Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. -- Martin Basti
From f3c19b3719b9e9e25e8f45a1787de8e46ed5e1b7 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 7 Nov 2014 13:28:01 +0100
Subject: [PATCH] Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
---
install/updates/25-referint.update | 13 +---
ipaserver/install/plugins/Makefile.am| 1 +
ipaserver/install/plugins/update_referint.py | 90
3 files changed, 92 insertions(+), 12 deletions(-)
create mode 100644 ipaserver/install/plugins/update_referint.py
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index c4bff5dac4956eb0ef4b132a2ce5dafdb53e286e..2cb8782263a51caf99c3b33d94bbb3f76372de2c 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -1,19 +1,8 @@
 # Expand attributes checked by Referential Integrity plugin
 # pres and eq indexes defined in 20-indices.update must be set for all these
 # attributes
+# NOTE: migration to new style is done in update_referint.py
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
-remove: nsslapd-pluginArg7: manager
-remove: nsslapd-pluginArg8: secretary
-remove: nsslapd-pluginArg9: memberuser
-remove: nsslapd-pluginArg10: memberhost
-remove: nsslapd-pluginArg11: sourcehost
-remove: nsslapd-pluginArg12: memberservice
-remove: nsslapd-pluginArg13: managedby
-remove: nsslapd-pluginArg14: memberallowcmd
-remove: nsslapd-pluginArg15: memberdenycmd
-remove: nsslapd-pluginArg16: ipasudorunas
-remove: nsslapd-pluginArg17: ipasudorunasgroup
-remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
 add: referint-membership-attr: manager
 add: referint-membership-attr: secretary
 add: referint-membership-attr: memberuser
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 7cf0495131b2108ee78a79758cee42ec344652c7..90c59b3caf4f6e1c92563f7750051ee255b79c5b 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -11,6 +11,7 @@ app_PYTHON = \
 update_services.py \
 update_anonymous_aci.py \
 update_pacs.py \
+ update_referint.py \
 ca_renewal_master.py \
 $(NULL)
diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py
new file mode 100644
index ..1b7411035b27ebba04246a7ee6f220d470b46688
--- /dev/null
+++ b/ipaserver/install/plugins/update_referint.py
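Review bot: With the `remove: nsslapd-pluginArg7` … `nsslapd-pluginArg18` lines gone, the three unconditional `add: referint-membership-attr` lines in the 25-referint.update hunk are only safe if update_referint.py has already stripped every old-style argument, and nothing in the update file enforces that. In the part of `execute` visible later in the patch, the plugin returns early with "Plugin already uses new style, skipping" whenever `nsslapd-pluginArg0` is empty, so an entry that lacks Arg0 but still holds other `nsslapd-pluginArgN` values would apparently keep them and land in the mixed old/new state the commit message says causes errors. I would treat the entry as old style when any `nsslapd-pluginArg*` attribute is present rather than keying on Arg0 alone, and make the comment state the dependency, e.g. `# NOTE: update_referint.py must have removed all nsslapd-pluginArg* before these adds are applied`. The plugin body is truncated on this page, so the handling of Arg3..N could not be checked; the same hunk recurs in the master/4.1 copy of the patch further down the thread.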
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PreUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+class update_referint(PreUpdate):
+
+Update referential integrity configuration to new style
+http://directory.fedoraproject.org/docs/389ds/design/ri-plugin-configuration.html
+
+old attr - new attr
+nsslapd-pluginArg0- referint-update-delay
+nsslapd-pluginArg1- referint-logfile
+nsslapd-pluginArg2- referint-logchanges
+nsslapd-pluginArg3..N - referint-membership-attr [3..N]
+
+Old and new style cannot be mixed, all nslapd-pluginArg* attrs have to be removed
+
+
+order = MIDDLE
+
+referint_dn = DN(('cn', 'referential integrity postoperation'),
+ ('cn', 'plugins'), ('cn', 'config'))
+
+def execute(self, **options):
+
+root_logger.debug(Upgrading referential integrity plugin configuration)
+ldap = self.obj.backend
+try:
+entry = ldap.get_entry(self.referint_dn)
+except errors.NotFound:
+root_logger.error(Referential integrity configuration not found)
+return False, False, []
+
+referint_membership_attrs = []
+
+root_logger.debug(Initial value: %s, repr(entry))
+
+# nsslapd-pluginArg0- referint-update-delay
+update_delay = entry.get('nsslapd-pluginArg0')
+if update_delay:
+root_logger.debug(add: referint-update-delay: %s, update_delay)
+entry['referint-update-delay'] = update_delay
+entry['nsslapd-pluginArg0'] = None
+else:
+root_logger.info(Plugin already uses new style, skipping)
+return False, False, []
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 11/13/2014 10:18 AM, Martin Basti wrote: On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello, Just a novice question. If the RI config entry was something like: dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... nsslapd-pluginArg0: xxx nsslapd-pluginArg1: yyy nsslapd-pluginArg2: zzz nsslapd-pluginArg3: +++ Will it create an entry like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ or like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ nsslapd-pluginArg0: nsslapd-pluginArg1: nsslapd-pluginArg2: nsslapd-pluginArg3: Thanks thierry ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 13/11/14 12:02, thierry bordaz wrote: On 11/13/2014 10:18 AM, Martin Basti wrote: On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello, Just a novice question. If the RI config entry was something like: dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... nsslapd-pluginArg0: xxx nsslapd-pluginArg1: yyy nsslapd-pluginArg2: zzz nsslapd-pluginArg3: +++ Will it create an entry like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ or like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ nsslapd-pluginArg0: nsslapd-pluginArg1: nsslapd-pluginArg2: nsslapd-pluginArg3: Thanks thierry Hello, It removes all nsslapd-pluginArg* referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ But I can check it again if you have any doubts. Martin^2 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 11/13/2014 10:18 AM, Martin Basti wrote: On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. Thanks, ACK. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 11/13/2014 12:16 PM, Martin Basti wrote: On 13/11/14 12:02, thierry bordaz wrote: On 11/13/2014 10:18 AM, Martin Basti wrote: On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hello, Just a novice question. If the RI config entry was something like: dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... nsslapd-pluginArg0: xxx nsslapd-pluginArg1: yyy nsslapd-pluginArg2: zzz nsslapd-pluginArg3: +++ Will it create an entry like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ or like dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top ... referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ nsslapd-pluginArg0: nsslapd-pluginArg1: nsslapd-pluginArg2: nsslapd-pluginArg3: Thanks thierry Hello, It removes all nsslapd-pluginArg* referint-update-delay: xxx referint-logfile: yyy referint-logchanges: zzz referint-membership-attr: +++ But I can check it again if you have any doubts. Martin^2 -- Martin Basti Hi Martin, Thanks for the explanation. Reading generate_modlist(), I realize that it will do a mod/del on each 'nsslapd-pluginarg*' so they will be clearly removed. Thanks thierry ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 13.11.2014 13:08, David Kupka wrote: On 11/13/2014 10:18 AM, Martin Basti wrote: On 12/11/14 16:55, David Kupka wrote: On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. LGTM, please rebase to ipa-4-0. Thanks. Rebased patch for 4.0 attached. Original patch for 4.1 and master attached. Thanks, ACK. Pushed to: ipa-4-0: * 9a9eccb94bcade97edb8aa877aedc35c191745e5 Fix upgrade referint plugin ipa-4-1: * 65624c9d61ba0bf8a1e5e040357406712dd42245 Fix upgrade referint plugin master: * f62c7843ffeda1e841719cb35f9f773f186780a6 Fix upgrade referint plugin -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
On 11/07/2014 03:22 PM, Martin Basti wrote: Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel LGTM, please rebase to ipa-4-0. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0158] FIX: upgrade refential integrity plugin configuration
Ticket: https://fedorahosted.org/freeipa/ticket/4622 Patch attached. -- Martin Basti
From 524c486c5cfcfbe24a801a5ca58d6faa5a6f6e22 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 7 Nov 2014 13:28:01 +0100
Subject: [PATCH] Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
---
install/updates/25-referint.update | 13 +---
ipaserver/install/plugins/Makefile.am| 1 +
ipaserver/install/plugins/update_referint.py | 90
3 files changed, 92 insertions(+), 12 deletions(-)
create mode 100644 ipaserver/install/plugins/update_referint.py
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index a43d21ad5152358cb939c3545f0eef9d251e7fe0..609eaba74f0fcde6ce875093587315681fbd4584 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -1,19 +1,8 @@
 # Expand attributes checked by Referential Integrity plugin
 # pres and eq indexes defined in 20-indices.update must be set for all these
 # attributes
+# NOTE: migration to new style is done in update_referint.py
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
-remove: nsslapd-pluginArg7: manager
-remove: nsslapd-pluginArg8: secretary
-remove: nsslapd-pluginArg9: memberuser
-remove: nsslapd-pluginArg10: memberhost
-remove: nsslapd-pluginArg11: sourcehost
-remove: nsslapd-pluginArg12: memberservice
-remove: nsslapd-pluginArg13: managedby
-remove: nsslapd-pluginArg14: memberallowcmd
-remove: nsslapd-pluginArg15: memberdenycmd
-remove: nsslapd-pluginArg16: ipasudorunas
-remove: nsslapd-pluginArg17: ipasudorunasgroup
-remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
 add: referint-membership-attr: manager
 add: referint-membership-attr: secretary
 add: referint-membership-attr: memberuser
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 635877d8c2160a91208276498cdb4cd9bc82d56b..d651297ac141b0f05831e7fabbb9b561cdd239c7 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -11,6 +11,7 @@ app_PYTHON = \
 update_services.py \
 update_anonymous_aci.py \
 update_pacs.py \
+ update_referint.py \
 ca_renewal_master.py \
 update_uniqueness.py \
 $(NULL)
diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py
new file mode 100644
index ..1b7411035b27ebba04246a7ee6f220d470b46688
--- /dev/null
+++ b/ipaserver/install/plugins/update_referint.py
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PreUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+class update_referint(PreUpdate):
+
+Update referential integrity configuration to new style
+http://directory.fedoraproject.org/docs/389ds/design/ri-plugin-configuration.html
+
+old attr - new attr
+nsslapd-pluginArg0- referint-update-delay
+nsslapd-pluginArg1- referint-logfile
+nsslapd-pluginArg2- referint-logchanges
+nsslapd-pluginArg3..N - referint-membership-attr [3..N]
+
+Old and new style cannot be mixed, all nslapd-pluginArg* attrs have to be removed
+
+
+order = MIDDLE
+
+referint_dn = DN(('cn', 'referential integrity postoperation'),
+ ('cn', 'plugins'), ('cn', 'config'))
+
+def execute(self, **options):
+
+root_logger.debug(Upgrading referential integrity plugin configuration)
+ldap = self.obj.backend
+try:
+entry = ldap.get_entry(self.referint_dn)
+except errors.NotFound:
+root_logger.error(Referential integrity configuration not found)
+return False, False, []
+
+referint_membership_attrs = []
+
+root_logger.debug(Initial value: %s, repr(entry))
+
+# nsslapd-pluginArg0- referint-update-delay
+update_delay = entry.get('nsslapd-pluginArg0')
+if update_delay:
+root_logger.debug(add: referint-update-delay: %s, update_delay)
+entry['referint-update-delay'] = update_delay
+entry['nsslapd-pluginArg0'] = None
+else:
+root_logger.info(Plugin already uses new style, skipping)
+return False, False, []
+
+# nsslapd-pluginArg1- referint-logfile
+logfile = entry.get('nsslapd-pluginArg1')
+if logfile:
+root_logger.debug(add: referint-logfile: %s, logfile)
+entry['referint-logfile'] = logfile
+entry['nsslapd-pluginArg1'] = None
+
+# nsslapd-pluginArg2-