Re: [Freeipa-devel] [QE] Test categorization into tiers and acceptance testing - tagging proposals

2015-04-01 Thread Martin Kosek
On 03/31/2015 02:47 PM, Martin Koci wrote:
 Hi all,
 I'd like to open discussion on test categorization into tiers and
 acceptance testing, and on test tagging, which should help us to
 accomplish the following goals:
 
 1) Acceptance test - other FreeIPA partner projects (389/DS/PKI) should
 be able to have an Acceptance test that would run basic *stable* test
 suite that would check if anything significant broke. It should be fast
 enough so that the projects can run it in a Jenkins CI after commits.
 
 If we also have tags @dogtag or @sssd, the projects could simply run
 just the tests affecting the projects - faster execution.
 
 2) FreeIPA test run optimization. Currently, all FreeIPA tests are
 running when a new commit is pushed. This takes a lot of resources. It would
 be nice to at least be able to NOT run Tier 2 tests if Tier1 tests are
 failing. Or it would be nice to not run some very expensive tests after
 each commit, but maybe once per day/week.
 
 *TIERS*
 So after discussions with a couple of developers and QEs we have created
 and summarized the following proposal for sorting current IPA tests into
 tiers. 
 
 Currently used tests reside in freeipa/ipatests. From these the only
 unit tests (tier 0 candidate) are test_{ipalib,ipapython} with the
 exception of test_ipalib/test_rpc.py which requires kerberos.
 
 The rest of the tests either require ipa/lite-server or are
 integration tests. These (the majority: XML-RPC, UI
 tests, ...) then fall under the definition of Tier 1 tests, as they
 require at least a running IPA instance and an admin TGT.
 
 As for the tagging of the test cases, pytest's capabilities can be used
 [2]. Though pytest.mark currently does not work with declarative tests
 (it marks all of them), when the test is an ordinary function/method the
 marking works as expected. The declarative tests could be rewritten in
 the future to more pytest specific form, e.g.
 test_xmlrpc/test_host_plugin.py
 
 Official guideline for this categorization will be created on the
 upstream wiki once we agree on that. 
 
 
 *ACCEPTANCE TESTING*
 As for the acceptance testing, similar to the `Test categorization into
 tiers` (1) proposal, there is a need to define a subset of freeipa tests
 that could be run by other projects or users to find out whether or not
 their changes (e.g. new build, feature) work with IPA.
 
 This run could be composed from tier {0,1} execution followed by a
 subset of integration tests test cases. The proposed mechanism for this
 is the same as in [4], using pytest.mark to select the classes/tests to
 run in this context.
 
 What I'd like to ask you here is to share any ideas on the form of the
 acceptance run as well as to help me identify the areas (and tests) that
 are considered important and should be a part of this test set.
 
 *TAGGING* 
 Tagging the actual test classes with the pytest decorator
 (http://pytest.org/latest/mark.html) would be better than letting
 developers manually maintain lists of tests for different projects. The
 benefit of a pytest mark kept in the code is that whatever we do with the
 test class (rename, move, merge), the tag goes with it; no extra list
 needs to be maintained.
 
 As for tagging itself, the original idea which Martin Kosek was
 proposing was to use just the acceptance tag for marking the base T2
 tests that would be part of FreeIPA acceptance tests.
 
 However, it seems there is a value in tagging the tests that exercise
 also certain sub-component of FreeIPA - SSSD, Dogtag. As long as we do
 not get too wild with the tags, it should be OK. 
 
 So we could agree on the following tags:
 - tier0, tier1, tier2
 - acceptance
 - sssd
 - dogtag
 
 This would lead to e.g.
 
 @pytest.mark.dogtag
 @pytest.mark.acceptance
 @pytest.mark.tier2
 class TestExternalCA(IntegrationTest):
 ...
 
 or simpler
 
 @dogtag
 @acceptance
 @tier2
 class TestExternalCA(IntegrationTest):
 
 Hope it's not too long and that it makes sense. 

It makes a lot of sense to me (it should, since I contributed to this proposal
too). So I will be looking forward to other developers' thoughts on this.

If there are no objections, we could start with the actual patches and have
them properly reviewed.

 Can I get your thoughts on this, please?
 Thank you.
 
 Regards,
 /koca
 
 *[1] - https://fedorahosted.org/freeipa/ticket/4922
 *[2] - http://pytest.org/latest/mark.html

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [RFC] COPR drop support for old distribution

2015-04-01 Thread Lukas Slebodnik
ehlo,

CentOS 7.1 was finally released[1]. Yupi.
Fedora 21 was released[2] a few months ago.

People can use FreeIPA 4.1 without any problem.

So there's no more reason to maintain COPR repositories for older
distributions. It will significantly reduce extra dependencies in repositories.

It would be better to focus on backporting FreeIPA 4.2 in COPR.
I know it has not been released yet.

LS

[1] http://lists.centos.org/pipermail/centos-announce/2015-April/021010.html
[2] https://fedoraproject.org/wiki/Releases/21/Schedule



Re: [Freeipa-devel] [PATCH] webui: use no_members option in entity select search

2015-04-01 Thread Martin Babinsky

On 03/31/2015 04:16 PM, Petr Vobornik wrote:

Obtaining member information for entity selects is not needed and it
causes unwanted performance hit, especially with larger groups.

This patch removes it.

https://fedorahosted.org/freeipa/ticket/4948




Works as expected and the speedup is substantial (ca 10x faster lookup 
of default group in user group rules for 16 groups with 100 members each).


ACK.

--
Martin^3 Babinsky



Re: [Freeipa-devel] One-way trust design

2015-04-01 Thread Jakub Hrozek
Thank you, the design page reads well to me. I had a short chat with
Alexander where we cleared up some confusion.

On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
 == New design ==
 In order to support one-way trust to Active Directory, we need to switch
 SSSD in IPA master mode to use TDO credentials when resolving AD users
 and groups. This is a high level description of the design, and majority
 of work to allow the switch will be done by SSSD team. Corresponding
 ticket tracker on SSSD side is
 [https://fedorahosted.org/sssd/ticket/2579 ticket 2579], the text below
 is an overview of the design.
 
 On each IPA master SSSD runs in IPA master mode. This mode means that
 in case of existing trust to AD forest, SSSD will directly resolve AD
 users and groups against Active Directory Domain Controllers. To perform
 user/group resolution, SSSD needs to authenticate against AD LDAP
 servers and it does so using Kerberos authentication based on a
 host/ipa.master@IPA.REALM service ticket. The ticket towards AD LDAP
 services is issued by FreeIPA KDC with the help of cross-realm trust
 credentials.
 
 For one-way trust SSSD cannot use this approach because Active Directory
 Domain Controllers do not trust FreeIPA realm and, therefore, no
 cross-realm trust credentials exist in AD for FreeIPA realm. However,
 SSSD can use TDO object which always exists in AD for the trusting
 domain (cross-forest trust is done by forest root domains' trust). This
 means the ticket SSSD would need to request belongs to a different realm
 (AD forest root realm) rather than to FreeIPA realm.
 
 As FreeIPA supports multiple trusts to separate Active Directory
 forests, a support for multiple separate tickets is required. SSSD will
 need to gain ability to use different credentials caches to store TDO
 tickets and use different keytabs with TDO credentials to obtain the
 ticket from an Active Directory Domain Controllers.
 
 In order to separate privilege access, FreeIPA masters have to provide
 keytabs for SSSD running on IPA masters, one keytab per trusted AD
 forest, so that SSSD could request the keys when required.

I will experiment with retrieving keytabs manually for now to simulate
this part, then I'll write up a more detailed design on how to handle
the one-way trusts.

 
 Additionally, FreeIPA management framework will need to change its
 defaults from producing a two-way trust to a one-way trust. Two-way
 trust will be added back when support for Global Catalog service will be
 added so that Active Directory resources could be properly accessed and
 access to them discretionally granted to FreeIPA users and groups.



[Freeipa-devel] [PATCH 0026] ipa-server-install: deprecate manual setting of master KDC password

2015-04-01 Thread Martin Babinsky

https://fedorahosted.org/freeipa/ticket/4516

--
Martin^3 Babinsky
From 4237d0d11ab6fd34d066dba3f3d72bfa8c8a52d8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Tue, 31 Mar 2015 10:02:52 +0200
Subject: [PATCH] ipa-server-install: deprecate manual setting of master KDC
 password

Option '-P' was used in older version of FreeIPA to set up KDC master password
during server install. This is no longer necessary or desirable since the
password of sufficient strength can be generated automatically during
installation.

https://fedorahosted.org/freeipa/ticket/4516
---
 install/tools/ipa-server-install   | 8 +++-
 install/tools/man/ipa-server-install.1 | 8 +---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 56a43770d95387762bce09634bd1056ba7f20576..9f237b8fcd9d21604b3ef4e0ada0e5427cd0e162 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -167,7 +167,7 @@ def parse_options():
   sensitive=True, help=Directory Manager password)
 basic_group.add_option(-P, --master-password,
   dest=master_password, sensitive=True,
-  help=kerberos master password (normally autogenerated))
+  help=SUPPRESS_HELP)
 basic_group.add_option(-a, --admin-password,
   sensitive=True, dest=admin_password,
   help=admin user kerberos password)
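Review bot: `SUPPRESS_HELP` is used for the `-P/--master-password` option in this hunk but no import is added; confirm that `from optparse import SUPPRESS_HELP` (or the equivalent for the option-parser module ipa-server-install uses) is already present, otherwise the script fails before it parses a single option. Note also that the option is only hidden, not disabled: `dest=master_password` is unchanged, so a value passed with `-P` still takes effect, which the man page wording in the same patch should reflect.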
@@ -697,6 +697,12 @@ def main():
 signal.signal(signal.SIGTERM, signal_handler)
 signal.signal(signal.SIGINT, signal_handler)
 
+if options.master_password:
+msg = (WARNING:\noption '-P/--master-password' is deprecated. 
+   KDC master password of sufficient strength is autogenerated 
+   during IPA server installation and should not be set 
+   manually.)
+print textwrap.fill(msg, width=79, replace_whitespace=False)
 if options.uninstall:
 uninstalling = True
 standard_logging_setup(paths.IPASERVER_UNINSTALL_LOG, debug=options.debug)
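Review bot: the deprecation warning sits before the `if options.uninstall:` branch, so `ipa-server-install --uninstall -P ...` prints it as well, and it is written with a bare `print` before `standard_logging_setup()` runs, so it never reaches the install log; consider moving the check after logging setup and emitting it through the script's logger too, so unattended runs keep a record. The hunk also calls `textwrap.fill` without adding an import; verify `textwrap` is already imported at the top of the script.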
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index e5224b110b136cbf56bf82887709a46880f22e89..1eaed72119a9cd2f9876d3dc3c4a662782c18a36 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -36,9 +36,6 @@ Your DNS domain name
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
 The password to be used by the Directory Server for the Directory Manager user
 .TP
-\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
-The kerberos master password (normally autogenerated)
-.TP
 \fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
 The password for the IPA admin user
 .TP
@@ -176,6 +173,11 @@ Uninstall an existing IPA installation
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended uninstallation that will never prompt for user input
 
+.SH DEPRECATED OPTIONS
+.TP
+\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
+The kerberos master password (normally autogenerated).
+
 .SH EXIT STATUS
 0 if the (un)installation was successful
 
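Review bot: the new DEPRECATED OPTIONS entry repeats the old one-line text "The kerberos master password (normally autogenerated)." and does not say what deprecated means here; state that the option is deprecated, that a warning is printed when it is given, and whether the supplied value is still used, so the man page matches the message added to main() in this patch.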
-- 
2.1.0


[Freeipa-devel] [PATCH] 0004 User life cycle: support of MODRDN to a new superior

2015-04-01 Thread thierry bordaz

Hello,

   In the user life cycle, active entries are moved to the Delete container and
   deleted entries can be moved back to the Staging container.
   This requires an LDAP modrdn with a new superior, which is not supported
   in ldap2.

   thanks
   thierry

From 7206c9dd84402c15d7a6a0a64eb404426c5385b5 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Wed, 1 Apr 2015 16:42:43 +0200
Subject: [PATCH 7/7] User life cycle: allows MODRDN from ldap2

MODRDN allows moving an entry to a new superior.
This function is needed from the ldap2 class

Reviewed By:

https://fedorahosted.org/freeipa/ticket/3813
---
 ipapython/ipaldap.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index ce07006eb790c80fd42bd6eb611732ce9000db13..a16d0dc839c9e4720cb2b88d2e056be8a7fb9c70 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -581,6 +581,9 @@ class IPASimpleLDAPObject(object):
 dn = str(dn)
 assert isinstance(newrdn, (DN, RDN))
 newrdn = str(newrdn)
+if newsuperior:
+assert isinstance(newsuperior, DN)
+newsuperior = str(newsuperior)
 return self.conn.rename_s(dn, newrdn, newsuperior, delold)
 
 def result(self, msgid=ldap.RES_ANY, all=1, timeout=None):
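Review bot: `if newsuperior:` tests the truthiness of the DN object rather than its presence, so an empty `DN()` would be forwarded to `rename_s` unconverted while only `None` should skip the conversion; use `if newsuperior is not None:` and keep the `assert isinstance(newsuperior, DN)` inside that branch.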
@@ -1610,6 +1613,29 @@ class LDAPClient(object):
 self.conn.rename_s(dn, new_rdn, delold=int(del_old))
 time.sleep(.3)  # Give memberOf plugin a chance to work
 
+def move_entry_newsuperior(self, dn, new_rdn, new_superior=None, del_old=True):
+
+Move entry to a new superior and update entry's relative distinguished name.
+
+Keyword arguments:
+new_superior -- superior where the entry is moved
+del_old -- delete old RDN value (default True)
+
+:raises:
+errors.NotFound if new_superior doesn't exist
+errors.EmptyModlist if no new_superior and RDN is not changed
+
+assert isinstance(dn, DN)
+assert isinstance(new_rdn, RDN)
+if new_superior:
+assert isinstance(new_superior, DN)
+self.find_entries(filter=None, attrs_list=['dn'], base_dn=new_superior, scope=self.SCOPE_BASE)
+with self.error_handler():
+self.conn.rename_s(dn, new_rdn, newsuperior=new_superior, delold=int(del_old))
+time.sleep(.3)  # Give memberOf plugin a chance to work
+else:
+self.update_entry_rdn(dn, new_rdn, del_old=del_old)
+
 def update_entry(self, entry, entry_attrs=None):
 Update entry's attributes.
 
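Review bot: `move_entry_newsuperior` duplicates the body of `update_entry_rdn` directly above it (the `rename_s` call inside `error_handler()` and the `time.sleep(.3)` memberOf workaround) and then falls back to `update_entry_rdn` when `new_superior` is None; adding an optional `new_superior=None` parameter to `update_entry_rdn` and passing it through as `newsuperior=new_superior` would give one code path and one copy of the sleep. The `find_entries(filter=None, ..., base_dn=new_superior, scope=self.SCOPE_BASE)` pre-check is a separate round trip that cannot stop the target from disappearing before the rename, so the rename inside `error_handler()` has to cope with a missing superior anyway; if it already maps that case to `errors.NotFound`, the pre-check only adds latency. Also, "Reviewed By:" in the commit message is empty.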
-- 
1.7.11.7


Re: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation

2015-04-01 Thread Petr Spacek
On 31.3.2015 12:11, Petr Vobornik wrote:
 The major change is that DN is no longer internally composed of RDNs and AVAs
 but it rather keeps the data in open ldap format - the same as output of
 str2dn function. Therefore, for immutable DNs, no other transformations are
 required on instantiation.

Note: I guess that this is a python-ldap format rather than OpenLDAP format.

It would be handy to fix commands for further generations to save them some
banging with their heads against a wall of confusion.

-- 
Petr^2 Spacek



[Freeipa-devel] [PATCH 0223] Fix ldap2 do not create shared instance by default

2015-04-01 Thread Martin Basti
Since API is not singleton anymore, ldap2 instance should not be shared 
between all APIs.


Patch attached.

--
Martin Basti

From 5add879b420b6d73a1de63a933073c3659efc9aa Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 25 Mar 2015 15:34:16 +0100
Subject: [PATCH] Fix ldap2 shared instance

Since API is not singleton anymore, ldap2 connections should not be
shared by default.
---
 ipalib/backend.py|  2 +-
 ipaserver/plugins/ldap2.py   |  2 +-
 ipatests/test_ipalib/test_backend.py | 12 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipalib/backend.py b/ipalib/backend.py
index 4c1001d4d47613537b64c314a2d22769a27f4c69..fcbbd254afc797019e9ea63214b1ee034b8c13f8 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -46,7 +46,7 @@ class Connectible(Backend):
 `request.destroy_context()` can properly close all open connections.
 
 
-def __init__(self, shared_instance=True):
+def __init__(self, shared_instance=False):
 Backend.__init__(self)
 if shared_instance:
 self.id = self.name
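Review bot: the class docstring just above this hunk ("`request.destroy_context()` can properly close all open connections.") describes the shared, context-keyed connection model; with `shared_instance=False` now the default, `self.id = self.name` happens only on explicit request, so the docstring should describe the new default and say when a caller should still pass `shared_instance=True`.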
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 3211b3390fb979f090467445905513d33e537e17..fd4ed29903fb2f3afe0f4b74467bf53df49654fa 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -61,7 +61,7 @@ class ldap2(LDAPClient, CrudBackend):
 LDAP Backend Take 2.
 
 
-def __init__(self, shared_instance=True, ldap_uri=None, base_dn=None,
+def __init__(self, shared_instance=False, ldap_uri=None, base_dn=None,
  schema=None):
 self.__ldap_uri = None
 
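Review bot: flipping the default of `shared_instance` in `ldap2.__init__` silently changes the behaviour of every existing `ldap2(...)` instantiation that omits the argument, and the patch touches no call sites; either state in the commit message that callers were audited or pass `shared_instance` explicitly at the call sites that still depend on sharing, so the intent is visible in the code rather than in a changed default.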
diff --git a/ipatests/test_ipalib/test_backend.py b/ipatests/test_ipalib/test_backend.py
index c69757cb3d68ebc12f9c91572d37603738357c4e..121c4745bd1dfebfbeed75ba1b46b4420064fe63 100644
--- a/ipatests/test_ipalib/test_backend.py
+++ b/ipatests/test_ipalib/test_backend.py
@@ -76,7 +76,7 @@ class test_Connectible(ClassChecker):
 object.__setattr__(self, 'args', args)
 object.__setattr__(self, 'kw', kw)
 return 'The connection.'
-o = example()
+o = example(shared_instance=True)
 args = ('Arg1', 'Arg2', 'Arg3')
 kw = dict(key1='Val1', key2='Val2', key3='Val3')
 assert not hasattr(context, 'example')
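Review bot: every test in this file is switched to `example(shared_instance=True)`, so the suite keeps exercising only the shared path and the new default (`shared_instance=False`) gets no coverage; add a test that creates two `example()` instances without the argument and asserts that their `id` values differ and that connecting one does not set the `context` attribute the other would read.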
@@ -104,7 +104,7 @@ class test_Connectible(ClassChecker):
 class example(self.cls):
 pass
 for klass in (self.cls, example):
-o = klass()
+o = klass(shared_instance=True)
 e = raises(NotImplementedError, o.create_connection)
 assert str(e) == '%s.create_connection()' % klass.__name__
 
@@ -114,7 +114,7 @@ class test_Connectible(ClassChecker):
 
 class example(self.cls):
 destroy_connection = Disconnect()
-o = example()
+o = example(shared_instance=True)
 
 m = disconnect: 'context.%s' does not exist in thread %r
 e = raises(StandardError, o.disconnect)
@@ -131,7 +131,7 @@ class test_Connectible(ClassChecker):
 class example(self.cls):
 pass
 for klass in (self.cls, example):
-o = klass()
+o = klass(shared_instance=True)
 e = raises(NotImplementedError, o.destroy_connection)
 assert str(e) == '%s.destroy_connection()' % klass.__name__
 
@@ -142,7 +142,7 @@ class test_Connectible(ClassChecker):
 class example(self.cls):
 pass
 for klass in (self.cls, example):
-o = klass()
+o = klass(shared_instance=True)
 assert o.isconnected() is False
 conn = 'whatever'
 setattr(context, klass.__name__, conn)
@@ -157,7 +157,7 @@ class test_Connectible(ClassChecker):
 class example(self.cls):
 pass
 for klass in (self.cls, example):
-o = klass()
+o = klass(shared_instance=True)
 e = raises(AttributeError, getattr, o, 'conn')
 assert str(e) == msg % (
 klass.__name__, threading.currentThread().getName()
-- 
2.1.0
