<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Petr,<br>
<br>
thanks for the review, your input is, as always, much to the point.<br>
<br>
My responses are inline. Also, I'm attaching a new patchset, rebased
on master, please, have a look at that.<br>
<br>
Most of the patches have at least minor changes, since I rebased
another ~15 patches into this patchset, and there are additional 9
patches on top. Patch 254 was deprecated, as we decided to go with
more explicit way of having two separate commands for user and group
ID overrides.<br>
<br>
Also, the test suite (around 80 tests) for ID views is attached -
patch 270. It depends on patch 269, sent in separate thread.<br>
<br>
Tomas<br>
<br>
<div class="moz-cite-prefix">On 09/10/2014 03:10 PM, Petr Viktorin
wrote:<br>
</div>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">On
08/01/2014 12:30 PM, Tomas Babej wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
the following set of patches implements the ID view creation and
<br>
management of views and ID overrides in IPA.
<br>
<br>
Pending questions:
<br>
1.) The patch 253 implements basic managed permissions for ID
views and
<br>
ID overrides. Do we want to have a separate permission for
assigning ID
<br>
views?
<br>
2.) Performance: idview-apply command takes ~100 seconds for
hostgroups
<br>
with 1000 member hosts. I am able to lower that by 20-30% using
raw ldap
<br>
calls, is bypassing the framework worth the performance gain?
We'll lose
<br>
the possiblity to hook on exception callbacks.
<br>
<br>
The commands also need more helpful documentation, I am working
on that.
<br>
<br>
</blockquote>
<br>
Not tested yet, but here are my comments on the patches:
<br>
<br>
0247:
<br>
The change to copy-schema-to-ca is not necessary. This is only
used for servers installed with Dogtag 9; for such installs new
schema is added online (to 99-user.ldif), so it will be replicated
to the CA DS correctly.
<br>
</blockquote>
<br>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>
Removed.</p>
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
Did you register the new OIDs?
<br>
</blockquote>
<br>
Yep.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0248-0249 look good
<br>
<br>
0250:
<br>
With so many names imported from one module, I find it more
readable to `from ipalib.plugins import baseldap`, and use
qualified names later. Same in the 2 other patches.
<br>
This is personal preference/tip, feel free to disagree :)
<br>
</blockquote>
<br>
I was just trying to be consistent here, rest of the IPA plugins
seem to use non-qualified names for plugins. Even tough the main
reason is probably that thay use evil star imports :) Let's keep it
this way for now.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0521:
<br>
Could you also kill the backslash in _hostname_validator?
<br>
</blockquote>
Done.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0252:
<br>
Typo in __doc__, should be "This functionality is primarily used"…
<br>
<br>
</blockquote>
Done.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">{idview,idoverride}.takes_params:
flags needs to be a set -- here you've specified 11 single-letter
flags. (Don't we all love Python's iterable strings.)
<br>
</blockquote>
<br>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>
No longer applies.</p>
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
Only one `ipa help` topic will be created for idview and
idoverride. Is that intended?
<br>
</blockquote>
<br>
Yes, but the documentation needs to be extended, making a note so
that we don't forget that.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
The pattern_errmsg in idoverride's uid should be expanded to fully
describe the pattern.
<br>
</blockquote>
<br>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>
If we want to expand it, then it should be corrected in user.py
plugin too (I have taken it from there). Still, it's a tradeoff
between conciseness and and exactness, do we really want to
specify that user login may be at most 253 letters long or the $
character may only be used as terminal one? Or the fact that -
can't be used at the beggining? This is probably the way it was
since forever in user plugin.<br>
</p>
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0253 looks good
<br>
<br>
0254:
<br>
The DN refactoring is done; I don't think the asserts in
pre_callbacks are necessary any more.
<br>
</blockquote>
<br>
Fixed in other places. BTW, I killed this patch.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0258:
<br>
idview_apply: typo in hostgroup doc, should be "hosts to apply the
ID view to" and "after running the idview-apply command".
<br>
Typos in output params, should be e.g. "this ID view"
<br>
</blockquote>
<br>
Fixed the second and third complaint ( IMHO this is clear from
context, but I added "this" to be explicit), I'm not so sure about
the first one though. Can we get a native speaker input on that?<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
idview_apply.execute: Is there a reason for calling idview_show
instead of get_dn_if_exists?
<br>
</blockquote>
Fixed.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
idview_apply.execute:
<br>
failed['hostgroup'].append((hostgroup, str(e))) -- str(e) doesn't
include the name of the exception, which is usually important
<br>
</blockquote>
<br>
Fixed.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
Calling a Command (here, host_mod) from another Command is, at the
very least, quite slow, with all the validation and detailed
output. It's also a debugging nightmare when things go wrong. And
the _exc_wrapper is an even worse debugging nightmare.
<br>
If you need some functionality in the host plugin that you need,
put it in a function and call that. Otherwise use ldap directly.
<br>
<br>
Do we have some precedent for the 'No host was affected.' message?
Consumers of the JSON API shouldn't need to cpecial-case this
string.
<br>
</blockquote>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>
I don't think so, this was just me being over user-friendly. I
think we can remove it, and I have done so.</p>
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
By subclassing idview_unapply from idview_apply you're violating
Liskov's substitution principle. Make a common base class for
them.
<br>
</blockquote>
<br>
Done.<br>
<br>
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
0259:
<br>
show_id_overrides: cn is a MUST attribute in ipa*Override; use
view.single_value['cn'] instead of get(). In enumerate_hosts, is
None okay if cn is missing?
<br>
</blockquote>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>
This was actually an error, fixed in updated version of patches.
New code uses 'ipaanchoruuid' (which is a MUST) and converts it
(with your objections addressed.)<br>
</p>
<br>
As for the hosts, the 'cn' attribute is required by the nsHost
objectclass.
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<meta name="Description" content="Copy-Paste Buffer">
<meta name="Generator" content="Zim">
<blockquote cite="mid:54104DE3.2050309@redhat.com" type="cite">
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org </pre>
</body>
</html>