Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On 19.08.2016 15:26, Alexander Bokovoy wrote:
> On Fri, 19 Aug 2016, Martin Basti wrote:
>> On 19.08.2016 11:43, Alexander Bokovoy wrote:
>>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>>> On Mon, 08 Aug 2016, Petr Vobornik wrote:
>>>>> On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
>>>>>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>>>>>> Hi!
>>>>>>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>>>>>>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>>>>>>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>>>>>>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>>>>>>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
>>>>>> Patch attached now. ;)
>>>>> I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.
>>>> Right.
>>>>> Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.
>>>> Sounds good to me. FleetCommander (which is one of drivers behind the patches) is targeting F25 as well.
>>> Can we get the patch reviewed?
>> ACK
>> However ticket is in future releases, so we have to branch master and ipa 4.4 before push
> Why? We agreed above to get the patch into 4.4. Moving ticket to 4.4.1 milestone is certainly possible and does not require branching.

OK, you agreed but nobody changed milestone of ticket

Pushed to master: 7bec8a246d6712f749ec331f5bf066e3357c4ce7

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On Fri, 19 Aug 2016, Martin Basti wrote:
> On 19.08.2016 11:43, Alexander Bokovoy wrote:
>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>> On Mon, 08 Aug 2016, Petr Vobornik wrote:
>>>> On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
>>>>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>>>>> Hi!
>>>>>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>>>>>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>>>>>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>>>>>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>>>>>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
>>>>> Patch attached now. ;)
>>>> I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.
>>> Right.
>>>> Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.
>>> Sounds good to me. FleetCommander (which is one of drivers behind the patches) is targeting F25 as well.
>> Can we get the patch reviewed?
> ACK
> However ticket is in future releases, so we have to branch master and ipa 4.4 before push

Why? We agreed above to get the patch into 4.4. Moving ticket to 4.4.1 milestone is certainly possible and does not require branching.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On 19.08.2016 11:43, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>> On Mon, 08 Aug 2016, Petr Vobornik wrote:
>>> On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
>>>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>>>> Hi!
>>>>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>>>>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>>>>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>>>>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>>>>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
>>>> Patch attached now. ;)
>>> I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.
>> Right.
>>> Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.
>> Sounds good to me. FleetCommander (which is one of drivers behind the patches) is targeting F25 as well.
> Can we get the patch reviewed?

ACK

However ticket is in future releases, so we have to branch master and ipa 4.4 before push

Martin^2
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Petr Vobornik wrote:
>> On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
>>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>>> Hi!
>>>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>>>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>>>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>>>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>>>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
>>> Patch attached now. ;)
>> I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.
> Right.
>> Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.
> Sounds good to me. FleetCommander (which is one of drivers behind the patches) is targeting F25 as well.

Can we get the patch reviewed?

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On Mon, 08 Aug 2016, Petr Vobornik wrote:
> On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
>> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>>> Hi!
>>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
>> Patch attached now. ;)
> I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.

Right.

> Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.

Sounds good to me. FleetCommander (which is one of drivers behind the patches) is targeting F25 as well.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On 08/08/2016 12:26 PM, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
>> Hi!
>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
> Patch attached now. ;)

I'll assume that we want to target 4.4.x therefore it can be pushed to master, right? I.e. no need for creating ipa-4-4 branch atm.

Reasoning is that currently F24 has 4.3.x. F25 will most likely have 4.4.x because 4.5 is still in planning.

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On Mon, 08 Aug 2016, Petr Spacek wrote:
> On 8.8.2016 11:34, Alexander Bokovoy wrote:
>> Hi!
>> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
>> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
>> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
>> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
>> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.
> 1. I cannot see a patch attached to this e-mail :-)

See my other email. ;)

> 2. Needless to say that ticket in appropriate milestone is going to be required.

Sure. Moving ticket from one milestone to another is a simple act. I wanted to show that it is actually an almost trivial patch to enable external plugin development and argue by that fact we could have it added, thus raising the ticket to a better milestone.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On 8.8.2016 11:34, Alexander Bokovoy wrote:
> Hi!
> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.

1. I cannot see a patch attached to this e-mail :-)

2. Needless to say that ticket in appropriate milestone is going to be required.

--
Petr^2 Spacek
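Added example, not FreeIPA's own code (the patch's dsinstance.py helper is not shown on this page): one way to gather *.ldif files from a schema.d tree and its subdirectories in a fixed order, while skipping files that an installer running as root should not trust. The function name, the ownership and mode checks and the sample file names are assumptions; the NN-description.ldif rule comes from the README in the patch.

```python
import os
import re
import stat
import tempfile

# Naming rule from the schema.d README: NN-description.ldif with NN in 00..90.
NAME_RE = re.compile(r"^(\d{2})-[A-Za-z0-9_.-]+\.ldif$")


def collect_schema_files(root, trusted_uid=0):
    """Walk root and its subdirectories; return (accepted, rejected).

    accepted: paths sorted by file name, then full path, so load order is stable.
    rejected: (path, reason) pairs for every file that was skipped.
    The ownership and mode checks are assumptions of this example.
    """
    accepted, rejected = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            if name == "README":
                continue
            path = os.path.join(dirpath, name)
            match = NAME_RE.match(name)
            if not match or int(match.group(1)) > 90:
                rejected.append((path, "name is not NN-description.ldif (00..90)"))
                continue
            st = os.lstat(path)  # lstat so a symlink is judged as a symlink
            if not stat.S_ISREG(st.st_mode):
                rejected.append((path, "not a regular file"))
            elif st.st_uid != trusted_uid:
                rejected.append((path, "not owned by trusted uid"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                rejected.append((path, "group- or world-writable"))
            else:
                accepted.append(path)
    accepted.sort(key=lambda p: (os.path.basename(p), p))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample tree; the plugin and file names are made up.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "exampleplugin"))
        for rel, mode in [("exampleplugin/75-example.ldif", 0o644),
                          ("10-other.ldif", 0o644),
                          ("20-loose.ldif", 0o666),
                          ("notes.txt", 0o644)]:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("dn: cn=schema\n")
            os.chmod(path, mode)
        ok, skipped = collect_schema_files(root, trusted_uid=os.getuid())
        print("load order:", [os.path.relpath(p, root) for p in ok])
        for path, reason in skipped:
            print("skipped:", os.path.relpath(path, root), "-", reason)
```

Sorting on the file name rather than the full path keeps the NN prefix authoritative even when a plugin ships its files in its own subdirectory.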
Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins
On Mon, 08 Aug 2016, Alexander Bokovoy wrote:
> Hi!
> Attached patch is what is needed to allow external plugins for FreeIPA framework to be functional if they need to extend a schema.
> The idea is that we would have a separate directory as /usr/share/ipa/schema.d and will allow to use schema (*.ldif) files from it and its subdirectories during install and upgrade stages.
> Without the patch only selected schema files from /usr/share/ipa are used during install and upgrade. This leads to a failure to install IPA server (or upgrade it) if a new plugin is added. If plugin defines managed permissions, upgrade tool will generate ACIs which will fail to be inserted into LDAP store due to references to missing attributes and object classes.
> The patch adds a directory to be installed and a helper utility that loads files from the directory and adds them to the list of schema files used during update of dsinstance and upgrade of the server.
> With this patch I've successfully managed to make FleetCommander integration plugin completely independent of FreeIPA.

Patch attached now. ;)

--
/ Alexander Bokovoy

From 045c7b38c387c362358d1ac2aa19a6fe07d18be5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Fri, 5 Aug 2016 13:04:19 +0300 Subject: [PATCH 3/5] support schema files from third-party plugins Allow upgrade process to include schema files from third-party plugins installed in /usr/share/ipa/schema.d/*.schema. The directory /usr/shar/eipa/schema.d is owned by the server-common subpackage and therefore third-party plugins should depend on freeipa-server-common (ipa-server-common) package in their package dependencies. Resolves: https://fedorahosted.org/freeipa/ticket/5864 --- freeipa.spec.in | 5 - install/configure.ac| 1 + install/share/Makefile.am | 1 + install/share/schema.d/Makefile.am | 16 install/share/schema.d/README | 14 ++ ipaplatform/base/paths.py | 1 + ipaserver/install/dsinstance.py | 15 ++- ipaserver/install/server/upgrade.py | 3 +++ 8 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 install/share/schema.d/Makefile.am create mode 100644 install/share/schema.d/README diff --git a/freeipa.spec.in b/freeipa.spec.in index 135e9c9..8acb3fc 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -871,6 +871,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia +mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d + %endif # ONLY_CLIENT @@ -1248,7 +1250,8 @@ fi %ghost %{_localstatedir}/lib/ipa/pki-ca/publish %ghost %{_localstatedir}/named/dyndb-ldap/ipa %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia - +%dir %{_usr}/share/ipa/schema.d +%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README %files server-dns %defattr(-,root,root,-) diff --git a/install/configure.ac b/install/configure.ac index b5f77bf..81f17b9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -88,6 +88,7 @@ AC_CONFIG_FILES([ share/advise/Makefile share/advise/legacy/Makefile share/profiles/Makefile +share/schema.d/Makefile ui/Makefile ui/css/Makefile ui/src/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index cd1c164..d8845ee 100644 
--- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -3,6 +3,7 @@ NULL = SUBDIRS = \ advise \ profiles\ + schema.d\ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/install/share/schema.d/Makefile.am b/install/share/schema.d/Makefile.am new file mode 100644 index 000..0fef87f --- /dev/null +++ b/install/share/schema.d/Makefile.am @@ -0,0 +1,16 @@ +NULL = + +SUBDIRS = \ + $(NULL) + +appdir = $(IPA_DATA_DIR)/schema.d +app_DATA = README \ + $(NULL) + +EXTRA_DIST = \ + $(app_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/schema.d/README b/install/share/schema.d/README new file mode 100644 index 000..19e3e68 --- /dev/null +++ b/install/share/schema.d/README @@ -0,0 +1,14 @@ +This directory is indended to store schema files for 3rd-party plugins. + +Each schema file should be named NN-description.ldif where NN is a number 00..90. + +The schema files from this directory are merged together with the core IPA +schema files during the run of ipa-server-upgrade utility. Therefore, they are +also installed when upgrade happens within the process of ipa-server-install. + +The directory is installed as /usr/share/ipa/schema.d and is owned by a +freeipa-server-common package. Therefore, a 3rd-party plugin would need to +depend on the freeipa-server-common package if it
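Review bot: in the freeipa.spec.in %files hunk, `%dir %{_usr}/share/ipa/schema.d` carries no `%attr`, unlike the `%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia` line directly above it. Files placed in this directory are merged into the server schema during install and upgrade, so its owner and mode decide who can influence that schema; please state them explicitly, for example `%dir %attr(0755,root,root)`, rather than relying on whatever %defattr the section has. Please also confirm that the %files section ending just before `%files server-dns` is the server-common one, since the commit message and README both name server-common as the owner of the directory.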
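Review bot: the naming rule in the new install/share/schema.d/README does not match the rest of the submission. The README says `NN-description.ldif`, the commit message says `/usr/share/ipa/schema.d/*.schema`, and the cover letter says *.ldif files from the directory and its subdirectories, which the README does not mention. Please make the commit message and README agree with what the loader accepts, and have the README say whether subdirectories are scanned and what happens to a file that does not match the pattern. Two typos to fix at the same time: `indended` in the first README line and `/usr/shar/eipa/schema.d` in the commit message.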