[Freeipa-devel] [PATCH 0297] ULC: add user-stage command
thierry bordaz
tbordaz at redhat.com
Tue Aug 18 14:13:21 UTC 2015
On 08/18/2015 04:04 PM, Martin Basti wrote:
>
>
> On 08/18/2015 03:49 PM, thierry bordaz wrote:
>> On 08/18/2015 03:06 PM, Martin Basti wrote:
>>>
>>>
>>> On 08/18/2015 11:32 AM, thierry bordaz wrote:
>>>> On 08/18/2015 10:02 AM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 08/18/2015 09:59 AM, thierry bordaz wrote:
>>>>>> On 08/18/2015 09:55 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 08/18/2015 09:50 AM, thierry bordaz wrote:
>>>>>>>> On 08/17/2015 08:33 PM, Martin Basti wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> the 'user-stage' command replaces 'stageuser-add
>>>>>>>>> --from-delete' command.
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5041
>>>>>>>>>
>>>>>>>>> Thierry can you check If I don't break everything, it works
>>>>>>>>> for me, but the one never knows.
>>>>>>>>>
>>>>>>>>> Honza can you please check the framework side? I use
>>>>>>>>> self.api.Object.stageuser.add.* in user command, I'm not sure
>>>>>>>>> if this is right way, but it works.
>>>>>>>>>
>>>>>>>>> Patch attached. I created it in hurry, I'm expecting NACK :D
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Just question at the end: should I implement way Active user
>>>>>>>>> -> stageuser? IMHO it would be implemented internally by
>>>>>>>>> calling 'user-del --preserve' inside 'user-stage'.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Hi Martin,
>>>>>>>>
>>>>>>>> There is a small failure with VERSION (edewata pushed his patch
>>>>>>>> first ;-) )
>>>>>>>>
>>>>>>>> git apply -v
>>>>>>>> /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch
>>>>>>>> Checking patch API.txt...
>>>>>>>> Checking patch VERSION...
>>>>>>>> error: while searching for:
>>>>>>>> # #
>>>>>>>> ########################################################
>>>>>>>> IPA_API_VERSION_MAJOR=2
>>>>>>>> IPA_API_VERSION_MINOR=148
>>>>>>>> # Last change: ftweedal - add --out option to user-show
>>>>>>>>
>>>>>>>> error: patch failed: VERSION:90
>>>>>>>> error: VERSION: patch does not apply
>>>>>>>> Checking patch ipalib/plugins/stageuser.py...
>>>>>>>> Checking patch ipalib/plugins/user.py...
>>>>>>>>
>>>>>>>>
>>>>>>> There is many pending patches that may change VERSION number, I
>>>>>>> will change it to right one before push.
>>>>>>>
>>>>>>> Does code looks good for you?
>>>>>> Hi Martin,
>>>>>>
>>>>>> Just a question, there is no additional permission. Did you test
>>>>>> being 'admin' ?
>>>>>>
>>>>>> thanks
>>>>>> theirry
>>>>> No I didn't,.
>>>>>
>>>>> I preserver all permission, the original permissions should work.
>>>>>
>>>>> Martin
>>>> Hi Martin,
>>>>
>>>> Running a test script, I have an issue with
>>>>
>>>> ipa stageuser-add --first=t --last=b tb1
>>>> ipa: ERROR: an internal error has occurred
>>>>
>>>>
>>>> [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa:
>>>> INFO: [jsonserver_kerb]
>>>> stageadm at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: stageuser_add(u'tb1',
>>>> givenname=u't', sn=u'b', cn=u't b', displayname=u't b',
>>>> initials=u'tb', gecos=u't b',
>>>> krbprincipalname=u'tb1 at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM',
>>>> random=False, all=False, raw=False, version=u'2.149',
>>>> no_members=False): AttributeError
>>>> [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa:
>>>> ERROR: non-public: AttributeError: 'DN' object has no attribute
>>>> 'setdefault'
>>>> [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485]
>>>> Traceback (most recent call last):
>>>> [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485]
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py",
>>>> line 347, in wsgi_execute
>>>> [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485]
>>>> result = self.Command[name](*args, **options)
>>>> [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485]
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
>>>> line 443, in __call__
>>>> [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485]
>>>> ret = self.run(*args, **options)
>>>> [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485]
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py",
>>>> line 760, in run
>>>> [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485]
>>>> return self.execute(*args, **options)
>>>> [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485]
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>>> line 1227, in execute
>>>> [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485]
>>>> *keys, **options)
>>>> [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485]
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
>>>> line 373, in pre_callback
>>>> [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485]
>>>> attrs_list, *keys, **options)
>>>> [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 10485]
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py",
>>>> line 277, in set_default_values_pre_callback
>>>> [Tue Aug 18 11:21:25.198159 2015] [wsgi:error] [pid 10485]
>>>> entry_attrs.setdefault('description', [])
>>>> [Tue Aug 18 11:21:25.198163 2015] [wsgi:error] [pid 10485]
>>>> AttributeError: 'DN' object has no attribute 'setdefault'
>>>> [Tue Aug 18 11:21:25.199276 2015] [wsgi:error] [pid 10485] ipa:
>>>> INFO: [jsonserver_session]
>>>> stageadm at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: stageuser_add(u'tb1',
>>>> givenname=u't', sn=u'b', cn=u't b', displayname=u't b',
>>>> initials=u'tb', gecos=u't b',
>>>> krbprincipalname=u'tb1 at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM',
>>>> random=False, all=False, raw=False, version=u'2.149',
>>>> no_members=False): AttributeError
>>>>
>>>>
>>>> The new set_default_values_pre_callback, can not use the
>>>> set_default function. It is not clear why. entry_attrs is one of
>>>> pre_callback parameter.
>>>> Should set_default_values_pre_callback be a subfonction of
>>>> pre_callback ?
>>>>
>>>>
>>>> thanks
>>>> thierry
>>>
>>> Thank you,
>>>
>>> updated patch attached.
>>
>> So far, tests are ok.
>> Just one comment, the 'user-stage' command description is wrong, as
>> it moves an active user into the staged area
>>
>> user-stage Move deleted user into staged area
> No, it's not doing that.
>
> user-stage is replacement of stageuser-add --from-delete, it doesn't
> work for active users.
> The support to move active user to staged area is RFE, I did not
> implemented it yet, and I dont know if this will fit IPA 4.2 timeframe
Ok. thanks.
Sure user-stage (active->stage) will not fit into IPA 4.2 timeframe.
Running the tests being admin, there is no problem.
I have a permission issue, when running as 'Stage administrator'. The
'delete' entry being moved to 'stage' container, we need the a special
permission for it.
[root at vm-141 ~]# ipa user-del ttest1 --preserve
---------------------
Deleted user "ttest1"
---------------------
[root at vm-141 ~]# ipa user-stage ttest1
ipa: ERROR: Insufficient access: Insufficient 'moddn' privilege to move
an entry to 'cn=staged
users,cn=accounts,cn=provisioning,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
[root at vm-141 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_hw3P667
Default principal: stageadm at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Valid starting Expires Service principal
08/18/2015 15:45:43 08/19/2015 15:45:42
ldap/vm-141.abc.idm.lab.eng.brq.redhat.com at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
08/18/2015 15:45:42 08/19/2015 15:45:42
krbtgt/ABC.IDM.LAB.ENG.BRQ.REDHAT.COM at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
[root at vm-141 ~]# kinit admin
Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
[root at vm-141 ~]# ipa user-stage ttest1
----------------------------
Staged user account "ttest1"
----------------------------
[root at vm-141 ~]# ipa stageuser-find ttest1
--------------
1 user matched
--------------
User login: ttest1
First name: t
Last name: test1
Home directory: /home/ttest1
Login shell: /bin/sh
Email address: ttest1 at abc.idm.lab.eng.brq.redhat.com
UID: 1814000011
GID: 1814000011
Password: False
Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150818/cf53a370/attachment.htm>
More information about the Freeipa-devel
mailing list