[Freeipa-devel] [PATCH] Resolve SIDs in Web UI

Martin Kosek mkosek at redhat.com
Mon May 6 15:55:35 UTC 2013 

On 05/06/2013 01:28 PM, Martin Kosek wrote:
> On 05/04/2013 07:13 AM, Alexander Bokovoy wrote:
>> On Fri, 03 May 2013, Sumit Bose wrote:
>>> On Fri, May 03, 2013 at 09:46:47PM +0300, Alexander Bokovoy wrote:
>>>> Hi!
>>>>
>>>> Attached are patches to allow resolving SIDs in Web UI in external
>>>> membership panel for groups. Please see more detailed description in the
>>>> main patch.
>>>>
>>>> I haven't rebased it yet on top of Petr's Web UI rework, hopefully it
>>>> should be simple.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3302
>>>>
>>>> Since framework doesn't allow to hide commands from CLI, underlying
>>>> command is usable from CLI too:
>>>> # ipa trust-resolve
>>>> --sids=S-1-5-21-3502988750-125904550-3683905862-{500,512,498}
>>>>  Name: enterprise read-only domain controllers at ad.lan
>>>>  SID: S-1-5-21-3502988750-125904550-3683905862-498
>>>>
>>>>  Name: administrator at ad.lan
>>>>  SID: S-1-5-21-3502988750-125904550-3683905862-500
>>>>
>>>>  Name: domain admins at ad.lan
>>>>  SID: S-1-5-21-3502988750-125904550-3683905862-512
>>>>
>>>> -- 
>>>> / Alexander Bokovoy
>>>> +        try:
>>>> +            sids = map(lambda x: str(x), options['sids'])
>>>> +            xlate = pysss_nss_idmap.getnamebysid(sids)
>>>
>>> The latest version, which is already committed to sssd, return a dict.
>>> The output of ipa trust-resolve now look like:
>>>
>>> [root at ipa18-devel ~]# ipa trust-resolve
>>> --sids=S-1-5-21-3090815309-2627318493-3395719201-{498,500,513}
>>>  Name: {'type': 3, 'name': u'administrator at ad18.ipa18.devel'}
>>>  SID: S-1-5-21-3090815309-2627318493-3395719201-500
>>>
>>>  Name: {'type': 2, 'name': u'enterprise read-only domain
>>> controllers at ad18.ipa18.devel'}
>>>  SID: S-1-5-21-3090815309-2627318493-3395719201-498
>>>
>>>  Name: {'type': 2, 'name': u'domain users at ad18.ipa18.devel'}
>>>  SID: S-1-5-21-3090815309-2627318493-3395719201-513
>>>
>>>> +            for sid in xlate:
>>>> +           entry = dict()
>>>> +               entry['sid'] = [unicode(sid)]
>>>> +               entry['name'] = [unicode(xlate[sid])]
>>>
>>> I think you need  entry['name'] =
>>> [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
>>> here.
>> Fixed, thanks!
>> I also added type conversion to a text (user, group, both). The type is not
>> shown by default
>> in CLI but is available through --all option. We might consider using it
>> in Web UI for visual hint about the name nature.
>>
>>> I tried with firefox, but the SIDs of the external members are not
>>> resolved. Do I have to clean any firefox cache?
>> No, you do not. When picking up changes from my development VM, I
>> omitted one chunk in group.js where sid_facet was actually taken in use.
>> Without that one nothing is used.
>>
>> Updated patch 0103 is attached, tested against sssd in ipa-devel repo
>> which already includes your patches.
>>
> 
> Thanks for the patch! Still, I have few comments:
> 
> 1) Exception should be raised instead of returning empty result:
> 
> +        if not _nss_idmap_installed:
> +            return dict(result=result)
> 
> Otherwise people will be confused what's wrong.
> 
> 2) Why do we hide error raised in SID processing code?
> 
> ...
> +        except ValueError, e:
> +            pass
> ...
> 
> I think that the try-catch should be as localized possible, ideally in the FOR
> loop. If processing of the second SID out of 10 fails, just one SID would be
> return, with no additional error. People will be confused what's wrong:
> 
> # ipa trust-resolve --sids S-1-5-21-3035198329-144811719-1378114514-500
> #
> 
> This does not really tell me what's wrong.
> 
> Could we rather return all requested SIDs either with a proper result or with a
> respective error? This is how I would image the translation to look like:
> 
> ...
> try:
>     sids = map(lambda x: str(x), options['sids'])
>     xlate = pysss_nss_idmap.getnamebysid(sids)
> except SomeError, e:
>     raise SomeException(e)
> 
> for sid in xlate:
>     entry = dict()
>     entry['sid'] = ...
>     try:
>         name = ...
>         type = ...
>         entry['name'], entry['type'] = name, type
>     except SomeError, e:
>         entry['failedtranslation'] = unicode(e)
>     results.append(entry)
> ...
> 
> 
> I filed ticket for SSSD part of the issue:
> https://fedorahosted.org/sssd/ticket/1911
> 
> 3) Tab/Space indentation mix:
> 
> +            for sid in xlate:
> +	       entry = dict()
> +               entry['sid'] = [unicode(sid)]
> 
> 
> 4) Unneeded import:
>  from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object
> +from types import NoneType
>  from ipalib.parameters import Enu
> 
> 
> Martin
> 

As Alexander is not here ATM, sending updated patch based on current master
branch (with Web UI refactoring) which also includes few squashes:
- fix for my point 3)
- fix for my point 4)
- squashed Petr Vobornik's Web UI cleanups

I tested it and it worked fine. As for the points 1) and 2) I will file a
ticket, these are not critical.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-abbra-0103-2-Resolve-SIDs-in-Web-UI.patch
Type: text/x-patch
Size: 9928 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130506/700a9227/attachment.bin>

More information about the Freeipa-devel mailing list