59, Martin Babinsky wrote:
> On 04/17/2015 03:56 PM, Martin Babinsky wrote:
>> On 03/05/2015 01:11 PM, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/4900
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>
>> Nobody to review this?
>>
>
> Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one for master.
>

Hello, thanks for the patches:

1) why is there
+ PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG
I cannot find it used in the patches?

Martin^2
--
Martin Basti

From ofayans at redhat.com Fri Apr 24 14:27:45 2015
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 24 Apr 2015 16:27:45 +0200
Subject: [Freeipa-devel] [PATCH 0001] Fixed incorrect ldap_uri population
In-Reply-To: <553A4D9E.5000201@redhat.com>
References: <553A4D9E.5000201@redhat.com>
Message-ID: <553A52E1.8060309@redhat.com>

This one is even more correct.

On 04/24/2015 04:05 PM, Oleg Fayans wrote:
> Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5002
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0001-Fixed-incorrect-ldap_uri-population.patch
Type: text/x-patch
Size: 933 bytes
Desc: not available

From jcholast at redhat.com Mon Apr 27 05:55:54 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 27 Apr 2015 07:55:54 +0200
Subject: [Freeipa-devel] [PATCH] 810 speed up indirect member processing
In-Reply-To: <5534CE05.5010304@redhat.com>
References: <551A72D4.9080002@redhat.com> <5524E517.9000704@redhat.com> <552668FD.1080101@redhat.com> <5534AFF1.9090206@redhat.com> <5534CE05.5010304@redhat.com>
Message-ID: <553DCF6A.5070009@redhat.com>

On 20.4.2015 at 11:59, Petr Vobornik wrote:
> On 04/20/2015 09:51 AM, Jan Cholasta wrote:
>> On 9.4.2015 at 13:56, Petr Vobornik wrote:
>>> On 04/08/2015 10:21 AM, Jan Cholasta wrote:
>>>> 4) The processing of memberof should be done even when memberofindirect is not requested, otherwise its value will depend on whether memberofindirect was requested or not.
>>>
>>> True, but it's the same behavior as before. Could be changed in another patch.
>>
>> OK. Should we file a ticket?
>
> AFAIK, memberof and memberofindirect are always requested together atm. Do we have a use case for this change?

It's a bug. The use case is when someone requests memberof only: they must get direct memberof values only.

> In any case, I've opened a ticket about finer control of fetching members (as was discussed previously in triage and dev mtgs), it might be part of it.
>
> https://fedorahosted.org/freeipa/ticket/4995

OK.

>
>>>
>>>>
>>>> 5) I would prefer if all membership processing (.convert_attribute_members() and .get_indirect_members()) was done in a single LDAPObject method.
>>>
>>> Now, as before, get_indirect_members is called before post callbacks and convert_attribute_members after. If it should be combined, it should be done separately.
>>
>> OK, but at least move get_indirect_members to LDAPObject.
>>
>
> Moved

Thanks, ACK.

Pushed to master: 4364ac08c538e3a4253804f523707092b34c2ed2
--
Jan Cholasta

From tbordaz at redhat.com Mon Apr 27 08:18:14 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 27 Apr 2015 10:18:14 +0200
Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
In-Reply-To: <55360F10.7010804@redhat.com>
References: <552B84C5.80300@redhat.com> <553522A2.9090007@redhat.com> <55360F10.7010804@redhat.com>
Message-ID: <553DF0C6.30403@redhat.com>

On 04/21/2015 10:49 AM, Ludwig Krispenz wrote:
>
> On 04/20/2015 06:00 PM, thierry bordaz wrote:
>> On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
>>> Hi,
>>>
>>> in the attachment you find the latest state of the "topology plugin", it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer)
>>>
>>> It contains the plugin itself and a core of ipa commands to manage a topology. To be really applicable, some work outside is required, e.g. the management of the domain level and a decision where the binddn group should be maintained.
>>>
>>> Thanks,
>>> Ludwig
>>>
>>>
>> Hello Ludwig,
>>
>> Quite a long review to do. So far I only looked at the startup phase and I have only a few questions and comments.
> Thanks for your time, and I'm looking forward to your review of the other parts, you raise some valid points.
> I'll try to answer some of them inline, but will integrate some into a next version of the patch
>>
>> In ipa_topo_start, do you need to get argc/argv as you are not using plugin-argxx attributes ?
> no. It was a leftover from a "standard" plugin
>>
>>
>> topo_plugin_conf configuration parameters are not freed when the plugin is closed. Is it closed only at shutdown ?
>> Also I would initialize it to {NULL}.
> So far it is not planned to be dynamic, but I will address the memory management
>>
>> In case the config does not contain any nsslapd-topo-plugin-shared-replica-root, I wonder if ipa_topo_apply_shared_config may crash as shared_replica_root will be NULL.
>> or at least in ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf.
>>
>> Also if nsslapd-topo-plugin-shared-replica-root contains an invalid root suffix (typo), topoRepl remains NULL and ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash.
> for the two comments above, I was assuming that plugin conf and shared tree would be set up by ipa tools and server setup, so assuming only valid data, but you are right, checking for bad data doesn't hurt.
>>
>> In ipa_topo_util_segment_from_entry, if the config entry has no direction/left/right it will crash. Shouldn't it return an error if the config is invalid.
> adding a segment should be done with the ipa command 'ipa topologysegment-add ...' and this always provides a direction (param or default). If you try to add a segment directly, direction is a required attribute of the segment objectclass, so it should be rejected-
>>
>> The update of domainLevel may start the plugin. If two mods update the domainLevel they could be done in parallel.
> yes :-(
>>
>>
>> In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no segment it deletes the agreement.
>> Is it possible there is a segment but no agmnt ? For example, if the server were stopped or crashed after the segment was created but before the local config was updated.
> then it should be created from the segment
>>
>>
>> Hosts are taken from the shared config tree (cn=masters,), is it possible to have a replica agreement to a host that is not under 'cn=masters,'
> yes, it will be ignored by the plugin
>>
>>
>> thanks
>> thierry
>>
>

Hi Ludwig,

I continued the review of the design/topology plugin code. This is really an interesting plugin but unfortunately I have not yet reviewed all the parts. I went through the design and dug into the related parts in the code. So far I need to review the rest starting at http://www.freeipa.org/page/V4/Manage_replication_topology#connectivity_management.
I think I did ~50% of the design but maybe more than 50% of the code. Here are additional points:

in ipa_topo_set_domain_level, you may record the new Domain level value as FATAL (it is already recorded in case of online import)

ipa_topo_be_state_change is called for any backend going online. Domain level and start should be done only for a backend mapping a shared-replica-root. Also the plugin can be started many times (each online init), ipa_topo_util_start is not protected by a lock

Some fields will leak (in ipa_topo_init_shared_config)

Also I wonder if you reinit several times the same replica-root, its previous config will leak. (replica->repl_segments)

In ipa_topo_apply_shared_replica_config, I do not see where replica_config is kept (leak ?)

ipa_topo_util_start/ipa_topo_apply_shared_config is called at startup or during online-init. For online-init, if the plugin was already active, what is the need of calling ipa_topo_util_start ?
For online-init, it initializes all the replica-roots. Could it init only the reinitialized replica-root ?

in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_database, it mentions ipaReplTopoConfigMaster. Is it implemented ?

in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_segment, what happens if a server under cn=masters is removed ?

in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_example. There is a segment cn=111_to_102. For example it was created by vm-111 when the topology plugin starts with 'dc=example,dc=com'. What prevents the vm-102 topology plugin from creating the segment cn=102_to_111 ?

in ipa_topo_post_mod. Is it 100% sure that if we have 'cn=replica example,cn=topology,dc=example,dc=com' then the related config exists in topo_shared_conf.replicas. In ipa_topo_util_get_replica_conf, it looks like the entry can exist before the related config is added.
In that case, when modifying a segment, ipa_topo_util_get_conf_for_segment will return a 'tconf' config that is not linked in topo_shared_conf.replicas. tconf will leak and I am unsure the post_mod is fully processed.

In ipa_topo_post_mod in ipa_topo_util_segment_update, if the segment.ipaReplTopoSegmentDirection was "none" and MOD set it to "both", segment->right/left are not set but it is said to be bidirectional

ipaReplTopoSegmentStatus: cannot find it in the design

in ipa_topo_util_existing_agmts_update, my understanding is that a host only updates its local replica agreement. So even if the segment update is replicated, other hosts will not skip updates where ->origin is not themselves. I think you may add a comment about this as it looks like an important thing. Also I did not find this comment in the design but maybe I missed it.

in ipa_topo_util_existing_agmts_update, it applies the mods on left or on right. That means we do not support several instances on the same machine. I also missed that point in the design.

in ipa_topo_agmt_mod, it does nothing when deleting a managed attribute ?

in ipa_topo_agmt_mod, if the update of the replica agreement fails (ipa_topo_agreement_dn or ipa_topo_util_modify) you may log a message

in ipa_topo_agmt_mod, if the mod is not related to any managed attribute, there is no replica agreement update but the 'dn' is not freed.

in ipa_topo_post_mod, I do not see 'domainLevel' in the schema. Is it stored in an extensible object ?

From dkupka at redhat.com Mon Apr 27 08:31:41 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 27 Apr 2015 10:31:41 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553A4C0A.6010109@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com>
Message-ID: <553DF3ED.8030506@redhat.com>

On 04/24/2015 03:58 PM, Tomas Babej wrote:
>
>
> On 04/24/2015 03:50 PM, Martin Basti wrote:
>> On 24/04/15 15:22, David Kupka wrote:
>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>
>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>
>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>>>>>>>>
>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>> 3
>>>>>>>>>>>>
>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>
>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__)
>>>>>>>>>>>>
>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so tentative NACK.
>>>>>>>>>>
>>>>>>>>>> I tested it this way:
>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>> 2. dnf install git
>>>>>>>>>> 3. clone freeipa
>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautil.py) and "No value for argument 'excClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>>
>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>
>>>>>>>>> Here it is.
>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires, running make-lint straight after applying your patch:
>>>>>>>>>
>>>>>>>>> ************* Module ipatests.test_ipapython.test_ipautil
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call)
>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:101:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>>>>>>>> for argument 'excClass' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:105: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:106: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:107: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:108: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:109: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:110: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:114: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:116: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:128: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value >>>>>>>>> for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:130: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value >>>>>>>>> for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:140: >>>>>>>>> [E1120(no-value-for-parameter), 
TestCIDict.test_copy] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:143: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:161: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_items] No value >>>>>>>>> for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:179: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:189: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:199: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:207: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_keys] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:217: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_values] No >>>>>>>>> value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:229: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>> value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:232: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>> value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:253: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestCIDict.test_update_duplicate_values_dict] No value for >>>>>>>>> argument >>>>>>>>> 'excClass' in method call) >>>>>>>>> 
ipatests/test_ipapython/test_ipautil.py:257: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestCIDict.test_update_duplicate_values_list] No value for >>>>>>>>> argument >>>>>>>>> 'excClass' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:261: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestCIDict.test_update_duplicate_values_kwargs] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:270: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:273: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:275: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:278: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:280: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:283: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:286: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:289: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>>>>>>> argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:290: >>>>>>>>> 
[E1120(no-value-for-parameter), TestCIDict.test_pop] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:295: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:298: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:303: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:308: >>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:323: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:324: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:325: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:326: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:327: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:328: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>> value >>>>>>>>> for argument 'second' in method call) >>>>>>>>> 
ipatests/test_ipapython/test_ipautil.py:334: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:335: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:336: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:337: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:338: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:339: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:345: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:346: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:347: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:348: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:349: >>>>>>>>> 
[E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:350: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:355: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:356: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:357: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:358: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:359: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:360: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:365: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:366: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:367: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> 
ipatests/test_ipapython/test_ipautil.py:368: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:378: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for 
argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>> value for argument 'second' in method call) >>>>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>>>> [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No >>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>> ************* Module ipatests.test_xmlrpc.test_automount_plugin >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>>>> 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount.test_c_automountlocation_del] No value for argument >>>>>>>>> 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>> 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: 
>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_direct.test_3_automountlocation_del] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>>>>>>> argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>> value >>>>>>>>> for argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>> value >>>>>>>>> for argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>> No value 
for argument 'excClass' in method call)
>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: [E1120(no-value-for-parameter), test_sudorule.test_l_sudorule_order] No value for argument 'excClass' in method call)
>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call)
>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin
>>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call)
>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin
>>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call)
>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin
>>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call)
>>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap
>>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call)
>>>>>>>>>
>>>>>>>>
>>>>>>>> I cannot see such warnings and make-lint passed without any problem with David's patch.
>>>>>>>>
>>>>>>>> [root@8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>>
>>>>>>> I have the same packages.
>>>>>>> What version of pylint?
>>>>>>>
>>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> Thanks to Honza I've finally found a way to get the same errors you're reporting. All of them seem to be false positives but I'll investigate a little more to be sure.
>>>>>>
>>>>>> The thing is that the python-nose package that is still used in some tests is not in BuildRequires so I didn't install it.
>>>>>>
>>>>>> Another weird thing is that lint does not complain that tests are importing nose that is not installed.
>>>>>>
>>>>> nose.tools module from python-nose package imports assertEqual and assertRaises from unittest.case and provides them as assert_equal and assert_raises. This confuses pylint so we need to detect this situation and skip checking of these functions unless we either drop python-nose or pylint becomes more powerful.
>>>>>
>>>>>
>>>>>
>>>> Hello,
>>>>
>>>> This empty line should not be there, it is an unrelated and unneeded change.
>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>>> 'domain', 'master', 'replicas', 'clients', 'ad_domains']
>>>> }
>>>>
>>>> +
>>>> def _related_classes(self, klass):
>>>> yield klass
>>>> for base in klass.ancestors():
>>>>
>>>> Otherwise it looks good to me and works for me on f22, f21.
>>>>
>>>
>>> Thanks for reviewing the patch. I removed the accidentally added empty line. Updated patch attached.
>>>
>> ACK
>>
>
> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b
>

Actually this commit introduced a bug on Fedora 21 (pylint-1.3.1). Fortunately the fix is just a simple one-liner.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0047-Lint-Fix-error-on-pylint-1.3.1-introduced-by-fix-for.patch
Type: text/x-patch
Size: 862 bytes
Desc: not available
URL: 
From mbabinsk at redhat.com Mon Apr 27 08:33:22 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 27 Apr 2015 10:33:22 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <553A42DF.1070300@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> <5534B989.3010005@redhat.com> <5534BFA4.2080406@redhat.com> <553A42DF.1070300@redhat.com>
Message-ID: <553DF452.2030209@redhat.com>

On 04/24/2015 03:19 PM, Martin Basti wrote:
> On 20/04/15 10:58, Martin Babinsky wrote:
>> On 04/20/2015 10:32 AM, Martin Basti wrote:
>>> On 17/04/15 14:11, Martin Babinsky wrote:
>>>> On 04/17/2015 12:41 PM, Martin Babinsky wrote:
>>>>> On 04/17/2015 12:36 PM, Martin Basti wrote:
>>>>>> On 17/04/15 12:33, Martin Babinsky wrote:
>>>>>>> On 04/17/2015 12:04 PM, Martin Basti wrote:
>>>>>>>> On 15/04/15 15:53, Martin Babinsky wrote:
>>>>>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>>>>>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>>>>>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/4966
>>>>>>>>>>>>
>>>>>>>>>>>> The noise during rollback/uninstall is caused mainly by unsuccessful attempts to remove files that do not exist anymore. These errors are now logged at debug level and do not pop up to stdout/stderr.
>>>>>>>>>>>>
>>>>>>>>>>> Hello, thank you for the patch.
>>>>>>>>>>>
>>>>>>>>>>> 1)
>>>>>>>>>>> The option add_warning is quite unclear to me. It does not show a warning but an error. I suggest something like show_hint, show_user_action, or something show_additional_..., or promt_manual_removal
>>>>>>>>>>>
>>>>>>>>>>> Martin^2
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Continue...
>>>>>>>>>>
>>>>>>>>>> 2)
>>>>>>>>>>
>>>>>>>>>>     if file_exists(preferences_fname):
>>>>>>>>>>         try:
>>>>>>>>>>             os.remove(preferences_fname)
>>>>>>>>>>         except OSError as e:
>>>>>>>>>>             log_file_removal_error(e, preferences_fname, True)
>>>>>>>>>>
>>>>>>>>>> In this case a file not found error should never happen.
>>>>>>>>>>
>>>>>>>>>> Could you remove the 'if file_exists' part and handle just the exception?
>>>>>>>>>>
>>>>>>>>> I just reverted this bit to its original form in order to not fix something that isn't broken. Is that ok?
>>>>>>>>>> 3)
>>>>>>>>>> this is inconsistent with the change above, choose one style please:
>>>>>>>>>>
>>>>>>>>>>     if os.path.exists(ca_file):
>>>>>>>>>>         try:
>>>>>>>>>>             os.unlink(ca_file)
>>>>>>>>>>         except OSError, e:
>>>>>>>>>>             root_logger.error(
>>>>>>>>>>                 "Failed to remove '%s': %s", ca_file, e)
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Martin Basti
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Attaching updated patch.
>>>>>>>>>
>>>>>>>> thanks,
>>>>>>>>
>>>>>>>> just one nitpick, can you move the new function into installutils, it can be used in different scripts not just in ipaclient.
>>>>>>>>
>>>>>>>
>>>>>>> I'm not sure if it is a good idea as installutils is a part of the freeipa-server package.
>>>>>>>
>>>>>>> Placing it there would create an unnecessary dependency of freeipa-client on freeipa-server because of a single function.
>>>>>>>
>>>>>> you are right, I do not know why I thought that ipa-client-install uses installutils.
>>>>>>
>>>>>> ACK
>>>>>>
>>>>> self-NACK, I will try to rewrite the patch in a slightly less dumb way.
>>>>>
>>>>> Sorry for the confusion.
>>>>>
>>>>
>>>> Attaching updated patch which does the same but using a wrapper around os.remove().
>>>>
>>>> Jan suggested to keep the new function in 'ipa-client-install' and move it around when we do installer re#$%@^ing.
>>>>
>>>> Is that ok?
>>>>
>>> It looks better, ACK.
>>>
>> Jan NACKed your ACK.
>>
>> Attaching updated patch.
>>
> Sorry, NACK
>
> ************* Module ipa-client-install
> ipa-client/ipa-install/ipa-client-install:791: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call)
> ipa-client/ipa-install/ipa-client-install:797: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call)
>
> consult with Honza whether the option which prompts the user to delete the file manually should be there or not.
>
Updated patch attached.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0029.5-suppress-errors-arising-from-deleting-non-existent-f.patch
Type: text/x-patch
Size: 3380 bytes
Desc: not available
URL: 
From mbasti at redhat.com Mon Apr 27 08:49:26 2015
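The wrapper around os.remove() that the [PATCH 0029] thread above converges on exists only in the scrubbed attachment, so here is an added illustration of that approach, written for this page and not the FreeIPA project's own code: during uninstall or rollback, ENOENT is the expected case and is logged at debug level only, while every other OSError is a real failure that is logged as an error, optionally followed by a hint to remove the file by hand. The logger name, the three return values and the show_hint keyword (one of the names proposed in the review) are my assumptions, and the code targets Python 3 rather than the Python 2 of the original patch.

```python
"""Tolerant file removal for uninstall/rollback paths.

Added example for the [PATCH 0029] discussion; not FreeIPA's code.
Assumptions (mine, not from the thread): the logger name "ipa-uninstall",
the return values "removed"/"missing"/"failed" and the keyword show_hint.
"""
import errno
import logging
import os
import tempfile

log = logging.getLogger("ipa-uninstall")  # hypothetical logger name


def remove_file(path, show_hint=False):
    """Remove ``path`` without the 'if exists: try remove' dance.

    ENOENT (the file is already gone, e.g. a rollback after a partial
    install) is the expected case during uninstall, so it is logged at
    DEBUG and swallowed.  Every other OSError (EACCES, EISDIR, EBUSY, ...)
    is a real problem: it is logged at ERROR and, if show_hint is set,
    followed by a hint telling the operator to remove the file by hand.
    """
    try:
        os.remove(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            log.debug("File %s was not removed: %s", path, e)
            return "missing"
        log.error("Failed to remove '%s': %s", path, e)
        if show_hint:
            log.error("Please remove '%s' manually.", path)
        return "failed"
    log.debug("Removed %s", path)
    return "removed"


class _ListHandler(logging.Handler):
    """Collects (level, message) pairs so the demo can inspect them."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.records = []

    def emit(self, record):
        self.records.append((record.levelname, record.getMessage()))


def demo():
    """Exercise the three outcomes on a constructed temporary directory.

    Returns (results, levels): the tuple of return values and the list of
    log levels that were emitted, in call order.
    """
    handler = _ListHandler()
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False  # keep the demo off the root logger
    tmpdir = tempfile.mkdtemp()
    target = os.path.join(tmpdir, "ipa.conf.bak")  # constructed sample file
    with open(target, "w") as f:
        f.write("# constructed sample content\n")
    try:
        results = (
            remove_file(target),                  # first call: "removed"
            remove_file(target),                  # already gone: "missing", DEBUG only
            remove_file(tmpdir, show_hint=True),  # a directory: "failed", ERROR + hint
        )
    finally:
        log.removeHandler(handler)
        os.rmdir(tmpdir)
    levels = [level for level, _ in handler.records]
    return results, levels


if __name__ == "__main__":
    print(demo())
```

The second call shows the point of the patch: a file that is already gone produces a single DEBUG record and nothing on stderr, while the directory case shows that genuine failures still surface as errors and, with show_hint, tell the operator what to clean up.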
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Apr 2015 10:49:26 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553DF3ED.8030506@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com> <553DF3ED.8030506@redhat.com>
Message-ID: <553DF816.7060703@redhat.com>

On 27/04/15 10:31, David Kupka wrote:
> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>
>>
>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>> On 24/04/15 15:22, David Kupka wrote:
>>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>>
>>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>>>>>>>>>
>>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>>> 3
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>>
>>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__)
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything else than integers.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so tentative NACK.
>>>>>>>>>>>
>>>>>>>>>>> I tested it this way:
>>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>>> 2. dnf install git
>>>>>>>>>>> 3. clone freeipa
>>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautil.py) and "No value for argument 'excClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>>>
>>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>>
>>>>>>>>>> Here it is.
>>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires >>>>>>>>>> running >>>>>>>>>> make-lint straight after applying your patch: >>>>>>>>>> >>>>>>>>>> ************* Module ipatests.test_ipapython.test_ipautil >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:93: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_len] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:96: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:97: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:98: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:99: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:100: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:101: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:105: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:106: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> 
ipatests/test_ipapython/test_ipautil.py:107: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:108: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:109: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:110: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:114: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:116: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:128: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:130: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:140: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:143: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:161: >>>>>>>>>> [E1120(no-value-for-parameter), 
TestCIDict.test_items] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:179: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:189: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:199: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:207: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_keys] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:217: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_values] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:229: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:232: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>> value for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:253: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestCIDict.test_update_duplicate_values_dict] No value for >>>>>>>>>> argument >>>>>>>>>> 'excClass' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:257: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestCIDict.test_update_duplicate_values_list] No value for >>>>>>>>>> argument >>>>>>>>>> 'excClass' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:261: >>>>>>>>>> [E1120(no-value-for-parameter), 
>>>>>>>>>> TestCIDict.test_update_duplicate_values_kwargs] No value for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:270: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:273: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:275: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:278: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:280: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:283: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:286: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:289: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value >>>>>>>>>> for >>>>>>>>>> argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:290: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No value >>>>>>>>>> for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:295: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>> 
value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:298: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:303: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:308: >>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:323: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:324: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:325: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:326: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:327: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:328: >>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>> value >>>>>>>>>> for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:334: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in 
method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:335: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:336: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:337: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:338: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:339: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:345: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:346: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:347: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:348: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:349: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 
'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:350: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:355: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:356: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:357: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:358: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:359: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:360: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:365: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:366: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:367: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' 
in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:368: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:378: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in 
method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>>>>> [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No >>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_automount_plugin >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>>>>> 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount.test_c_automountlocation_del] No value for >>>>>>>>>> argument >>>>>>>>>> 'excClass' in method call) 
>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>>> 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_direct.test_3_automountlocation_del] No value for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No >>>>>>>>>> value for >>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>>> value >>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>>> value >>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] >>>>>>>>>> No >>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>>> 
ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_sudorule.test_m_sudorule_del] >>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: >>>>>>>>>> [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No >>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >>>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_pwpolicy.test_d_pwpolicy_show] >>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin >>>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: >>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>> test_hbac.test_z_hbacrule_del] No >>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap >>>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: >>>>>>>>>> [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No >>>>>>>>>> value >>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>> >>>>>>>>> >>>>>>>>> I cannot see such warnings and make-lint passed without 
>>>>>>>>> any problem with David's patch.
>>>>>>>>>
>>>>>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>>>
>>>>>>>> I have the same packages.
>>>>>>>> What version of pylint?
>>>>>>>>
>>>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> Thanks to Honza I've finally found a way to get the same errors you're
>>>>>>> reporting. All of them seem to be false positives but I'll investigate
>>>>>>> a little more to be sure.
>>>>>>>
>>>>>>> The thing is that the python-nose package that is still used in some
>>>>>>> tests is not in BuildRequires so I didn't install it.
>>>>>>>
>>>>>>> Another weird thing is that lint does not complain that tests are
>>>>>>> importing nose that is not installed.
>>>>>>>
>>>>>> The nose.tools module from the python-nose package imports assertEqual and
>>>>>> assertRaises from unittest.case and provides them as assert_equal and
>>>>>> assert_raises. This confuses pylint, so we need to detect this
>>>>>> situation and skip checking of these functions unless we either drop
>>>>>> python-nose or pylint becomes more powerful.
>>>>>>
>>>>> Hello,
>>>>>
>>>>> This empty line should not be there, it is an unrelated and unneeded
>>>>> change.
>>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>>>> 'domain', 'master', 'replicas', 'clients',
>>>>> 'ad_domains']
>>>>> }
>>>>>
>>>>> +
>>>>> def _related_classes(self, klass):
>>>>> yield klass
>>>>> for base in klass.ancestors():
>>>>>
>>>>> Otherwise it looks good to me and works for me on f22, f21.
>>>>>
>>>>
>>>> Thanks for reviewing the patch. I removed the accidentally added
>>>> empty line. Updated patch attached.
>>>>
>>> ACK
>>>
>>
>> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b
>>
> Actually this commit introduced a bug on Fedora 21 (pylint-1.3.1).
> Fortunately the fix is just a simple one-liner.
>
ACK, works for both F21 and F22, please push dkupka-0042 (I originally
thought it was pushed)

--
Martin Basti

From mbabinsk at redhat.com Mon Apr 27 08:54:32 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 27 Apr 2015 10:54:32 +0200
Subject: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
In-Reply-To: <553A5017.5000908@redhat.com>
References: <54F847EF.2080608@redhat.com> <553110F1.2030008@redhat.com> <5534DC1C.1040903@redhat.com> <553A5017.5000908@redhat.com>
Message-ID: <553DF948.2030908@redhat.com>

On 04/24/2015 04:15 PM, Martin Basti wrote:
> On 20/04/15 12:59, Martin Babinsky wrote:
>> On 04/17/2015 03:56 PM, Martin Babinsky wrote:
>>> On 03/05/2015 01:11 PM, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4900
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>
>>> Nobody to review this?
>>>
>>
>> Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one
>> for master.
>>
> Hello, thanks for the patches:
>
> 1)
> why is there
>
> + PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG
>
> I cannot find it used in the patches?
>
> Martin^2
>
> --
> Martin Basti
>
That was likely only my oversight. Attaching updated patches.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-1-mbabinsk-0014.3-point-the-users-to-PKI-related-logs-when-CA-configur.patch
Type: text/x-patch
Size: 3604 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0014.3-point-the-users-to-PKI-related-logs-when-CA-configur.patch
Type: text/x-patch
Size: 3908 bytes
Desc: not available
URL:

From mkosek at redhat.com Mon Apr 27 09:04:14 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 27 Apr 2015 11:04:14 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553DF816.7060703@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com> <553DF3ED.8030506@redhat.com> <553DF816.7060703@redhat.com>
Message-ID: <553DFB8E.3020802@redhat.com>

On 04/27/2015 10:49 AM, Martin Basti wrote:
> On 27/04/15 10:31, David Kupka wrote:
>> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>>
>>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>>> On 24/04/15 15:22, David Kupka wrote:
>>>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be
>>>>>>>>>>>>>>>>> unable to build freeipa rpms on Fedora 22. This patch should
>>>>>>>>>>>>>>>>> go to master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>>>> 3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it
>>>>>>>>>>>>>> has both tzinfo and timetuple methods
>>>>>>>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>>>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>>>>>>>>> __index__)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything else than
>>>>>>>>>>>>>> integers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA
>>>>>>>>>>>>>>>> 4.1.4 in F22
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>>>>>>>>> tentative NACK.
>>>>>>>>>>>>
>>>>>>>>>>>> I tested it this way:
>>>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>>>> 2. dnf install git
>>>>>>>>>>>> 3. clone freeipa
>>>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>>>>>>>>> method call" (this one only in test_ipautil.py) and "No value for
>>>>>>>>>>>>> argument 'extClass' in method call" sprinkled around various test
>>>>>>>>>>>>> plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>>>>
>>>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>>>
>>>>>>>>>>> Here it is.
>>>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires
>>>>>>>>>>> running make-lint straight after applying your patch:
>>>>>>>>>>>
>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_fractions] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:378: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>>>>>> 
[E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_time_zones] No >>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>>>>>> [E1120(no-value-for-parameter), test_cert.test_0001_cert_add] No >>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_automount_plugin >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount.test_c_automountlocation_del] No value for argument >>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>>>>>> 
[E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_direct.test_3_automountlocation_del] No value for >>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>>>> value >>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>>>> value >>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>>>> [E1120(no-value-for-parameter), 
>>>>>>>>>>
>>>>>>>>>> I cannot see such warnings and make-lint passed without any problem
>>>>>>>>>> with David's patch.
>>>>>>>>>>
>>>>>>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>>>>
>>>>>>>>> I have the same packages.
>>>>>>>>> What version of pylint?
>>>>>>>>>
>>>>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks to Honza I've finally found a way to get the same errors you're
>>>>>>>> reporting. All of them seem to be false positives but I'll investigate
>>>>>>>> a little more to be sure.
>>>>>>>>
>>>>>>>> The thing is that the python-nose package that is still used in some
>>>>>>>> tests is not in BuildRequires so I didn't install it.
>>>>>>>>
>>>>>>>> Another weird thing is that lint does not complain that tests are
>>>>>>>> importing nose, which is not installed.
>>>>>>>>
>>>>>>> The nose.tools module from the python-nose package imports assertEqual
>>>>>>> and assertRaises from unittest.case and provides them as assert_equal
>>>>>>> and assert_raises. This confuses pylint so we need to detect this
>>>>>>> situation and skip checking of these functions unless we either drop
>>>>>>> python-nose or pylint becomes more powerful.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> This empty line should not be there, it is an unrelated and unneeded
>>>>>> change.
>>>>>>
>>>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>>>>>              'domain', 'master', 'replicas', 'clients', 'ad_domains']
>>>>>>      }
>>>>>>
>>>>>> +
>>>>>>      def _related_classes(self, klass):
>>>>>>          yield klass
>>>>>>          for base in klass.ancestors():
>>>>>>
>>>>>> Otherwise it looks good to me and works for me on f22, f21.
>>>>>>
>>>>>
>>>>> Thanks for reviewing the patch. I removed the accidentally added
>>>>> empty line. Updated patch attached.
>>>>>
>>>> ACK
>>>>
>>>
>>> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b
>>>
>> Actually this commit introduced a bug on Fedora 21 (pylint-1.3.1).
>> Fortunately the fix is just a simple one-liner.
>>
> ACK, works for both F21 and F22
>
> please push dkupka-0042 (I originally thought it was pushed)
>
Pushed both to master: f19f3e57419df112c1d83aebddc71663e49b659f

BTW, what about the ipa-4-1 branch, does it also need some of the patches?

From mbasti at redhat.com Mon Apr 27 10:18:35 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Apr 2015 12:18:35 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553DFB8E.3020802@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com> <553DF3ED.8030506@redhat.com> <553DF816.7060703@redhat.com> <553DFB8E.3020802@redhat.com>
Message-ID: <553E0CFB.8020609@redhat.com>

On 27/04/15 11:04, Martin Kosek wrote:
> On 04/27/2015 10:49 AM, Martin Basti wrote:
>> On 27/04/15 10:31, David Kupka wrote:
>>> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>>>
>>>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>>>> On 24/04/15 15:22, David Kupka wrote:
>>>>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be
>>>>>>>>>>>>>>>>>> unable to build freeipa rpms on Fedora 22.
>>>>>>>>>>>>>>>>>> This patch should go to master for sure but I don't know if we
>>>>>>>>>>>>>>>>>> want it in 4.1.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>>>>> 3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member),
>>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it
>>>>>>>>>>>>>>> has both tzinfo and timetuple methods
>>>>>>>>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index),
>>>>>>>>>>>>>>> uri_escape] Slice index is not an int, None, or instance with
>>>>>>>>>>>>>>> __index__)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than
>>>>>>>>>>>>>>> integers.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA
>>>>>>>>>>>>>>>>> 4.1.4 in F22
>>>>>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so
>>>>>>>>>>>>>> tentative NACK.
>>>>>>>>>>>>> I tested it this way:
>>>>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>>>>> 2. dnf install git
>>>>>>>>>>>>> 3. clone freeipa
>>>>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>>>>
>>>>>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in
>>>>>>>>>>>>>> method call" (this one only in test_ipautil.py) and "No value for
>>>>>>>>>>>>>> argument 'excClass' in method call" sprinkled around various test
>>>>>>>>>>>>>> plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>>>> Here it is.
>>>>>>>>>>>>
>>>>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires,
>>>>>>>>>>>> running make-lint straight after applying your patch:
>>>>>>>>>>>>
ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_direct.test_3_automountlocation_del] No value for >>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No value for >>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>>>>> value >>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>>>>> value >>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] No >>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>>>>> 
ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>>>>>>> [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] >>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>>>>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: >>>>>>>>>>>> [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No >>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >>>>>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: >>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>> test_pwpolicy.test_d_pwpolicy_show] >>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin >>>>>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: >>>>>>>>>>>> [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No >>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap >>>>>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: >>>>>>>>>>>> [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value >>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>> >>>>>>>>>>> I cannot see such warnings and 
>>>>>>>>>>> make-lint passed without any problem with David's patch.
>>>>>>>>>>>
>>>>>>>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>>>>> I have the same packages.
>>>>>>>>>> What version of pylint?
>>>>>>>>>>
>>>>>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>>>>>
>>>>>>>>>> Simo.
>>>>>>>>>>
>>>>>>>>> Thanks to Honza I've finally found a way to get the same errors you're
>>>>>>>>> reporting. All of them seem to be false positives but I'll investigate
>>>>>>>>> a little more to be sure.
>>>>>>>>>
>>>>>>>>> The thing is that the python-nose package, which is still used in some
>>>>>>>>> tests, is not in BuildRequires so I didn't install it.
>>>>>>>>>
>>>>>>>>> Another weird thing is that lint does not complain that tests are
>>>>>>>>> importing nose, which is not installed.
>>>>>>>>>
>>>>>>>> The nose.tools module from the python-nose package imports assertEqual and
>>>>>>>> assertRaises from unittest.case and provides them as assert_equal and
>>>>>>>> assert_raises. This confuses pylint, so we need to detect this
>>>>>>>> situation and skip checking of these functions unless we either drop
>>>>>>>> python-nose or pylint becomes more powerful.
>>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> This empty line should not be there, it is an unrelated and unneeded
>>>>>>> change.
>>>>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>>>>>> 'domain', 'master', 'replicas', 'clients', 'ad_domains']
>>>>>>> }
>>>>>>>
>>>>>>> +
>>>>>>> def _related_classes(self, klass):
>>>>>>> yield klass
>>>>>>> for base in klass.ancestors():
>>>>>>>
>>>>>>> Otherwise it looks good to me and works for me on f22, f21.
>>>>>>>
>>>>>> Thanks for reviewing the patch. I removed the accidentally added
>>>>>> empty line. Updated patch attached.
>>>>>>
>>>>> ACK
>>>>>
>>>> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b
>>>>
>>> Actually this commit introduced a bug on Fedora 21 (pylint-1.3.1). Fortunately
>>> the fix is just a simple one-liner.
>>>
>> ACK, works for both F21 and F22
>>
>> please push dkupka-0042 (I originally thought it was pushed)
>>
> Pushed both to master: f19f3e57419df112c1d83aebddc71663e49b659f
>
> BTW, what about the ipa-4-1 branch, does it also need some of the patches?

Just patch dkupka-0042 should go to ipa-4-1. The patch needs a rebase.

-- 
Martin Basti

From dkupka at redhat.com Mon Apr 27 10:42:20 2015
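Review bot: in the `@@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):` hunk the only added line is an empty `+` line between the closing `}` of the attribute dictionary and `def _related_classes(self, klass):`. That is a whitespace-only change unrelated to the pylint 1.4 compatibility this patch is about, and it leaves two blank lines inside the class body where PEP 8 wants one, so it should be dropped from the patch rather than carried along with the real fix.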
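The nose.tools aliasing that David Kupka describes in the thread above, reproduced as an added example so the E1120 false positives can be seen without pylint. This is not code from FreeIPA's make-lint, from nose or from pylint: `pep8_name`, `_Dummy`, `static_view_missing`, `runtime_view_missing` and `is_testcase_bound_alias` are names I chose for the illustration. It builds `assert_equal` and `assert_raises` the way nose.tools does (bound methods of a throwaway TestCase exported under PEP 8 names), then contrasts what a checker sees when it resolves the alias back to the plain function on `unittest.TestCase` (parameter list starting with `self`) with what the interpreter actually requires (the bound method, `self` already filled in). On Python 2.7, the interpreter the thread was running, the first parameter of assertRaises is named `excClass`; on Python 3 it is `expected_exception`, which is why the message text differs between the two.

```python
"""Why pylint reported "No value for argument 'second'" for nose's assert_equal.

nose.tools instantiates a dummy unittest.TestCase and exports its *bound*
assert* methods as module-level functions with PEP 8 names.  At runtime
``self`` is already bound, so assert_equal(a, b) is a complete call.  A static
checker that follows the alias to the function defined on TestCase sees
(self, first, second, msg=None), counts the two call arguments as ``self`` and
``first``, and reports ``second`` as missing.
"""
import inspect
import re
import unittest


def pep8_name(camel):
    """assertEqual -> assert_equal, assertRaises -> assert_raises.
    Re-implementation of the renaming nose.tools applies (assumption: same
    rule, not nose's own code)."""
    return re.sub(r'([A-Z])', lambda m: '_' + m.group(1).lower(), camel)


class _Dummy(unittest.TestCase):
    """Throwaway TestCase whose bound assert* methods become module functions."""

    def nop(self):
        pass


_t = _Dummy('nop')

# Module-level aliases with the same shape nose.tools produces: bound methods
# whose ``self`` the interpreter has already filled in.
assert_equal = _t.assertEqual
assert_raises = _t.assertRaises


def _required_positionals(func):
    """Names of the parameters a caller must supply positionally."""
    return [
        p.name for p in inspect.signature(func).parameters.values()
        if p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD)
        and p.default is p.empty
    ]


def static_view_missing(alias, nargs):
    """Emulate a checker that resolves the alias back to the plain function on
    unittest.TestCase (what pylint 1.4 did) and reports the first required
    positional not covered by ``nargs`` call arguments; None if none is missing."""
    func = getattr(unittest.TestCase, alias.__name__)   # __name__ is 'assertEqual'
    required = _required_positionals(func)               # begins with 'self'
    return required[nargs] if nargs < len(required) else None


def runtime_view_missing(alias, nargs):
    """What the interpreter actually requires: the bound method's signature has
    no ``self``, so the same call is complete."""
    required = _required_positionals(alias)
    return required[nargs] if nargs < len(required) else None


def is_testcase_bound_alias(obj):
    """The condition a lint plugin has to recognise before skipping the check:
    the name is a bound method of a TestCase instance, so ``self`` is not an
    argument the caller owes."""
    return inspect.ismethod(obj) and isinstance(obj.__self__, unittest.TestCase)


def runtime_calls_work():
    """Exercise the aliases exactly as the ipatests code calls them."""
    assert_equal(1, 1)                      # two arguments are enough at runtime
    with assert_raises(KeyError):           # one argument is enough at runtime
        {}['missing']
    try:
        assert_equal(1, 2)
    except AssertionError:
        return True                         # the alias really does assert
    return False


if __name__ == '__main__':
    print(static_view_missing(assert_equal, 2))    # second  (the false positive)
    print(runtime_view_missing(assert_equal, 2))   # None    (the call is fine)
    print(static_view_missing(assert_raises, 1))   # excClass on 2.7, expected_exception on 3
```

The two `*_view_missing` functions reproduce the disagreement directly: the static view names exactly the parameters from the quoted output (`second` for assert_equal, the first parameter of assertRaises for assert_raises), while the runtime view finds nothing missing, which is what makes every one of those E1120 messages a false positive. `is_testcase_bound_alias` is the runtime form of the check that make-lint needs to perform on the AST instead.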
From: dkupka at redhat.com (David Kupka)
Date: Mon, 27 Apr 2015 12:42:20 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553E0CFB.8020609@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com> <553DF3ED.8030506@redhat.com> <553DF816.7060703@redhat.com> <553DFB8E.3020802@redhat.com> <553E0CFB.8020609@redhat.com>
Message-ID: <553E128C.2040809@redhat.com>

On 04/27/2015 12:18 PM, Martin Basti wrote:
> On 27/04/15 11:04, Martin Kosek wrote:
>> On 04/27/2015 10:49 AM, Martin Basti wrote:
>>> On 27/04/15 10:31, David Kupka wrote:
>>>> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>>>>
>>>>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>>>>> On 24/04/15 15:22, David Kupka wrote:
>>>>>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>>>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>>>>>> pylint changed slightly so we must react
>>>>>>>>>>>>>>>>>>> otherwise we'll be unable to
>>>>>>>>>>>>>>>>>>> build freeipa rpms on Fedora 22. This patch should go to
>>>>>>>>>>>>>>>>>>> master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>>>>>>>>>>>>>>>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>>>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>>>>>> 3
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63:
>>>>>>>>>>>>>>>> [E1101(no-member),
>>>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64:
>>>>>>>>>>>>>>>> [E1101(no-member),
>>>>>>>>>>>>>>>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object
>>>>>>>>>>>>>>>> and it has both tzinfo and timetuple methods
>>>>>>>>>>>>>>>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26:
>>>>>>>>>>>>>>>> [E1127(invalid-slice-index),
>>>>>>>>>>>>>>>> uri_escape] Slice index is not an int, None, or instance
>>>>>>>>>>>>>>>> with __index__)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything
>>>>>>>>>>>>>>>> other than integers.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA
>>>>>>>>>>>>>>>>>> 4.1.4 in F22
>>>>>>>>>>>>>>> This patch doesn't seem to fix all my issues building on
>>>>>>>>>>>>>>> F22, so tentative NACK.
>>>>>>>>>>>>>> I tested it this way:
>>>>>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>>>>>> 2. dnf install git
>>>>>>>>>>>>>> 3. clone freeipa
>>>>>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It seems the main offenders are "No value for argument
>>>>>>>>>>>>>>> 'second' in method call" (this one only in test_ipautil.py)
>>>>>>>>>>>>>>> and "No value for argument 'excClass' in method call"
>>>>>>>>>>>>>>> sprinkled around various test plugins.
>>>>>>>>>>>>>>> These cause E1120(no-value-for-parameter).
>>>>>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>>>>> Here it is.
>>>>>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires >>>>>>>>>>>>> running >>>>>>>>>>>>> make-lint straight after applying your patch: >>>>>>>>>>>>> >>>>>>>>>>>>> ************* Module ipatests.test_ipapython.test_ipautil >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:93: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_len] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:96: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:97: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:98: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:99: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:100: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:101: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:105: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:106: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] 
No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:107: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:108: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:109: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:110: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:114: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:116: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:128: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:130: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:140: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:143: >>>>>>>>>>>>> 
[E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:161: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_items] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:179: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:189: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] >>>>>>>>>>>>> No value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:199: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:207: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_keys] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:217: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_values] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:229: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:232: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:253: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_dict] No value for >>>>>>>>>>>>> argument >>>>>>>>>>>>> 
'excClass' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:257: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_list] No value for >>>>>>>>>>>>> argument >>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:261: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_kwargs] No value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:270: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:273: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:275: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:278: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:280: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:283: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:286: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:289: 
>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:290: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:295: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:298: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:303: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:308: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:323: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:324: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:325: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:326: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) 
>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:327: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:328: >>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:334: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:335: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:336: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:337: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:338: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:339: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:345: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:346: >>>>>>>>>>>>> 
[E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:347: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:348: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:349: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:350: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:355: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:356: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:357: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:358: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:359: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value 
for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:360: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:365: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:366: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:367: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:368: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:378: 
>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] 
No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>>>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_cert.test_0001_cert_add] No >>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>> ************* Module >>>>>>>>>>>>> ipatests.test_xmlrpc.test_automount_plugin >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount.test_c_automountlocation_del] No value for >>>>>>>>>>>>> argument >>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_direct.test_3_automountlocation_del] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> 
test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No >>>>>>>>>>>>> value for >>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>>>>>> value >>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] >>>>>>>>>>>>> No >>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>>>>>>>> 
>>>>>>>>>>>>> [E1120(no-value-for-parameter), test_sudorule.test_m_sudorule_del] No value for argument 'excClass' in method call)
>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin
>>>>>>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: [E1120(no-value-for-parameter), test_passwd.test_3_user_del] No value for argument 'excClass' in method call)
>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin
>>>>>>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: [E1120(no-value-for-parameter), test_pwpolicy.test_d_pwpolicy_show] No value for argument 'excClass' in method call)
>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin
>>>>>>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: [E1120(no-value-for-parameter), test_hbac.test_z_hbacrule_del] No value for argument 'excClass' in method call)
>>>>>>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap
>>>>>>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No value for argument 'excClass' in method call)
>>>>>>>>>>>>>
>>>>>>>>>>>> I cannot see such warnings and make-lint passed without any problem with David's patch.
>>>>>>>>>>>>
>>>>>>>>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest
>>>>>>>>>>>> pytest-2.6.4-1.fc22.noarch
>>>>>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch
>>>>>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch
>>>>>>>>>>> I have the same packages.
>>>>>>>>>>> What version of pylint?
>>>>>>>>>>>
>>>>>>>>>>> I have pylint-1.4.1-3.fc22.noarch
>>>>>>>>>>>
>>>>>>>>>>> Simo.
>>>>>>>>>>>
>>>>>>>>>> Thanks to Honza I've finally found a way to get the same errors you're reporting.
>>>>>>>>>> All of them seem to be false positives but I'll investigate a little more to be sure.
>>>>>>>>>>
>>>>>>>>>> The thing is that the python-nose package, which is still used in some tests, is not in BuildRequires, so I didn't install it.
>>>>>>>>>>
>>>>>>>>>> Another weird thing is that lint does not complain that tests are importing nose, which is not installed.
>>>>>>>>>>
>>>>>>>>> The nose.tools module from the python-nose package imports assertEqual and assertRaises from unittest.case and provides them as assert_equal and assert_raises. This confuses pylint, so we need to detect this situation and skip checking of these functions unless we either drop python-nose or pylint becomes more powerful.
>>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> This empty line should not be there, it is an unrelated and unneeded change.
>>>>>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker):
>>>>>>>> 'domain', 'master', 'replicas', 'clients',
>>>>>>>> 'ad_domains']
>>>>>>>> }
>>>>>>>>
>>>>>>>> +
>>>>>>>> def _related_classes(self, klass):
>>>>>>>> yield klass
>>>>>>>> for base in klass.ancestors():
>>>>>>>>
>>>>>>>> Otherwise it looks good to me and works for me on f22, f21.
>>>>>>>>
>>>>>>> Thanks for reviewing the patch. I removed the accidentally added empty line. Updated patch attached.
>>>>>>>
>>>>>> ACK
>>>>>>
>>>>> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b
>>>>>
>>>> Actually this commit introduced a bug on Fedora 21 (pylint-1.3.1). Fortunately the fix is just a simple one-liner.
>>>>
>>> ACK, works for both F21 and F22
>>>
>>> please push dkupka-0042 (I originally thought it was pushed)
>>>
>> Pushed both to master: f19f3e57419df112c1d83aebddc71663e49b659f
>>
>> BTW, what about the ipa-4-1 branch, does it also need some of the patches?
> Just patch dkupka-0042 should go to ipa-4-1.
> Patch needs rebase.
>
Rebased patch attached.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0042-ipa41-Make-lint-work-on-Fedora-22.patch
Type: text/x-patch
Size: 3183 bytes
Desc: not available
URL:

From mkosek at redhat.com Mon Apr 27 10:53:13 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 27 Apr 2015 12:53:13 +0200
Subject: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
In-Reply-To: <553E128C.2040809@redhat.com>
References: <551561FA.6080702@redhat.com> <5515E223.3090808@redhat.com> <5518DB2D.40309@redhat.com> <55192234.6050208@redhat.com> <1428324531.19641.123.camel@willson.usersys.redhat.com> <5524E52C.3050207@redhat.com> <1428497595.19641.166.camel@willson.usersys.redhat.com> <20150410105554.GB26699@mail.corp.redhat.com> <1428670542.19641.297.camel@willson.usersys.redhat.com> <552BA727.2010307@redhat.com> <5538F300.80904@redhat.com> <553A4272.5040604@redhat.com> <553A439C.7040001@redhat.com> <553A4A40.3070002@redhat.com> <553A4C0A.6010109@redhat.com> <553DF3ED.8030506@redhat.com> <553DF816.7060703@redhat.com> <553DFB8E.3020802@redhat.com> <553E0CFB.8020609@redhat.com> <553E128C.2040809@redhat.com>
Message-ID: <553E1519.50402@redhat.com>

On 04/27/2015 12:42 PM, David Kupka wrote:
> On 04/27/2015 12:18 PM, Martin Basti wrote:
>> On 27/04/15 11:04, Martin Kosek wrote:
>>> On 04/27/2015 10:49 AM, Martin Basti wrote:
>>>> On 27/04/15 10:31, David Kupka wrote:
>>>>> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>>>>>
>>>>>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>>>>>> On 24/04/15 15:22, David Kupka wrote:
>>>>>>>> On 04/24/2015 03:17 PM, Martin Basti wrote:
>>>>>>>>> On 23/04/15 15:26, David Kupka wrote:
>>>>>>>>>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>>>>>>>>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
>>>>>>>>>>>> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>>>>>>>>>>>>> On (08/04/15 08:53), Simo Sorce wrote:
>>>>>>>>>>>>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>>>>>>>>>>>>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
>>>>>>>>>>>>>>>> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>>>>>>>>>>>>>>>>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>>>>>>>>>>>>>>>>> On 28.3.2015 at 00:05, Petr Vobornik wrote:
>>>>>>>>>>>>>>>>>>> On 27.3.2015 14:58, David Kupka wrote:
>>>>>>>>>>>>>>>>>>>> pylint changed slightly so we must react, otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ACK
>>>>>>>>>>>>>>>>>> Are all the new disables really just false positives?
>>>>>>>>>>>>>>>>> They seem to me to be false positives.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> >>> import ssl
>>>>>>>>>>>>>>>>> >>> ssl.PROTOCOL_TLSv1
>>>>>>>>>>>>>>>>> 3
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member)
>>>>>>>>>>>>>>>>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> dateutil.parser.parse() returns a datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is the line lint is complaining about:
>>>>>>>>>>>>>>>>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
>>>>>>>>>>>>>>>>> I don't see a chance for 'i' or 'i+1' to be anything other than integers.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> tested on:
>>>>>>>>>>>>>>>>>>> - F21: ipa-4-1, master branch
>>>>>>>>>>>>>>>>>>> - F22: master branch.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22
>>>>>>>>>>>>>>>> This patch doesn't seem to fix all my issues building on F22, so tentative NACK.
>>>>>>>>>>>>>>> I tested it this way:
>>>>>>>>>>>>>>> 1. started with Fedora-22-x86_64-minimal system
>>>>>>>>>>>>>>> 2. dnf install git
>>>>>>>>>>>>>>> 3. clone freeipa
>>>>>>>>>>>>>>> 4. make version-update # to get freeipa.spec
>>>>>>>>>>>>>>> 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
>>>>>>>>>>>>>>> 6. ./make-lint
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It seems the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautil.py) and "No value for argument 'excClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter).
>>>>>>>>>>>>>>> Could you please paste the output of make-lint somewhere?
>>>>>>>>>>>>>> Here it is.
>>>>>>>>>>>>>> This is with my f22 desktop, fully updated with buildrequires >>>>>>>>>>>>>> running >>>>>>>>>>>>>> make-lint straight after applying your patch: >>>>>>>>>>>>>> >>>>>>>>>>>>>> ************* Module ipatests.test_ipapython.test_ipautil >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:93: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_len] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:96: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:97: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:98: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:99: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:100: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:101: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:105: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:106: >>>>>>>>>>>>>> 
[E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:107: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:108: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:109: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:110: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_get] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:114: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:116: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:128: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:130: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_clear] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:140: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 
'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:143: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_copy] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:161: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_items] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:179: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iteritems] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:189: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_iterkeys] >>>>>>>>>>>>>> No value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:199: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_itervalues] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:207: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_keys] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:217: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_values] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:229: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:232: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_update] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:253: >>>>>>>>>>>>>> 
[E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_dict] No value for >>>>>>>>>>>>>> argument >>>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:257: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_list] No value for >>>>>>>>>>>>>> argument >>>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:261: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestCIDict.test_update_duplicate_values_kwargs] No value for >>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:270: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:273: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:275: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:278: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:280: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_setdefault] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:283: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:286: >>>>>>>>>>>>>> 
[E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:289: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:290: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_pop] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:295: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:298: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:303: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:308: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestCIDict.test_popitem] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:323: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:324: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:325: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' 
in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:326: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:327: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:328: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), TestTimeParser.test_simple] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:334: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:335: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:336: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:337: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:338: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:339: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_hour_min_sec] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> 
ipatests/test_ipapython/test_ipautil.py:345: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:346: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:347: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:348: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:349: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:350: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:355: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:356: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:357: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:358: >>>>>>>>>>>>>> 
[E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:359: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:360: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:365: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:366: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:367: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:368: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:369: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:370: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:371: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> 
TestTimeParser.test_fractions] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:377: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:378: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:380: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:385: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:386: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:388: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:393: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:394: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:398: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value 
for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:403: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:404: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ipatests/test_ipapython/test_ipautil.py:406: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> TestTimeParser.test_time_zones] No >>>>>>>>>>>>>> value for argument 'second' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_cert_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_cert_plugin.py:132: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_cert.test_0001_cert_add] No >>>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>> ipatests.test_xmlrpc.test_automount_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:297: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount.test_b_automountkey_del] No value for argument >>>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:309: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount.test_c_automountlocation_del] No value for >>>>>>>>>>>>>> argument >>>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:318: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount.test_d_automountmap_del] No value for argument >>>>>>>>>>>>>> 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:378: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_direct.test_3_automountlocation_del] No >>>>>>>>>>>>>> value for 
>>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:453: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect.test_3_automountkey_del] No value for >>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:465: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect.test_4_automountmap_del] No value for >>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:477: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect.test_5_automountlocation_del] No >>>>>>>>>>>>>> value for >>>>>>>>>>>>>> argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:560: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect_no_parent.test_3_automountkey_del] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:572: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect_no_parent.test_4_automountmap_del] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_automount_plugin.py:584: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_automount_indirect_no_parent.test_5_automountlocation_del] >>>>>>>>>>>>>> No >>>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_sudorule_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:759: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:764: >>>>>>>>>>>>>> 
[E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:769: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_sudorule.test_l_sudorule_order] >>>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_sudorule_plugin.py:783: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_sudorule.test_m_sudorule_del] >>>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_passwd_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_passwd_plugin.py:68: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_passwd.test_3_user_del] No >>>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_pwpolicy_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_pwpolicy_plugin.py:213: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_pwpolicy.test_d_pwpolicy_show] >>>>>>>>>>>>>> No value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_xmlrpc.test_hbac_plugin >>>>>>>>>>>>>> ipatests/test_xmlrpc/test_hbac_plugin.py:487: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), >>>>>>>>>>>>>> test_hbac.test_z_hbacrule_del] No >>>>>>>>>>>>>> value for argument 'excClass' in method call) >>>>>>>>>>>>>> ************* Module ipatests.test_ipaserver.test_ldap >>>>>>>>>>>>>> ipatests/test_ipaserver/test_ldap.py:232: >>>>>>>>>>>>>> [E1120(no-value-for-parameter), test_LDAPEntry.test_pop] No >>>>>>>>>>>>>> value >>>>>>>>>>>>>> for argument 'excClass' in method call) >>>>>>>>>>>>>> >>>>>>>>>>>>> I cannot see such warnings and make-lint passed without any >>>>>>>>>>>>> problem >>>>>>>>>>>>> with >>>>>>>>>>>>> David's patch. 
>>>>>>>>>>>>> >>>>>>>>>>>>> [root at 8e5f379469b0 freeipa]# rpm -qa | grep pytest >>>>>>>>>>>>> pytest-2.6.4-1.fc22.noarch >>>>>>>>>>>>> python-pytest-sourceorder-0.4-2.fc22.noarch >>>>>>>>>>>>> python-pytest-multihost-0.6-2.fc22.noarch >>>>>>>>>>>> I have the same packages. >>>>>>>>>>>> What version of pylint? >>>>>>>>>>>> >>>>>>>>>>>> I have pylint-1.4.1-3.fc22.noarch >>>>>>>>>>>> >>>>>>>>>>>> Simo. >>>>>>>>>>>> >>>>>>>>>>> Thanks to Honza I've finally found a way to get the same errors >>>>>>>>>>> you're >>>>>>>>>>> reporting. All of them seem to be false positives but I'll >>>>>>>>>>> investigate >>>>>>>>>>> a little more to be sure. >>>>>>>>>>> >>>>>>>>>>> The thing is that the python-nose package that is still used in some >>>>>>>>>>> tests is >>>>>>>>>>> not in BuildRequires so I didn't install it. >>>>>>>>>>> >>>>>>>>>>> Another weird thing is that lint does not complain that tests are >>>>>>>>>>> importing nose, which is not installed. >>>>>>>>>>> >>>>>>>>>> The nose.tools module from the python-nose package imports assertEqual and >>>>>>>>>> assertRaises from unittest.case and provides them as >>>>>>>>>> assert_equal and >>>>>>>>>> assert_raises. This confuses pylint so we need to detect this >>>>>>>>>> situation and skip checking of these functions unless we either >>>>>>>>>> drop >>>>>>>>>> python-nose or pylint becomes more powerful. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> This empty line should not be there, it is an unrelated and unneeded >>>>>>>>> change.
>>>>>>>>> @@ -95,6 +96,7 @@ class IPATypeChecker(TypeChecker): >>>>>>>>> 'domain', 'master', 'replicas', 'clients', >>>>>>>>> 'ad_domains'] >>>>>>>>> } >>>>>>>>> >>>>>>>>> + >>>>>>>>> def _related_classes(self, klass): >>>>>>>>> yield klass >>>>>>>>> for base in klass.ancestors(): >>>>>>>>> >>>>>>>>> Otherwise it looks good to me and works for me on f22, f21. >>>>>>>>> >>>>>>>> Thanks for reviewing the patch. I removed the accidentally added >>>>>>>> empty line. Updated patch attached. >>>>>>>> >>>>>>> ACK >>>>>>> >>>>>> Pushed to master: 4a5f5b14c3159e3517b2bfefc3e89f16cebe9d4b >>>>>> >>>>> Actually this commit introduced bug on Fedora 21 (pylint-1.3.1). >>>>> Fortunately >>>>> the fix is just a simple one-liner. >>>>> >>>> ACK, works for both F21 and F22 >>>> >>>> please push dkupka-0042 (I originally thought It was pushed) >>>> >>> Pushed both to master: f19f3e57419df112c1d83aebddc71663e49b659f >>> >>> BTW, what about ipa-4-1 branch, does it also need some of the patches? >> Just patch dkupka-0042 should go to ipa-4-1. >> Patch needs rebase. >> > Rebased patch attached. > Pushed to ipa-4-1: 0acfd39197054f29b515352a18db3615db6daa29 From mbasti at redhat.com Mon Apr 27 11:05:38 2015 
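An added illustration of the nose.tools behaviour described in the thread above. This is example code written for this page, not FreeIPA's make-lint nor the patch under review, and the function names are my own. nose.tools instantiates a throwaway unittest.TestCase and re-exports its bound assert* methods under pep8-style names, so assert_raises is TestCase.assertRaises with self already bound. A checker that resolves the name to the underlying function sees one positional parameter too many and reports the parameter right after the supplied arguments as missing (second and excClass in the log above; Python 3 spells the latter expected_exception), while the bound signature that actually runs is satisfied. The last function is the runtime form of the detection rule the thread asks for: skip names whose export is a bound method of a TestCase instance.

```python
import inspect
import unittest


def nose_style_exports():
    """Reproduce what nose.tools does: bind every assert* method of a dummy
    TestCase instance and expose it under a pep8 name (assertRaises ->
    assert_raises).  Returns {pep8_name: bound_method}."""
    class _Dummy(unittest.TestCase):
        def nop(self):
            pass

    instance = _Dummy("nop")
    exports = {}
    for name in dir(instance):
        if not name.startswith("assert") or "_" in name:
            continue
        pep8_name = "".join("_" + c.lower() if c.isupper() else c for c in name)
        exports[pep8_name] = getattr(instance, name)
    return exports


def _required_positional(target):
    """Positional parameters without defaults, in declaration order."""
    return [p for p in inspect.signature(target).parameters.values()
            if p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD)
            and p.default is p.empty]


def static_view_missing(func, n_positional):
    """Model a checker that inspects the *unbound* function behind a bound
    method: 'self' is counted as a parameter, so a call passing n_positional
    arguments looks like it leaves the parameter at that index unfilled.
    Returns the name such a checker would flag, or None if the call is fine."""
    target = func.__func__ if inspect.ismethod(func) else func
    params = _required_positional(target)
    return params[n_positional].name if n_positional < len(params) else None


def runtime_view_missing(func, n_positional):
    """The same check against the bound signature Python really calls, which
    has already dropped 'self'; this is the ground truth the static view misses."""
    params = _required_positional(func)
    return params[n_positional].name if n_positional < len(params) else None


def is_rebound_testcase_method(obj):
    """Detection rule a lint plugin can apply before arity checking: the
    module-level name is a bound method whose receiver is a TestCase."""
    return inspect.ismethod(obj) and isinstance(obj.__self__, unittest.TestCase)
```

Running static_view_missing on assert_equal with two arguments reproduces the "No value for argument 'second'" report, and on assert_raises with one argument the "excClass"/"expected_exception" one, while runtime_view_missing returns None for both; that gap is the false positive the thread is working around.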
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Apr 2015 13:05:38 +0200 Subject: [Freeipa-devel] [PATCHES 0231-0232] Server Upgrade: support base64 encoded values in update files + remove CSV In-Reply-To: <5538D21A.8040000@redhat.com> References: <552FD1C0.2040104@redhat.com> <5538D21A.8040000@redhat.com> Message-ID: <553E1802.8050409@redhat.com> On 23/04/15 13:06, Martin Basti wrote: > On 16/04/15 17:14, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/4984 >> >> I had to remove CSV (which is evil) to be able to fix this ticket. >> >> Patches attached. >> >> >> > Updated patches attached. > > -- > Martin Basti > > Rebased patches attached. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0231.3-Server-Upgrade-remove-CSV-from-upgrade-files.patch Type: text/x-patch Size: 127820 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0232.3-Server-Upgrade-Allow-base64-encoded-values.patch Type: text/x-patch Size: 15624 bytes Desc: not available URL: From mbasti at redhat.com Mon Apr 27 11:38:16 2015
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Apr 2015 13:38:16 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <5538CFA9.9080700@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> Message-ID: <553E1FA8.8020503@redhat.com> On 23/04/15 12:55, Martin Basti wrote: > On 21/04/15 10:31, Martin Basti wrote: >> On 21/04/15 08:12, Jan Cholasta wrote: >>> Hi, >>> >>> On 15.4.2015 at 16:26, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/4904 >>>> >>>> Patches attached. >>>> >>>> Also the ipa-upgradeconfig part is called as a subprocess. This will be >>>> removed after the installer modifications. >>>> >>>> This patch may cause temporary upgrade issues (corner cases) until >>>> the installer part is finished. >>>> >>>> If somebody is hit by them, please use --skip-version-check for >>>> ipactl and ipa-server-upgrade. >>> >>> Regarding that option vs. --force: I think the common assumption is >>> that --force ignores *all* non-fatal errors, but you break that >>> assumption in ipactl. IMO --force should both ignore errors in >>> service startup *and* skip the version check, and a new option should be >>> added to just ignore errors in service startup (e.g. >>> --ignore-service-failures). >> Originally I used the --force option to skip detection, but there were >> objections against it on the list. >> >> However, to have an option --force which sets both >> --ignore-service-failures and --skip-version-check to true might be >> better. >> >>> >>> ipa-server-upgrade should probably also have --force, even if it >>> does the same thing as --skip-version-check, again because --force >>> is common.
>>> >>> >>> This is a weird API: >>> >>> + if data_upgrade.badsyntax: >>> + raise admintool.ScriptError( >>> + 'Bad syntax detected in upgrade file(s).', 1) >>> + elif data_upgrade.upgradefailed: >>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>> + elif data_upgrade.modified: >>> + self.log.info('Data update complete') >>> + else: >>> + self.log.info('Data update complete, no data were >>> modified') >>> >>> Why does not IPAUpgrade raise errors instead? >>> >> For historical reasons, I can investigate what would break this >> change, I will send it in separate patch. >>> >>> +class IPAVersionError(Exception): >>> + pass >>> + >>> +class PlatformMismatchError(IPAVersionError): >>> + pass >>> + >>> +class DataUpgradeRequiredError(IPAVersionError): >>> + pass >>> + >>> +class DataInNewerVersionError(IPAVersionError): >>> + pass >>> >>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>> much about what kind of version is that. Also data version errors >>> should only tell you what is wrong, not how you fix it. IMO better >>> names for these would be e.g. "UpgradeVersionError", >>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>> check_ipa_version. >>> >> Ok. >>> >>> Why is it not an error if there is no version in check_ipa_version? >>> IMO it should, even if you then ignore the exception most of the time. >> I can raise error in that case and ignore the exception. >>> >>> >>> Honza >>> >> Martin^2 >> > Updated patches attached. > > > Updated patches attached -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0227.4-Server-Upgrade-ipa-server-upgrade-command.patch Type: text/x-patch Size: 6829 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
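Review bot: in the `badsyntax` / `upgradefailed` chain both failure branches raise `admintool.ScriptError(..., 1)` with the same return code, so whatever drives `ipa-server-upgrade` (the RPM scriptlet from patch 0229, or ipactl) cannot tell a malformed update file from a failed data upgrade by exit status, and because the branches are `elif`, a run that hits both only ever reports the syntax problem. Give the two cases distinct return codes (or, as Honza asks, let IPAUpgrade raise typed exceptions and map them to codes in one place) and report both conditions when both flags are set.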
Name: freeipa-mbasti-0228.4-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 17421 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229.4-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From abokovoy at redhat.com Mon Apr 27 12:57:26 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 27 Apr 2015 15:57:26 +0300 Subject: [Freeipa-devel] FYI: Fedora 22 and trusts Message-ID: <20150427125726.GR26437@redhat.com> Hi, if you are playing with Fedora 22 beta, your experience with FreeIPA may be rough. When installing freeipa-server-trust-ad make sure to also install the samba-common-tools package. Samba packaging was split to allow samba-common to be an architecture-independent package, but the samba package didn't get a dependency on the samba-common-tools subpackage, which contains the /usr/bin/net utility. This utility is used by FreeIPA when you run ipa-adtrust-install. I've submitted an update which fixes this issue [1], but until it reaches the stable updates of Fedora 22, simply install samba-common-tools in addition to freeipa-server-trust-ad. As with any pre-release software, it is recommended to always run an up-to-date system, as bugs get fixed almost every day before release. [1] https://admin.fedoraproject.org/updates/samba-4.2.1-5.fc22 -- / Alexander Bokovoy From redhatrises at gmail.com Mon Apr 27 13:02:57 2015
From: redhatrises at gmail.com (Gabe Alford) Date: Mon, 27 Apr 2015 07:02:57 -0600 Subject: [Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install Message-ID: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4575 Thanks, Gabe -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0046-Remove-unneeded-ip-address-option-in-ipa-adtrust-ins.patch Type: text/x-patch Size: 5393 bytes Desc: not available URL: From redhatrises at gmail.com Mon Apr 27 13:03:03 2015 From: redhatrises at gmail.com (Gabe Alford) Date: Mon, 27 Apr 2015 07:03:03 -0600 Subject: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent Message-ID: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-rga-0047-Unsaved-changes-dialog-internally-inconsistent.patch Type: text/x-patch Size: 1278 bytes Desc: not available URL: From npmccallum at redhat.com Mon Apr 27 14:30:37 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Mon, 27 Apr 2015 10:30:37 -0400 Subject: [Freeipa-devel] [PATCH 0083] Fix a signedness bug in OTP code Message-ID: <1430145037.2682.15.camel@redhat.com> This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0083-Fix-a-signedness-bug-in-OTP-code.patch Type: text/x-patch Size: 1659 bytes Desc: not available URL: From ftweedal at redhat.com Mon Apr 27 14:30:46 2015 
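An added example of the bug class named in the OTP message above: HOTP/TOTP verification with a +/- window around the server's counter, a variant that keeps the offset in an unsigned 32-bit variable the way C code would, and a two-code resynchronisation search. This is example code written for this page, not the FreeIPA OTP code or the attached patch, and it does not claim to reproduce the exact defect fixed there; the secret is the RFC 4226/6238 test-vector secret, a constructed input. With the offset unsigned, -window wraps to 2**32 - window, the loop condition is false before the first pass, and a correct code is rejected for any window > 0, so neither authentication nor synchronisation can locate the token.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret: a constructed input, not a real token.
TEST_SECRET = b"12345678901234567890"
UINT32_MAX = 0xFFFFFFFF


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic
    truncation, then the low `digits` decimal digits, zero padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, step: int = 30, t0: int = 0) -> int:
    """RFC 6238: the moving factor is the number of whole steps since t0."""
    return (unix_time - t0) // step


def _matches(secret: bytes, counter: int, code: str) -> bool:
    """Constant-time compare; a negative counter can never match."""
    if counter < 0:
        return False
    return hmac.compare_digest(hotp(secret, counter), code)


def find_offset(secret: bytes, server_counter: int, code: str, window: int):
    """Correct search over [server-window, server+window] with a signed
    offset.  Returns the offset that matched (the clock skew to remember for
    this token) or None when the code is not inside the window."""
    for off in range(-window, window + 1):
        if _matches(secret, server_counter + off, code):
            return off
    return None


def find_offset_unsigned(secret: bytes, server_counter: int, code: str, window: int):
    """Model of the signedness bug class: the offset lives in a 32-bit
    unsigned variable, as in C.  -window wraps to 2**32 - window, so for any
    window > 0 the condition 'off <= window' is false before the first pass
    and not even offset 0 is tried: a valid code is rejected."""
    off = (-window) & UINT32_MAX
    while off <= window:
        if _matches(secret, server_counter + off, code):
            return off
        off = (off + 1) & UINT32_MAX
    return None


def resync(secret: bytes, server_counter: int, first: str, second: str, window: int):
    """Two-code resynchronisation over a (typically much wider) window: an
    offset is accepted only if two consecutive counters both match, which
    rules out a single chance collision.  Returns the offset or None."""
    for off in range(-window, window + 1):
        counter = server_counter + off
        if _matches(secret, counter, first) and _matches(secret, counter + 1, second):
            return off
    return None
```

The offset find_offset returns is what a server stores as the token's skew; resync's two-code form is what lets a badly drifted token be recovered without widening the everyday authentication window, which is why a wrap bug in the window arithmetic hurts synchronisation first.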
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 28 Apr 2015 00:30:46 +1000 Subject: [Freeipa-devel] design review: Certificate Profiles In-Reply-To: <5530F7BD.2070609@redhat.com> References: <20150416080338.GR26212@dhcp-40-8.bne.redhat.com> <5530F7BD.2070609@redhat.com> Message-ID: <20150427143046.GB16379@dhcp-40-8.bne.redhat.com> On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote: > On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > >Hi everyone, > > > >Please review my Certificate Profiles design proposal: > >http://www.freeipa.org/page/V4/Certificate_Profiles > > > >Let me know what is unclear, what needs expansion, and what is plain > >wrong :) > > > >The schema for storing multiple certificates for a principal is > >still being discussed but I expect it will be agreed soon, and I > >will add it to the document. > > > >I am revising the sub-CAs design proposal and it will soon be > >published for review as well. > > 1) Where did you get this feature template? It is the one that is obsolete > (header levels, document structure, missing author in the box)... This is > the right template: > http://www.freeipa.org/page/Feature_template > I saw you updated the formatting and added the `certprofile-mod` command - thanks! > 2) I miss the certprofile-find command - to enable Web UI and/or CLI to search > through existing profiles. > The command will exist, but it is still missing from the design page; I will add it. > 3) Permissions > So your plan is to allow different groups to use different profiles? So there > would be for example profiles allowed to all users (something like > userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with > authorization? Will it be on a FreeIPA framework level or for example by DS > ACIs that would simply not show the profiles? > The design is living in the sub-CAs proposal. The discussion is ongoing (in another thread).
> 4) Searching for certificates by profile - FEEDBACK REQUIRED > It would be nice to incorporate this filter to current cert-find command. > I added `cert-find` and the filter. > 5) Default set of profiles > Should we also propose a basic set of canned profiles so that I can picture > what will be the possibilities? > > Would it be something like > * Server profile > * Client profile > We will have a set of included profiles: - The current caIPAserverCert profile (we will rebrand it; "TLS Server and Client Profile" or something) - One for TLS server auth *without* client auth. - User authentication I will include this in design page. > 6) Upgrades > It may happen that FreeIPA needs to upgrade defaults of a canned profile. It > would be nice to have a section how it would do it. > Should be trivial; I have added some commentary to design page. > This is all I could think of so far. > Thanks for your feedback! From mbasti at redhat.com Mon Apr 27 14:45:34 2015 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Apr 2015 16:45:34 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <553E1FA8.8020503@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> Message-ID: <553E4B8E.6000103@redhat.com> On 27/04/15 13:38, Martin Basti wrote: > On 23/04/15 12:55, Martin Basti wrote: >> On 21/04/15 10:31, Martin Basti wrote: >>> On 21/04/15 08:12, Jan Cholasta wrote: >>>> Hi, >>>> >>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>> >>>>> Patches attached. >>>>> >>>>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>>>> removed after installer modifications. >>>>> >>>>> This patch may cause temporal upgrade issues (corner cases), until >>>>> installer part will be finished. >>>>> >>>>> If somebody will be hit by them, please use --skip-version-check for >>>>> ipactl and ipa-server-upgrade. >>>> >>>> Regarding that option vs. --force: I think the common assumption is >>>> that --force ignores *all* non-fatal errors, but you break that >>>> assumption in ipactl. IMO --force should both ignore errors in >>>> service startup *and* skip version check, and a new option should >>>> be added to just ignore errors in service startup (e.g. >>>> --ignore-service-failures). >>> Originally I used --force option to skip detection, but there was >>> objections against it on list. >>> >>> However, to have option --force, which set true for both >>> --ignore-service-failures and --skip-version-check options, might be >>> better. >>> >>>> >>>> ipa-server-upgrade should probably also have --force, even if it >>>> does the same thing as --skip-version-check, again because --force >>>> is common. 
>>>> >>>> >>>> This is a weird API: >>>> >>>> + if data_upgrade.badsyntax: >>>> + raise admintool.ScriptError( >>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>> + elif data_upgrade.upgradefailed: >>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>> + elif data_upgrade.modified: >>>> + self.log.info('Data update complete') >>>> + else: >>>> + self.log.info('Data update complete, no data were >>>> modified') >>>> >>>> Why does not IPAUpgrade raise errors instead? >>>> >>> For historical reasons, I can investigate what would break this >>> change, I will send it in separate patch. >>>> >>>> +class IPAVersionError(Exception): >>>> + pass >>>> + >>>> +class PlatformMismatchError(IPAVersionError): >>>> + pass >>>> + >>>> +class DataUpgradeRequiredError(IPAVersionError): >>>> + pass >>>> + >>>> +class DataInNewerVersionError(IPAVersionError): >>>> + pass >>>> >>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>> much about what kind of version is that. Also data version errors >>>> should only tell you what is wrong, not how you fix it. IMO better >>>> names for these would be e.g. "UpgradeVersionError", >>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>> check_ipa_version. >>>> >>> Ok. >>>> >>>> Why is it not an error if there is no version in check_ipa_version? >>>> IMO it should, even if you then ignore the exception most of the time. >>> I can raise error in that case and ignore the exception. >>>> >>>> >>>> Honza >>>> >>> Martin^2 >>> >> Updated patches attached. >> >> >> > Updated patches attached > > -- > Martin Basti > > Updated patch attached -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0227.5-Server-Upgrade-ipa-server-upgrade-command.patch Type: text/x-patch Size: 6829 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0228.5-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 17416 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229.5-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From mbasti at redhat.com Mon Apr 27 14:46:47 2015 
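An added sketch of the option and exception layout Honza argues for in the thread above (--force as the union of --skip-version-check and --ignore-service-failures, and version/platform errors that say what is wrong rather than what to do about it). This is example code written for this page, not the patches attached; the names check_version, parse_args and start_services, the dict layout {"platform": ..., "version": ...} and the use of RuntimeError for a failed service start are my assumptions. A missing version is raised as an error and then ignored by the caller, as Honza suggested, and versions are compared as integer tuples so that 4.10 sorts after 4.2.

```python
import argparse
from typing import Callable, List, Optional, Tuple


class UpgradeVersionError(Exception):
    """Base: the stored data version cannot be reconciled with the running code."""


class UpgradeMissingVersionError(UpgradeVersionError):
    """No data version is recorded at all (data predates version tracking)."""


class UpgradePlatformError(UpgradeVersionError):
    """The data was written on a different platform."""


class UpgradeDataOlderVersionError(UpgradeVersionError):
    """The data is older than the code; an upgrade run is still pending."""


class UpgradeDataNewerVersionError(UpgradeVersionError):
    """The data is newer than the code; this looks like a downgrade."""


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.1.4' -> (4, 1, 4): compare numerically, so 4.10 sorts after 4.2."""
    return tuple(int(part) for part in text.split("."))


def check_version(stored: Optional[dict], current: dict) -> None:
    """Raise the most specific UpgradeVersionError; return quietly on a match.
    Both dicts are assumed to carry 'platform' and 'version' keys."""
    if stored is None:
        raise UpgradeMissingVersionError("no data version recorded")
    if stored["platform"] != current["platform"]:
        raise UpgradePlatformError(
            f"data written on {stored['platform']}, code runs on {current['platform']}")
    stored_v = parse_version(stored["version"])
    current_v = parse_version(current["version"])
    if stored_v < current_v:
        raise UpgradeDataOlderVersionError(
            f"data {stored['version']} is older than code {current['version']}")
    if stored_v > current_v:
        raise UpgradeDataNewerVersionError(
            f"data {stored['version']} is newer than code {current['version']}")


def parse_args(argv: List[str]) -> argparse.Namespace:
    """--force is exactly the union of the two narrower switches."""
    parser = argparse.ArgumentParser(prog="ipactl", add_help=False)
    parser.add_argument("--skip-version-check", action="store_true")
    parser.add_argument("--ignore-service-failures", action="store_true")
    parser.add_argument("--force", action="store_true",
                        help="skip the version check and ignore service failures")
    opts = parser.parse_args(argv)
    if opts.force:
        opts.skip_version_check = True
        opts.ignore_service_failures = True
    return opts


def start_services(stored: Optional[dict], current: dict,
                   services: List[Tuple[str, Callable[[], None]]],
                   opts: argparse.Namespace) -> List[str]:
    """Run the version check, then start services in order.  A starter raises
    RuntimeError on failure.  Returns the names of services that failed and
    were skipped; raises instead unless the matching switch is set."""
    try:
        check_version(stored, current)
    except UpgradeMissingVersionError:
        pass  # nothing to compare against yet; the next upgrade run records one
    except UpgradeVersionError:
        if not opts.skip_version_check:
            raise
    failed = []
    for name, start in services:
        try:
            start()
        except RuntimeError:
            if not opts.ignore_service_failures:
                raise
            failed.append(name)
    return failed
```

Keeping the narrow switches as the real flags and deriving --force from them means a caller that only wants one relaxation never accidentally gets the other, and the typed exceptions let ipactl and ipa-server-upgrade share one check while printing different advice.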
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Apr 2015 16:46:47 +0200 Subject: [Freeipa-devel] [PATCHES 0231-0232] Server Upgrade: support base64 encoded values in update files + remove CSV In-Reply-To: <553E1802.8050409@redhat.com> References: <552FD1C0.2040104@redhat.com> <5538D21A.8040000@redhat.com> <553E1802.8050409@redhat.com> Message-ID: <553E4BD7.4010707@redhat.com> On 27/04/15 13:05, Martin Basti wrote: > On 23/04/15 13:06, Martin Basti wrote: >> On 16/04/15 17:14, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/4984 >>> >>> I had to remove CSV (which is evil) to be able to fix this ticket. >>> >>> Patches attached. >>> >>> >>> >> Updated patches attached. >> >> -- >> Martin Basti >> >> > Rebased patches attached. > > -- > Martin Basti > > Rebased patches attached. -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0231.4-Server-Upgrade-remove-CSV-from-upgrade-files.patch Type: text/x-patch Size: 127820 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0232.4-Server-Upgrade-Allow-base64-encoded-values.patch Type: text/x-patch Size: 15008 bytes Desc: not available URL: From pvoborni at redhat.com Mon Apr 27 15:43:55 2015
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 27 Apr 2015 17:43:55 +0200 Subject: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent In-Reply-To: References: Message-ID: <553E593B.7040505@redhat.com> On 04/27/2015 03:03 PM, Gabe Alford wrote: > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/4926 > > Thanks, > > Gabe > PatternFly has new recommendations for terminology and wording [1]. I'm not entirely sure if the usage of 'save' here is good. PF defines 'edit' as the recommended term. The page doesn't say if 'save' is not recommended, though. Save seems to me as a confirmation of editing. Kyle, could you advise what is the best term for reflecting user changes and for confirmation of this action? Technical notes: 1. it would be better to add a new string and then use it in the button instead of having 'Save' text for '@i18n:buttons.update' definition. 2. String changes in internal.py should be also reflected in install/ui/test/data/ipa_init.json (for static web ui demo). 3. optional: in addition to text change, buttons and related actions could also be renamed (same reasons as in 1). It's more proper but much more complicated. [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels -- Petr Vobornik From dkupka at redhat.com Mon Apr 27 16:23:55 2015 
From: dkupka at redhat.com (David Kupka) Date: Mon, 27 Apr 2015 18:23:55 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <553E4B8E.6000103@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> Message-ID: <553E629B.3090809@redhat.com> On 04/27/2015 04:45 PM, Martin Basti wrote: > On 27/04/15 13:38, Martin Basti wrote: >> On 23/04/15 12:55, Martin Basti wrote: >>> On 21/04/15 10:31, Martin Basti wrote: >>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>> >>>>>> Patches attached. >>>>>> >>>>>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>>>>> removed after installer modifications. >>>>>> >>>>>> This patch may cause temporal upgrade issues (corner cases), until >>>>>> installer part will be finished. >>>>>> >>>>>> If somebody will be hit by them, please use --skip-version-check for >>>>>> ipactl and ipa-server-upgrade. >>>>> >>>>> Regarding that option vs. --force: I think the common assumption is >>>>> that --force ignores *all* non-fatal errors, but you break that >>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>> service startup *and* skip version check, and a new option should >>>>> be added to just ignore errors in service startup (e.g. >>>>> --ignore-service-failures). >>>> Originally I used --force option to skip detection, but there was >>>> objections against it on list. >>>> >>>> However, to have option --force, which set true for both >>>> --ignore-service-failures and --skip-version-check options, might be >>>> better. 
>>>> >>>>> >>>>> ipa-server-upgrade should probably also have --force, even if it >>>>> does the same thing as --skip-version-check, again because --force >>>>> is common. >>>>> >>>>> >>>>> This is a weird API: >>>>> >>>>> + if data_upgrade.badsyntax: >>>>> + raise admintool.ScriptError( >>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>> + elif data_upgrade.upgradefailed: >>>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>>> + elif data_upgrade.modified: >>>>> + self.log.info('Data update complete') >>>>> + else: >>>>> + self.log.info('Data update complete, no data were >>>>> modified') >>>>> >>>>> Why does not IPAUpgrade raise errors instead? >>>>> >>>> For historical reasons, I can investigate what would break this >>>> change, I will send it in separate patch. >>>>> >>>>> +class IPAVersionError(Exception): >>>>> + pass >>>>> + >>>>> +class PlatformMismatchError(IPAVersionError): >>>>> + pass >>>>> + >>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>> + pass >>>>> + >>>>> +class DataInNewerVersionError(IPAVersionError): >>>>> + pass >>>>> >>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>> much about what kind of version is that. Also data version errors >>>>> should only tell you what is wrong, not how you fix it. IMO better >>>>> names for these would be e.g. "UpgradeVersionError", >>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>>> check_ipa_version. >>>>> >>>> Ok. >>>>> >>>>> Why is it not an error if there is no version in check_ipa_version? >>>>> IMO it should, even if you then ignore the exception most of the time. >>>> I can raise error in that case and ignore the exception. >>>>> >>>>> >>>>> Honza >>>>> >>>> Martin^2 >>>> >>> Updated patches attached. >>> >>> >>> >> Updated patches attached >> >> -- >> Martin Basti >> >> > > Updated patch attached > Looks good to me and works as expected. 
Honza, are you OK with the patches? -- David Kupka From dkupka at redhat.com Mon Apr 27 16:42:15 2015 From: dkupka at redhat.com (David Kupka) Date: Mon, 27 Apr 2015 18:42:15 +0200 Subject: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater In-Reply-To: <552FD1C8.8030403@redhat.com> References: <552FD1C8.8030403@redhat.com> Message-ID: <553E66E7.6010107@redhat.com> On 04/16/2015 05:14 PM, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4904 > > Patch attached > > > I guess the rest of the comment is also outdated. Can you update it, too? -- David Kupka From dkupka at redhat.com Tue Apr 28 08:23:25 2015 
From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Apr 2015 10:23:25 +0200 Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands In-Reply-To: <552F964E.2060304@redhat.com> References: <552F964E.2060304@redhat.com> Message-ID: <553F437D.5080103@redhat.com> On 04/16/2015 01:00 PM, thierry bordaz wrote: > Hello, > > Here is the next patch for User life cycle that introduces > del/mod/find and show stageuser plugin commands. > > * 0000-User Life Cycle (create containers and scoping DS plugins): > *pushed* > * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: > *pushed* > * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed* > * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed* > * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under > review *(this one)** > * 0004-User-life-cycle-new-stageuser-commands-activate.patch > * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch > * 0006-User-life-cycle-user-del-supports-permanently-preser.patch > * 0008-User-life-cycle-user-find-support-finding-delete-use.patch > * 0009-User-life-cycle-support-of-user-undel.patch > * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch > * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch > * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch > * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch > > Thanks > thierry > > > > Hi Thierry, thanks for the patch, the code looks good to me but there is probably a bug in the ACIs. After creating a stage user and setting a password for him I can kinit as the stage user. I'm unable to log in to the IPA client and the id command for this stage user responds "no such user", but I can kinit and invoke ipa commands. Steps: 0. build freeipa with your patch 1. # ipa-server-install 2. $ kinit admin 3. $ ipa stageuser-add suser0 --first Stage --last User --password 4. $ kdestroy 5. $ kinit suser0 6.
$ ipa user-find Actual: Prints out list of ipa users. Expected: kinit fails with "suser0 at ... not found in Kerberos database" -- David Kupka From tbordaz at redhat.com Tue Apr 28 08:28:39 2015 
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 28 Apr 2015 10:28:39 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <553F437D.5080103@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com>
Message-ID: <553F44B7.6040100@redhat.com>

On 04/28/2015 10:23 AM, David Kupka wrote:
> On 04/16/2015 01:00 PM, thierry bordaz wrote:
>> Hello,
>>
>> Here is the next patch for User life cycle that introduces
>> del/mod/find and show stageuser plugin commands.
>>
>> * 0000-User Life Cycle (create containers and scoping DS plugins): *pushed*
>> * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: *pushed*
>> * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
>> * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
>> * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-: *under review* (this one)
>> * 0004-User-life-cycle-new-stageuser-commands-activate.patch
>> * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
>> * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
>> * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
>> * 0009-User-life-cycle-support-of-user-undel.patch
>> * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
>> * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
>> * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
>> * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
>>
>> Thanks
>> thierry
>>
> Hi Thierry,
> thanks for the patch, the code looks good to me but there is probably
> a bug in ACIs.
> After creating a stage user and setting password for him I can kinit
> as the stage user. I'm unable to login to the IPA client and id
> command for this stage user responds "no such user" but I can kinit
> and invoke ipa commands.
>
> Steps:
> 0. build freeipa with your patch
> 1. # ipa-server-install
> 2. $ kinit admin
> 3. $ ipa stageuser-add suser0 --first Stage --last User --password
> 4. $ kdestroy
> 5. $ kinit suser0
> 6. $ ipa user-find
>
> Actual:
> Prints out list of ipa users.
>
> Expected:
> kinit fails with "suser0 at ... not found in Kerberos database"
>
Hi David,

Thank you so much for having looked at this patch :-)
You are right. The Staging users (as well as the Deleted users) are not
locked out in that patch.
The patch 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
will take care of this.

Do you prefer that I merge the two patches right now?

thanks
thierry

From dkupka at redhat.com Tue Apr 28 08:40:14 2015
From: dkupka at redhat.com (David Kupka)
Date: Tue, 28 Apr 2015 10:40:14 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <553F44B7.6040100@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com>
Message-ID: <553F476E.8080502@redhat.com>

On 04/28/2015 10:28 AM, thierry bordaz wrote:
> On 04/28/2015 10:23 AM, David Kupka wrote:
>> On 04/16/2015 01:00 PM, thierry bordaz wrote:
>>> Hello,
>>>
>>> Here is the next patch for User life cycle that introduces
>>> del/mod/find and show stageuser plugin commands.
>>>
>>> * 0000-User Life Cycle (create containers and scoping DS plugins): *pushed*
>>> * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: *pushed*
>>> * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
>>> * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
>>> * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-: *under review* (this one)
>>> * 0004-User-life-cycle-new-stageuser-commands-activate.patch
>>> * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
>>> * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
>>> * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
>>> * 0009-User-life-cycle-support-of-user-undel.patch
>>> * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
>>> * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
>>> * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
>>> * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
>>>
>>> Thanks
>>> thierry
>>>
>> Hi Thierry,
>> thanks for the patch, the code looks good to me but there is probably
>> a bug in ACIs.
>> After creating a stage user and setting password for him I can kinit
>> as the stage user. I'm unable to login to the IPA client and id
>> command for this stage user responds "no such user" but I can kinit
>> and invoke ipa commands.
>>
>> Steps:
>> 0. build freeipa with your patch
>> 1. # ipa-server-install
>> 2. $ kinit admin
>> 3. $ ipa stageuser-add suser0 --first Stage --last User --password
>> 4. $ kdestroy
>> 5. $ kinit suser0
>> 6. $ ipa user-find
>>
>> Actual:
>> Prints out list of ipa users.
>>
>> Expected:
>> kinit fails with "suser0 at ... not found in Kerberos database"
>>
> Hi David,
>
> Thank you so much for having looked at this patch :-)
> You are right. The Staging users (as well as the Deleted users) are not
> locked out in that patch.
> The patch
> 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch will
> take care of this.
>
> Do you prefer that I merge the two patches right now?
>
> thanks
> thierry
>
Hi Thierry,
no, it is not necessary to merge the patches; it's ok to have them
separated. I'm not sure if the patch should be pushed now or rather wait
and push it together with the others.
I'm looking forward to next ULC patches from you.

--
David Kupka

From jcholast at redhat.com Tue Apr 28 11:18:35 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 28 Apr 2015 13:18:35 +0200
Subject: [Freeipa-devel] [PATCH 0001] Fixed incorrect ldap_uri population
In-Reply-To: <553A52E1.8060309@redhat.com>
References: <553A4D9E.5000201@redhat.com> <553A52E1.8060309@redhat.com>
Message-ID: <553F6C8B.5010509@redhat.com>

Hi,

On 24.4.2015 at 16:27, Oleg Fayans wrote:
> This one is even more correct.
>
> On 04/24/2015 04:05 PM, Oleg Fayans wrote:
>> Corresponding ticket is
>> https://fedorahosted.org/freeipa/ticket/5002

thanks for the patch, but the bug is purely hypothetical, as the __ldap_uri
attribute is always set.

Anyway, you shouldn't use "'name' in dir(obj)" to check if attribute is
set, there is "hasattr(obj, 'name')" for that.

Also, "__ldap_uri" starts with two underscores, so the name is mangled to
"_ldap2__ldap_uri", which means the check in your patch will always fail
and ldap_uri will always return self.api.env.ldap_uri, which is in fact
more wrong than the current behavior.

Honza

--
Jan Cholasta

From mbasti at redhat.com Tue Apr 28 12:45:07 2015
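The name-mangling point Honza raises, as an added example that is not the patch under review or FreeIPA code: a class named ldap2 stores a double-underscore attribute, and the `dir()` check from the patch is shown beside a `hasattr()` check that spells the attribute the way Python actually stores it. The Env class, the URIs and the method names are constructed stand-ins for api.env and the real plugin.

```python
# Added example (not FreeIPA code): why "'__ldap_uri' in dir(obj)" inside
# class ldap2 can never succeed, and what hasattr() sees instead.
# Env is a constructed stand-in for api.env; the URIs are made-up values.


class Env(object):
    """Constructed stand-in for api.env (example only)."""
    ldap_uri = 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket'


class ldap2(object):
    def __init__(self, env, ldap_uri=None):
        self.env = env
        # A name with two leading underscores is rewritten by the compiler
        # to _ldap2__ldap_uri everywhere inside this class body...
        self.__ldap_uri = ldap_uri

    @property
    def ldap_uri_dir_check(self):
        """The pattern from the patch under review.

        ...but a string literal is not rewritten, so '__ldap_uri' is never
        found in dir(self) and this always falls back to env.ldap_uri, even
        when an explicit URI was passed to the constructor.
        """
        if '__ldap_uri' in dir(self):
            return self.__ldap_uri
        return self.env.ldap_uri

    @property
    def ldap_uri(self):
        """Idiomatic form: hasattr() with the real (mangled) name.

        hasattr(self, '__ldap_uri') would suffer from the same problem and
        always be False; the attribute has to be spelled as Python stores it.
        """
        if hasattr(self, '_ldap2__ldap_uri') and self.__ldap_uri is not None:
            return self.__ldap_uri
        return self.env.ldap_uri


def attribute_names(obj):
    """Every attribute name on obj mentioning ldap_uri, as dir() reports it."""
    return sorted(name for name in dir(obj) if 'ldap_uri' in name)


def demo():
    """Return (buggy_result, fixed_result, dir_names) for a connection
    that was given an explicit URI."""
    conn = ldap2(Env(), ldap_uri='ldap://server.example.test')
    return conn.ldap_uri_dir_check, conn.ldap_uri, attribute_names(conn)


if __name__ == '__main__':
    buggy, fixed, names = demo()
    print('dir() check   ->', buggy)   # env fallback: the explicit URI is lost
    print('hasattr check ->', fixed)   # ldap://server.example.test
    print('dir() names   ->', names)   # ['_ldap2__ldap_uri', 'ldap_uri', 'ldap_uri_dir_check']
```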
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 14:45:07 +0200
Subject: [Freeipa-devel] [PATCHES 0235-0237] Use global DS write lock during upgrade
Message-ID: <553F80D3.6070606@redhat.com>

https://fedorahosted.org/freeipa/ticket/4925

I had to use the ldif parser to edit the DSE file instead (patch 236) and,
due to a cyclic import caused by upgrade instance and dsinstance, I had to
move realm_to_serverid from dsinstance to installutils.

Patches attached.

--
Martin Basti

[Attachment: freeipa-mbasti-0235-move-realm_to_serverid-to-installutils-module.patch]
[Attachment: freeipa-mbasti-0236-Server-Upgrade-use-LDIF-parser-to-modify-DSE.ldif.patch]
[Attachment: freeipa-mbasti-0237-Server-Upgrade-enable-DS-global-lock-during-upgrade.patch]

From mbasti at redhat.com Tue Apr 28 12:48:37 2015
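Editing a dse.ldif through an LDIF parser rather than with text substitution, as an added example that is not Martin's patch 0236: a small reader/writer that unfolds continuation lines and decodes base64 values, flips one attribute on one entry, and writes the file back. The attribute it toggles, nsslapd-readonly on cn=config, is an assumption about what the "DS global lock" maps to, and the sample file is constructed.

```python
# Added example (not FreeIPA's patch 0236): a self-contained LDIF
# reader/writer used to set one attribute on one dse.ldif entry.
# Assumption: the "global DS write lock" is nsslapd-readonly on cn=config.
import base64

# Constructed excerpt of a dse.ldif: one folded value (continuation line
# starting with a space) and one base64 value ('::') to exercise the parser.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-readonly: off
nsslapd-errorlog: /var/log/dirsrv/slapd-EXAMPLE-TEST
 /errors
description:: %s

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
nsSSL3: off
""" % base64.b64encode(b' leading space needs base64').decode('ascii')


def parse_ldif(text):
    """Parse LDIF into a list of [dn, [(attr, value), ...]] entries.

    Handles folded lines, base64 values and comments; entries are separated
    by blank lines, which is all a dse.ldif needs.
    """
    entries, lines = [], []
    for raw in text.splitlines() + ['']:
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif raw.startswith('#') or raw.startswith('version:'):
            continue
        elif raw == '':
            if lines:
                entries.append(_entry_from_lines(lines))
                lines = []
        else:
            lines.append(raw)
    return entries


def _entry_from_lines(lines):
    attrs = []
    for line in lines:
        name, _, rest = line.partition(':')
        if rest.startswith(':'):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        attrs.append((name, value))
    if not attrs or attrs[0][0].lower() != 'dn':
        raise ValueError('entry does not start with a dn: line')
    return [attrs[0][1], attrs[1:]]


def set_attribute(entries, dn, attr, value):
    """Replace all values of attr on entry dn (adding it if absent).

    Returns True when the entry exists, False otherwise; DN and attribute
    names are compared case-insensitively, as LDAP does.
    """
    for entry in entries:
        if entry[0].lower() == dn.lower():
            kept = [(a, v) for a, v in entry[1] if a.lower() != attr.lower()]
            entry[1] = kept + [(attr, value)]
            return True
    return False


def _format_line(name, value):
    """Write 'name: value', or 'name:: base64' where LDIF forbids clear text."""
    unsafe = (value != value.strip() or value.startswith((':', '<'))
              or any(ord(c) > 126 or c in '\r\n\0' for c in value))
    if unsafe:
        encoded = base64.b64encode(value.encode('utf-8')).decode('ascii')
        return '%s:: %s' % (name, encoded)
    return '%s: %s' % (name, value)


def dump_ldif(entries):
    """Serialise entries back to LDIF text (one blank line between entries)."""
    out = []
    for dn, attrs in entries:
        out.append(_format_line('dn', dn))
        out.extend(_format_line(a, v) for a, v in attrs)
        out.append('')
    return '\n'.join(out)


def set_readonly(ldif_text, enabled):
    """Return ldif_text with nsslapd-readonly on cn=config set on or off."""
    entries = parse_ldif(ldif_text)
    value = 'on' if enabled else 'off'
    if not set_attribute(entries, 'cn=config', 'nsslapd-readonly', value):
        raise ValueError('cn=config entry not found')
    return dump_ldif(entries)


if __name__ == '__main__':
    locked = set_readonly(SAMPLE_DSE, True)     # before the upgrade
    print(locked)
    print(set_readonly(locked, False))          # after the upgrade
```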
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 14:48:37 +0200
Subject: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater
In-Reply-To: <553E66E7.6010107@redhat.com>
References: <552FD1C8.8030403@redhat.com> <553E66E7.6010107@redhat.com>
Message-ID: <553F81A5.90800@redhat.com>

On 27/04/15 18:42, David Kupka wrote:
> On 04/16/2015 05:14 PM, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4904
>>
>> Patch attached
>>
> I guess the rest of the comment is also outdated. Can you update it, too?
>
Updated patch attached.

--
Martin Basti

[Attachment: freeipa-mbasti-0230.2-Server-Upgrade-fix-a-comment-in-ldapupdater.patch]

From pspacek at redhat.com Tue Apr 28 12:50:47 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 28 Apr 2015 14:50:47 +0200
Subject: [Freeipa-devel] [PATCH 0321] Update and standardize copyright headers; introduce AUTHORS file
Message-ID: <553F8227.8070509@redhat.com>

Hello,

I'm going to add a couple of new files to the source tree and the current
copyright header drove me mad, so here is (finally) a cleanup.

Update and standardize copyright headers; introduce AUTHORS file.

Dates in all headers were harmonized with Git history.
AUTHORS file lists all authors listed in Git history and source files too.

--
Petr^2 Spacek

[Attachment: bind-dyndb-ldap-pspacek-0321-Update-and-standardize-copyright-headers-introduce-A.patch]

From mbasti at redhat.com Tue Apr 28 13:03:17 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 15:03:17 +0200
Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
In-Reply-To: <553DF452.2030209@redhat.com>
References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> <5534B989.3010005@redhat.com> <5534BFA4.2080406@redhat.com> <553A42DF.1070300@redhat.com> <553DF452.2030209@redhat.com>
Message-ID: <553F8515.2010104@redhat.com>

On 27/04/15 10:33, Martin Babinsky wrote:
> On 04/24/2015 03:19 PM, Martin Basti wrote:
>> On 20/04/15 10:58, Martin Babinsky wrote:
>>> On 04/20/2015 10:32 AM, Martin Basti wrote:
>>>> On 17/04/15 14:11, Martin Babinsky wrote:
>>>>> On 04/17/2015 12:41 PM, Martin Babinsky wrote:
>>>>>> On 04/17/2015 12:36 PM, Martin Basti wrote:
>>>>>>> On 17/04/15 12:33, Martin Babinsky wrote:
>>>>>>>> On 04/17/2015 12:04 PM, Martin Basti wrote:
>>>>>>>>> On 15/04/15 15:53, Martin Babinsky wrote:
>>>>>>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote:
>>>>>>>>>>> On 14/04/15 16:12, Martin Basti wrote:
>>>>>>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote:
>>>>>>>>>>>>> This patch addresses
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4966
>>>>>>>>>>>>>
>>>>>>>>>>>>> The noise during rollback/uninstall is caused mainly by
>>>>>>>>>>>>> unsuccessful attempts to remove files that do not exist
>>>>>>>>>>>>> anymore. These errors are now logged at debug level and do
>>>>>>>>>>>>> not pop-up to stdout/stderr.
>>>>>>>>>>>>>
>>>>>>>>>>>> Hello, thank you for the patch.
>>>>>>>>>>>>
>>>>>>>>>>>> 1)
>>>>>>>>>>>> The option add_warning is quite unclear to me. It does not
>>>>>>>>>>>> show warning but error. I suggest something like show_hint,
>>>>>>>>>>>> show_user_action, or something show_additional_..., or
>>>>>>>>>>>> promt_manual_removal
>>>>>>>>>>>>
>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>
>>>>>>>>>>> Continue...
>>>>>>>>>>>
>>>>>>>>>>> 2)
>>>>>>>>>>>
>>>>>>>>>>>     if file_exists(preferences_fname):
>>>>>>>>>>>         try:
>>>>>>>>>>>             os.remove(preferences_fname)
>>>>>>>>>>>         except OSError as e:
>>>>>>>>>>>             log_file_removal_error(e, preferences_fname, True)
>>>>>>>>>>>
>>>>>>>>>>> In this case file not found error should never happen.
>>>>>>>>>>>
>>>>>>>>>>> Could you remove the 'if file_exists' part and handle just
>>>>>>>>>>> exception?
>>>>>>>>>>>
>>>>>>>>>> I just reverted this bit to original form in order to not fix
>>>>>>>>>> something that isn't broken. Is that ok?
>>>>>>>>>>> 3)
>>>>>>>>>>> this is inconsistent with change above, choose one style
>>>>>>>>>>> please:
>>>>>>>>>>>
>>>>>>>>>>>     if os.path.exists(ca_file):
>>>>>>>>>>>         try:
>>>>>>>>>>>             os.unlink(ca_file)
>>>>>>>>>>>         except OSError, e:
>>>>>>>>>>>             root_logger.error(
>>>>>>>>>>>                 "Failed to remove '%s': %s",
>>>>>>>>>>>                 ca_file, e)
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Martin Basti
>>>>>>>>>>>
>>>>>>>>>> Attaching updated patch.
>>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>>
>>>>>>>>> just one nitpick, can you move the new function into
>>>>>>>>> installutils, it can be used in different scripts not just in
>>>>>>>>> ipaclient.
>>>>>>>>>
>>>>>>>> I'm not sure if it is a good idea as installutils is a part of the
>>>>>>>> freeipa-server package.
>>>>>>>>
>>>>>>>> Placing it there would create an unnecessary dependency of
>>>>>>>> freeipa-client on freeipa-server because of a single function.
>>>>>>>>
>>>>>>> you are right, I do not know why I thought that ipa-client-install
>>>>>>> uses installutils.
>>>>>>>
>>>>>>> ACK
>>>>>>>
>>>>>> self-NACK, I will try to rewrite the patch in a slightly less dumb
>>>>>> way.
>>>>>>
>>>>>> Sorry for the confusion.
>>>>>>
>>>>> Attaching updated patch which does the same but using a wrapper
>>>>> around os.remove().
>>>>>
>>>>> Jan suggested to keep the new function in 'ipa-client-install' and
>>>>> move it around when we do installer re#$%@^ing.
>>>>>
>>>>> Is that ok?
>>>>>
>>>> It looks better, ACK.
>>>>
>>> Jan NACKed your ACK.
>>>
>>> Attaching updated patch.
>>>
>> Sorry, NACK
>>
>> ************* Module ipa-client-install
>> ipa-client/ipa-install/ipa-client-install:791:
>> [E1121(too-many-function-args), uninstall] Too many positional arguments
>> for function call)
>> ipa-client/ipa-install/ipa-client-install:797:
>> [E1121(too-many-function-args), uninstall] Too many positional arguments
>> for function call)
>>
>> consult with Honza if option which show prompt user to delete file
>> manually, should be there or not.
>>
> Updated patch attached.
>
ACK

--
Martin Basti

From mbasti at redhat.com Tue Apr 28 13:03:39 2015
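The "wrapper around os.remove()" that the thread converges on, as an added example that is not the ipa-client-install patch itself: one call to os.remove(), with ENOENT treated as expected rollback noise (debug log only) and every other OSError reported, optionally with a hint to remove the file by hand. The logger name, the prompt_manual_removal flag (echoing the naming discussion above) and the scratch file are assumptions made for this example.

```python
# Added example (not the ipa-client-install code from the patch): a wrapper
# around os.remove() for uninstall/rollback that hides the expected
# "file already gone" noise but still reports real failures.
# The logger name and the prompt_manual_removal flag are assumptions.
import errno
import logging
import os
import tempfile

log = logging.getLogger('ipa-client-install')  # name assumed for the example


def remove_file(filename, prompt_manual_removal=False):
    """Remove filename; return True if it was removed, False otherwise.

    Rather than testing os.path.exists() first and unlinking afterwards
    (the file can vanish in between and the error shows up anyway), call
    os.remove() once and classify the OSError it raises: ENOENT is expected
    during a rollback and goes to the debug log only; everything else
    (EACCES, EISDIR, EBUSY, ...) is a real error the user should see.
    """
    try:
        os.remove(filename)
    except OSError as e:
        if e.errno == errno.ENOENT:
            log.debug("File '%s' does not exist, nothing to remove", filename)
        else:
            log.error("Failed to remove file '%s': %s", filename, e)
            if prompt_manual_removal:
                log.error("Please remove '%s' manually", filename)
        return False
    log.debug("Removed file '%s'", filename)
    return True


def demo():
    """Exercise the three cases on a scratch directory; return the results.

    (removed, already_gone, real_error) is expected to be (True, False, False).
    """
    workdir = tempfile.mkdtemp(prefix='ulc-example-')
    cert = os.path.join(workdir, 'ca.crt')          # constructed file name
    with open(cert, 'w') as f:
        f.write('constructed placeholder, not a certificate\n')
    removed = remove_file(cert)                     # first pass: removed
    already_gone = remove_file(cert)                # second pass: ENOENT, debug only
    # Removing a directory with os.remove() fails with an errno other than
    # ENOENT, so this is reported as an error (with the manual-removal hint).
    real_error = remove_file(workdir, prompt_manual_removal=True)
    os.rmdir(workdir)
    return removed, already_gone, real_error


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    print(demo())   # (True, False, False)
```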
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 15:03:39 +0200
Subject: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
In-Reply-To: <553DF948.2030908@redhat.com>
References: <54F847EF.2080608@redhat.com> <553110F1.2030008@redhat.com> <5534DC1C.1040903@redhat.com> <553A5017.5000908@redhat.com> <553DF948.2030908@redhat.com>
Message-ID: <553F852B.8040103@redhat.com>

On 27/04/15 10:54, Martin Babinsky wrote:
> On 04/24/2015 04:15 PM, Martin Basti wrote:
>> On 20/04/15 12:59, Martin Babinsky wrote:
>>> On 04/17/2015 03:56 PM, Martin Babinsky wrote:
>>>> On 03/05/2015 01:11 PM, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4900
>>>>>
>>>> Nobody to review this?
>>>>
>>> Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one
>>> for master.
>>>
>> Hello, thanks for the patches:
>>
>> 1)
>> why is there
>>
>> + PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG
>>
>> I cannot find it used in patches?
>>
>> Martin^2
>>
>> --
>> Martin Basti
>>
> That was likely only my oversight. Attaching updated patches.
>
ACK

--
Martin Basti

From mbasti at redhat.com Tue Apr 28 13:18:09 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 15:18:09 +0200
Subject: [Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
Message-ID: <553F8891.10809@redhat.com>

On 27/04/15 15:02, Gabe Alford wrote:
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/4575
>
> Thanks,
>
> Gabe
>
Hello,

thank you for your patch, looks good.

However, IMO you can remove hostaddr variable as well, it was used for
validating IP address.
I could not find it used anywhere, did you?

Martin^2

--
Martin Basti

From redhatrises at gmail.com Tue Apr 28 13:36:34 2015
From: redhatrises at gmail.com (Gabe Alford)
Date: Tue, 28 Apr 2015 07:36:34 -0600
Subject: [Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
In-Reply-To: <553F8891.10809@redhat.com>
References: <553F8891.10809@redhat.com>

On Tue, Apr 28, 2015 at 7:18 AM, Martin Basti wrote:
> On 27/04/15 15:02, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/4575
>
> Thanks,
>
> Gabe
>
> Hello,
>
> thank you for your patch, looks good.
>
> However, IMO you can remove hostaddr variable as well, it was used for
> validating IP address.
> I could not find it used anywhere, did you?
>
Removed. It still seemed like it could be a logical check to have to me
which is why I kept it in the first place.
Updated patch attached.

> Martin^2
>
> --
> Martin Basti
>
[Attachment: freeipa-rga-0046-2-Remove-unneeded-ip-address-option-in-ipa-adtrust-ins.patch]

From tbordaz at redhat.com Tue Apr 28 14:40:14 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 28 Apr 2015 16:40:14 +0200
Subject: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
In-Reply-To: <553F476E.8080502@redhat.com>
References: <552F964E.2060304@redhat.com> <553F437D.5080103@redhat.com> <553F44B7.6040100@redhat.com> <553F476E.8080502@redhat.com>
Message-ID: <553F9BCE.6010000@redhat.com>

On 04/28/2015 10:40 AM, David Kupka wrote:
> On 04/28/2015 10:28 AM, thierry bordaz wrote:
>> On 04/28/2015 10:23 AM, David Kupka wrote:
>>> On 04/16/2015 01:00 PM, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>> Here is the next patch for User life cycle that introduces
>>>> del/mod/find and show stageuser plugin commands.
>>>>
>>>> * 0000-User Life Cycle (create containers and scoping DS plugins): *pushed*
>>>> * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: *pushed*
>>>> * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
>>>> * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
>>>> * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-: *under review* (this one)
>>>> * 0004-User-life-cycle-new-stageuser-commands-activate.patch
>>>> * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
>>>> * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
>>>> * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
>>>> * 0009-User-life-cycle-support-of-user-undel.patch
>>>> * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
>>>> * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
>>>> * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
>>>> * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
>>>>
>>>> Thanks
>>>> thierry
>>>>
>>> Hi Thierry,
>>> thanks for the patch, the code looks good to me but there is probably
>>> a bug in ACIs.
>>> After creating a stage user and setting password for him I can kinit
>>> as the stage user. I'm unable to login to the IPA client and id
>>> command for this stage user responds "no such user" but I can kinit
>>> and invoke ipa commands.
>>>
>>> Steps:
>>> 0. build freeipa with your patch
>>> 1. # ipa-server-install
>>> 2. $ kinit admin
>>> 3. $ ipa stageuser-add suser0 --first Stage --last User --password
>>> 4. $ kdestroy
>>> 5. $ kinit suser0
>>> 6. $ ipa user-find
>>>
>>> Actual:
>>> Prints out list of ipa users.
>>>
>>> Expected:
>>> kinit fails with "suser0 at ... not found in Kerberos database"
>>>
>> Hi David,
>>
>> Thank you so much for having looked at this patch :-)
>> You are right. The Staging users (as well as the Deleted users) are not
>> locked out in that patch.
>> The patch
>> 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch will
>> take care of this.
>>
>> Do you prefer that I merge the two patches right now?
>>
>> thanks
>> thierry
>>
> Hi Thierry,
> no, it is not necessary to merge the patches; it's ok to have them
> separated. I'm not sure if the patch should be pushed now or rather
> wait and push it together with the others.
> I'm looking forward to next ULC patches from you.
>
Hi David,

Here are all the available patches.
I also attach a test script that is a kind of regression test that I am
using.

Thanks again
thierry

[Attachment: freeipa-tbordaz-0014-User-life-cycle-Add-Stage-User-Provisioning-permissi.patch]
[Attachment: freeipa-tbordaz-0013-User-life-cycle-Stage-user-Administrators-permission.patch]
[Attachment: freeipa-tbordaz-0012-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch]
[Attachment: freeipa-tbordaz-0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch]
[Attachment: freeipa-tbordaz-0010-User-life-cycle-support-of-user-undel.patch]
[Attachment: freeipa-tbordaz-0009-User-life-cycle-user-find-support-finding-delete-use.patch]
[Attachment: freeipa-tbordaz-0008-User-life-cycle-user-del-supports-permanently-preser.patch]
[Attachment: freeipa-tbordaz-0007-User-life-cycle-new-stageuser-commands-activate-prov.patch]
[Attachment: freeipa-tbordaz-0006-User-life-cycle-new-stageuser-commands-activate.patch]
[Attachment: freeipa-tbordaz-0005-User-life-cycle-new-stageuser-commands-del-mod-find-.patch]
[Attachment: demo_ulc.sh]

From mbabinsk at redhat.com Tue Apr 28 15:42:21 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 28 Apr 2015 17:42:21 +0200
Subject: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade
Message-ID: <553FAA5D.8030705@redhat.com>

The attached patches address https://fedorahosted.org/freeipa/ticket/4973
and implement the solution proposed in Comment 2.

Please review the hell out of them.

--
Martin^3 Babinsky

[Attachment: freeipa-mbabinsk-0031-HTTPInstance-should-set-up-dedicated-CCache-file-for.patch]
[Attachment: freeipa-mbabinsk-0032-rename-httpd.service-to-ipa-httpd.service.patch]

From Duncan.Innes at virginmoney.com Tue Apr 28 15:58:01 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 28 Apr 2015 16:58:01 +0100
Subject: [Freeipa-devel] Suggestion for the A part of IPA
Message-ID: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet>

Folks,

The A part of IPA has always been of great interest to me. Our current IPA
infrastructure works well at the I & P parts, giving us great failover
abilities and connectivity through hardware firewalls without punching too
many holes.

Whilst the A part may not be solely about centralised logging, it's the
thing I've been looking into recently. To do this I've built a setup around
the ELK stack using a pair of Logstash servers and an ElasticSearch cluster
of 5 servers (overkill on the ES side perhaps, but this is proof of concept
still). To expand on this, I've been looking at running the Logstash
service on each of our IPA servers as that gives us a failover pair in each
part of our network. The Logstash servers then connect to the ES cluster as
non-data nodes.

Each client has an rsyslog7 (still using RHEL6 at the moment) config that
sends the logs in JSON format with some extra bespoke fields added (such as
Project, Environment, and Use to help us search better). The sending is
done in rsyslog's rather clunky failover method to the local pair of
Logstash servers (with a third failover being to /dev/null).

It struck me that this kind of setup might not be too far removed from some
of the A part of IPA.

I'm not good at ASCII flowchart diagrams, so will leave it there for now.
The main point of this - does any of this idea sound reasonable to add in
to FreeIPA? To me it sounds like a good fit for getting (some) logging data
back to a central point.

The Logstash indexers currently have a very low load (perhaps due to the
incoming data already being JSON) and small memory footprint. They run
without issue on our IPA servers. The ES nodes are different and I won't
pretend to be any sort of expert in what they do. They load up a bit when I
shut 1 of them down, but that's the rebalancing happening.

Apologies if this is off topic, or wide of the mark.

Cheers

Duncan Innes

From mbasti at redhat.com Tue Apr 28 16:56:36 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Apr 2015 18:56:36 +0200
Subject: [Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
References: <553F8891.10809@redhat.com>
Message-ID: <553FBBC4.8050904@redhat.com>

On 28/04/15 15:36, Gabe Alford wrote:
> On Tue, Apr 28, 2015 at 7:18 AM, Martin Basti wrote:
>
> On 27/04/15 15:02, Gabe Alford wrote:
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/4575
>>
>> Thanks,
>>
>> Gabe
>>
> Hello,
>
> thank you for your patch, looks good.
>
> However, IMO you can remove hostaddr variable as well, it was used
> for validating IP address.
> I could not find it used anywhere, did you?
>
> Removed. It still seemed like it could be a logical check to have to
> me which is why I kept it in the first place.
> Updated patch attached.
>
> Martin^2
>
> --
> Martin Basti
>
Thank you, ACK!

This check is not needed anymore, it will not work with dualstack, and
adtrustinstance is installed on IPA server which must have resolvable IP
address.

--
Martin Basti

From abokovoy at redhat.com Tue Apr 28 18:03:13 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Apr 2015 21:03:13 +0300
Subject: [Freeipa-devel] [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <20150428170157.GA26437@redhat.com>
References: <20150428170157.GA26437@redhat.com>
Message-ID: <20150428180313.GD26437@redhat.com>

Sending my answer to the list too.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets
>>sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
>>scripts, or have to use Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>Yes, there is.
>
>Given that you are running FreeIPA 4.1, you now can use SSSD as your
>libwbclient provider to be able to run Samba on IPA client against IPA
>database. There will be no dependency on sambaPwdLastSet anymore.
>
>See
>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
>client. It does not work though with non-Kerberos (NTLM) logins.
>
>However, if you insist on using sambaPwdLastSet attribute, then the user
>password change rule applies:
>
>- if admin changes user password, sambaPwdLastSet is cleared to 0 to
>  force users to change their passwords also via Samba
>
>If user changes the password him/herself, sambaPwdLastSet is set to the
>current time (i.e. not 0).
>
>This really goes into enforcing privacy of user passwords -- if admins
>change user passwords, the password is not really secret anymore and
>cannot be considered secure, so it is only used once.
>
>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>https://www.freeipa.org/page/New_Passwords_Expired
>
>--
>/ Alexander Bokovoy

--
/ Alexander Bokovoy

From ayoung at redhat.com Tue Apr 28 18:07:49 2015
From: ayoung at redhat.com (Adam Young) Date: Tue, 28 Apr 2015 14:07:49 -0400 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> Message-ID: <553FCC75.9060508@redhat.com> On 04/28/2015 11:58 AM, Innes, Duncan wrote: > Folks, > The A part of IPA has always been of great interest to me. Our > current IPA infrastructure works well at the I & P parts, giving us > great failover abilities and connectivity through hardware firewalls > without punching too many holes. > Whilst the A part may not be solely about centralised logging, it's > the thing I've been looking into recently. To do this I've built a > setup around the ELK stack using a pair of Logstash servers and an > ElasticSearch cluster of 5 servers (overkill on the ES side perhaps, > but this is proof of concept still). To expand on this, I've been > looking at running the Logstash serviceon each of our IPA servers as > that gives us a failover pair in each part of our network. The > Logstash servers then connect to the ES cluster as non-data nodes. > Each client has an rsyslog7 (still using RHEL6 at the moment) config > that writes sends the logs in JSON format with some extra bespoke > fields added (such as Project, Environment, and Use to help us search > better). The sending is done in rsyslog's rather clunky failover > method to the local pair of Logstash servers (with a third failover > being to /dev/null). I think I am in alignment with what you are saying. I like rsyslogd as the basic "ship the log off the server" tool. Let's use what the platform support first natively and formost; We want something native, not Ruby, not even Python if we can avoid it, for the normal case. Bumping up to logstash for more complex host-side rules might be fine. Remember, the Hosts side of integration with FreeIPA is sssd. 
Logstash can be the server side of the audit collection as well, and then it puts fewer demands on the server. We need to ensure that the audit data can be sent over a GSSAPI protected pathway. On the IPA side, I would think we would register the audit server as a host, and have specific service entries for the protocols supported. Would you see IPA owning the audit server, or just integrating in with an existing one? I don't think the IPA server itself should be the ELK server for obvious reasons. I would love to see the ELK server supported along the lines of how we do a replica setup. > It struck me that this kind of setup might not be too far removed from > some of the A part of IPA. > I'm not good at ASCII flowchart diagrams, so will leave it there for > now. The main point of this - does any of this idea sound reasonable > to add in to FreeIPA? To me it sounds like a good fit for getting > (some) logging data back to a central point. > The Logstash indexers currently have a very low load (perhaps due to > the incoming data already being JSON) and small memory footprint. > They run without issue on our IPA servers. The ES nodes are different > and I won't pretend to be any sort of expert in what they do. They > load up a bit when I shut 1 of them down, but that's the rebalancing > happening. > Apologies if this is off topic, or wide of the mark. > Cheers > Duncan Innes > > This message has been checked for viruses and spam by the Virgin Money > email scanning system powered by Messagelabs. > > This e-mail is intended to be confidential to the recipient. If you > receive a copy in error, please inform the sender and then delete this > message. > > Virgin Money plc - Registered in England and Wales (Company no. > 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon > Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority > and the Prudential Regulation Authority.
> > The following companies also trade as Virgin Money. They are both > authorised and regulated by the Financial Conduct Authority, are > registered in England and Wales and have their registered office at > Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money > Personal Financial Service Limited (Company no. 3072766) and Virgin > Money Unit Trust Managers Limited (Company no. 3000482). > > For further details of Virgin Money group companies please visit our > website at virginmoney.com > > From jcholast at redhat.com Wed Apr 29 05:22:02 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 07:22:02 +0200 Subject: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails In-Reply-To: <553F852B.8040103@redhat.com> References: <54F847EF.2080608@redhat.com> <553110F1.2030008@redhat.com> <5534DC1C.1040903@redhat.com> <553A5017.5000908@redhat.com> <553DF948.2030908@redhat.com> <553F852B.8040103@redhat.com> Message-ID: <55406A7A.6060809@redhat.com> Dne 28.4.2015 v 15:03 Martin Basti napsal(a): > On 27/04/15 10:54, Martin Babinsky wrote: >> On 04/24/2015 04:15 PM, Martin Basti wrote: >>> On 20/04/15 12:59, Martin Babinsky wrote: >>>> On 04/17/2015 03:56 PM, Martin Babinsky wrote: >>>>> On 03/05/2015 01:11 PM, Martin Babinsky wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/4900 >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-devel mailing list >>>>>> Freeipa-devel at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>>>> >>>>> >>>>> Nobody to review this? >>>>> >>>> >>>> Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one >>>> for master. >>>> >>>> >>>> >>> Hello, thanks for the patches: >>> >>> 1) >>> why is there >>> >>> + PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG >>> >>> I cannot find it used in patches? >>> >>> >>> Martin^2 >>> >>> -- >>> Martin Basti >>> >> That was likely only my oversight. Attaching updated patches. >> > ACK > Pushed to: master: a1f91247ccf69a60d1e18942e6697f45b951fe4b ipa-4-1: 04fbbbb5842784e06f7e3f973b534d34d08a74a7 (Shamelessly added myself as a reviewer, since I did an offline review which led to the changes done between the first and second generation of the patches.) -- Jan Cholasta From jcholast at redhat.com Wed Apr 29 05:25:42 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 07:25:42 +0200 Subject: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall In-Reply-To: <553F8515.2010104@redhat.com> References: <552D072D.3040002@redhat.com> <552D2040.0@redhat.com> <552D2322.5020002@redhat.com> <552E6D58.4090901@redhat.com> <5530DAB3.6040208@redhat.com> <5530E160.9090201@redhat.com> <5530E248.6000200@redhat.com> <5530E347.8080709@redhat.com> <5530F86C.6000707@redhat.com> <5534B989.3010005@redhat.com> <5534BFA4.2080406@redhat.com> <553A42DF.1070300@redhat.com> <553DF452.2030209@redhat.com> <553F8515.2010104@redhat.com> Message-ID: <55406B56.7000205@redhat.com> Dne 28.4.2015 v 15:03 Martin Basti napsal(a): > On 27/04/15 10:33, Martin Babinsky wrote: >> On 04/24/2015 03:19 PM, Martin Basti wrote: >>> On 20/04/15 10:58, Martin Babinsky wrote: >>>> On 04/20/2015 10:32 AM, Martin Basti wrote: >>>>> On 17/04/15 14:11, Martin Babinsky wrote: >>>>>> On 04/17/2015 12:41 PM, Martin Babinsky wrote: >>>>>>> On 04/17/2015 12:36 PM, Martin Basti wrote: >>>>>>>> On 17/04/15 12:33, Martin Babinsky wrote: >>>>>>>>> On 04/17/2015 12:04 PM, Martin Basti wrote: >>>>>>>>>> On 15/04/15 15:53, Martin Babinsky wrote: >>>>>>>>>>> On 04/14/2015 04:24 PM, Martin Basti wrote: >>>>>>>>>>>> On 14/04/15 16:12, Martin Basti wrote: >>>>>>>>>>>>> On 14/04/15 14:25, Martin Babinsky wrote: >>>>>>>>>>>>>> This patch addresses >>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4966 >>>>>>>>>>>>>> >>>>>>>>>>>>>> The noise during rollback/uninstall is caused mainly by >>>>>>>>>>>>>> unsuccessful >>>>>>>>>>>>>> attempts to remove files that do not exist anymore. These >>>>>>>>>>>>>> errors >>>>>>>>>>>>>> are >>>>>>>>>>>>>> now logged at debug level and do not pop-up to stdout/stderr. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> Hello, thank you for the patch. 
>>>>>>>>>>>>> >>>>>>>>>>>>> 1) >>>>>>>>>>>>> The option add_warning is quite unclear to me. It does not >>>>>>>>>>>>> show >>>>>>>>>>>>> warning but error. I suggest something like, show_hint, >>>>>>>>>>>>> show_user_action, or something show_additional_..., or >>>>>>>>>>>>> promt_manual_removal >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> Continue... >>>>>>>>>>>> >>>>>>>>>>>> 2) >>>>>>>>>>>> >>>>>>>>>>>> if file_exists(preferences_fname): >>>>>>>>>>>> try: >>>>>>>>>>>> os.remove(preferences_fname) >>>>>>>>>>>> except OSError as e: >>>>>>>>>>>> log_file_removal_error(e, >>>>>>>>>>>> preferences_fname, >>>>>>>>>>>> True) >>>>>>>>>>>> >>>>>>>>>>>> In this case file not found error should never happen. >>>>>>>>>>>> >>>>>>>>>>>> Could you remove the 'if file_exists' part and handle just >>>>>>>>>>>> exception? >>>>>>>>>>>> >>>>>>>>>>> I just reverted this bit to original form in order to not fix >>>>>>>>>>> something that isn't broken. Is that ok? >>>>>>>>>>>> 3) >>>>>>>>>>>> this is inconsistent with change above, choose one style >>>>>>>>>>>> please: >>>>>>>>>>>> >>>>>>>>>>>> if os.path.exists(ca_file): >>>>>>>>>>>> try: >>>>>>>>>>>> os.unlink(ca_file) >>>>>>>>>>>> except OSError, e: >>>>>>>>>>>> root_logger.error( >>>>>>>>>>>> "Failed to remove '%s': %s", >>>>>>>>>>>> ca_file, e) >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Martin Basti >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Attaching updated patch. >>>>>>>>>>> >>>>>>>>>> thanks, >>>>>>>>>> >>>>>>>>>> just one nitpick, can you move the new function into >>>>>>>>>> installutils, it >>>>>>>>>> can be used in different scripts not just in ipaclient. >>>>>>>>>> >>>>>>>>> >>>>>>>>> I'm not sure if it is a good idea as installutils is a part for >>>>>>>>> freeipa-server package. >>>>>>>>> >>>>>>>>> Placing it there would create an unnecessary dependency of >>>>>>>>> freeipa-client on freeipa-server because of a single function. 
>>>>>>>>> >>>>>>>> you are right, I do not know why I thought that ipa-client-install uses >>>>>>>> installutils. >>>>>>>> >>>>>>>> ACK >>>>>>>> >>>>>>> self-NACK, I will try to rewrite the patch in a slightly less dumb >>>>>>> way. >>>>>>> >>>>>>> Sorry for the confusion. >>>>>>> >>>>>> >>>>>> Attaching updated patch which does the same but using a wrapper >>>>>> around >>>>>> os.remove(). >>>>>> >>>>>> Jan suggested to keep the new function in 'ipa-client-install' and >>>>>> move it around when we do installer re#$%@^ing. >>>>>> >>>>>> Is that ok? >>>>>> >>>>> It looks better, ACK. >>>>> >>>> Jan NACKed your ACK. >>>> >>>> Attaching updated patch. >>>> >>> Sorry, NACK >>> >>> ************* Module ipa-client-install >>> ipa-client/ipa-install/ipa-client-install:791: >>> [E1121(too-many-function-args), uninstall] Too many positional arguments >>> for function call) >>> ipa-client/ipa-install/ipa-client-install:797: >>> [E1121(too-many-function-args), uninstall] Too many positional arguments >>> for function call) >>> >>> consult with Honza on whether the option that prompts the user to delete the file >>> manually should be there or not. >>> >> >> Updated patch attached. >> > ACK > Pushed to: master: 98376589de9b33d7007c8d43366d26f3e3307662 ipa-4-1: b04435a0f5c63e18ec36f2d3e0849a6dee384589 -- Jan Cholasta From jcholast at redhat.com Wed Apr 29 05:34:22 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 07:34:22 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <553E629B.3090809@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> Message-ID: <55406D5E.8090207@redhat.com> Dne 27.4.2015 v 18:23 David Kupka napsal(a): > On 04/27/2015 04:45 PM, Martin Basti wrote: >> On 27/04/15 13:38, Martin Basti wrote: >>> On 23/04/15 12:55, Martin Basti wrote: >>>> On 21/04/15 10:31, Martin Basti wrote: >>>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>>> >>>>>>> Patches attached. >>>>>>> >>>>>>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>>>>>> removed after installer modifications. >>>>>>> >>>>>>> This patch may cause temporary upgrade issues (corner cases), until >>>>>>> installer part will be finished. >>>>>>> >>>>>>> If somebody is hit by them, please use --skip-version-check for >>>>>>> ipactl and ipa-server-upgrade. >>>>>> >>>>>> Regarding that option vs. --force: I think the common assumption is >>>>>> that --force ignores *all* non-fatal errors, but you break that >>>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>>> service startup *and* skip version check, and a new option should >>>>>> be added to just ignore errors in service startup (e.g. >>>>>> --ignore-service-failures). >>>>> Originally I used --force option to skip detection, but there were >>>>> objections against it on list. >>>>> >>>>> However, to have option --force, which sets true for both >>>>> --ignore-service-failures and --skip-version-check options, might be >>>>> better.
>>>>> >>>>>> >>>>>> ipa-server-upgrade should probably also have --force, even if it >>>>>> does the same thing as --skip-version-check, again because --force >>>>>> is common. >>>>>> >>>>>> >>>>>> This is a weird API: >>>>>> >>>>>> + if data_upgrade.badsyntax: >>>>>> + raise admintool.ScriptError( >>>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>>> + elif data_upgrade.upgradefailed: >>>>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>>>> + elif data_upgrade.modified: >>>>>> + self.log.info('Data update complete') >>>>>> + else: >>>>>> + self.log.info('Data update complete, no data were >>>>>> modified') >>>>>> >>>>>> Why does not IPAUpgrade raise errors instead? >>>>>> >>>>> For historical reasons, I can investigate what would break this >>>>> change, I will send it in separate patch. >>>>>> >>>>>> +class IPAVersionError(Exception): >>>>>> + pass >>>>>> + >>>>>> +class PlatformMismatchError(IPAVersionError): >>>>>> + pass >>>>>> + >>>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>>> + pass >>>>>> + >>>>>> +class DataInNewerVersionError(IPAVersionError): >>>>>> + pass >>>>>> >>>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>>> much about what kind of version is that. Also data version errors >>>>>> should only tell you what is wrong, not how you fix it. IMO better >>>>>> names for these would be e.g. "UpgradeVersionError", >>>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>>>> check_ipa_version. >>>>>> >>>>> Ok. >>>>>> >>>>>> Why is it not an error if there is no version in check_ipa_version? >>>>>> IMO it should, even if you then ignore the exception most of the >>>>>> time. >>>>> I can raise error in that case and ignore the exception. >>>>>> >>>>>> >>>>>> Honza >>>>>> >>>>> Martin^2 >>>>> >>>> Updated patches attached. 
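Review bot: in the data_upgrade hunk both failure branches raise admintool.ScriptError with the same exit status 1 ('Bad syntax detected in upgrade file(s).' and 'IPA upgrade failed.'), so a caller such as the spec file's invocation of ipa-server-upgrade mentioned later in this thread cannot tell a malformed update file from a failed upgrade by return code. Give the two cases distinct exit codes, or, as suggested above, have IPAUpgrade raise distinct exception types and map them to exit codes in one place in the command class.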
>>>> >>>> >>>> >>> Updated patches attached >>> >>> -- >>> Martin Basti >>> >>> >> >> Updated patch attached >> > > Looks good to me and works as expected. Honza, are you OK with the patches? > Some nitpicks: The command line tool class should be named "ServerUpgrade" rather than "IPAServerUpgrade" for consistency with others. The deprecated --debug option should not be used in new commands. I would like to see --skip-version-check also in ipa-server-upgrade, for consistency with ipactl. In the spec file ipa-server-upgrade is run with --quiet, so why redirect stdout to /dev/null? -- Jan Cholasta From mkosek at redhat.com Wed Apr 29 06:41:41 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 08:41:41 +0200 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> Message-ID: <55407D25.9030505@redhat.com> On 04/28/2015 05:58 PM, Innes, Duncan wrote: > Folks, > > The A part of IPA has always been of great interest to me. Our current > IPA infrastructure works well at the I & P parts, giving us great > failover abilities and connectivity through hardware firewalls without > punching too many holes. Good to hear :-) We recently also started investigating the Audit capabilities for (notice I write "for" and not "in") IPA. You can check my initial nudge to the freeipa-users list, which was unfortunately with no reply: https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html For the beginning, I would be interested in your use cases, if you are only looking for a centralized log store, or you are also looking for more analytics in the logs (like what API commands were run, user logins, etc.) or utilization of the server core services (LDAP/Kerberos/DNS/...) > Whilst the A part may not be solely about centralised logging, it's the > thing I've been looking into recently. To do this I've built a setup > around the ELK stack using a pair of Logstash servers and an > ElasticSearch cluster of 5 servers (overkill on the ES side perhaps, but > this is proof of concept still). To expand on this, I've been looking > at running the Logstash service on each of our IPA servers as that gives > us a failover pair in each part of our network. The Logstash servers > then connect to the ES cluster as non-data nodes. Each client has an > rsyslog7 (still using RHEL6 at the moment) config that sends the > logs in JSON format with some extra bespoke fields added (such as > Project, Environment, and Use to help us search better).
The sending is > done in rsyslog's rather clunky failover method to the local pair of > Logstash servers (with a third failover being to /dev/null). Ah, so you are running Logstash service on each IPA service? Isn't that too heavyweight? In our tests, we mostly simply wanted to just configure rsyslog and get the logs out of the server, to the centralized ELK/REK/EFK servers which did the heavy lifting. After all, the IPA servers may be of different environments (Fedora, RHEL, CentOS, ...) and with different versions of the log processing software. On the REK server (yes, we did not use logstash at the POC), we are able to process the logs (make them structured), store and display them. This allows us to do searches like "list of admins which added users in the last month". This of course required adding parsing rules to rsyslog to get the structure out of the API logs. Are you using logstash for the parsing or did you not start the parsing part yet? > It struck me that this kind of setup might not be too far removed from > some of the A part of IPA. The centralized log processing itself is too big a task for IPA itself, it is specialized on other things. But some integration should be added in time, I agree. It may be minimal, from top of my head for example: * Support of (rsyslog) configuration in ipa-client-install or ipa-server-install * Providing the secure, GSSAPI-based log transfer to the IPA clients and ELK/REK/EFK server * Providing parsing templates for rsyslog or base queries for Kibana > I'm not good at ASCII flowchart diagrams, so will leave it there for > now. The main point of this - does any of this idea sound reasonable to > add in to FreeIPA? To me it sounds like a good fit for getting (some) > logging data back to a central point. > > The Logstash indexers currently have a very low load (perhaps due to the > incoming data already being JSON) and small memory footprint. They run > without issue on our IPA servers.
The ES nodes are different and I > won't pretend to be any sort of expert in what they do. They load up a > bit when I shut 1 of them down, but that's the rebalancing happening. > > Apologies if this is off topic, or wide of the mark. > > Cheers > > Duncan Innes > > > From mkosek at redhat.com Wed Apr 29 06:45:47 2015
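The "list of admins which added users in the last month" query above is the kind of structured search the thread wants out of the API logs. As an added example (not code from the thread or from FreeIPA), here is a small parser for IPA API records as they appear in Apache's error_log and the query run over constructed sample lines; the record layout is an assumption of this example, and the principals, pids and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample lines in the assumed shape of FreeIPA API entries in
# /var/log/httpd/error_log (principals, pids and times are made up).
SAMPLE_LOG = """\
[Wed Apr 01 09:12:05.123456 2015] [:error] [pid 2345] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: user_add(u'tuser', givenname=u'Test', sn=u'User'): SUCCESS
[Wed Apr 01 09:13:40.654321 2015] [:error] [pid 2345] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: user_show(u'tuser'): SUCCESS
[Thu Apr 02 10:01:11.000000 2015] [:error] [pid 2346] ipa: INFO: [jsonserver_session] helpdesk@EXAMPLE.COM: user_add(u'jdoe', givenname=u'John', sn=u'Doe'): DuplicateEntry
[Mon Apr 27 16:30:00.000000 2015] [:error] [pid 2347] ipa: INFO: [jsonserver_session] ops@EXAMPLE.COM: user_add(u'svc1', givenname=u'Svc', sn=u'One'): SUCCESS
[Wed Feb 11 08:00:00.000000 2015] [:error] [pid 2200] ipa: INFO: [jsonserver_session] olduser@EXAMPLE.COM: user_add(u'x', givenname=u'X', sn=u'Y'): SUCCESS
this line is not an API record and is skipped
"""

# One API record: Apache timestamp, server type, Kerberos principal that
# issued the call, command name, its arguments and the result keyword.
API_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\.\d+)? (?P<year>\d{4})\] \[:error\] \[pid \d+\] "
    r"ipa: INFO: \[(?P<server>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<command>[a-z_]+)\((?P<args>.*)\): (?P<result>\w+)$"
)


def parse_api_line(line):
    """Return a dict for one API record, or None for any other line."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "principal": m["principal"],
        "command": m["command"],
        "args": m["args"],
        "result": m["result"],
    }


def parse_log(text):
    """Parse all API records out of a log text, ignoring non-API lines."""
    return [r for r in (parse_api_line(l) for l in text.splitlines()) if r]


def principals_who_ran(records, command, since, until=None,
                       successful_only=True):
    """Map each principal that ran `command` in the window to the argument
    strings of its calls. Failed calls (e.g. DuplicateEntry) are excluded
    by default because they created nothing, but they can be kept when the
    question is who *tried*."""
    hits = {}
    for r in records:
        if r["command"] != command:
            continue
        if r["time"] < since or (until is not None and r["time"] > until):
            continue
        if successful_only and r["result"] != "SUCCESS":
            continue
        hits.setdefault(r["principal"], []).append(r["args"])
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    window = (datetime(2015, 3, 30), datetime(2015, 4, 30))
    for who, calls in principals_who_ran(recs, "user_add", *window).items():
        print(who, "->", calls)
```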
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 08:45:47 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <55406D5E.8090207@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> Message-ID: <55407E1B.5080904@redhat.com> On 04/29/2015 07:34 AM, Jan Cholasta wrote: > Dne 27.4.2015 v 18:23 David Kupka napsal(a): >> On 04/27/2015 04:45 PM, Martin Basti wrote: >>> On 27/04/15 13:38, Martin Basti wrote: >>>> On 23/04/15 12:55, Martin Basti wrote: >>>>> On 21/04/15 10:31, Martin Basti wrote: >>>>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>>>> >>>>>>>> Patches attached. >>>>>>>> >>>>>>>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>>>>>>> removed after installer modifications. >>>>>>>> >>>>>>>> This patch may cause temporal upgrade issues (corner cases), until >>>>>>>> installer part will be finished. >>>>>>>> >>>>>>>> If somebody will be hit by them, please use --skip-version-check for >>>>>>>> ipactl and ipa-server-upgrade. >>>>>>> >>>>>>> Regarding that option vs. --force: I think the common assumption is >>>>>>> that --force ignores *all* non-fatal errors, but you break that >>>>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>>>> service startup *and* skip version check, and a new option should >>>>>>> be added to just ignore errors in service startup (e.g. >>>>>>> --ignore-service-failures). >>>>>> Originally I used --force option to skip detection, but there was >>>>>> objections against it on list. 
>>>>>> >>>>>> However, to have option --force, which set true for both >>>>>> --ignore-service-failures and --skip-version-check options, might be >>>>>> better. >>>>>> >>>>>>> >>>>>>> ipa-server-upgrade should probably also have --force, even if it >>>>>>> does the same thing as --skip-version-check, again because --force >>>>>>> is common. >>>>>>> >>>>>>> >>>>>>> This is a weird API: >>>>>>> >>>>>>> + if data_upgrade.badsyntax: >>>>>>> + raise admintool.ScriptError( >>>>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>>>> + elif data_upgrade.upgradefailed: >>>>>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>>>>> + elif data_upgrade.modified: >>>>>>> + self.log.info('Data update complete') >>>>>>> + else: >>>>>>> + self.log.info('Data update complete, no data were >>>>>>> modified') >>>>>>> >>>>>>> Why does not IPAUpgrade raise errors instead? >>>>>>> >>>>>> For historical reasons, I can investigate what would break this >>>>>> change, I will send it in separate patch. >>>>>>> >>>>>>> +class IPAVersionError(Exception): >>>>>>> + pass >>>>>>> + >>>>>>> +class PlatformMismatchError(IPAVersionError): >>>>>>> + pass >>>>>>> + >>>>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>>>> + pass >>>>>>> + >>>>>>> +class DataInNewerVersionError(IPAVersionError): >>>>>>> + pass >>>>>>> >>>>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>>>> much about what kind of version is that. Also data version errors >>>>>>> should only tell you what is wrong, not how you fix it. IMO better >>>>>>> names for these would be e.g. "UpgradeVersionError", >>>>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>>>>> check_ipa_version. >>>>>>> >>>>>> Ok. >>>>>>> >>>>>>> Why is it not an error if there is no version in check_ipa_version? >>>>>>> IMO it should, even if you then ignore the exception most of the >>>>>>> time. 
>>>>>> I can raise error in that case and ignore the exception. >>>>>>> >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> Martin^2 >>>>>> >>>>> Updated patches attached. >>>>> >>>>> >>>>> >>>> Updated patches attached >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>> >>> Updated patch attached >>> >> >> Looks good to me and works as expected. Honza, are you OK with the patches? >> > > Some nitpicks: > > The command line tool class should be named "ServerUpgrade" rather than > "IPAServerUpgrade" for consistency with others. > > The deprecated --debug option should not be used in new commands. Why is --debug option deprecated? I thought we wanted to deprecate --verbose option as --debug is used in most our CLI tools. Well, except ipa-ldap-updated which for some reasons marks --debug as deprecated. It does not matter now, given the command is removed/changed. > > I would like to see --skip-version-check also in ipa-server-upgrade, for > consistency with ipactl. > > In the spec file ipa-server-upgrade is run with --quiet, so why redirect stdout > to /dev/null? From jcholast at redhat.com Wed Apr 29 06:52:55 2015 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 08:52:55 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <55407E1B.5080904@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> Message-ID: <55407FC7.1060502@redhat.com> Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): > On 04/29/2015 07:34 AM, Jan Cholasta wrote: >> Dne 27.4.2015 v 18:23 David Kupka napsal(a): >>> On 04/27/2015 04:45 PM, Martin Basti wrote: >>>> On 27/04/15 13:38, Martin Basti wrote: >>>>> On 23/04/15 12:55, Martin Basti wrote: >>>>>> On 21/04/15 10:31, Martin Basti wrote: >>>>>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>>>>> >>>>>>>>> Patches attached. >>>>>>>>> >>>>>>>>> Also ipa-upgradeconfig part is called as a subprocess. This will be >>>>>>>>> removed after installer modifications. >>>>>>>>> >>>>>>>>> This patch may cause temporal upgrade issues (corner cases), until >>>>>>>>> installer part will be finished. >>>>>>>>> >>>>>>>>> If somebody will be hit by them, please use --skip-version-check for >>>>>>>>> ipactl and ipa-server-upgrade. >>>>>>>> >>>>>>>> Regarding that option vs. --force: I think the common assumption is >>>>>>>> that --force ignores *all* non-fatal errors, but you break that >>>>>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>>>>> service startup *and* skip version check, and a new option should >>>>>>>> be added to just ignore errors in service startup (e.g. >>>>>>>> --ignore-service-failures). 
>>>>>>> Originally I used --force option to skip detection, but there was >>>>>>> objections against it on list. >>>>>>> >>>>>>> However, to have option --force, which set true for both >>>>>>> --ignore-service-failures and --skip-version-check options, might be >>>>>>> better. >>>>>>> >>>>>>>> >>>>>>>> ipa-server-upgrade should probably also have --force, even if it >>>>>>>> does the same thing as --skip-version-check, again because --force >>>>>>>> is common. >>>>>>>> >>>>>>>> >>>>>>>> This is a weird API: >>>>>>>> >>>>>>>> + if data_upgrade.badsyntax: >>>>>>>> + raise admintool.ScriptError( >>>>>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>>>>> + elif data_upgrade.upgradefailed: >>>>>>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>>>>>> + elif data_upgrade.modified: >>>>>>>> + self.log.info('Data update complete') >>>>>>>> + else: >>>>>>>> + self.log.info('Data update complete, no data were >>>>>>>> modified') >>>>>>>> >>>>>>>> Why does not IPAUpgrade raise errors instead? >>>>>>>> >>>>>>> For historical reasons, I can investigate what would break this >>>>>>> change, I will send it in separate patch. >>>>>>>> >>>>>>>> +class IPAVersionError(Exception): >>>>>>>> + pass >>>>>>>> + >>>>>>>> +class PlatformMismatchError(IPAVersionError): >>>>>>>> + pass >>>>>>>> + >>>>>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>>>>> + pass >>>>>>>> + >>>>>>>> +class DataInNewerVersionError(IPAVersionError): >>>>>>>> + pass >>>>>>>> >>>>>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>>>>> much about what kind of version is that. Also data version errors >>>>>>>> should only tell you what is wrong, not how you fix it. IMO better >>>>>>>> names for these would be e.g. "UpgradeVersionError", >>>>>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>>>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>>>>>> check_ipa_version. >>>>>>>> >>>>>>> Ok. 
>>>>>>>> >>>>>>>> Why is it not an error if there is no version in check_ipa_version? >>>>>>>> IMO it should, even if you then ignore the exception most of the >>>>>>>> time. >>>>>>> I can raise error in that case and ignore the exception. >>>>>>>> >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>>>> Martin^2 >>>>>>> >>>>>> Updated patches attached. >>>>>> >>>>>> >>>>>> >>>>> Updated patches attached >>>>> >>>>> -- >>>>> Martin Basti >>>>> >>>>> >>>> >>>> Updated patch attached >>>> >>> >>> Looks good to me and works as expected. Honza, are you OK with the patches? >>> >> >> Some nitpicks: >> >> The command line tool class should be named "ServerUpgrade" rather than >> "IPAServerUpgrade" for consistency with others. >> >> The deprecated --debug option should not be used in new commands. > > Why is --debug option deprecated? I thought we wanted to deprecate --verbose > option as --debug is used in most our CLI tools. Well, except ipa-ldap-updated > which for some reasons marks --debug as deprecated. It does not matter now, > given the command is removed/changed. AdminTool provides --debug as a deprecated alias for --verbose when a subclass requests it. It seems the decision to deprecate --debug was already made back when AdminTool was introduced, so let's trust that decision. -- Jan Cholasta From mkosek at redhat.com Wed Apr 29 07:09:07 2015 
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 09:09:07 +0200 Subject: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade In-Reply-To: <553FAA5D.8030705@redhat.com> References: <553FAA5D.8030705@redhat.com> Message-ID: <55408393.5060201@redhat.com> On 04/28/2015 05:42 PM, Martin Babinsky wrote: > The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and > implement the solution proposed in Comment 2. > > Please review the hell out of them. Why did you split the work in 2 patches? It looks like you first did the first approach of modifying httpd.service and then changed your mind and did the ipa-httpd.service approach (which is what we agreed to). Also, shouldn't ipa-httpd.service be contained in the package itself, like ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not see any daemon-reload, so I am not sure if systemd would pick up the right configuration in the first install. Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service. You chose "/tmp/ipa-httpd.ccache", is it the best approach CCACHE type/path we should use? This is mostly question to Simo, his mod_auth_gssapi will consume the ccache. From mbabinsk at redhat.com Wed Apr 29 07:29:50 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 29 Apr 2015 09:29:50 +0200 Subject: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade In-Reply-To: <55408393.5060201@redhat.com> References: <553FAA5D.8030705@redhat.com> <55408393.5060201@redhat.com> Message-ID: <5540886E.4050700@redhat.com> On 04/29/2015 09:09 AM, Martin Kosek wrote: > On 04/28/2015 05:42 PM, Martin Babinsky wrote: >> The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and >> implement the solution proposed in Comment 2. >> >> Please review the hell out of them. > > Why did you split the work in 2 patches? It looks like you first did the first > approach of modifying httpd.service and then changed your mind and did the > ipa-httpd.service approach (which is what we agreed to). > I was thinking about it as two distinct operations (modify existing httpd.service to use KRB5CCNAME and rename httpd.service to ipa-httpd.service). But I can merge them if needed. > Also, shouldn't ipa-httpd.service be contained in the package itself, like > ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not > see any daemon-reload, so I am not sure if systemd would pick up the right > configuration in the first install. Martin^2 told me that generating a service file from a template is evil, so I will put the full service file into init/systemd directory so that it is already present in /etc/systemd/system after rpm install. > > Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service. > You chose "/tmp/ipa-httpd.ccache", is it the best approach CCACHE type/path we > should use? This is mostly question to Simo, his mod_auth_gssapi will consume > the ccache. > I will ask Simo if there is some preferred way to name CCache files. -- Martin^3 Babinsky From jcholast at redhat.com Wed Apr 29 08:07:05 2015
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 10:07:05 +0200 Subject: [Freeipa-devel] [PATCHES 0231-0232] Server Upgrade: support base64 encoded values in update files + remove CSV In-Reply-To: <553E4BD7.4010707@redhat.com> References: <552FD1C0.2040104@redhat.com> <5538D21A.8040000@redhat.com> <553E1802.8050409@redhat.com> <553E4BD7.4010707@redhat.com> Message-ID: <55409129.8020606@redhat.com> Dne 27.4.2015 v 16:46 Martin Basti napsal(a): > On 27/04/15 13:05, Martin Basti wrote: >> On 23/04/15 13:06, Martin Basti wrote: >>> On 16/04/15 17:14, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/4984 >>>> >>>> I had to remove CSV (which is evil) to be able to fix this ticket. >>>> >>>> Patches attached. >>>> >>>> >>>> >>> Updated patches attached. >>> >>> -- >>> Martin Basti >>> >>> >> Rebased patches attached. >> >> -- >> Martin Basti >> >> > rebased patches attached > > -- > Martin Basti > > > ACK on patch 231. BTW I have found a 7 year old bug caused by CSV while reviewing it: . There is also a similar git-only bug in install/updates/10-uniqueness.update: default:uniqueness-subtrees: 'cn=accounts,$SUFFIX' default:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' but your patch fixes it. I will review patch 232 later. Honza -- Jan Cholasta From Duncan.Innes at virginmoney.com Wed Apr 29 08:18:35 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Wed, 29 Apr 2015 09:18:35 +0100 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <553FCC75.9060508@redhat.com> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> <553FCC75.9060508@redhat.com> Message-ID: <56343345B145C043AE990701E3D193950478E5A5@EXVS2.nrplc.localnet> On 28/04/2015 19:08 PM, Young, Adam wrote: > > I think I am in alignment with what you are saying. > > I like rsyslogd as the basic "ship the log off the server" tool. Let's use what the platform supports first > natively and foremost; We want something native, not Ruby, not even Python if we can avoid it, for the normal > case. Bumping up to logstash for more complex host-side rules might be fine. Remember, the Hosts side of > integration with FreeIPA is sssd. > > Logstash can be the server side of the audit collection as well, and then it puts fewer demands on the server. > > We need to ensure that the audit data can be sent over a GSSAPI protected pathway. Absolutely - this is something I need to get round to. Concentrated on getting the data back and in a good state for a start. Figured I'd get round to securing stuff at a later point. > On the IPA side, I would think we would register the audit server as a host, and have specific service entries > for the protocols supported. > > Would you see IPA owning the audit server, or just integrating in with an existing one? I've built mine completely separately and then brought them closer together by running Logstash on the IPA server. Not sure if there should be an exclusive ownership going on. IPA could create an initial setup, but there's huge room for creating more complex systems that IPA might want to leave well alone. > I don't think the IPA server itself should be the ELK server for obvious reasons. I would love to see the ELK > server supported along the lines of how we do a replica setup. ELK is trivial to set up as a simple cluster.
It gets more complicated to do it "properly", but what I've got going at the moment fits along the trivial lines, but provides an extremely robust database. This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482). For further details of Virgin Money group companies please visit our website at virginmoney.com From lkrispen at redhat.com Wed Apr 29 09:18:13 2015 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 29 Apr 2015 11:18:13 +0200 Subject: [Freeipa-devel] [PATCH] manage replication topology in the shared tree In-Reply-To: <553DF0C6.30403@redhat.com> References: <552B84C5.80300@redhat.com> <553522A2.9090007@redhat.com> <55360F10.7010804@redhat.com> <553DF0C6.30403@redhat.com> Message-ID: <5540A1D5.2000301@redhat.com> Hi, thanks again, so there is some work to do, but see some answers inline On 04/27/2015 10:18 AM, thierry bordaz wrote: > On 04/21/2015 10:49 AM, Ludwig Krispenz wrote: >> >> On 04/20/2015 06:00 PM, thierry bordaz wrote: >>> On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: >>>> Hi, >>>> >>>> in the attachment you find the latest state of the "topology >>>> plugin", it implements what is defined in the design page: >>>> http://www.freeipa.org/page/V4/Manage_replication_topology (which >>>> is also waiting for a reviewer) >>>> >>>> It contains the plugin itself and a core of ipa commands to manage >>>> a topology. to be really applicable, some work outside is required, >>>> eg the management of the domain level and a decision where the >>>> binddn group should be maintained. >>>> >>>> Thanks, >>>> Ludwig >>>> >>>> >>> Hello Ludwig, >>> >>> Quite long review to do. So far I only looked at the startup phase >>> and I have only a few questions and comments. >> Thanks for your time, and I'm looking forward to your review of the >> other parts, you raise some valid points. >> I'll try to answer some of them inline, but will integrate some into >> a next version of the patch >>> >>> In ipa_topo_start, do you need to get argc/argv as you are not using >>> plugin-argxx attributes ? >> no. It was a leftover from a "standard" plugin >>> >>> >>> topo_plugin_conf configuration parameters are not freed when the >>> plugin is closed. Is it closed only at shutdown ? >>> Also I would initialize it to {NULL}.
>> So far it is not planned to be dynamic, but I will address the memory >> management >>> >>> In case the config does not contain any >>> nsslapd-topo-plugin-shared-replica-root, I wonder if >>> ipa_topo_apply_shared_config may crash as shared_replica_root will >>> be NULL. >>> or at least in >>> ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf. >>> >>> Also if nsslapd-topo-plugin-shared-replica-root contains an invalid >>> root suffix (typo), topoRepl remains NULL and >>> ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash. >> for the two comments above, I was assuming that plugin conf and >> shared tree would be setup by ipa tools and server setup, so assuming >> only valid data, but you are right, checking for bad data doesn't hurt. >>> >>> In ipa_topo_util_segment_from_entry, if the config entry has no >>> direction/left/right it will crash. Shouldn't it return an error if >>> the config is invalid. >> adding a segment should be done with the ipa command 'ipa >> topologysegment-add ...' and this always provides a direction (param >> or default). If you try to add a segment directly, direction is a >> required attribute of the segment objectclass, so it should be rejected. >>> >>> The update of domainLevel may start the plugin. If two mods update >>> the domainLevel they could be done in parallel. >> yes :-( >>> >>> >>> In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no >>> segment it deletes the agreement. >>> Is it possible there is a segment but no agmnt ? For example, if the >>> server were stopped or crashed after the segment was created but >>> before the local config was updated.
>> then it should be created from the segment >>> >>> >>> Hosts are taken from shared config tree (cn=masters,), is it >>> possible to have a replica agreement to a host that is not under >>> 'cn=masters,' >> yes, it will be ignored by the plugin >>> >>> >>> thanks >>> thierry >>> >> > > > Hi Ludwig, > > I continued the review of the design/topology plugin code. This is > really an interesting plugin but unfortunately I have not yet reviewed > all the parts. > > I went through the design and digging the related parts in the code. > So far I need to review the rest starting at > http://www.freeipa.org/page/V4/Manage_replication_topology#connectivity_management. > > I think I did ~50% design but may be more than 50% of the code. > > Here are additional points: > > > in ipa_topo_set_domain_level, you may record the new Domain level > value as FATAL (it is already recorded in case of online import) > this just records the actual domain level, I don't think we need to log it every time, only if it is changed should be sufficient (to verify) > > > ipa_topo_be_state_change is called for any backend going online. > Domain level and start should be done only for a backend mapping a > shared-replica-root. > yes, the comment is already there, but the actual check isn't, so it would be recreated at online init of any backend, think it is not too bad, but will change it > > Also the plugin can be started many times (each online init), > ipa_topo_util_start is not protected by a lock > Some fields will leak (in ipa_topo_init_shared_config) > Also I wonder if you reinit several times the same replica-root, > its previous config will leak. (replica->repl_segments) > you shouldn't :-), but needs to be made safer > > > In ipa_topo_apply_shared_replica_config, > I do not see where replica_config is kept (leak ?)
> it is created and set to the shared_conf data, but if it already exists, it will leak (that's probably the case above), it should be freed when the plugin is stopped > > > ipa_topo_util_start/ipa_topo_apply_shared_config is called at > startup or during online-init. > For online-init, if the plugin was already active, what is the > need of calling ipa_topo_util_start ? > you don't know if the data in the shared tree are the same as before > > For online-init, It initializes all the replica-root. Could it > init only the reinitialized replica-root ? > yes, it could (should). > > > in > http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_database, > it mentions ipaReplTopoConfigMaster. > Is it implemented ? > it is there as a concept, not completed > > > in > http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_segment, > what happens if a server under cn=masters is removed ? > for all its managed suffixes, the marked segments connecting it are removed, the ldap principal is removed from the binddn groups > > > in > http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_example. > There is a segment cn=111_to_102. For example it was created by > vm-111 when topology plugin starts with 'dc=example,dc=com' . > What prevents vm-102 topology plugins to create the segment > cn=102_to_111 ? > the pre add check should prevent this, but if you do it simultaneously, two segments will be added and one will be ignored when the internal segments are updated (double check) > > > in ipa_topo_post_mod. > Is it 100% that if we have 'cn=replica > example,cn=topology,dc=example,dc=com' then the related > config exists in topo_shared_conf.replicas. > In ipa_topo_util_get_replica_conf, it is looking like the entry > can exist before the related config is added.
> In that case when modifying a segment > ipa_topo_util_get_conf_for_segment will return 'tconf' config that > is not linked in topo_shared_conf.replicas tconf will leak and I > am unsure the post_mod is fully processed. > > In ipa_topo_post_mod > in ipa_topo_util_segment_update if the > segment.ipaReplTopoSegmentDirection was "none" and MOD set it to > "both", segment->right/left are not set but it is said to be > bidirectional > I'm no longer sure if we have a valid scenario, need to think about it again > > > ipaReplTopoSegmentStatus: can not find it in the design > it was forgotten when the method to mark agreements was last changed :-) > > > in ipa_topo_util_existing_agmts_update, my understanding is that a > host only updates its local replica agreement. > those are the only agreements it can update with internal ops > > So even if the segment update is replicated, other hosts will not > skip updates where ->origin is not themself. > you mean will skip/ignore ? > > I think you may add a comment about this as it looks an important > thing. > Also I did not find this comment in the design but may be I missed it. > ok > > > in ipa_topo_util_existing_agmts_update, it applies the mods on > left or on right. That means we do not support several instances > on the same machine. I also missed that point in the design. > > in ipa_topo_agmt_mod, it does nothing when deleting a managed > attribute ? > > in ipa_topo_agmt_mod, if update of the replica agreement fails > (ipa_topo_agreement_dn or ipa_topo_util_modify) you may log a message > > in ipa_topo_agmt_mod, if the mod is not related to any managed > attribute, there is no replica agreement update but the 'dn' is > not freed. > > in ipa_topo_post_mod, I do not see 'domainLevel' in the schema. Is > it stored in an extensible object ? > the mod of an agreement via the plugin was a bit neglected in my tests, will check again and answer later > > > -------------- next part -------------- An HTML attachment was scrubbed...
URL: From Duncan.Innes at virginmoney.com Wed Apr 29 09:30:34 2015 From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Wed, 29 Apr 2015 10:30:34 +0100 Subject: [Freeipa-devel] Suggestion for the A part of IPA In-Reply-To: <55407D25.9030505@redhat.com> References: <56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet> <55407D25.9030505@redhat.com> Message-ID: <56343345B145C043AE990701E3D193950478E5A6@EXVS2.nrplc.localnet> -----Original Message----- 
From: Martin Kosek [mailto:mkosek at redhat.com] Sent: 29 April 2015 07:42 To: Innes, Duncan; freeipa-devel at redhat.com Subject: Re: [Freeipa-devel] Suggestion for the A part of IPA > On 04/28/2015 05:58 PM, Innes, Duncan wrote: > > Folks, > > > > The A part of IPA has always been of great interest to me. Our > > current IPA infrastructure works well at the I & P parts, giving us > > great failover abilities and connectivity through hardware firewalls > > without punching too many holes. > > Good to hear :-) We recently also started investigating the Audit > capabilities for (notice I write "for" and not "in") IPA. You can check > my initial nudge to the freeipa-users list, which was unfortunately > with no reply: > > https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html > > For the beginning, I would be interested for your use cases, if you are > only looking for a centralized log store, or you are also looking for > more analytics in the logs (like what API commands were run, user > logins, etc.) or utilization of the server core services > (LDAP/Kerberos/DNS/...) I'm actually interested in both pieces. It started off as generic centralised logging, but when I moved from plain rsyslog data to sending JSON formatted data I started getting richer and richer data. I got the IPA servers sending their dirsrv access and error logs back by using rsyslog's imfile module. http://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana This isn't too good, however, as imfile polls on an interval with my version of rsyslog7 and IPA logs are written only with HH:MM:SS level accuracy. (I'm sure there was a ticket to increase timestamp resolution, but I can't find it right now) But now I've got a load of the IPA logs back centrally, I'm beyond my own abilities in parsing much good stuff out of it. I haven't even parsed it out into any key:value pairs yet - which would be a big boost to ELK Searching on it.
> > Whilst the A part may not be solely about centralised logging, it's > > the thing I've been looking into recently. To do this I've built a > > setup around the ELK stack using a pair of Logstash servers and an > > ElasticSearch cluster of 5 servers (overkill on the ES side perhaps, > > but this is proof of concept still). To expand on this, I've been > > looking at running the Logstash service on each of our IPA servers as > > that gives us a failover pair in each part of our network. The > > Logstash servers then connect to the ES cluster as non-data nodes. > > Each client has an > > rsyslog7 (still using RHEL6 at the moment) config that sends > > the logs in JSON format with some extra bespoke fields added (such as > > Project, Environment, and Use to help us search better). The sending > > is done in rsyslog's rather clunky failover method to the local pair > > of Logstash servers (with a third failover being to /dev/null). > > Ah, so you are running Logstash service on each IPA service? Isn't that > too heavyweight? In our tests, we mostly simply wanted to just configure > rsyslog and get the logs out of the server, to the centralized > ELK/REK/EFK servers which did the heavy lifting. After all, the IPA > servers may be of different environments (Fedora, RHEL, CentOS, ...) > and with different versions of the log processing software. The Logstash servers really don't produce much load on our systems. I expected them to, but it didn't materialise. The load may be lighter due to me using rsyslog templates to send the logs pre-formatted as JSON? > On the REK server (yes, we did not use logstash at the POC), we are able > to process the logs (make them structured), store and display them. This > allows us to do searches like "list of admins which added users in the last > month". > > This of course required adding parsing rules to rsyslog to get the > structure out of the API logs.
Are you using logstash for the parsing or > did you not start the parsing part yet? No parsing of the dirsrv logs yet. I've been concentrating on pushing the whole centralised logging issue from PoC to Production so far. The IPA logs were a side-issue for us, but it's definitely something that would help if I could get them properly structured. > > It struck me that this kind of setup might not be too far removed from > > some of the A part of IPA. > > The centralized log processing itself is too big a task for IPA itself, > it is specialized on other things. But some integration should be added > in time, I agree. It may be minimal, from top of my head for example: > > * Support of (rsyslog) configuration in ipa-client-install or > ipa-server-install > * Providing the secure, GSSAPI-based log transfer to the IPA clients and > ELK/REK/EFK server > * Providing parsing templates for rsyslog or base queries for Kibana That sounds the right way to start for sure. I've also been tracking journalctl's ability to send logs to an ELK setup. This is already looking to be a much simpler setup once a few issues are cleared up. > > I'm not good at ASCII flowchart diagrams, so will leave it there for > > now. The main point of this - does any of this idea sound reasonable > > to add in to FreeIPA? To me it sounds like a good fit for getting > > (some) logging data back to a central point. > > > > The Logstash indexers currently have a very low load (perhaps due to > > the incoming data already being JSON) and small memory footprint. > > They run without issue on our IPA servers. The ES nodes are different > > and I won't pretend to be any sort of expert in what they do. They > > load up a bit when I shut 1 of them down, but that's the rebalancing happening. > > > > Apologies if this is off topic, or wide of the mark. > > > > Cheers > > > > Duncan Innes > > This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.
From mbasti at redhat.com Wed Apr 29 10:15:45 2015
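The thread above stops at "I haven't even parsed it out into any key:value pairs yet", which is exactly the step that turns shipped dirsrv access logs into something ELK can search. The following is an added example, not code from the thread or from the FreeIPA project: a small parser that turns 389-ds access log records into dictionaries (ready for JSON shipping) and then correlates BIND and RESULT records on (conn, op) to count failed binds per client address. The sample lines are constructed by me in the 389-ds access log layout as I understand it (bracketed timestamp, then key=value fields, with the operation keyword after op=N); the field names and the reading of err=49 as an invalid-credentials result are my assumptions, not facts stated in the thread.

```python
import json
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the 389-ds access log layout (assumption: not from the thread).
SAMPLE_LINES = [
    '[29/Apr/2015:10:15:45 +0200] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=sasl version=3 mech=GSSAPI',
    '[29/Apr/2015:10:15:45 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"',
    '[29/Apr/2015:10:15:46 +0200] conn=12 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid cn"',
    '[29/Apr/2015:10:15:46 +0200] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[29/Apr/2015:10:15:47 +0200] conn=13 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1',
    '[29/Apr/2015:10:15:48 +0200] conn=13 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3',
    '[29/Apr/2015:10:15:48 +0200] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[29/Apr/2015:10:15:49 +0200] conn=13 op=1 UNBIND',
    'this line is not an access log record',
]

# Bracketed timestamp, then everything else.
_TS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$')
# key=value where the value is either a double-quoted string (quotes stripped) or a bare token.
# Quoted values such as dn="uid=admin,..." are consumed whole, so the '=' inside them is not re-split.
_KV_RE = re.compile(r'(?P<key>[A-Za-z_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# Operation keywords that appear as bare tokens after op=N.
_OPS = {"BIND", "UNBIND", "SRCH", "RESULT", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}
ERR_INVALID_CREDENTIALS = 49  # assumption: LDAP invalidCredentials result code


def parse_timestamp(ts: str) -> datetime:
    # '29/Apr/2015:10:15:45 +0200'; %z takes the numeric offset.
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parse_access_line(line: str) -> Optional[dict]:
    """Return a flat dict for one access log record, or None for a line that is not a record."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    event = {"timestamp": parse_timestamp(m.group("ts")).isoformat()}
    # Connection records carry the client address; keep it under a stable key.
    cm = re.search(r'connection from (\S+) to (\S+)', rest)
    if cm:
        event["op_type"] = "CONNECT"
        event["client_ip"], event["server_ip"] = cm.group(1), cm.group(2)
    for kv in _KV_RE.finditer(rest):
        val = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        event[kv.group("key")] = int(val) if val.isdigit() else val
    for tok in rest.split():
        if tok in _OPS:
            event["op_type"] = tok
            break
    return event


def to_json(line: str) -> Optional[str]:
    """JSON form of one record, the shape a Logstash/ES pipeline would ingest."""
    event = parse_access_line(line)
    return None if event is None else json.dumps(event, sort_keys=True)


def failed_binds_by_client(lines: List[str]) -> Dict[str, int]:
    """Correlate BIND with its RESULT on (conn, op) and count invalid-credentials results per client IP."""
    conn_ip: Dict[int, str] = {}
    pending_bind: Dict[Tuple[int, int], str] = {}
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_access_line(line)
        if ev is None:
            continue
        op_type = ev.get("op_type")
        if op_type == "CONNECT":
            conn_ip[ev["conn"]] = ev["client_ip"]
        elif op_type == "BIND":
            pending_bind[(ev["conn"], ev["op"])] = ev.get("dn", "")
        elif op_type == "RESULT":
            key = (ev["conn"], ev["op"])
            if key in pending_bind and ev.get("err") == ERR_INVALID_CREDENTIALS:
                ip = conn_ip.get(ev["conn"], "unknown")  # no CONNECT seen, e.g. log rotated mid-session
                counts[ip] = counts.get(ip, 0) + 1
            pending_bind.pop(key, None)
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_json(sample))
    print("failed binds per client:", failed_binds_by_client(SAMPLE_LINES))
```

Because the parser emits plain key/value pairs, the same records can be handed to an rsyslog JSON template or to Logstash without a second grok stage, and the BIND/RESULT join shows why the conn/op pair, not the timestamp (which the thread notes has only second resolution), is the right correlation key.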
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Apr 2015 12:15:45 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <55407FC7.1060502@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> Message-ID: <5540AF51.7070906@redhat.com> On 29/04/15 08:52, Jan Cholasta wrote: > Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): >> On 04/29/2015 07:34 AM, Jan Cholasta wrote: >>> Dne 27.4.2015 v 18:23 David Kupka napsal(a): >>>> On 04/27/2015 04:45 PM, Martin Basti wrote: >>>>> On 27/04/15 13:38, Martin Basti wrote: >>>>>> On 23/04/15 12:55, Martin Basti wrote: >>>>>>> On 21/04/15 10:31, Martin Basti wrote: >>>>>>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>>>>>> >>>>>>>>>> Patches attached. >>>>>>>>>> >>>>>>>>>> Also ipa-upgradeconfig part is called as a subprocess. This >>>>>>>>>> will be >>>>>>>>>> removed after installer modifications. >>>>>>>>>> >>>>>>>>>> This patch may cause temporal upgrade issues (corner cases), >>>>>>>>>> until >>>>>>>>>> installer part will be finished. >>>>>>>>>> >>>>>>>>>> If somebody will be hit by them, please use >>>>>>>>>> --skip-version-check for >>>>>>>>>> ipactl and ipa-server-upgrade. >>>>>>>>> >>>>>>>>> Regarding that option vs. --force: I think the common >>>>>>>>> assumption is >>>>>>>>> that --force ignores *all* non-fatal errors, but you break that >>>>>>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>>>>>> service startup *and* skip version check, and a new option should >>>>>>>>> be added to just ignore errors in service startup (e.g. 
>>>>>>>>> --ignore-service-failures). >>>>>>>> Originally I used --force option to skip detection, but there was >>>>>>>> objections against it on list. >>>>>>>> >>>>>>>> However, to have option --force, which set true for both >>>>>>>> --ignore-service-failures and --skip-version-check options, >>>>>>>> might be >>>>>>>> better. >>>>>>>> >>>>>>>>> >>>>>>>>> ipa-server-upgrade should probably also have --force, even if it >>>>>>>>> does the same thing as --skip-version-check, again because >>>>>>>>> --force >>>>>>>>> is common. >>>>>>>>> >>>>>>>>> >>>>>>>>> This is a weird API: >>>>>>>>> >>>>>>>>> + if data_upgrade.badsyntax: >>>>>>>>> + raise admintool.ScriptError( >>>>>>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>>>>>> + elif data_upgrade.upgradefailed: >>>>>>>>> + raise admintool.ScriptError('IPA upgrade >>>>>>>>> failed.', 1) >>>>>>>>> + elif data_upgrade.modified: >>>>>>>>> + self.log.info('Data update complete') >>>>>>>>> + else: >>>>>>>>> + self.log.info('Data update complete, no data were >>>>>>>>> modified') >>>>>>>>> >>>>>>>>> Why does not IPAUpgrade raise errors instead? >>>>>>>>> >>>>>>>> For historical reasons, I can investigate what would break this >>>>>>>> change, I will send it in separate patch. >>>>>>>>> >>>>>>>>> +class IPAVersionError(Exception): >>>>>>>>> + pass >>>>>>>>> + >>>>>>>>> +class PlatformMismatchError(IPAVersionError): >>>>>>>>> + pass >>>>>>>>> + >>>>>>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>>>>>> + pass >>>>>>>>> + >>>>>>>>> +class DataInNewerVersionError(IPAVersionError): >>>>>>>>> + pass >>>>>>>>> >>>>>>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>>>>>> much about what kind of version is that. Also data version errors >>>>>>>>> should only tell you what is wrong, not how you fix it. IMO >>>>>>>>> better >>>>>>>>> names for these would be e.g. "UpgradeVersionError", >>>>>>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>>>>>> "UpgradeDataNewerVersionError". 
Similar for store_ipa_version and >>>>>>>>> check_ipa_version. >>>>>>>>> >>>>>>>> Ok. >>>>>>>>> >>>>>>>>> Why is it not an error if there is no version in >>>>>>>>> check_ipa_version? >>>>>>>>> IMO it should, even if you then ignore the exception most of the >>>>>>>>> time. >>>>>>>> I can raise error in that case and ignore the exception. >>>>>>>>> >>>>>>>>> >>>>>>>>> Honza >>>>>>>>> >>>>>>>> Martin^2 >>>>>>>> >>>>>>> Updated patches attached. >>>>>>> >>>>>>> >>>>>>> >>>>>> Updated patches attached >>>>>> >>>>>> -- >>>>>> Martin Basti >>>>>> >>>>>> >>>>> >>>>> Updated patch attached >>>>> >>>> >>>> Looks good to me and works as expected. Honza, are you OK with the >>>> patches? >>>> >>> >>> Some nitpicks: >>> >>> The command line tool class should be named "ServerUpgrade" rather than >>> "IPAServerUpgrade" for consistency with others. >>> >>> The deprecated --debug option should not be used in new commands. >> >> Why is --debug option deprecated? I thought we wanted to deprecate >> --verbose >> option as --debug is used in most our CLI tools. Well, except >> ipa-ldap-updated >> which for some reasons marks --debug as deprecated. It does not >> matter now, >> given the command is removed/changed. > > AdminTool provides --debug as a deprecated alias for --verbose when a > subclass requests it. It seems the decision to deprecate --debug was > already made back when AdminTool was introduced, so let's trust that > decision. > Yes that is reason. I will update design as well -- Martin Basti From mbasti at redhat.com Wed Apr 29 10:18:54 2015 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Apr 2015 12:18:54 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <55406D5E.8090207@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> Message-ID: <5540B00E.2030700@redhat.com> On 29/04/15 07:34, Jan Cholasta wrote: > Dne 27.4.2015 v 18:23 David Kupka napsal(a): >> On 04/27/2015 04:45 PM, Martin Basti wrote: >>> On 27/04/15 13:38, Martin Basti wrote: >>>> On 23/04/15 12:55, Martin Basti wrote: >>>>> On 21/04/15 10:31, Martin Basti wrote: >>>>>> On 21/04/15 08:12, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Dne 15.4.2015 v 16:26 Martin Basti napsal(a): >>>>>>>> https://fedorahosted.org/freeipa/ticket/4904 >>>>>>>> >>>>>>>> Patches attached. >>>>>>>> >>>>>>>> Also ipa-upgradeconfig part is called as a subprocess. This >>>>>>>> will be >>>>>>>> removed after installer modifications. >>>>>>>> >>>>>>>> This patch may cause temporal upgrade issues (corner cases), until >>>>>>>> installer part will be finished. >>>>>>>> >>>>>>>> If somebody will be hit by them, please use >>>>>>>> --skip-version-check for >>>>>>>> ipactl and ipa-server-upgrade. >>>>>>> >>>>>>> Regarding that option vs. --force: I think the common assumption is >>>>>>> that --force ignores *all* non-fatal errors, but you break that >>>>>>> assumption in ipactl. IMO --force should both ignore errors in >>>>>>> service startup *and* skip version check, and a new option should >>>>>>> be added to just ignore errors in service startup (e.g. >>>>>>> --ignore-service-failures). >>>>>> Originally I used --force option to skip detection, but there was >>>>>> objections against it on list. 
>>>>>> >>>>>> However, to have option --force, which set true for both >>>>>> --ignore-service-failures and --skip-version-check options, might be >>>>>> better. >>>>>> >>>>>>> >>>>>>> ipa-server-upgrade should probably also have --force, even if it >>>>>>> does the same thing as --skip-version-check, again because --force >>>>>>> is common. >>>>>>> >>>>>>> >>>>>>> This is a weird API: >>>>>>> >>>>>>> + if data_upgrade.badsyntax: >>>>>>> + raise admintool.ScriptError( >>>>>>> + 'Bad syntax detected in upgrade file(s).', 1) >>>>>>> + elif data_upgrade.upgradefailed: >>>>>>> + raise admintool.ScriptError('IPA upgrade failed.', 1) >>>>>>> + elif data_upgrade.modified: >>>>>>> + self.log.info('Data update complete') >>>>>>> + else: >>>>>>> + self.log.info('Data update complete, no data were >>>>>>> modified') >>>>>>> >>>>>>> Why does not IPAUpgrade raise errors instead? >>>>>>> >>>>>> For historical reasons, I can investigate what would break this >>>>>> change, I will send it in separate patch. >>>>>>> >>>>>>> +class IPAVersionError(Exception): >>>>>>> + pass >>>>>>> + >>>>>>> +class PlatformMismatchError(IPAVersionError): >>>>>>> + pass >>>>>>> + >>>>>>> +class DataUpgradeRequiredError(IPAVersionError): >>>>>>> + pass >>>>>>> + >>>>>>> +class DataInNewerVersionError(IPAVersionError): >>>>>>> + pass >>>>>>> >>>>>>> I don't like the "IPA" in "IPAVersionError", it does not tell you >>>>>>> much about what kind of version is that. Also data version errors >>>>>>> should only tell you what is wrong, not how you fix it. IMO better >>>>>>> names for these would be e.g. "UpgradeVersionError", >>>>>>> "UpgradePlatformError", "UpgradeDataOlderVersionError", >>>>>>> "UpgradeDataNewerVersionError". Similar for store_ipa_version and >>>>>>> check_ipa_version. >>>>>>> >>>>>> Ok. >>>>>>> >>>>>>> Why is it not an error if there is no version in check_ipa_version? >>>>>>> IMO it should, even if you then ignore the exception most of the >>>>>>> time. 
>>>>>> I can raise error in that case and ignore the exception. >>>>>>> >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> Martin^2 >>>>>> >>>>> Updated patches attached. >>>>> >>>>> >>>>> >>>> Updated patches attached >>>> >>>> -- >>>> Martin Basti >>>> >>>> >>> >>> Updated patch attached >>> >> >> Looks good to me and works as expected. Honza, are you OK with the >> patches? >> > > Some nitpicks: > > The command line tool class should be named "ServerUpgrade" rather > than "IPAServerUpgrade" for consistency with others. > > The deprecated --debug option should not be used in new commands. > > I would like to see --skip-version-check also in ipa-server-upgrade, > for consistency with ipactl. > > In the spec file ipa-server-upgrade is run with --quiet, so why > redirect stdout to /dev/null? > Because --quiet is not quiet enough. It prints upgrade steps to stdout.
ipa-server-upgrade --quiet
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
IPA upgrade failed.
-- Martin Basti From tbabej at redhat.com Wed Apr 29 10:28:10 2015
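The two ipa-server-upgrade threads above argue over three design points: the exception names (Honza's suggested UpgradeVersionError family instead of IPAVersionError), whether a missing stored version should be an error that callers then ignore, and what --force should imply in ipactl versus --skip-version-check. The block below is an added example written for this page, not the FreeIPA patches under review: it sketches the version gate with the names Honza proposed so the three decisions can be seen together. UpgradeVersionMissingError and StoredVersion are my own hypothetical names, the dotted numeric version format and the platform being a plain string are assumptions, and the ipactl/ipa-server-upgrade callers are simplified to return values rather than start services.

```python
import re
from typing import NamedTuple, Optional, Tuple


class UpgradeVersionError(Exception):
    """Base class for any mismatch between stored data and installed code."""


class UpgradePlatformError(UpgradeVersionError):
    """Data was written on a different platform than the code now running."""


class UpgradeDataOlderVersionError(UpgradeVersionError):
    """Stored data predates the installed code: a data upgrade is required."""


class UpgradeDataNewerVersionError(UpgradeVersionError):
    """Stored data comes from newer code than what is installed."""


class UpgradeVersionMissingError(UpgradeVersionError):
    """No version recorded at all (hypothetical name; the thread only says this should be an error)."""


class StoredVersion(NamedTuple):
    version: str    # e.g. "4.1.4" (assumed dotted numeric format)
    platform: str   # e.g. "fedora" (assumed plain string)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version string, so '4.10.0' sorts after '4.9.2' (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_version(stored: Optional[StoredVersion], code_version: str, code_platform: str) -> None:
    """Raise the specific UpgradeVersionError describing what is wrong; return None when data matches code."""
    if stored is None:
        raise UpgradeVersionMissingError("no data version recorded")
    if stored.platform != code_platform:
        raise UpgradePlatformError(f"data platform {stored.platform!r} != code platform {code_platform!r}")
    s, c = version_key(stored.version), version_key(code_version)
    if s < c:
        raise UpgradeDataOlderVersionError(f"data {stored.version} is older than code {code_version}")
    if s > c:
        raise UpgradeDataNewerVersionError(f"data {stored.version} is newer than code {code_version}")


def version_status(stored: Optional[StoredVersion], code_version: str, code_platform: str) -> str:
    """Name of the error check_version would raise, or 'ok'."""
    try:
        check_version(stored, code_version, code_platform)
    except UpgradeVersionError as exc:
        return type(exc).__name__
    return "ok"


def needs_data_upgrade(stored: Optional[StoredVersion], code_version: str, code_platform: str) -> bool:
    """ipa-server-upgrade view: older data means run the upgrade, matching data means nothing to do.
    Platform mismatch, newer data and a missing version propagate as errors: the tool must not guess."""
    try:
        check_version(stored, code_version, code_platform)
    except UpgradeDataOlderVersionError:
        return True
    return False


def start_decision(stored: Optional[StoredVersion], code_version: str, code_platform: str,
                   *, skip_version_check: bool = False) -> Tuple[bool, str]:
    """ipactl view: refuse to start services on any mismatch unless the check is explicitly skipped."""
    status = version_status(stored, code_version, code_platform)
    if status == "ok":
        return True, "ok"
    if skip_version_check:
        return True, f"{status} ignored by --skip-version-check"
    return False, status


def effective_options(force: bool = False, skip_version_check: bool = False,
                      ignore_service_failures: bool = False) -> dict:
    """--force implies both narrower switches, as proposed in the thread."""
    return {
        "skip_version_check": force or skip_version_check,
        "ignore_service_failures": force or ignore_service_failures,
    }


if __name__ == "__main__":
    stored = StoredVersion("4.1.4", "fedora")
    print("status:", version_status(stored, "4.2.0", "fedora"))
    print("needs upgrade:", needs_data_upgrade(stored, "4.2.0", "fedora"))
    print("ipactl:", start_decision(stored, "4.2.0", "fedora"))
    print("ipactl --force:", start_decision(stored, "4.2.0", "fedora", **{"skip_version_check": effective_options(force=True)["skip_version_check"]}))
```

The separation matters for the API complaint in the thread: check_version only reports, the two callers decide, so ipa-server-upgrade can treat "older" as its normal trigger while ipactl treats every mismatch as a stop unless the operator overrides it.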
From: tbabej at redhat.com (Tomas Babej) Date: Wed, 29 Apr 2015 12:28:10 +0200 Subject: [Freeipa-devel] [PATCHES 306-316] Automated migration tool from Winsync In-Reply-To: <55005D3C.5090304@redhat.com> References: <54FD8369.10803@redhat.com> <54FF0F46.3010109@redhat.com> <55005D3C.5090304@redhat.com> Message-ID: <5540B23A.9060404@redhat.com> On 03/11/2015 04:20 PM, Jan Cholasta wrote: > Hi, > > Dne 10.3.2015 v 16:35 Tomas Babej napsal(a): >> >> On 03/09/2015 12:26 PM, Tomas Babej wrote: >>> Hi, >>> >>> this couple of patches provides a initial implementation of the >>> winsync migration tool: >>> >>> https://fedorahosted.org/freeipa/ticket/4524 >>> >>> Some parts could use some polishing, but this is a sound foundation. >>> >>> Tomas >>> >>> >>> >> >> Attaching one more patch to the bundle. This one should make the winsync >> tool readily available after install. >> >> Tomas >> >> > > Nitpicks: > > The winsync_migrate module should be in ipaserver.install. Also I > don't see why it has to be a package when there is just one short file > in it. > > By convention, the AdminTool subclass should be named WinsyncMigrate, > or the tool should be named ipa-migrate-winsync. > > Honza > Updated patches attached. Tomas -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0306-2-winsync-migrate-Add-initial-plumbing.patch Type: text/x-patch Size: 5584 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0307-2-winsync-migrate-Add-a-way-to-find-all-winsync-users.patch Type: text/x-patch Size: 2161 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0308-2-migrate-winsync-Create-user-ID-overrides-in-place-of.patch Type: text/x-patch Size: 2405 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-tbabej-0309-2-migrate-winsync-Add-option-validation-and-handling.patch Type: text/x-patch Size: 2479 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0310-2-winsync-migrate-Move-the-api-initalization-and-LDAP-.patch Type: text/x-patch Size: 1929 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0311-2-dcerpc-Change-logging-level-for-debug-information.patch Type: text/x-patch Size: 1300 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0312-2-dcerpc-Add-debugging-message-to-failing-kinit-as-htt.patch Type: text/x-patch Size: 867 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0313-2-winsync-migrate-Require-root-privileges.patch Type: text/x-patch Size: 965 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0314-2-idviews-Do-not-abort-the-find-show-commands-on-conve.patch Type: text/x-patch Size: 1740 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0315-2-winsync-migrate-Require-explicit-specification-of-th.patch Type: text/x-patch Size: 3087 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0316-2-winsync-migrate-Delete-winsync-agreement-prior-to-mi.patch Type: text/x-patch Size: 2808 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-tbabej-0317-2-winsync-migrate-Rename-to-tool-to-achive-consistency.patch Type: text/x-patch Size: 2651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0318-2-winsync-migrate-Move-the-tool-under-ipaserver.instal.patch Type: text/x-patch Size: 1249 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0319-2-winsync-migrate-Include-the-tool-parts-in-Makefile-a.patch Type: text/x-patch Size: 1178 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0320-2-idviews-Fallback-to-AD-DC-LDAP-only-if-specifically-.patch Type: text/x-patch Size: 15625 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tbabej-0321-2-man-Add-manpage-for-ipa-winsync-migrate.patch Type: text/x-patch Size: 2340 bytes Desc: not available URL: From mkosek at redhat.com Wed Apr 29 10:39:49 2015 
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 29 Apr 2015 12:39:49 +0200
Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
In-Reply-To: <5540AF51.7070906@redhat.com>
References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> <5540AF51.7070906@redhat.com>
Message-ID: <5540B4F5.2060801@redhat.com>

On 04/29/2015 12:15 PM, Martin Basti wrote:
> On 29/04/15 08:52, Jan Cholasta wrote:
>> On 29.4.2015 at 08:45, Martin Kosek wrote:
>>> On 04/29/2015 07:34 AM, Jan Cholasta wrote:
...
>>>> The command line tool class should be named "ServerUpgrade" rather than
>>>> "IPAServerUpgrade" for consistency with others.
>>>>
>>>> The deprecated --debug option should not be used in new commands.
>>>
>>> Why is --debug option deprecated? I thought we wanted to deprecate --verbose
>>> option as --debug is used in most our CLI tools. Well, except ipa-ldap-updated
>>> which for some reasons marks --debug as deprecated. It does not matter now,
>>> given the command is removed/changed.
>>
>> AdminTool provides --debug as a deprecated alias for --verbose when a
>> subclass requests it. It seems the decision to deprecate --debug was already
>> made back when AdminTool was introduced, so let's trust that decision.
>>
> Yes that is reason.

No, it's not.

I will update design as well

Nope. This decision was never made this way, AFAIR. --debug is what all the
main tools (ipa-server-install, ipa-replica-install, ipa-client-install) use
and we never agreed that we want to change it.

In fact, I think I remember some discussion from Devconf.cz time, when we
mentioned that the ipa-ldap-updater has it the deprecated status wrong way,
that we want --debug.

CCing Simo since he may have been in the conversation.

From mbasti at redhat.com Wed Apr 29 10:50:18 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Apr 2015 12:50:18 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <5540B4F5.2060801@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> <5540AF51.7070906@redhat.com> <5540B4F5.2060801@redhat.com> Message-ID: <5540B76A.9020809@redhat.com> On 29/04/15 12:39, Martin Kosek wrote: > On 04/29/2015 12:15 PM, Martin Basti wrote: >> On 29/04/15 08:52, Jan Cholasta wrote: >>> Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): >>>> On 04/29/2015 07:34 AM, Jan Cholasta wrote: > ... >>>>> The command line tool class should be named "ServerUpgrade" rather than >>>>> "IPAServerUpgrade" for consistency with others. >>>>> >>>>> The deprecated --debug option should not be used in new commands. >>>> Why is --debug option deprecated? I thought we wanted to deprecate --verbose >>>> option as --debug is used in most our CLI tools. Well, except ipa-ldap-updated >>>> which for some reasons marks --debug as deprecated. It does not matter now, >>>> given the command is removed/changed. >>> AdminTool provides --debug as a deprecated alias for --verbose when a >>> subclass requests it. It seems the decision to deprecate --debug was already >>> made back when AdminTool was introduced, so let's trust that decision. >>> >> Yes that is reason. > No, it's not. > > I will update design as well > > Nope. This decision was never made this way, AFAIR. --debug is what all the > main tools (ipa-server-install, ipa-replica-install, ipa-client-install) use > and we never agreed that we want to change it. 
>
> In fact, I think I remember some discussion from Devconf.cz time, when we
> mentioned that the ipa-ldap-updater has it the deprecated status wrong way,
> that we want --debug. CCing Simo since he may have been in the conversation.

http://freeipa.org/page/V3/Logging_and_output

"In commands that currently have it, the `-d, --debug` option will become a
deprecated alias for --verbose."

--
Martin Basti

From mkosek at redhat.com Wed Apr 29 10:59:44 2015
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 12:59:44 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <5540B76A.9020809@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> <5540AF51.7070906@redhat.com> <5540B4F5.2060801@redhat.com> <5540B76A.9020809@redhat.com> Message-ID: <5540B9A0.2010006@redhat.com> On 04/29/2015 12:50 PM, Martin Basti wrote: > On 29/04/15 12:39, Martin Kosek wrote: >> On 04/29/2015 12:15 PM, Martin Basti wrote: >>> On 29/04/15 08:52, Jan Cholasta wrote: >>>> Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): >>>>> On 04/29/2015 07:34 AM, Jan Cholasta wrote: >> ... >>>>>> The command line tool class should be named "ServerUpgrade" rather than >>>>>> "IPAServerUpgrade" for consistency with others. >>>>>> >>>>>> The deprecated --debug option should not be used in new commands. >>>>> Why is --debug option deprecated? I thought we wanted to deprecate --verbose >>>>> option as --debug is used in most our CLI tools. Well, except >>>>> ipa-ldap-updated >>>>> which for some reasons marks --debug as deprecated. It does not matter now, >>>>> given the command is removed/changed. >>>> AdminTool provides --debug as a deprecated alias for --verbose when a >>>> subclass requests it. It seems the decision to deprecate --debug was already >>>> made back when AdminTool was introduced, so let's trust that decision. >>>> >>> Yes that is reason. >> No, it's not. >> >> I will update design as well >> >> Nope. This decision was never made this way, AFAIR. --debug is what all the >> main tools (ipa-server-install, ipa-replica-install, ipa-client-install) use >> and we never agreed that we want to change it. 
>>
>> In fact, I think I remember some discussion from Devconf.cz time, when we
>> mentioned that the ipa-ldap-updater has it the deprecated status wrong way,
>> that we want --debug. CCing Simo since he may have been in the conversation.
> http://freeipa.org/page/V3/Logging_and_output
>
> "In commands that currently have it, the `-d, --debug` option will become a
> deprecated alias for --verbose."

I see, I must have somehow missed that aspect of the miniframework. Well,
question is - is it really a good decision and thing we should do?

I.e. slowly moving towards --verbose option, deprecating --debug, given we use
--debug in most commands and people are using it? This could cause lot of
unnecessary churn in stable distributions that would wish to rebase to FreeIPA,
like CentOS or RHEL - and for what reason?

I will be against removing --debug option from the main commands unless there
is a very good reason and justification to do so.

Martin

From mkosek at redhat.com Wed Apr 29 11:22:54 2015
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 13:22:54 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <5540B9A0.2010006@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> <5540AF51.7070906@redhat.com> <5540B4F5.2060801@redhat.com> <5540B76A.9020809@redhat.com> <5540B9A0.2010006@redhat.com> Message-ID: <5540BF0E.7060206@redhat.com> On 04/29/2015 12:59 PM, Martin Kosek wrote: > On 04/29/2015 12:50 PM, Martin Basti wrote: >> On 29/04/15 12:39, Martin Kosek wrote: >>> On 04/29/2015 12:15 PM, Martin Basti wrote: >>>> On 29/04/15 08:52, Jan Cholasta wrote: >>>>> Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): >>>>>> On 04/29/2015 07:34 AM, Jan Cholasta wrote: >>> ... >>>>>>> The command line tool class should be named "ServerUpgrade" rather than >>>>>>> "IPAServerUpgrade" for consistency with others. >>>>>>> >>>>>>> The deprecated --debug option should not be used in new commands. >>>>>> Why is --debug option deprecated? I thought we wanted to deprecate --verbose >>>>>> option as --debug is used in most our CLI tools. Well, except >>>>>> ipa-ldap-updated >>>>>> which for some reasons marks --debug as deprecated. It does not matter now, >>>>>> given the command is removed/changed. >>>>> AdminTool provides --debug as a deprecated alias for --verbose when a >>>>> subclass requests it. It seems the decision to deprecate --debug was already >>>>> made back when AdminTool was introduced, so let's trust that decision. >>>>> >>>> Yes that is reason. >>> No, it's not. >>> >>> I will update design as well >>> >>> Nope. This decision was never made this way, AFAIR. 
>>> --debug is what all the
>>> main tools (ipa-server-install, ipa-replica-install, ipa-client-install) use
>>> and we never agreed that we want to change it.
>>>
>>> In fact, I think I remember some discussion from Devconf.cz time, when we
>>> mentioned that the ipa-ldap-updater has it the deprecated status wrong way,
>>> that we want --debug. CCing Simo since he may have been in the conversation.
>> http://freeipa.org/page/V3/Logging_and_output
>>
>> "In commands that currently have it, the `-d, --debug` option will become a
>> deprecated alias for --verbose."
>
> I see, I must somehow missed that aspect of the miniframework. Well, question
> is - is it really a good decision and thing we should do?
>
> I.e. slowly moving towards --verbose option, deprecating --debug, given we use
> --debug in most commands and people are using it? This could cause lot of
> unnecessary churn in stable distributions that would wish to rebase to FreeIPA,
> like CentOS or RHEL - and for what reason?
>
> I will be against removing --debug option from the main commands unless there
> is a very good reason and justification to do so.
>
> Martin

I talked to Martin in person. If --debug option is not removed and is kept in
the old commands and you really want to go with the --verbose option crusade, I
can live with it.

Martin

From pspacek at redhat.com Wed Apr 29 11:32:19 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Apr 2015 13:32:19 +0200
Subject: [Freeipa-devel] bind-dyndb-ldap meta-database design page
Message-ID: <5540C143.2050000@redhat.com>

Hello,

design page for bind-dyndb-ldap ticket #151 "Implement internal meta-database"
is now ready for review:
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/MetaDB

This feature does not have any user interface. It is just an auxiliary database
for internal purposes. The main goal is to have something extensible which can
cover all use-cases (listed in the design page).

Better ideas what to use instead of RBTDB or linked list (mentioned in
Implementation section) are more than welcome.

Have a nice day!

--
Petr^2 Spacek

From pspacek at redhat.com Wed Apr 29 12:27:06 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Apr 2015 14:27:06 +0200
Subject: [Freeipa-devel] behavior change in DNS dynamic updates: #155
Message-ID: <5540CE1A.7080305@redhat.com>

Hello,

I would like to discuss behavior change which is needed for fixing ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/155
"PTR record synchronization for A/AAAA record tuple can fail mysteriously"

Current behavior
================
Currently DNS clients receive SERVFAIL error if A/AAAA record is updated but
respective reverse zone is not configured on the same IPA server.
See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for details.


Change proposal
===============
It seems to me that #155 is not fixable without following behavior change:
Client will *not* receive an error if reverse zone is not configured.

Would it be okay to do this change and *do not report an error if respective
reverse zone is not configured*?

I think that it could be actually less confusing because it might be an
intentional configuration, too.

E.g. the IPA DNS server might be responsible only for 2 zones:
- example.com.
- 2.0.192.in-addr.arpa.
but it does not mean that the zone 'example.com.' cannot contain A/AAAA
records belonging to other reverse zones.

Currently any attempt to update A/AAAA record which does not belong to reverse
zone '2.0.192.in-addr.arpa.' ends with SERVFAIL message and terminates the
update prematurely.


Technical details
=================
BIND internally splits update message with multiple requests (e.g. request to
add multiple A/AAAA records) to steps where one step does 1 change in 1
resource record at a time. Our plugin can see only separate steps and not the
whole update message.

Failure in any step terminates the update completely, rest of the update
message is not processed and error is returned to the client. On the other
hand, we have no information beforehand if the currently processed step is the
last one or not so it is impossible to reliably implement 'this update is the
last one, report the error here' logic.

I do not see a way to change this without changes to BIND internals and IMHO
it is not worth the effort.


Thank you for your time!

--
Petr^2 Spacek

From ssorce at redhat.com Wed Apr 29 13:14:28 2015
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 29 Apr 2015 09:14:28 -0400
Subject: [Freeipa-devel] [PATCHES 0031-0032] set up a dedicated CCache file for Apache during install/upgrade
In-Reply-To: <5540886E.4050700@redhat.com>
References: <553FAA5D.8030705@redhat.com> <55408393.5060201@redhat.com> <5540886E.4050700@redhat.com>
Message-ID: <1430313268.13607.177.camel@willson.usersys.redhat.com>

On Wed, 2015-04-29 at 09:29 +0200, Martin Babinsky wrote:
> On 04/29/2015 09:09 AM, Martin Kosek wrote:
> > On 04/28/2015 05:42 PM, Martin Babinsky wrote:
> >> The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and
> >> implement the solution proposed in Comment 2.
> >>
> >> Please review the hell out of them.
> >
> > Why did you split the work in 2 patches? It looks like you first did the first
> > approach of modifying httpd.service and then changed your mind and did the
> > ipa-httpd.service approach (which is what we agreed to).
> >
> I was thinking about it as a two distinct operations (modify existing
> httpd.service to use KRB5CCNAME and rename httpd.service to
> ipa-httpd.service). But I can merge them if needed.
> > Also, shouldn't ipa-httpd.service be contained in the package itself, like
> > ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not
> > see any daemon-reload, so I am not sure if systemd would pick up the right
> > configuration in the first install.
> Martin^2 told me that generating service file from template is evil, so
> I will put the full service file into init/systemd directory so that it
> is already present in /etc/systemd/system after rpm install.
> >
> > Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service.
> > You chose "/tmp/ipa-httpd.ccache", is it the best approach CCACHE type/path we
> > should use? This is mostly question to Simo, his mod_auth_gssapi will consume
> > the ccache.
> >
> I will ask Simo if there is some preferred way to name CCache files.

After discussing with Martin I think we should have only one patch, which
should simply change the service unit name used on systemd systems, then
provide the new unit file ready made (and installed by RPMs directly).

The new unit file should basically just include the original httpd unit file
and set KRB5CCNAME to a default of /var/run/httpd/krb5ccache or similar.

We should avoid using /tmp if not necessary, even though in most systemd based
systems it is easy to have private /tmp and the default on Fedora I prefer to
avoid counting on it, as I am not sure what is the default in systems like
debian/ubuntu/suse etc..

For older sysv/rpm based systems we just need to change /etc/sysconfig/httpd
I guess.

Let's try to be consistent and use the same cache controlled by us on newer and
older systems alike.

Simo.

From dkupka at redhat.com Wed Apr 29 13:18:45 2015
From: dkupka at redhat.com (David Kupka)
Date: Wed, 29 Apr 2015 15:18:45 +0200
Subject: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater
In-Reply-To: <553F81A5.90800@redhat.com>
References: <552FD1C8.8030403@redhat.com> <553E66E7.6010107@redhat.com> <553F81A5.90800@redhat.com>
Message-ID: <5540DA35.5090300@redhat.com>

On 04/28/2015 02:48 PM, Martin Basti wrote:
> On 27/04/15 18:42, David Kupka wrote:
>> On 04/16/2015 05:14 PM, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4904
>>>
>>> Patch attached
>>>
>>>
>>>
>>
>> I guess the rest of the comment is also outdated. Can you update it, too?
>>
> Updated patch attached.
>
ACK.

--
David Kupka

From mbasti at redhat.com Wed Apr 29 13:27:54 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Apr 2015 15:27:54 +0200 Subject: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command In-Reply-To: <5540BF0E.7060206@redhat.com> References: <552E7527.9020306@redhat.com> <5535EA59.3060408@redhat.com> <55360AD4.1020703@redhat.com> <5538CFA9.9080700@redhat.com> <553E1FA8.8020503@redhat.com> <553E4B8E.6000103@redhat.com> <553E629B.3090809@redhat.com> <55406D5E.8090207@redhat.com> <55407E1B.5080904@redhat.com> <55407FC7.1060502@redhat.com> <5540AF51.7070906@redhat.com> <5540B4F5.2060801@redhat.com> <5540B76A.9020809@redhat.com> <5540B9A0.2010006@redhat.com> <5540BF0E.7060206@redhat.com> Message-ID: <5540DC5A.8000604@redhat.com> On 29/04/15 13:22, Martin Kosek wrote: > On 04/29/2015 12:59 PM, Martin Kosek wrote: >> On 04/29/2015 12:50 PM, Martin Basti wrote: >>> On 29/04/15 12:39, Martin Kosek wrote: >>>> On 04/29/2015 12:15 PM, Martin Basti wrote: >>>>> On 29/04/15 08:52, Jan Cholasta wrote: >>>>>> Dne 29.4.2015 v 08:45 Martin Kosek napsal(a): >>>>>>> On 04/29/2015 07:34 AM, Jan Cholasta wrote: >>>> ... >>>>>>>> The command line tool class should be named "ServerUpgrade" rather than >>>>>>>> "IPAServerUpgrade" for consistency with others. >>>>>>>> >>>>>>>> The deprecated --debug option should not be used in new commands. >>>>>>> Why is --debug option deprecated? I thought we wanted to deprecate --verbose >>>>>>> option as --debug is used in most our CLI tools. Well, except >>>>>>> ipa-ldap-updated >>>>>>> which for some reasons marks --debug as deprecated. It does not matter now, >>>>>>> given the command is removed/changed. >>>>>> AdminTool provides --debug as a deprecated alias for --verbose when a >>>>>> subclass requests it. It seems the decision to deprecate --debug was already >>>>>> made back when AdminTool was introduced, so let's trust that decision. >>>>>> >>>>> Yes that is reason. >>>> No, it's not. >>>> >>>> I will update design as well >>>> >>>> Nope. 
>>>> This decision was never made this way, AFAIR. --debug is what all the
>>>> main tools (ipa-server-install, ipa-replica-install, ipa-client-install) use
>>>> and we never agreed that we want to change it.
>>>>
>>>> In fact, I think I remember some discussion from Devconf.cz time, when we
>>>> mentioned that the ipa-ldap-updater has it the deprecated status wrong way,
>>>> that we want --debug. CCing Simo since he may have been in the conversation.
>>> http://freeipa.org/page/V3/Logging_and_output
>>>
>>> "In commands that currently have it, the `-d, --debug` option will become a
>>> deprecated alias for --verbose."
>> I see, I must somehow missed that aspect of the miniframework. Well, question
>> is - is it really a good decision and thing we should do?
>>
>> I.e. slowly moving towards --verbose option, deprecating --debug, given we use
>> --debug in most commands and people are using it? This could cause lot of
>> unnecessary churn in stable distributions that would wish to rebase to FreeIPA,
>> like CentOS or RHEL - and for what reason?
>>
>> I will be against removing --debug option from the main commands unless there
>> is a very good reason and justification to do so.
>>
>> Martin
> I talked to Martin in person. If --debug option is not removed and is kept in
> the old commands and you really want to go with the --verbose option crusade, I
> can live with it.
>
> Martin

Updated patches attached.

* Removed --debug version
* I also added log message that version check was skipped

--
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0227.6-Server-Upgrade-ipa-server-upgrade-command.patch
Type: text/x-patch
Size: 6808 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0228.6-Server-Upgrade-Verify-version-and-platform.patch Type: text/x-patch Size: 18243 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0229.6-Server-Upgrade-use-ipa-server-upgrade-in-RPM-upgrade.patch Type: text/x-patch Size: 996 bytes Desc: not available URL: From dkupka at redhat.com Wed Apr 29 13:40:27 2015 
From: dkupka at redhat.com (David Kupka)
Date: Wed, 29 Apr 2015 15:40:27 +0200
Subject: [Freeipa-devel] behavior change in DNS dynamic updates: #155
In-Reply-To: <5540CE1A.7080305@redhat.com>
References: <5540CE1A.7080305@redhat.com>
Message-ID: <5540DF4B.6020106@redhat.com>

On 04/29/2015 02:27 PM, Petr Spacek wrote:
> Hello,
>
> I would like to discuss behavior change which is needed for fixing ticket
> https://fedorahosted.org/bind-dyndb-ldap/ticket/155
> "PTR record synchronization for A/AAAA record tuple can fail mysteriously"
>
> Current behavior
> ================
> Currently DNS clients receive SERVFAIL error if A/AAAA record is updated but
> respective reverse zone is not configured on the same IPA server.
> See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for details.
>
>
> Change proposal
> ===============
> It seems to me that #155 is not fixable without following behavior change:
> Client will *not* receive an error if reverse zone is not configured.
>
> Would it be okay to do this change and *do not report an error if respective
> reverse zone is not configured*?

Yes. Client has always chance to check if the reverse records were created or
not. Additionally client only tries to add A/AAAA records and doesn't know if
there are any reverse zones or not.

>
>
> I think that it could be actually less confusing because it might be an
> intentional configuration, too.
>
> E.g. the IPA DNS server might be responsible only for 2 zones:
> - example.com.
> - 2.0.192.in-addr.arpa.
> but it does not mean that the zone 'example.com.' cannot contain A/AAAA
> records belonging to other reverse zones.
>
> Currently any attempt to update A/AAAA record which does not belong to reverse
> zone '2.0.192.in-addr.arpa.' ends with SERVFAIL message and terminates the
> update prematurely.
>
>
> Technical details
> =================
> BIND internally splits update message with multiple requests (e.g. request to
> add multiple A/AAAA records) to steps where one step does 1 change in 1
> resource record at a time. Our plugin can see only separate steps and not the
> whole update message.
>
> Failure in any step terminates the update completely, rest of the update
> message is not processed and error is returned to the client. On the other
> hand, we have no information beforehand if the currently processed step is the
> last one or not so it is impossible to reliably implement 'this update is the
> last one, report the error here' logic.
>
> I do not see a way to change this without changes to BIND internals and IMHO
> it is not worth the effort.
>
>
> Thank you for your time!
>

--
David Kupka

From kybaker at redhat.com Wed Apr 29 13:59:27 2015
From: kybaker at redhat.com (Kyle Baker)
Date: Wed, 29 Apr 2015 09:59:27 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
In-Reply-To: <553E593B.7040505@redhat.com>
References: <553E593B.7040505@redhat.com>
Message-ID: <252255323.10008954.1430315967619.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On 04/27/2015 03:03 PM, Gabe Alford wrote:
> > Hello,
> >
> > Fix for https://fedorahosted.org/freeipa/ticket/4926
> >
> > Thanks,
> >
> > Gabe
> >
>
> PatternFly has new recommendations for terminology and wording [1]. I'm
> not entirely sure if the usage of 'save' here is good. PF defines 'edit'
> as the recommended term. The page doesn't say if 'save' is not
> recommended, though. Save seems to me as a confirmation of editing.

Yes I think save would be best here based on the message given. Thanks for
checking out the Terminology screen!

>
> Kyle, could you advise what is the best term for reflecting user changes
> and for confirmation of this action?
>
> Technical notes:
> 1. it would be better to add a new string and then use it in the button
> instead of having 'Save' text for '@i18n:buttons.update' definition.
>
> 2. String changes in internal.py should be also reflected in
> install/ui/test/data/ipa_init.json (for static web ui demo).
>
> 3. optional: in addition to text change, buttons and related actions
> could also be renamed (same reasons as in 1). It's more proper but much
> more complicated.
>
>
> [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels
> --
> Petr Vobornik
>

From mbasti at redhat.com Wed Apr 29 14:05:45 2015
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Apr 2015 16:05:45 +0200
Subject: [Freeipa-devel] behavior change in DNS dynamic updates: #155
In-Reply-To: <5540DF4B.6020106@redhat.com>
References: <5540CE1A.7080305@redhat.com> <5540DF4B.6020106@redhat.com>
Message-ID: <5540E539.4030703@redhat.com>

On 29/04/15 15:40, David Kupka wrote:
> On 04/29/2015 02:27 PM, Petr Spacek wrote:
>> Hello,
>>
>> I would like to discuss behavior change which is needed for fixing ticket
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/155
>> "PTR record synchronization for A/AAAA record tuple can fail
>> mysteriously"
>>
>> Current behavior
>> ================
>> Currently DNS clients receive SERVFAIL error if A/AAAA record is
>> updated but respective reverse zone is not configured on the same IPA
>> server.
>> See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for
>> details.
>>
>>
>> Change proposal
>> ===============
>> It seems to me that #155 is not fixable without following behavior
>> change:
>> Client will *not* receive an error if reverse zone is not configured.
>>
>> Would it be okay to do this change and *do not report an error if
>> respective reverse zone is not configured*?

Just for clarification:

If any A/AAAA record update failed, server will return SERVFAIL and
rollback changes

If all A/AAAA records were successfully added, just SRV record is not
created by dyndb-ldap, server returns NOERROR

nsupdate contains A/AAAA/PTR record, if PTR record update failed,
server will return SERVFAIL and rollback changes.

Right?

>
> Yes. Client has always chance to check if the reverse records were
> created or not. Additionally client only tries to add A/AAAA records
> and doesn't know if there are any reverse zones or not.

Yes. Client has no information that PTR records should be created too.
We can just show a warning, the client has no reverse record (we need to
decide if this is right approach)

>
>>
>>
>> I think that it could be actually less confusing because it might be an
>> intentional configuration, too.
>>
>> E.g. the IPA DNS server might be responsible only for 2 zones:
>> - example.com.
>> - 2.0.192.in-addr.arpa.
>> but it does not mean that the zone 'example.com.' cannot contain A/AAAA
>> records belonging to other reverse zones.
>>
>> Currently any attempt to update A/AAAA record which does not belong
>> to reverse zone '2.0.192.in-addr.arpa.' ends with SERVFAIL message and
>> terminates the update prematurely.
>>
>>
>> Technical details
>> =================
>> BIND internally splits update message with multiple requests (e.g.
>> request to add multiple A/AAAA records) to steps where one step does
>> 1 change in 1 resource record at a time. Our plugin can see only
>> separate steps and not the whole update message.
>>
>> Failure in any step terminates the update completely, rest of the update
>> message is not processed and error is returned to the client. On the
>> other hand, we have no information beforehand if the currently processed
>> step is the last one or not so it is impossible to reliably implement
>> 'this update is the last one, report the error here' logic.
>>
>> I do not see a way to change this without changes to BIND internals
>> and IMHO it is not worth the effort.
>>
>>
>> Thank you for your time!
>>
>

CCing Jakub as this can hit SSSD.
Martin^2

--
Martin Basti

From mbasti at redhat.com Wed Apr 29 14:06:43 2015
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Apr 2015 16:06:43 +0200 Subject: [Freeipa-devel] behavior change in DNS dynamic updates: #155 In-Reply-To: <5540E539.4030703@redhat.com> References: <5540CE1A.7080305@redhat.com> <5540DF4B.6020106@redhat.com> <5540E539.4030703@redhat.com> Message-ID: <5540E573.3020207@redhat.com> On 29/04/15 16:05, Martin Basti wrote: > On 29/04/15 15:40, David Kupka wrote: >> On 04/29/2015 02:27 PM, Petr Spacek wrote: >>> Hello, >>> >>> I would like to discuss a behavior change which is needed for fixing ticket >>> https://fedorahosted.org/bind-dyndb-ldap/ticket/155 >>> "PTR record synchronization for A/AAAA record tuple can fail >>> mysteriously" >>> >>> Current behavior >>> ================ >>> Currently DNS clients receive a SERVFAIL error if an A/AAAA record is >>> updated but >>> the respective reverse zone is not configured on the same IPA server. >>> See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for >>> details. >>> >>> >>> Change proposal >>> =============== >>> It seems to me that #155 is not fixable without the following behavior >>> change: >>> Client will *not* receive an error if the reverse zone is not configured. >>> >>> Would it be okay to do this change and *not report an error if the >>> respective >>> reverse zone is not configured*? > Just for clarification: > If any A/AAAA record update failed, the server will return SERVFAIL and > roll back changes. > If all A/AAAA records were successfully added, just the SRV record is not > created by dyndb-ldap, the server returns NOERROR. s/SRV/PTR sorry > If the nsupdate contains A/AAAA/PTR records and the PTR record update failed, > the server will return SERVFAIL and roll back changes. > > Right? >> >> Yes. The client always has a chance to check if the reverse records were >> created or not. Additionally the client only tries to add A/AAAA records >> and doesn't know if there are any reverse zones or not. > Yes. The client has no information that PTR records should be created too.
> We can just show a warning that the client has no reverse record (we need > to decide if this is the right approach). >> >>> >>> >>> I think that it could actually be less confusing because it might be an >>> intentional configuration, too. >>> >>> E.g. the IPA DNS server might be responsible only for 2 zones: >>> - example.com. >>> - 2.0.192.in-addr.arpa. >>> but it does not mean that the zone 'example.com.' cannot contain A/AAAA >>> records belonging to other reverse zones. >>> >>> Currently any attempt to update an A/AAAA record which does not belong >>> to the reverse >>> zone '2.0.192.in-addr.arpa.' ends with a SERVFAIL message and >>> terminates the >>> update prematurely. >>> >>> >>> Technical details >>> ================= >>> BIND internally splits an update message with multiple requests (e.g. a >>> request to >>> add multiple A/AAAA records) into steps where one step does 1 >>> change in 1 >>> resource record at a time. Our plugin can see only the separate steps >>> and not the >>> whole update message. >>> >>> Failure in any step terminates the update completely, the rest of the >>> update >>> message is not processed and an error is returned to the client. On the >>> other >>> hand, we have no information beforehand if the currently processed >>> step is the >>> last one or not, so it is impossible to reliably implement 'this >>> update is the >>> last one, report the error here' logic. >>> >>> I do not see a way to change this without changes to BIND internals >>> and IMHO >>> it is not worth the effort. >>> >>> >>> Thank you for your time! >>> >> > > CCing Jakub as this can hit SSSD. > Martin^2 > -- Martin Basti From pspacek at redhat.com Wed Apr 29 14:19:43 2015
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 29 Apr 2015 16:19:43 +0200 Subject: [Freeipa-devel] behavior change in DNS dynamic updates: #155 In-Reply-To: <5540E573.3020207@redhat.com> References: <5540CE1A.7080305@redhat.com> <5540DF4B.6020106@redhat.com> <5540E539.4030703@redhat.com> <5540E573.3020207@redhat.com> Message-ID: <5540E87F.7030608@redhat.com> On 29.4.2015 16:06, Martin Basti wrote: > On 29/04/15 16:05, Martin Basti wrote: >> On 29/04/15 15:40, David Kupka wrote: >>> On 04/29/2015 02:27 PM, Petr Spacek wrote: >>>> Hello, >>>> >>>> I would like to discuss a behavior change which is needed for fixing ticket >>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/155 >>>> "PTR record synchronization for A/AAAA record tuple can fail mysteriously" >>>> >>>> Current behavior >>>> ================ >>>> Currently DNS clients receive a SERVFAIL error if an A/AAAA record is updated but >>>> the respective reverse zone is not configured on the same IPA server. >>>> See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for details. >>>> >>>> >>>> Change proposal >>>> =============== >>>> It seems to me that #155 is not fixable without the following behavior change: >>>> Client will *not* receive an error if the reverse zone is not configured. >>>> >>>> Would it be okay to do this change and *not report an error if the respective >>>> reverse zone is not configured*? >> Just for clarification: >> If any A/AAAA record update failed, the server will return SERVFAIL and roll back >> changes. >> If all A/AAAA records were successfully added, just the SRV record is not >> created by dyndb-ldap, the server returns NOERROR. > > s/SRV/PTR > sorry Yes, this is correct. It seems like there is agreement, so I will fix #155 as described above. It turned out that #155 is a prerequisite for #151. I really like spaghetti! ;-) Petr^2 Spacek >> If the nsupdate contains A/AAAA/PTR records and the PTR record update failed, the server >> will return SERVFAIL and roll back changes. >> >> Right? >>> >>> Yes.
The client always has a chance to check if the reverse records were created >>> or not. Additionally the client only tries to add A/AAAA records and doesn't >>> know if there are any reverse zones or not. >> Yes. The client has no information that PTR records should be created too. >> We can just show a warning that the client has no reverse record (we need to >> decide if this is the right approach). >>> >>>> >>>> >>>> I think that it could actually be less confusing because it might be an >>>> intentional configuration, too. >>>> >>>> E.g. the IPA DNS server might be responsible only for 2 zones: >>>> - example.com. >>>> - 2.0.192.in-addr.arpa. >>>> but it does not mean that the zone 'example.com.' cannot contain A/AAAA >>>> records belonging to other reverse zones. >>>> >>>> Currently any attempt to update an A/AAAA record which does not belong to the >>>> reverse >>>> zone '2.0.192.in-addr.arpa.' ends with a SERVFAIL message and terminates the >>>> update prematurely. >>>> >>>> >>>> Technical details >>>> ================= >>>> BIND internally splits an update message with multiple requests (e.g. a request to >>>> add multiple A/AAAA records) into steps where one step does 1 change in 1 >>>> resource record at a time. Our plugin can see only the separate steps and not the >>>> whole update message. >>>> >>>> Failure in any step terminates the update completely, the rest of the update >>>> message is not processed and an error is returned to the client. On the other >>>> hand, we have no information beforehand if the currently processed step is >>>> the >>>> last one or not, so it is impossible to reliably implement 'this update is the >>>> last one, report the error here' logic. >>>> >>>> I do not see a way to change this without changes to BIND internals and IMHO >>>> it is not worth the effort. >>>> >>>> >>>> Thank you for your time! >>>> >>> >> >> CCing Jakub as this can hit SSSD. >> Martin^2 From jcholast at redhat.com Wed Apr 29 16:25:17 2015
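The update semantics the thread just agreed on, as an added example that is not part of the thread and not code from bind-dyndb-ldap or FreeIPA: a small Python model of the processing described above (BIND hands the plugin one step per record, any failing step rolls the whole update back with SERVFAIL, and with the #155 change a reverse zone that is not served here yields a warning instead of an error), together with the client-side PTR check that the replies rely on. Zone names, owner names and addresses are constructed sample data; the `DnsServer` class and its method names are assumptions made for the illustration, not the plugin's API.

```python
"""Model of the dynamic-update semantics discussed in the #155 thread.

Added example, not code from bind-dyndb-ldap or FreeIPA. Zone and record
names are constructed sample data; the class and method names are assumed.
"""
import ipaddress

SERVFAIL = "SERVFAIL"
NOERROR = "NOERROR"


def reverse_name(address):
    """PTR owner name for an IPv4/IPv6 address as an absolute name,
    e.g. '192.0.2.10' -> '10.2.0.192.in-addr.arpa.'."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def find_zone(name, zones):
    """Longest-suffix match of an absolute owner name against the zones
    this server serves; None when the name lies outside all of them."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


class DnsServer(object):
    """Authoritative data for a fixed set of zones plus the update logic."""

    def __init__(self, zones):
        self.zones = set(zones)
        self.records = {}  # (owner, rrtype) -> set of rdata strings

    def lookup(self, name, rrtype):
        return self.records.get((name, rrtype), set())

    def _add_step(self, owner, rrtype, rdata):
        """One update step: a single change to a single RR. Fails when the
        owner is outside every served zone (this is the SERVFAIL case)."""
        if find_zone(owner, self.zones) is None:
            raise LookupError("not authoritative for %s" % owner)
        self.records.setdefault((owner, rrtype), set()).add(rdata)

    def _sync_ptr(self, owner, address, warnings):
        """PTR synchronisation for an added A/AAAA record. With the #155
        change, a reverse zone not served here is a warning, not an error."""
        ptr_owner = reverse_name(address)
        if find_zone(ptr_owner, self.zones) is None:
            warnings.append("no reverse zone for %s, PTR not created" % ptr_owner)
            return
        self._add_step(ptr_owner, "PTR", owner)

    def update(self, changes):
        """Apply one update message given as (owner, rrtype, rdata) additions.
        Returns (rcode, warnings); a failing step rolls everything back."""
        snapshot = dict((k, set(v)) for k, v in self.records.items())
        warnings = []
        try:
            for owner, rrtype, rdata in changes:
                self._add_step(owner, rrtype, rdata)
                if rrtype in ("A", "AAAA"):
                    self._sync_ptr(owner, rdata, warnings)
        except LookupError:
            self.records = snapshot  # BIND aborts the whole update message
            return SERVFAIL, []
        return NOERROR, warnings


def missing_ptrs(lookup, owner, addresses):
    """The client-side check the thread relies on: which addresses have no
    PTR pointing back at `owner`. `lookup(name, rrtype)` stands in for a
    DNS query and returns the rdata set."""
    return [a for a in addresses if owner not in lookup(reverse_name(a), "PTR")]


if __name__ == "__main__":
    srv = DnsServer(["example.com.", "2.0.192.in-addr.arpa."])
    rc, warn = srv.update([("host1.example.com.", "A", "192.0.2.10"),
                           ("host1.example.com.", "AAAA", "2001:db8::10")])
    print(rc, warn)
    print(missing_ptrs(srv.lookup, "host1.example.com.",
                       ["192.0.2.10", "2001:db8::10"]))
```

With only the IPv4 reverse zone served, the IPv6 address produces NOERROR plus a warning and no PTR, which is exactly what a client must detect on its own; an owner outside every served zone, or an explicit PTR into an unserved reverse zone, aborts the whole message and leaves the earlier records untouched.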
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Apr 2015 18:25:17 +0200 Subject: [Freeipa-devel] [PATCH 424] install: Introduce installer framework ipapython.install In-Reply-To: <553513A7.3070704@redhat.com> References: <552FCB4E.4050402@redhat.com> <5531157F.80106@redhat.com> <5534FBB6.3050001@redhat.com> <553513A7.3070704@redhat.com> Message-ID: <554105ED.90204@redhat.com> On 20.4.2015 at 16:56 Jan Cholasta wrote: > On 20.4.2015 at 15:14 Martin Basti wrote: >> On 17/04/15 16:15, Jan Cholasta wrote: >>> On 16.4.2015 at 16:46 Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patch adds the basics of the new installer framework. >>>> >>>> As a next step, I plan to convert the install scripts to use the >>>> framework with their old code (the old code will be gradually ported to >>>> the framework later). >>>> >>>> (Note I didn't manage to write docstrings today, expect an update >>>> tomorrow.) >>> >>> Added some docstrings. >>> >>> Also updated the patch to reflect a little brainstorming David and I had >>> this morning. >>> >>>> >>>> Honza >>> >>> >>> >> Hello, see comments below: >> >> 1) We started using a new shorter license header in files: >> # >> # Copyright (C) 2015 FreeIPA Contributors see COPYING for license >> # > > OK. > >> >> 2) IMO this will not work, NoneType has no 'obj' attribute >> + else: >> + if isinstance(value, from_): >> + value = None >> + stack.append(value.obj) >> + continue > > Right. > >> >> 3) Multiple inheritance. I do not like it much. >> +class CompositeInstaller(Installer, CompositeConfigurator): > > I guess you are antagonistic to multiple inheritance because of how > other languages (like C++) do it. In Python it can be pretty elegant and > is the basis for e.g. the mixin design pattern. > >> >> Installer and CompositeConfigurator inherit from the Configurator class, >> and all of them implement the _generator method. > > Both of them call super()._generator(), so it's no problem (same for > other methods).
> >> >> If I understand correctly >> (https://www.python.org/download/releases/2.3/mro/) the >> Installer._generator method will be used in this case. >> However in case when CompositeConfigurator has more levels (respectively >> it is more specialized) of inheritance, it could take precedence and its >> _generator method may be used instead. > > The order of precedence is defined by the order of base classes in the > class definition. > >> >> I'm afraid this may suddenly stop working. >> Maybe I'm wrong, please fix me. > > As long as you call the super class, it will work fine. > >> >> And Multiple inheritance is not easily readable, this is even a diamond >> inheritance model. > > Cooperative inheritance is used by design and IMHO is easily readable if > you know how to read it. Every class defines a single bit of behavior. > Without cooperative inheritance, it would have to be hardcoded and/or > hacked around, which I wanted to avoid. > > This blog post explains it nicely: > . > Updated patch attached. Also attached is patch 425 which migrates ipa-server-install to the install framework. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-424.2-install-Introduce-installer-framework-ipapython.inst.patch Type: text/x-patch Size: 21174 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-425-install-Migrate-ipa-server-install-to-the-install-fr.patch Type: text/x-patch Size: 128357 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Apr 29 17:42:19 2015 
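The cooperative-inheritance argument above, as an added example that is not the patch's code: the class names follow the discussion (Configurator, Installer, CompositeConfigurator, CompositeInstaller and their `_generator` method), the method bodies are assumptions made for the illustration. It shows the point Martin asked about and Jan answered: with every class chaining to super(), each step in the diamond runs exactly once in MRO order, base-class order decides which runs first, and a class that does not chain to super() silently cuts off everything after it in the MRO.

```python
"""Cooperative multiple inheritance, as discussed for CompositeInstaller.

Added example, not code from the installer framework patch. Class names
follow the review thread; the method bodies are assumptions.
"""


class Configurator(object):
    def _generator(self):
        yield "Configurator"


class Installer(Configurator):
    def _generator(self):
        yield "Installer"
        # super() resolves to the *next class in the instance's MRO*: for a
        # CompositeInstaller that is CompositeConfigurator, not Configurator.
        for step in super(Installer, self)._generator():
            yield step


class CompositeConfigurator(Configurator):
    def _generator(self):
        yield "CompositeConfigurator"
        for step in super(CompositeConfigurator, self)._generator():
            yield step


class CompositeInstaller(Installer, CompositeConfigurator):
    """Diamond: base order decides precedence, Installer's step runs first."""


class ReversedCompositeInstaller(CompositeConfigurator, Installer):
    """Same bases, other order: CompositeConfigurator's step runs first."""


class LeafInstaller(Configurator):
    """The caveat: a class that does not chain to super() breaks the chain,
    so anything after it in the MRO never runs."""

    def _generator(self):
        yield "LeafInstaller"


class BrokenComposite(LeafInstaller, CompositeConfigurator):
    pass


def mro_names(cls):
    """Method resolution order of cls as a list of class names."""
    return [c.__name__ for c in cls.__mro__]


def steps(cls):
    """Steps that _generator() produces for a fresh instance of cls."""
    return list(cls()._generator())


if __name__ == "__main__":
    for cls in (CompositeInstaller, ReversedCompositeInstaller, BrokenComposite):
        print(cls.__name__, mro_names(cls), steps(cls))
```

Every step appears once and Configurator's step is last in both composite classes; in BrokenComposite the CompositeConfigurator and Configurator steps are lost, which is the failure mode to watch for when reviewing a mixin that forgets the super() call.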
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 29 Apr 2015 19:42:19 +0200 Subject: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd Message-ID: <554117FB.7070203@redhat.com> The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's and Martin's suggestions (see e.g. https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html for reference). https://fedorahosted.org/freeipa/ticket/4973 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0031.1-provide-dedicated-ccache-file-for-httpd.patch Type: text/x-patch Size: 3219 bytes Desc: not available URL: From ssorce at redhat.com Wed Apr 29 18:32:58 2015 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 29 Apr 2015 14:32:58 -0400 Subject: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd In-Reply-To: <554117FB.7070203@redhat.com> References: <554117FB.7070203@redhat.com> Message-ID: <1430332378.22966.21.camel@willson.usersys.redhat.com> On Wed, 2015-04-29 at 19:42 +0200, Martin Babinsky wrote: > # NOTE: systemd specific section > - /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : > + /bin/systemctl try-restart ipa-httpd.service >/dev/null 2>&1 || : > # END > fi Isn't this going to fail on upgrades where you want to move from httpd.service to ipa-httpd.service ? Simo. From jcholast at redhat.com Thu Apr 30 05:07:22 2015 
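Review bot: the scriptlet hunk replaces `try-restart httpd.service` with `try-restart ipa-httpd.service`, but `systemctl try-restart` only restarts a unit that is already active, so on an upgrade from a version that still runs httpd.service the new unit is not active yet, the command is a no-op, and the old httpd instance keeps running without the new ccache environment. Keep the `try-restart httpd.service` line as well (or explicitly stop httpd.service and start ipa-httpd.service in the upgrade path) and state the reason in the `# NOTE: systemd specific section` comment.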
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Apr 2015 07:07:22 +0200 Subject: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd In-Reply-To: <554117FB.7070203@redhat.com> References: <554117FB.7070203@redhat.com> Message-ID: <5541B88A.4080506@redhat.com> Hi, On 29.4.2015 at 19:42 Martin Babinsky wrote: > The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's > and Martin's suggestions (see e.g. > https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html > for reference). > > https://fedorahosted.org/freeipa/ticket/4973 IMHO we should set the environment variable in /etc/systemd/system/httpd.service, instead of providing a new service file, because we are just changing configuration, not creating a new concurrent httpd instance, as is the case with ipa-memcached, and also not using an alternative httpd implementation which masks the current one, as is the case with bind-pkcs11. It would simplify the whole thing significantly and it's even recommended in httpd.service to do so: # For example, to pass additional options (for instance, -D definitions) to the # httpd binary at startup, you need to create a file named # "/etc/systemd/system/httpd.service" containing: # .include /lib/systemd/system/httpd.service # [Service] # Environment=OPTIONS=-DMY_DEFINE (BTW I wonder why /etc/sysconfig/httpd support was removed from httpd in Fedora (), it seems like a better place to customize environment variables, rather than having to create a modified service file...) Anyway, I would prefer if we set it in a way that works on non-systemd distros as well. Can't we just set "GssapiCredStore ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in /etc/httpd/conf.d/ipa.conf? Honza -- Jan Cholasta From abokovoy at redhat.com Thu Apr 30 06:23:25 2015
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 30 Apr 2015 09:23:25 +0300 Subject: [Freeipa-devel] [PATCH 0031] provide a dedicated ccache file to httpd In-Reply-To: <5541B88A.4080506@redhat.com> References: <554117FB.7070203@redhat.com> <5541B88A.4080506@redhat.com> Message-ID: <20150430062325.GG11785@redhat.com> On Thu, 30 Apr 2015, Jan Cholasta wrote: >Hi, > >On 29.4.2015 at 19:42 Martin Babinsky wrote: >>The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's >>and Martin's suggestions (see e.g. >>https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html >>for reference). >> >>https://fedorahosted.org/freeipa/ticket/4973 > >IMHO we should set the environment variable in >/etc/systemd/system/httpd.service, instead of providing a new service >file, because we are just changing configuration, not creating a new >concurrent httpd instance, as is the case with ipa-memcached, and also >not using an alternative httpd implementation which masks the current >one, as is the case with bind-pkcs11. It would simplify the whole >thing significantly and it's even recommended in httpd.service to do I agree. >so: > > # For example, to pass additional options (for instance, -D >definitions) to the > # httpd binary at startup, you need to create a file named > # "/etc/systemd/system/httpd.service" containing: > # .include /lib/systemd/system/httpd.service > # [Service] > # Environment=OPTIONS=-DMY_DEFINE > >(BTW I wonder why /etc/sysconfig/httpd support was removed from httpd >in Fedora (), >it seems like a better place to customize environment variables, >rather than having to create a modified service file...) We had a discussion with Joe Orton (httpd maintainer) a while ago and his arguments were the following: ---- Hi guys, we made that change to adopt what is considered "best practice" for systemd. The change is not in RHEL7, only Fedora >= 20.
I would not say we are strongly wedded to that change, but the use case you provide seems very weak. /etc/sysconfig/httpd is intended to be user-configurable and if users do "rm -f /etc/sysconfig/httpd" then Fedora packages should keep working correctly. Can we find a more robust way to achieve the same results? Why is it required that the environment variable is set globally within /usr/sbin/httpd? ... [and later in the discussion] I'd argue that in this case you should not be using httpd.service as-is; instead it would be correct to create an "httpd-ipa.service" unit file or similar, which can ".include" the system httpd.service, and sets up the appropriate Environment= (or EnvironmentFile=) directly. Also, if the intent is purely to change mod_auth_kerb's interaction with libkrb5, is there no way to do this via the libkrb API - or mod_auth_kerb's existing use thereof? The use of /etc/sysconfig/httpd has historically been a mild PITA and I'm not seeing a compelling reason to revert the decision to kill it here. ---- >Anyway, I would prefer if we set it in a way that works on non-systemd >distros as well. Can't we just set "GssapiCredStore >ccache:FILE:/var/run/httpd/krbcache/krb5ccache" in >/etc/httpd/conf.d/ipa.conf? It is not just mod_auth_gssapi, it is needed for users of the credentials obtained by mod_auth_gssapi. mod_auth_gssapi only sets the KRB5CCNAME value when delegation of credentials is in use and there is something to delegate. -- / Alexander Bokovoy From pviktori at redhat.com Thu Apr 30 11:09:35 2015
From: pviktori at redhat.com (Petr Viktorin) Date: Thu, 30 Apr 2015 13:09:35 +0200 Subject: [Freeipa-devel] [PATCHES] 0689-0691 Move ipapython.dn to ipaldap.dn Message-ID: <55420D6F.7030402@redhat.com> Hello, These patches create a new library called ipaldap. Eventually this should include what's now ipapython.ipaldap, plus dependencies. The first dependency is DNs. 0689 adds the package; 0690 modifies all of IPA to use the new location; 0691 ports DNs and tests to Python 3. Running tests under Python 3 is a bit complicated for now; see the commit message. I did make a Fedora package for python3-ldap [0] if you're interested, but I don't expect IPA developers to maintain Python 3 compatibility until it's bootstrapped a bit more. [0] https://copr.fedoraproject.org/coprs/pviktori/python3-ldap/ -- Petr Viktorin -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0689-Make-ipaldap-package-with-the-dn-module.patch Type: text/x-patch Size: 202473 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0690-Use-ipaldap.dn-instead-of-ipapython.dn.patch Type: text/x-patch Size: 79147 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pviktori-0691-Make-ipaldap.dn-Python-3-compatible.patch Type: text/x-patch Size: 31882 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Apr 30 11:57:53 2015 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Apr 2015 13:57:53 +0200 Subject: [Freeipa-devel] [PATCH] 821 webui: add pwpolicy link to group details page if group has associated pwpolicy In-Reply-To: <55312D8E.8020400@redhat.com> References: <55312D8E.8020400@redhat.com> Message-ID: <554218C1.7090108@redhat.com> On 04/17/2015 05:58 PM, Petr Vobornik wrote: > https://fedorahosted.org/freeipa/ticket/4982 > > ACK -- Martin^3 Babinsky From dkupka at redhat.com Thu Apr 30 13:37:54 2015 From: dkupka at redhat.com (David Kupka) Date: Thu, 30 Apr 2015 15:37:54 +0200 Subject: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation In-Reply-To: <553A3D88.6080200@redhat.com> References: <553A3D88.6080200@redhat.com> Message-ID: <55423032.9080505@redhat.com> On 04/24/2015 02:56 PM, Martin Basti wrote: > Patches attached. > > > > Hi, thanks for the patches. 1. You changed the message in the DNSServerNotRespondingWarning class but not the test in ipatest/test_xmlrpc/test_dns_plugin.py Nitpick. Please spell 'edns' correctly. I've seen several instances of 'ends'. -- David Kupka From abokovoy at redhat.com Thu Apr 30 13:41:09 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 30 Apr 2015 16:41:09 +0300 Subject: [Freeipa-devel] [WARNING] Trusts are broken in Fedora 22 Message-ID: <20150430134109.GK11785@redhat.com> Hi, If you are eager to try Fedora 22 beta and overall try FreeIPA in Fedora 22, be aware that trusts to Active Directory are currently broken due to the Samba 4.2.1 update in Fedora 22. I've pushed a build [1] of Samba today that at least allows Samba processes to start properly, but establishing a trust will fail due to changes in Samba client libraries. I'm investigating the reason for the issues and hope to get them fixed before the Fedora 22 final freeze comes. [1] https://admin.fedoraproject.org/updates/samba-4.2.1-7.fc22 -- / Alexander Bokovoy From mbasti at redhat.com Thu Apr 30 13:53:40 2015
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Apr 2015 15:53:40 +0200 Subject: [Freeipa-devel] [PATCH] 814-818 migrate-ds: optimize adding users to default group In-Reply-To: <5527AC09.7060707@redhat.com> References: <5527AC09.7060707@redhat.com> Message-ID: <554233E4.5040608@redhat.com> On 10/04/15 12:55, Petr Vobornik wrote: > The essential patch is 814. > > 815 is a proposal for a new option. > > 816 and 818 are cleanup patches. > > 817 is a little optimization. > > == [PATCH] 814 migrate-ds: optimize adding users to default group == > Migrate-ds searches for users without a group and adds them to the default > group. There is no point in checking if the users selected by the > previous query are not members of the default group because they are not > members of any group. > > The operation is also sped up by not fetching the default group. > Users are added right away. > > https://fedorahosted.org/freeipa/ticket/4950 > NACK Users haven't been added into the ipa default group after migration. Just a nitpick 1) too many parentheses api.log.error(('Adding new members to default group failed: %s \n' 'members: %s') % (e, (','.join(member_dns)))) You can use this instead: api.log.error('Adding new members to default group failed: %s \n' 'members: %s', e, ','.join(member_dns)) == [PATCH] 815 migrate-ds: skip default group options == > The new option --use-default-group=False could be used to disable adding > migrated users into the default group. > > By default, the default group is no longer POSIX, therefore it doesn't > fulfill the original idea of providing a GID and therefore it could be > skipped during migration. LGTM > > == [PATCH] 816 migrate-ds: remove unused def_group_gid context > property == > it's no longer used anywhere > 1) You can remove the unused variable 'g_attrs' > == [PATCH] migrate-ds: optimize gid checks by utilizing dictionary > nature of set == > LGTM > == [PATCH] migrate-ds: log migrated group members only on debug level == > It pollutes error_log.
> 1) you do not need % formatting in the logger api.log.debug('migrating %s group %s', member_attr, m) > > Martin^2 -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Thu Apr 30 14:52:30 2015 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Apr 2015 16:52:30 +0200 Subject: [Freeipa-devel] [PATCH 0083] Fix a signedness bug in OTP code In-Reply-To: <1430145037.2682.15.camel@redhat.com> References: <1430145037.2682.15.camel@redhat.com> Message-ID: <554241AE.4050207@redhat.com> On 04/27/2015 04:30 PM, Nathaniel McCallum wrote: > This bug caused negative token windows to wrap around, causing issues > with TOTP authentication and (especially) synchronization. > > https://fedorahosted.org/freeipa/ticket/4990 > > > ACK -- Martin^3 Babinsky From redhatrises at gmail.com Thu Apr 30 17:43:07 2015
From: redhatrises at gmail.com (Gabe Alford) Date: Thu, 30 Apr 2015 11:43:07 -0600 Subject: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent In-Reply-To: <252255323.10008954.1430315967619.JavaMail.zimbra@redhat.com> References: <553E593B.7040505@redhat.com> <252255323.10008954.1430315967619.JavaMail.zimbra@redhat.com> Message-ID: Thanks Kyle and Petr. Updated patch attached. On Wed, Apr 29, 2015 at 7:59 AM, Kyle Baker wrote: > > ----- Original Message ----- > > On 04/27/2015 03:03 PM, Gabe Alford wrote: > > > Hello, > > > > > > Fix for https://fedorahosted.org/freeipa/ticket/4926 > > > > > > Thanks, > > > > > > Gabe > > > > > > > PatternFly has new recommendations for terminology and wording [1]. I'm > > not entirely sure if the usage of 'save' here is good. PF defines 'edit' > > as the recommended term. The page doesn't say if 'save' is not > > recommended, though. Save seems to me like a confirmation of editing. > > Yes, I think save would be best here based on the message given. > > Thanks for checking out the Terminology screen! > > > > > Kyle, could you advise what is the best term for reflecting user changes > > and for confirmation of this action? > > > > Technical notes: > > 1. it would be better to add a new string and then use it in the button > > instead of having 'Save' text for the '@i18n:buttons.update' definition. > > > > 2. String changes in internal.py should also be reflected in > > install/ui/test/data/ipa_init.json (for the static web ui demo). > > > > 3. optional: in addition to the text change, buttons and related actions > > could also be renamed (same reasons as in 1). It's more proper but much > > more complicated. > > > > > > [1] > https://www.patternfly.org/styles/terminology-and-wording/#action-labels > > -- > > Petr Vobornik > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-rga-0047-2-Unsaved-changes-dialog-internally-inconsistent.patch Type: text/x-patch Size: 6256 bytes Desc: not available URL: