[Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb
thierry bordaz
tbordaz at redhat.com
Tue Sep 2 09:40:04 UTC 2014
On 09/01/2014 01:08 PM, Petr Viktorin wrote:
> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>> Hi,
>>
>> The attached patch is related to 'User Life Cycle'
>> (https://fedorahosted.org/freeipa/ticket/3813)
>>
>> It creates a stageuser plugin with a first function stageuser-add. Stage
>> user entries are provisioned under 'cn=staged
>> users,cn=accounts,cn=provisioning,SUFFIX'.
>>
>> Thanks
>> thierry
>
> Avoid `from ipalib.plugins.baseldap import *` in new code; instead
> import the module itself and use e.g. `baseldap.LDAPObject`.
>
> The stageuser help (docstring) is copied from the user plugin, and
> discusses things like account lockout and disabling users. It should
> rather explain what stageuser itself does. (And I don't very much like
> the Note about the interface being badly designed...)
> Also decide if the docs should call it "staged user" or "stage user"
> or "stageuser".
Hello Petr,
Thanks for your review.
I will rewrite the docstring to be only staged user related and I
will adopt 'stage user' and 'stageuser'.
About the interface, that is correct that I was not able to find a
good solution.
I need to add a 'stageuser' I use 'stageuser-add' and '--first' and
'--last' are required.
Now when a user got deleted ('user-del') and is later move to 'stage
user' it also use the command line 'stageuser-add'.
At this time the delete user is know/found by it 'user login'/uid.
So '--first' and '--last' are not required to find it (can be used
to check givenname/sn).
Now I do not expect that 'stageuser-add' will be frequently used to
move a Delete user to Stage user, so it is not a so painful constraint.
>
> A lot of the code is copied and pasted over from the users plugin.
> Don't do that. Either import things (e.g. validate_nsaccountlock) from
> the users plugin, or move the reused code into a shared module.
>
> For the `user` object, since so much is the same, it might be best to
> create a common base class for user and stageuser; and similarly for
> the Command plugins.
I agree that user and stageuser have a lot of code in common. So it
would be beneficial to have a common base class. Is it ok to put
this in a file under freeipa/ipalib ? About the name of this class,
what about 'accounts' or 'user_accounts' ?
What do you mean by 'similarly for Command plugins' ?. If I create,
for example, a freeipa/ipalib/accounts.py containing all the common
code for 'user' and 'stageuser'. Then import it into
freeipa/ipalib/plugins/user and freeipa/ipalib/plugins/stageuser I
believe it will refactore the 'Command plugins'.
>
> The default permissions need different names, and you don't need
> another copy of the 'non_object' ones. Also, run the makeaci script.
Ok. I will update the names. 'non_object' is not clear to me, what does
this exactly mean when a managed_permission has 'non_object' True.
In update_managed_permissions.py it is said that if True, it target a
defaults value. But on the other side, the managed permissions also
define 'ipapermtarget' (like ipauser or UPG)
many thanks Petr
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140902/ae138241/attachment.htm>
More information about the Freeipa-devel
mailing list