[Freeipa-devel] [PATCH 0473-0476, 0478-0482] DNS Locations: Prologue
Martin Basti
mbasti at redhat.com
Thu Jun 2 15:43:27 UTC 2016
On 02.06.2016 15:03, Jan Cholasta wrote:
> On 2.6.2016 14:39, Petr Spacek wrote:
>> On 2.6.2016 14:20, Jan Cholasta wrote:
>>> On 2.6.2016 14:06, Petr Spacek wrote:
>>>> On 1.6.2016 18:00, Martin Basti wrote:
>>>>> <snip>
>>>>>
>>>>> updated patches attached
>>>>>
>>>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
>>>>>
>>>>>
>>>>>
>>>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>> Date: Wed, 4 May 2016 17:33:52 +0200
>>>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related
>>>>> privileges
>>>>>
>>>>> DNS privileges are important for handling DNS locations which can be
>>>>> created without DNS servers in IPA topology. We will also need these
>>>>> privileges presented for future feature 'External DNS support'
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>> ---
>>>>> install/share/delegation.ldif | 16 ++++++++++++++++
>>>>> install/share/dns.ldif | 16 ----------------
>>>>> install/updates/37-locations.update | 0
>>>>> install/updates/40-delegation.update | 16 ++++++++++++++++
>>>>> 4 files changed, 32 insertions(+), 16 deletions(-)
>>>>> create mode 100644 install/updates/37-locations.update
>>>>>
>>>>> diff --git a/install/share/delegation.ldif
>>>>> b/install/share/delegation.ldif
>>>>> index
>>>>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8
>>>>>
>>>>> 100644
>>>>> --- a/install/share/delegation.ldif
>>>>> +++ b/install/share/delegation.ldif
>>>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup
>>>>> cn: Delegation Administrator
>>>>> description: Role administration
>>>>>
>>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
>>>>> +changetype: add
>>>>> +objectClass: top
>>>>> +objectClass: groupofnames
>>>>> +objectClass: nestedgroup
>>>>> +cn: DNS Administrators
>>>>> +description: DNS Administrators
>>>>> +
>>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
>>>>> +changetype: add
>>>>> +objectClass: top
>>>>> +objectClass: groupofnames
>>>>> +objectClass: nestedgroup
>>>>> +cn: DNS Servers
>>>>> +description: DNS Servers
>>>>> +
>>>>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
>>>>> changetype: add
>>>>> objectClass: top
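Review bot: The two added entries (cn=DNS Administrators and cn=DNS Servers) carry no comment saying why DNS privileges now live in delegation.ldif, while the matching block in 40-delegation.update has "# Locations - always create DNS related privileges". Add the same comment here, because the reason (locations can be created without DNS servers in the topology) is otherwise only in the commit message. In both entries the description just repeats the cn; a sentence on what the privilege is for would help anyone auditing roles.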
>>>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif
>>>>> index
>>>>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e
>>>>>
>>>>> 100644
>>>>> --- a/install/share/dns.ldif
>>>>> +++ b/install/share/dns.ldif
>>>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow
>>>>> read
>>>>> access"; allow (read,search
>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version
>>>>> 3.0;acl "Add
>>>>> DNS entries in a zone";allow (add) userattr =
>>>>> "parent[1].managedby#GROUPDN";)
>>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
>>>>> "Remove DNS entries from a zone";allow (delete) userattr =
>>>>> "parent[1].managedby#GROUPDN";)
>>>>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord ||
>>>>> aplrecord ||
>>>>> arecord || certrecord || cn || cnamerecord || dhcidrecord ||
>>>>> dlvrecord ||
>>>>> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord ||
>>>>> hiprecord
>>>>> || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
>>>>> idnsallowtransfer || idnsforwarders || idnsforwardpolicy ||
>>>>> idnsname ||
>>>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum ||
>>>>> idnssoamname ||
>>>>> idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
>>>>> idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
>>>>> kxrecord || locrecord || mdrecord || minforecord || mxrecord ||
>>>>> naptrrecord
>>>>> || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord ||
>>>>> ptrrecord ||
>>>>> rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord ||
>>>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target =
>>>>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS
>>>>> entries in
>>>>> a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>>>>> -
>>>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
>>>>> -changetype: add
>>>>> -objectClass: top
>>>>> -objectClass: groupofnames
>>>>> -objectClass: nestedgroup
>>>>> -cn: DNS Administrators
>>>>> -description: DNS Administrators
>>>>> -
>>>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
>>>>> -changetype: add
>>>>> -objectClass: top
>>>>> -objectClass: groupofnames
>>>>> -objectClass: nestedgroup
>>>>> -cn: DNS Servers
>>>>> -description: DNS Servers
>>>>> diff --git a/install/updates/37-locations.update
>>>>> b/install/updates/37-locations.update
>>>>> new file mode 100644
>>>>> index
>>>>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
>>>>>
>>>>>
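Review bot: install/updates/37-locations.update is created here as an empty file (new file mode 100644, no content) in a commit that is about DNS privileges, and it only receives content and its Makefile.am entry in PATCH 3/4. Drop it from this patch and create it in 3/4 together with its content, so that each commit in the series stands on its own.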
>>>>> diff --git a/install/updates/40-delegation.update
>>>>> b/install/updates/40-delegation.update
>>>>> index
>>>>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66
>>>>>
>>>>> 100644
>>>>> --- a/install/updates/40-delegation.update
>>>>> +++ b/install/updates/40-delegation.update
>>>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames
>>>>> default:objectClass: top
>>>>> default:cn: Vault Administrators
>>>>> default:description: Vault Administrators
>>>>> +
>>>>> +
>>>>> +# Locations - always create DNS related privileges
>>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
>>>>> +default:objectClass: top
>>>>> +default:objectClass: groupofnames
>>>>> +default:objectClass: nestedgroup
>>>>> +default:cn: DNS Administrators
>>>>> +default:description: DNS Administrators
>>>>> +
>>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
>>>>> +default:objectClass: top
>>>>> +default:objectClass: groupofnames
>>>>> +default:objectClass: nestedgroup
>>>>> +default:cn: DNS Servers
>>>>> +default:description: DNS Servers
>>>>> -- 2.5.5
>>>>>
>>>>>
>>>>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch
>>>>>
>>>>>
>>>>>
>>>>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>> Date: Thu, 12 May 2016 10:53:37 +0200
>>>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and
>>>>> objectclasses
>>>>>
>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>> ---
>>>>> install/share/60ipadns.ldif | 4 ++++
>>>>> 1 file changed, 4 insertions(+)
>>>>>
>>>>> diff --git a/install/share/60ipadns.ldif
>>>>> b/install/share/60ipadns.ldif
>>>>> index
>>>>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943
>>>>>
>>>>> 100644
>>>>> --- a/install/share/60ipadns.ldif
>>>>> +++ b/install/share/60ipadns.ldif
>>>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME
>>>>> 'idnsSecKeySep' DESC 'DNSKEY S
>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME
>>>>> 'idnsSecAlgorithm' DESC
>>>>> 'DNSKEY algorithm: string used as mnemonic' EQUALITY
>>>>> caseIgnoreIA5Match
>>>>> SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX
>>>>> 1.3.6.1.4.1.1466.115.121.1.26
>>>>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef'
>>>>> DESC
>>>>> 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX
>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME
>>>>> 'ipaDNSVersion' DESC
>>>>> 'IPA DNS data version' EQUALITY integerMatch ORDERING
>>>>> integerOrderingMatch
>>>>> SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA
>>>>> v4.3' )
>>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC
>>>>> 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX
>>>>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )
>>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME
>>>>> 'ipaLocationWeight' DESC
>>>>> 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX
>>>>> 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC
>>>>> 'dns
>>>>> Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $
>>>>> idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $
>>>>> a6Record $
>>>>> nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $
>>>>> mXRecord $
>>>>> mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $
>>>>> KeyRecord
>>>>> $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $
>>>>> dNameRecord
>>>>> $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $
>>>>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $
>>>>> DHCIDRecord $ HIPRecord $ SPFRecord ) )
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC
>>>>> 'Zone
>>>>> class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $
>>>>> idnsSOAmName $
>>>>> idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $
>>>>> idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $
>>>>> idnsAllowQuery $
>>>>> idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $
>>>>> idnsForwarders $
>>>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) )
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME
>>>>> 'idnsConfigObject' DESC
>>>>> 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $
>>>>> idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $
>>>>> idnsPersistentSearch ) )
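Review bot: ipaLocationWeight is declared with EQUALITY integerMatch only, while the integer attribute directly above it, ipaDNSVersion, also declares ORDERING integerOrderingMatch. If weights will ever be compared or range-filtered on the LDAP side, add the ORDERING rule now rather than in a later schema change; if that is not intended, a short note in the design page would settle it.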
>>>>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME
>>>>> 'ipaDNSZone' SUP top AUXILIARY
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone'
>>>>> DESC
>>>>> 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $
>>>>> idnsZoneActive )
>>>>> MAY ( idnsForwarders $ idnsForwardPolicy ) )
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC
>>>>> 'DNSSEC
>>>>> key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $
>>>>> idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $
>>>>> idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $
>>>>> idnsSecKeyRevoke $
>>>>> idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
>>>>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME
>>>>> 'ipaDNSContainer' DESC
>>>>> 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA
>>>>> v4.3' )
>>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME
>>>>> 'ipaLocationObject' DESC
>>>>> 'Object for storing IPA server location' STRUCTURAL MUST (
>>>>> idnsName ) MAY (
>>>>> description ) X-ORIGIN 'IPA v4.4' )
>>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME
>>>>> 'ipaLocationMember' DESC
>>>>> 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $
>>>>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' )
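Review bot: The new object classes take OIDs 2.16.840.1.113730.3.8.6.7 and .6.8, but the visible context in this file stops at .6.4 (idnsSecKey), and likewise the new attributes in the first hunk use .5.32 and .5.33 after .5.28. Please confirm that the skipped numbers are already allocated elsewhere and that these four are registered, so the series does not collide with another schema file.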
>>>>> -- 2.5.5
>>>>>
>>>>>
>>>>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch
>>>>>
>>>>>
>>>>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>> Date: Thu, 12 May 2016 10:54:20 +0200
>>>>> Subject: [PATCH 3/4] DNS Locations: location-* commands
>>>>>
>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>> ---
>>>>> ACI.txt | 8 ++
>>>>> API.txt | 59 ++++++++++++++
>>>>> VERSION | 4 +-
>>>>> install/share/bootstrap-template.ldif | 6 ++
>>>>> install/updates/37-locations.update | 4 +
>>>>> install/updates/Makefile.am | 1 +
>>>>> ipalib/constants.py | 1 +
>>>>> ipalib/plugins/location.py | 149
>>>>> ++++++++++++++++++++++++++++++++++
>>>>> 8 files changed, 230 insertions(+), 2 deletions(-)
>>>>> create mode 100644 ipalib/plugins/location.py
>>>>>
>>>>> diff --git a/ACI.txt b/ACI.txt
>>>>> index
>>>>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146
>>>>>
>>>>> 100644
>>>>> --- a/ACI.txt
>>>>> +++ b/ACI.txt
>>>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
>>>>> aci: (targetattr = "createtimestamp || entryusn ||
>>>>> krbdefaultencsalttypes
>>>>> || krbmaxrenewableage || krbmaxticketlife ||
>>>>> krbsupportedencsalttypes ||
>>>>> modifytimestamp || objectclass")(targetfilter =
>>>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl
>>>>> "permission:System:
>>>>> Read Default Kerberos Ticket Policy";allow (compare,read,search)
>>>>> groupdn =
>>>>> "ldap:///cn=System: Read Default Kerberos Ticket
>>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> dn: cn=users,cn=accounts,dc=ipa,dc=example
>>>>> aci: (targetattr = "krbmaxrenewableage ||
>>>>> krbmaxticketlife")(targetfilter
>>>>> = "(objectclass=krbticketpolicyaux)")(version 3.0;acl
>>>>> "permission:System:
>>>>> Read User Kerberos Ticket Policy";allow (compare,read,search)
>>>>> groupdn =
>>>>> "ldap:///cn=System: Read User Kerberos Ticket
>>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example
>>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>>>>> 3.0;acl
>>>>> "permission:System: Add IPA Locations";allow (add) groupdn =
>>>>> "ldap:///cn=System: Add IPA
>>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example
>>>>> +aci: (targetattr = "description")(targetfilter =
>>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl
>>>>> "permission:System:
>>>>> Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System:
>>>>> Modify
>>>>> IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example
>>>>> +aci: (targetattr = "createtimestamp || description || entryusn ||
>>>>> idnsname
>>>>> || modifytimestamp || objectclass")(targetfilter =
>>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl
>>>>> "permission:System: Read
>>>>> IPA Locations";allow (compare,read,search) groupdn =
>>>>> "ldap:///cn=System:
>>>>> Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example
>>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version
>>>>> 3.0;acl
>>>>> "permission:System: Remove IPA Locations";allow (delete) groupdn =
>>>>> "ldap:///cn=System: Remove IPA
>>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example
>>>>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl
>>>>> "permission:System: Add Netgroups";allow (add) groupdn =
>>>>> "ldap:///cn=System: Add
>>>>> Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example
>>>>> diff --git a/API.txt b/API.txt
>>>>> index
>>>>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758
>>>>>
>>>>> 100644
>>>>> --- a/API.txt
>>>>> +++ b/API.txt
>>>>> @@ -2759,6 +2759,65 @@ option: Str('version?')
>>>>> output: Entry('result')
>>>>> output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> output: PrimaryKey('value')
>>>>> +command: location_add
>>>>> +args: 1,6,3
>>>>> +arg: DNSNameParam('idnsname', cli_name='name')
>>>>> +option: Str('addattr*', cli_name='addattr')
>>>>> +option: Flag('all', autofill=True, cli_name='all', default=False)
>>>>> +option: Str('description?')
>>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False)
>>>>> +option: Str('setattr*', cli_name='setattr')
>>>>> +option: Str('version?')
>>>>> +output: Entry('result')
>>>>> +output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> +output: PrimaryKey('value')
>>>>> +command: location_del
>>>>> +args: 1,2,3
>>>>> +arg: DNSNameParam('idnsname+', cli_name='name')
>>>>> +option: Flag('continue', autofill=True, cli_name='continue',
>>>>> default=False)
>>>>> +option: Str('version?')
>>>>> +output: Output('result', type=[<type 'dict'>])
>>>>> +output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> +output: ListOfPrimaryKeys('value')
>>>>> +command: location_find
>>>>> +args: 1,8,4
>>>>> +arg: Str('criteria?')
>>>>> +option: Flag('all', autofill=True, cli_name='all', default=False)
>>>>> +option: Str('description?', autofill=False)
>>>>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name')
>>>>> +option: Flag('pkey_only?', autofill=True, default=False)
>>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False)
>>>>> +option: Int('sizelimit?', autofill=False)
>>>>> +option: Int('timelimit?', autofill=False)
>>>>> +option: Str('version?')
>>>>> +output: Output('count', type=[<type 'int'>])
>>>>> +output: ListOfEntries('result')
>>>>> +output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> +output: Output('truncated', type=[<type 'bool'>])
>>>>> +command: location_mod
>>>>> +args: 1,8,3
>>>>> +arg: DNSNameParam('idnsname', cli_name='name')
>>>>> +option: Str('addattr*', cli_name='addattr')
>>>>> +option: Flag('all', autofill=True, cli_name='all', default=False)
>>>>> +option: Str('delattr*', cli_name='delattr')
>>>>> +option: Str('description?', autofill=False)
>>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False)
>>>>> +option: Flag('rights', autofill=True, default=False)
>>>>> +option: Str('setattr*', cli_name='setattr')
>>>>> +option: Str('version?')
>>>>> +output: Entry('result')
>>>>> +output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> +output: PrimaryKey('value')
>>>>> +command: location_show
>>>>> +args: 1,4,3
>>>>> +arg: DNSNameParam('idnsname', cli_name='name')
>>>>> +option: Flag('all', autofill=True, cli_name='all', default=False)
>>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False)
>>>>> +option: Flag('rights', autofill=True, default=False)
>>>>> +option: Str('version?')
>>>>> +output: Entry('result')
>>>>> +output: Output('summary', type=[<type 'unicode'>, <type
>>>>> 'NoneType'>])
>>>>> +output: PrimaryKey('value')
>>>>> command: migrate_ds
>>>>> args: 2,20,4
>>>>> arg: Str('ldapuri', cli_name='ldap_uri')
>>>>> diff --git a/VERSION b/VERSION
>>>>> index
>>>>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095
>>>>>
>>>>> 100644
>>>>> --- a/VERSION
>>>>> +++ b/VERSION
>>>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
>>>>> # #
>>>>> ########################################################
>>>>> IPA_API_VERSION_MAJOR=2
>>>>> -IPA_API_VERSION_MINOR=170
>>>>> -# Last change: mbasti - *-find: do not search for members by default
>>>>> +IPA_API_VERSION_MINOR=171
>>>>> +# Last change: mbasti - location-* commands
>>>>> diff --git a/install/share/bootstrap-template.ldif
>>>>> b/install/share/bootstrap-template.ldif
>>>>> index
>>>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661
>>>>>
>>>>> 100644
>>>>> --- a/install/share/bootstrap-template.ldif
>>>>> +++ b/install/share/bootstrap-template.ldif
>>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer
>>>>> objectClass: top
>>>>> cn: etc
>>>>>
>>>>> +dn: cn=locations,cn=etc,$SUFFIX
>>>>> +changetype: add
>>>>> +objectClass: nsContainer
>>>>> +objectClass: top
>>>>> +cn: locations
>>>>> +
>>>>> dn: cn=sysaccounts,cn=etc,$SUFFIX
>>>>> changetype: add
>>>>> objectClass: nsContainer
>>>>> diff --git a/install/updates/37-locations.update
>>>>> b/install/updates/37-locations.update
>>>>> index
>>>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1
>>>>>
>>>>> 100644
>>>>> --- a/install/updates/37-locations.update
>>>>> +++ b/install/updates/37-locations.update
>>>>> @@ -0,0 +1,4 @@
>>>>> +dn: cn=locations,cn=etc,$SUFFIX
>>>>> +default: objectClass: nsContainer
>>>>> +default: objectClass: top
>>>>> +default: cn: locations
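Review bot: The directive is written "default: objectClass: nsContainer" here, with a space after "default:", while 40-delegation.update in PATCH 1/4 writes "default:objectClass: top" without one. Use one spelling across the series, preferably the one the neighbouring update files already use.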
>>>>> diff --git a/install/updates/Makefile.am
>>>>> b/install/updates/Makefile.am
>>>>> index
>>>>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710
>>>>>
>>>>> 100644
>>>>> --- a/install/updates/Makefile.am
>>>>> +++ b/install/updates/Makefile.am
>>>>> @@ -28,6 +28,7 @@ app_DATA = \
>>>>> 25-referint.update \
>>>>> 30-provisioning.update \
>>>>> 30-s4u2proxy.update \
>>>>> + 37-locations.update \
>>>>> 40-delegation.update \
>>>>> 40-realm_domains.update \
>>>>> 40-replication.update \
>>>>> diff --git a/ipalib/constants.py b/ipalib/constants.py
>>>>> index
>>>>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09
>>>>>
>>>>> 100644
>>>>> --- a/ipalib/constants.py
>>>>> +++ b/ipalib/constants.py
>>>>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = (
>>>>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn',
>>>>> 'ca'))),
>>>>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'),
>>>>> ('cn',
>>>>> 'etc'))),
>>>>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))),
>>>>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))),
>>>>>
>>>>> # Ports, hosts, and URIs:
>>>>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),
>>>>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py
>>>>> new file mode 100644
>>>>> index
>>>>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc
>>>>>
>>>>>
>>>>> --- /dev/null
>>>>> +++ b/ipalib/plugins/location.py
>>>>> @@ -0,0 +1,149 @@
>>>>> +#
>>>>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
>>>>> +#
>>>>> +
>>>>> +from __future__ import absolute_import
>>>>> +
>>>>> +from ipalib import (
>>>>> + _,
>>>>> + ngettext,
>>>>> + api,
>>>>> + Str,
>>>>> + DNSNameParam
>>>>> +)
>>>>> +from ipalib.plugable import Registry
>>>>> +from ipalib.plugins.baseldap import (
>>>>> + LDAPCreate,
>>>>> + LDAPSearch,
>>>>> + LDAPRetrieve,
>>>>> + LDAPDelete,
>>>>> + LDAPObject,
>>>>> + LDAPUpdate,
>>>>> +)
>>>>> +from ipapython.dnsutil import DNSName
>>>>> +
>>>>> +__doc__ = _("""
>>>>> +IPA locations
>>>>> +""") + _("""
>>>>> +Manipulate DNS locations
>>>>> +""") + _("""
>>>>> +EXAMPLES:
>>>>> +""") + _("""
>>>>> + Find all locations:
>>>>> + ipa location-find
>>>>> +""") + _("""
>>>>> + Show specific location:
>>>>> + ipa location-show location
>>>>> +""") + _("""
>>>>> + Add location:
>>>>> + ipa location-add location --description 'My location'
>>>>> +""") + _("""
>>>>> + Delete location:
>>>>> + ipa location-del location
>>>>> +""")
>>>>> +
>>>>> +register = Registry()
>>>>> +
>>>>> +
>>>>> + at register()
>>>>> +class location(LDAPObject):
>>>>> + """
>>>>> + IPA locations
>>>>> + """
>>>>> + container_dn = api.env.container_locations
>>>>> + object_name = _('location')
>>>>> + object_name_plural = _('locations')
>>>>> + object_class = ['ipaLocationObject']
>>>>> + search_attributes = ['idnsName']
>>>>> + default_attributes = [
>>>>> + 'idnsname', 'description'
>>>>> + ]
>>>>> + label = _('IPA Locations')
>>>>> + label_singular = _('IPA Location')
>>>>> +
>>>>> + permission_filter_objectclasses = ['ipaLocationObject']
>>>>> + managed_permissions = {
>>>>> + 'System: Read IPA Locations': {
>>>>> + 'ipapermright': {'read', 'search', 'compare'},
>>>>> + 'ipapermdefaultattr': {
>>>>> + 'objectclass', 'idnsname', 'description',
>>>>> + },
>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>> + },
>>>>> + 'System: Add IPA Locations': {
>>>>> + 'ipapermright': {'add'},
>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>> + },
>>>>> + 'System: Remove IPA Locations': {
>>>>> + 'ipapermright': {'delete'},
>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>> + },
>>>>> + 'System: Modify IPA Locations': {
>>>>> + 'ipapermright': {'write'},
>>>>> + 'ipapermdefaultattr': {
>>>>> + 'description',
>>>>> + },
>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>> + },
>>>>> + }
>>>>> +
>>>>> + takes_params = (
>>>>> + DNSNameParam(
>>>>> + 'idnsname',
>>>>> + cli_name='name',
>>>>> + primary_key=True,
>>>>> + label=_('Location name'),
>>>>> + doc=_('IPA location name'),
>>>>> + # dns name must be relative, we will put it into
>>>>> middle of
>>>>> + # location domain name for location records
>>>>> + only_relative=True,
>>>>> + ),
>>>>> + Str(
>>>>> + 'description?',
>>>>> + label=_('Description'),
>>>>> + doc=_('IPA Location description'),
>>>>> + ),
>>>>> + )
>>>>> +
>>>>> + def get_dn(self, *keys, **options):
>>>>> + loc = keys[-1]
>>>>> + assert isinstance(loc, DNSName)
>>>>> + loc_a = loc.ToASCII()
>>>>> +
>>>>> + return super(location, self).get_dn(loc_a, **options)
>>>>> +
>>>>> +
>>>>> + at register()
>>>>> +class location_add(LDAPCreate):
>>>>> + __doc__ = _('Add a new IPA location.')
>>>>> +
>>>>> + msg_summary = _('Added IPA location "%(value)s"')
>>>>> +
>>>>> +
>>>>> + at register()
>>>>> +class location_del(LDAPDelete):
>>>>> + __doc__ = _('Delete an IPA location.')
>>>>> +
>>>>> + msg_summary = _('Deleted IPA location "%(value)s"')
>>>>> +
>>>>> +
>>>>> + at register()
>>>>> +class location_mod(LDAPUpdate):
>>>>> + __doc__ = _('Modify information about an IPA location .')
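Review bot: In location.get_dn(), "assert isinstance(loc, DNSName)" is the only guard before loc.ToASCII(), and assert statements are skipped when Python runs with -O, so a wrong key type would then surface as an AttributeError instead. If the check is meant to hold at runtime, raise an explicit error; if it only documents what DNSNameParam already guarantees, a comment says that more clearly. Separately, the module __doc__ gives examples for location-find, location-show, location-add and location-del but none for location-mod, although location_mod is registered in this file.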
>>>>
>>>> Typo - redundant ' ' at the end.
>>>>
>>>>
>>>> Conditional NACK, warnings mentioned in
>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>>>> are not there.
>>>>
>>>> I'm open to changing this to ACK if you open a separate ticket for
>>>> this
>>>> omission so we do not forget to add them later on.
>>>
>>> +1
>>>
Done
>>>
>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved to
>>> location_show.post_callback()
>>>
I had to add it to execute because I modify the result entry, not just
entry_attrs
>>>
>>> 2) Before calling super().output_for_cli(), pop 'servers' from
>>> result, so that
>>> it is not displayed with --all.
>>>
>>>
Done
>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I
>>> would like
>>> to reserve --force for "ignore NotFound when deleting the entry",
>>> which is not
>>> the case here.
>>
>> IMHO option is unnecessary. Just delete the location (and unset
>> location from
>> all member servers). The design does not contain --force anyway :-)
>
> OK, that's even better :-)
>
Done
Updated patches attached
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0473.7-DNS-Locations-Always-create-DNS-related-privileges.patch
Type: text/x-patch
Size: 4774 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0474.7-DNS-Locations-add-new-attributes-and-objectclasses.patch
Type: text/x-patch
Size: 4186 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0475.7-DNS-Locations-location-commands.patch
Type: text/x-patch
Size: 12814 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0476.7-DNS-Locations-API-tests.patch
Type: text/x-patch
Size: 9339 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0478.7-Allow-to-use-non-Str-attributes-as-keys-for-members.patch
Type: text/x-patch
Size: 2147 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0479.7-DNS-Locations-extend-server-command-with-locations.patch
Type: text/x-patch
Size: 9387 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0480.7-DNS-Location-location-show-return-list-of-servers-in.patch
Type: text/x-patch
Size: 8590 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0481.7-DNS-Locations-when-removing-location-remove-it-from-.patch
Type: text/x-patch
Size: 1859 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0482.7-DNS-Locations-extend-tests-with-server-commands.patch
Type: text/x-patch
Size: 13761 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160602/8ff4b10f/attachment-0008.bin>