[Freeipa-devel] [PATCH] External group membership for trusted domains
Martin Kosek
mkosek at redhat.com
Wed Jun 27 11:37:59 UTC 2012
On 06/27/2012 01:34 PM, Petr Viktorin wrote:
> On 06/27/2012 12:36 PM, Sumit Bose wrote:
>> On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote:
>>> On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
>>>> On Mon, 25 Jun 2012, Sumit Bose wrote:
>>>>> Hi Alexander,
>>>>>
>>>>> On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>>>>>> Hi!
>>>>>>
>>>>>> Attached is the patch to support external group membership for trusted
>>>>>> domains. This is needed to get proper group membership with the work
>>>>>> Sumit and Jan are doing on both IPA and SSSD sides.
>>>>>>
>>>>>> We already have ipaExternalGroup class that includes ipaExternalMember
>>>>>> attribute (multivalued case-insensitive string). The group that has
>>>>>> ipaExternalGroup object class will have to be non-POSIX and
>>>>>> ipaExternalMember
>>>>>> attribute will contain security identifiers (SIDs) of members from
>>>>>> trusted domains.
>>>>>>
>>>>>> The patch takes care of three things:
>>>>>> 1. Extends 'ipa group-add' with --external option to add
>>>>>> ipaExternalGroup object class to a new group
>>>>>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument
>>>>>> to specify SIDs
>>>>>> 3. Modifies 'ipa group-del-member' to allow removing external members.
>>>>>
>>>>> thank you for the patch, it works as expected, but I have a few
>>>>> comments:
>>>>>
>>>>> - there is a trailing whitespace at the end of the "This means we can't
>>>>> check the correctness of a trusted domain SIDs" line
>>>>> - when using ipa group-add-member with --external there are still prompt
>>>>> for [member user] and [member group], can those be suppressed?
>>>>> - with ipa group-mod --posix it is possible to add the posxiGroup
>>>>> objectclass together with a GID to the extern group object. This
>>>>> should result in an error and also the other way round, adding
>>>>> --external to Posix groups.
>>>> Updated patch is attached. It fixes whitespace and group-mod.
>>> New revision.
>>
>> Thank you. This version works well in my tests, so ACK.
>>
>> It would be nice if someone can have a short look at the changes to
>> baseldap.py to see if there are any unexpected side effects.
>>
>> bye,
>> Sumit
>>
>
>
> I'm concerned about this:
>
> membername = entry[0].lower()
> member_dn = api.Object[membertype].get_dn(membername)
> if membername not in external_entries and \
> + entry[0] not in external_entries and \
> member_dn not in members:
>
> Do you want to do a case-insensitive compare here? In that case it would be
> better to do:
>
> lowercase_external_entries = set(e.lower() for e in external_entries)
> if membername not in lowercase_external_entries ...
>
> instead of comparing the lowercased entry and the entry itself to the original
> list.
> The `in` operator is also faster on a set.
> You should also update the `elif membername in external_entries` block below
> this one.
> There's a similar situation in remove_external_post_callback.
>
> Anyway, if you ran into a situation where the `entry[0] not in
> external_entries` check is needed, there should be a test for it.
>
>
> I think something is rotten with add_external_post_callback: it's defined as
> add_external_post_callback(... *keys, **options), but invariably called as
> add_external_post_callback(... keys, options). That existed before the patch,
> though, so I guess it warrants a separate ticket.
>
>
> I also have a few obligatory style nitpicks.
>
> For line continuation, instead of backslashes:
>
> if membername not in external_entries and \
> entry[0] not in external_entries and \
> member_dn not in members:
>
> we prefer parentheses:
>
> if (membername not in external_entries and
> entry[0] not in external_entries and
> member_dn not in members):
>
> Instead of:
>
> normalize = True
> if 'external_callback_normalize' in options:
> normalize = options['external_callback_normalize']
>
> you can use:
>
> options.get('external_callback_normalize', True)
>
> And in group.py:
>
> - 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
> - 'sudorule'],
> + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
>
> Our style guide limits lines to 80 characters. Not much of IPA follows that
> rule currently, but I don't see a reason for a change that *only* breaks the rule.
>
I also miss test cases for the new functionality. New exceptions were added,
behavior was changed - we need to cover this in our unit tests.
Martin
More information about the Freeipa-devel
mailing list