[Freeipa-devel] [PATCHES] 0322-0327 New permissions system

Petr Viktorin pviktori at redhat.com
Sun Dec 1 22:46:46 UTC 2013


This seems to work now. Please tell me what I missed.

Design: http://www.freeipa.org/page/V3/Permissions_V2
Ticket: https://fedorahosted.org/freeipa/ticket/4034


0322 Allow sets for initialization of frozenset-typed Param keywords
because my OCD compels me to use sets instead of lists when the order 
does not matter.


0323 Allow Declarative test classes to specify the API version
For the next patch, I want to test how the rewrite handles old clients. 
To make that easy I made the default API version a testclass attribute.


0324 Add tests for permission plugin with older clients
These tests will not pass yet, but comparing this file with the old 
test_permission_plugin.py can serve as a nice summary of API 
changes. A summary of the summary:
- Lots of new attributes will be added for output
- The `type` and `subtree` options now interact in a different way: 
setting one affects the other. Same with `type`/`filter` and 
`memberof`/`targetfilter`. (Some change here was necessary for 
https://fedorahosted.org/freeipa/ticket/2355)
- Validation will be stricter (and/or done in different order)
- Some error messages will change (hopefully for the better)
- `subtree` must now point to an existing entry
- Permission names may now contain '.' (this is to allow names of DNS 
permissions that were previously internal)

P.S. a handy command for listing the changes (once this patch is applied):
git diff ipa-3-3:ipatests/test_xmlrpc/test_permission_plugin.py ipatests/test_xmlrpc/test_old_permission_plugin.py


0325 Add new permission schema
Introducing the new OIDs


0326 Rewrite the Permission plugin
See the design for what this does.

The new permission plugin does not use aci plugin at all. The plan is to 
retire the aci plugin when the time comes to also refactor delegation & 
selfservice.
It does use ipalib's ACI class, mainly for parsing (needed for 
upgrading/showing old ACIs).

The permission-find command is a bit faster than the old one, but still 
painfully slow (5s instead of 7s on my box). The good news is that it 
now scales with the number of *old* permissions, so as you upgrade it'll 
get faster.

Tests are updated, including privilege and DNS tests that worked with 
permissions.


0327 Verify ACIs are added correctly in tests
Right after saying I want to get rid of it, I found a new use for the 
aci plugin: a tested code path for getting at ACIs (Declarative tests 
can only use the API, they don't play well with LDAP connections).
Now we can be sure the ACIs are actually changed when we play with 
permissions.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0322-Allow-sets-for-initialization-of-frozenset-typed-Par.patch
Type: text/x-patch
Size: 1154 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0323-Allow-Declarative-test-classes-to-specify-the-API-ve.patch
Type: text/x-patch
Size: 1268 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0324-Add-tests-for-permission-plugin-with-older-clients.patch
Type: text/x-patch
Size: 44630 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0325-Add-new-permission-schema.patch
Type: text/x-patch
Size: 4364 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0326-Rewrite-the-Permission-plugin.patch
Type: text/x-patch
Size: 136117 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0327-Verify-ACIs-are-added-correctly-in-tests.patch
Type: text/x-patch
Size: 20000 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131201/fd32059f/attachment-0005.bin>

