[SSSD] Re: [PATCH] config: Some fixes to schema
On 08/04/2016 11:40 AM, Jakub Hrozek wrote: On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote: On 07/12/2016 06:38 PM, Lukas Slebodnik wrote: On (12/07/16 15:59), Michal Židek wrote: On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: On (12/07/16 15:16), Michal Židek wrote: +# secrets responder +option = provider + I think you need to also update "rule/allowed_sections" maybe you could run tour tool "sssctl config-check" before sending patches :-) What a useful tool it turned out to be :) And there are another related question to this topic. Should we add undocumented option to the list? We already have "command" in schema. Should we add other as well? IMHO, no. LS So far we only added options that we expect users to use. Options that are for developers are not added to the schema for now. Michal From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/3] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. Also remove unused macro CONFDB_SERVICE_TIMEOUT. --- ACK From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:34:03 +0200 Subject: [PATCH 2/3] config: Add config_file_version to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 --- src/config/SSSDConfigTest.py | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + 3 files changed, 3 insertions(+) ACK From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Tue, 12 Jul 2016 15:05:16 +0200 Subject: [PATCH 3/3] config: Allow 'secrets' section Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow the 'secrets' section in config file schema. --- src/config/SSSDConfigTest.py | 6 -- src/config/cfg_rules.ini | 22 ++ src/config/etc/sssd.api.conf | 4 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 332d870..4748ecb 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): 'autofs', 'ssh', 'pac', -'ifp'] +'ifp', +'secrets'] for section in control_list: self.assertTrue(sssdconfig.has_section(section), "Section [%s] missing" % @@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): 'autofs', 'ssh', 'pac', -'ifp'] +'ifp', +'secrets'] service_list = sssdconfig.list_services() for service in control_list: self.assertTrue(service in service_list, diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 635c078..cab25fc 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -8,6 +8,7 @@ section = autofs section = ssh section = pac section = ifp +section_re = ^secrets/.*$ section_re = ^domain/.*$ [rule/allowed_sssd_options] 
@@ -224,6 +225,27 @@ option = diag_cmd option = allowed_uids option = user_attributes +[rule/allowed_secrets_options] +validator = ini_allowed_options +section_re = ^secrets/.*$ + +option = timeout +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# secrets responder +option = provider + There are some options which you didn't include (e.g. forward_headers) @see grep confdb_get -A 5 src/responder/secrets/* grep proxy_get_config_string -A 5 src/responder/secrets/* LS It looks like secret uses different set of options completely. Also there is the service/program specific configuration of secrets that should work similar to domains (like [secret/apache] or something like that). I will not sent this patch until I have better understanding of how secrets service work and how it can be configured. I think we should make a ticket for the documentation/design page enhancement and make the schema change as a subtask for it. We already have: https://fedorahosted.org/sssd/ticket/3053 I would like to work on that next week.. Ah, great. I will add the need for schema update in the comments of that ticket and close the one about fixes to initial schema. Michal ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
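Review bot: In the cfg_rules.ini hunk at @@ -8,6 +8,7 (rule/allowed_sections), only "section_re = ^secrets/.*$" is added, and that pattern requires a slash after "secrets", so a section named exactly [secrets] is still not allowed. Both SSSDConfigTest.py hunks add plain 'secrets' to the expected section and service lists, so the test and the rule disagree about the section name. Suggest adding "section = secrets" next to "section = ifp", as the other services have, and keeping the section_re line only if per-application subsections are intended.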
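Review bot: The new [rule/allowed_secrets_options] in the hunk at @@ -224,6 +225,27 is scoped with "section_re = ^secrets/.*$", so its option list is applied only to secrets/... subsections and a plain [secrets] section is not covered by this rule. The list is the generic service options plus "provider", and the review in this thread already names forward_headers as missing. Suggest building the list from the options the secrets responder actually reads, and extending the "# secrets responder" comment to say which section each option is valid in.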
[SSSD] Re: [PATCH] config: Some fixes to schema
On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote: > On 07/12/2016 06:38 PM, Lukas Slebodnik wrote: > > On (12/07/16 15:59), Michal Židek wrote: > > > On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: > > > > On (12/07/16 15:16), Michal Židek wrote: > > > > > +# secrets responder > > > > > +option = provider > > > > > + > > > > > > > > I think you need to also update "rule/allowed_sections" > > > > > > > > maybe you could run tour tool "sssctl config-check" > > > > before sending patches :-) > > > > > > > > > > What a useful tool it turned out to be :) > > > > > > > And there are another related question to this topic. > > > > Should we add undocumented option to the list? > > > > > > > > We already have "command" in schema. Should we add other as well? > > > > > > > > IMHO, no. > > > > > > > > LS > > > > > > So far we only added options that we expect users > > > to use. Options that are for developers are not added to the > > > schema for now. > > > > > > Michal > > > > > From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 > > > From: =?UTF-8?q?Michal=20=C5=BDidek?= > > > Date: Mon, 11 Jul 2016 13:03:28 +0200 > > > Subject: [PATCH 1/3] config: Allow timeout for all sevices > > > > > > Fixes: > > > https://fedorahosted.org/sssd/ticket/3068 > > > > > > Allow option "timeout" for all sevices. > > > Also remove unused macro CONFDB_SERVICE_TIMEOUT. > > > --- > > ACK > > > > > From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 > > > From: =?UTF-8?q?Michal=20=C5=BDidek?= > > > Date: Mon, 11 Jul 2016 13:34:03 +0200 > > > Subject: [PATCH 2/3] config: Add config_file_version to schema > > > > > > Fixes: > > > https://fedorahosted.org/sssd/ticket/3068 > > > --- > > > src/config/SSSDConfigTest.py | 1 + > > > src/config/cfg_rules.ini | 1 + > > > src/config/etc/sssd.api.conf | 1 + > > > 3 files changed, 3 insertions(+) > > > > > ACK > > > > > From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001 
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= > > > Date: Tue, 12 Jul 2016 15:05:16 +0200 > > > Subject: [PATCH 3/3] config: Allow 'secrets' section > > > > > > Fixes: > > > https://fedorahosted.org/sssd/ticket/3068 > > > > > > Allow the 'secrets' section in config file > > > schema. > > > --- > > > src/config/SSSDConfigTest.py | 6 -- > > > src/config/cfg_rules.ini | 22 ++ > > > src/config/etc/sssd.api.conf | 4 > > > 3 files changed, 30 insertions(+), 2 deletions(-) > > > > > > diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py > > > index 332d870..4748ecb 100755 > > > --- a/src/config/SSSDConfigTest.py > > > +++ b/src/config/SSSDConfigTest.py > > > @@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): > > > 'autofs', > > > 'ssh', > > > 'pac', > > > -'ifp'] > > > +'ifp', > > > +'secrets'] > > > for section in control_list: > > > self.assertTrue(sssdconfig.has_section(section), > > > "Section [%s] missing" % > > > @@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): > > > 'autofs', > > > 'ssh', > > > 'pac', > > > -'ifp'] > > > +'ifp', > > > +'secrets'] > > > service_list = sssdconfig.list_services() > > > for service in control_list: > > > self.assertTrue(service in service_list, > > > diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini > > > index 635c078..cab25fc 100644 > > > --- a/src/config/cfg_rules.ini > > > +++ b/src/config/cfg_rules.ini > > > @@ -8,6 +8,7 @@ section = autofs > > > section = ssh > > > section = pac > > > section = ifp > > > +section_re = ^secrets/.*$ > > > section_re = ^domain/.*$ > > > > > > [rule/allowed_sssd_options] 
> > > @@ -224,6 +225,27 @@ option = diag_cmd > > > option = allowed_uids > > > option = user_attributes > > > > > > +[rule/allowed_secrets_options] > > > +validator = ini_allowed_options > > > +section_re = ^secrets/.*$ > > > + > > > +option = timeout > > > +option = debug > > > +option = debug_level > > > +option = debug_timestamps > > > +option = debug_microseconds > > > +option = debug_to_files > > > +option = command > > > +option = reconnection_retries > > > +option = fd_limit > > > +option = client_idle_timeout > > > +option = force_timeout > > > +option = description > > > +option = diag_cmd > > > + > > > +# secrets responder > > > +option = provider > > > + > > > > There are some options which you didn't include (e.g. forward_headers) > > @see > >grep confdb_get -A 5 src/responder/secrets/* > >grep proxy_get_config_string -A 5 src/responder/secrets/* > > > > LS > > It looks like secret uses different set of options completely. > Also there is the service/program specific configuration of > secrets that should work similar to domains (like [secret
[SSSD] Re: [PATCH] config: Some fixes to schema
On 07/12/2016 06:38 PM, Lukas Slebodnik wrote: On (12/07/16 15:59), Michal Židek wrote: On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: On (12/07/16 15:16), Michal Židek wrote: +# secrets responder +option = provider + I think you need to also update "rule/allowed_sections" maybe you could run tour tool "sssctl config-check" before sending patches :-) What a useful tool it turned out to be :) And there are another related question to this topic. Should we add undocumented option to the list? We already have "command" in schema. Should we add other as well? IMHO, no. LS So far we only added options that we expect users to use. Options that are for developers are not added to the schema for now. Michal From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/3] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. Also remove unused macro CONFDB_SERVICE_TIMEOUT. --- ACK From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:34:03 +0200 Subject: [PATCH 2/3] config: Add config_file_version to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 --- src/config/SSSDConfigTest.py | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + 3 files changed, 3 insertions(+) ACK From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Tue, 12 Jul 2016 15:05:16 +0200 Subject: [PATCH 3/3] config: Allow 'secrets' section Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow the 'secrets' section in config file schema. --- src/config/SSSDConfigTest.py | 6 -- src/config/cfg_rules.ini | 22 ++ src/config/etc/sssd.api.conf | 4 3 files changed, 30 insertions(+), 2 deletions(-) 
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 332d870..4748ecb 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): 'autofs', 'ssh', 'pac', -'ifp'] +'ifp', +'secrets'] for section in control_list: self.assertTrue(sssdconfig.has_section(section), "Section [%s] missing" % @@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): 'autofs', 'ssh', 'pac', -'ifp'] +'ifp', +'secrets'] service_list = sssdconfig.list_services() for service in control_list: self.assertTrue(service in service_list, diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 635c078..cab25fc 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -8,6 +8,7 @@ section = autofs section = ssh section = pac section = ifp +section_re = ^secrets/.*$ section_re = ^domain/.*$ [rule/allowed_sssd_options] 
@@ -224,6 +225,27 @@ option = diag_cmd option = allowed_uids option = user_attributes +[rule/allowed_secrets_options] +validator = ini_allowed_options +section_re = ^secrets/.*$ + +option = timeout +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# secrets responder +option = provider + There are some options which you didn't include (e.g. forward_headers) @see grep confdb_get -A 5 src/responder/secrets/* grep proxy_get_config_string -A 5 src/responder/secrets/* LS It looks like secret uses different set of options completely. Also there is the service/program specific configuration of secrets that should work similar to domains (like [secret/apache] or something like that). I will not sent this patch until I have better understanding of how secrets service work and how it can be configured. I think we should make a ticket for the documentation/design page enhancement and make the schema change as a subtask for it. Michal ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
[SSSD] Re: [PATCH] config: Some fixes to schema
On (12/07/16 18:38), Lukas Slebodnik wrote: >On (12/07/16 15:59), Michal Židek wrote: >>On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: >>> On (12/07/16 15:16), Michal Židek wrote: >>> > +# secrets responder >>> > +option = provider >>> > + >>> >>> I think you need to also update "rule/allowed_sections" >>> >>> maybe you could run tour tool "sssctl config-check" >>> before sending patches :-) >>> >> >>What a useful tool it turned out to be :) >> >>> And there are another related question to this topic. >>> Should we add undocumented option to the list? >>> >>> We already have "command" in schema. Should we add other as well? >>> >>> IMHO, no. >>> >>> LS >> >>So far we only added options that we expect users >>to use. Options that are for developers are not added to the >>schema for now. >> >>Michal > >>From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:03:28 +0200 >>Subject: [PATCH 1/3] config: Allow timeout for all sevices >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >> >>Allow option "timeout" for all sevices. >>Also remove unused macro CONFDB_SERVICE_TIMEOUT. >>--- >ACK > >>From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:34:03 +0200 >>Subject: [PATCH 2/3] config: Add config_file_version to schema >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >>--- >> src/config/SSSDConfigTest.py | 1 + >> src/config/cfg_rules.ini | 1 + >> src/config/etc/sssd.api.conf | 1 + >> 3 files changed, 3 insertions(+) >> >ACK > http://sssd-ci.duckdns.org/logs-test/job/2/93/summary.html 1st and 2nd patch pushed to master: * aeab20358006d728a284f969f92f3890498cd651 * 1b9b5477027d86a2afb2e72981253d108c5398da LS ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
[SSSD] Re: [PATCH] config: Some fixes to schema
On (12/07/16 15:59), Michal Židek wrote: >On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: >> On (12/07/16 15:16), Michal Židek wrote: >> > +# secrets responder >> > +option = provider >> > + >> >> I think you need to also update "rule/allowed_sections" >> >> maybe you could run tour tool "sssctl config-check" >> before sending patches :-) >> > >What a useful tool it turned out to be :) > >> And there are another related question to this topic. >> Should we add undocumented option to the list? >> >> We already have "command" in schema. Should we add other as well? >> >> IMHO, no. >> >> LS > >So far we only added options that we expect users >to use. Options that are for developers are not added to the >schema for now. > >Michal >From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:03:28 +0200 >Subject: [PATCH 1/3] config: Allow timeout for all sevices > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Allow option "timeout" for all sevices. >Also remove unused macro CONFDB_SERVICE_TIMEOUT. >--- ACK >From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:34:03 +0200 >Subject: [PATCH 2/3] config: Add config_file_version to schema > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 >--- > src/config/SSSDConfigTest.py | 1 + > src/config/cfg_rules.ini | 1 + > src/config/etc/sssd.api.conf | 1 + > 3 files changed, 3 insertions(+) > ACK >From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Tue, 12 Jul 2016 15:05:16 +0200 >Subject: [PATCH 3/3] config: Allow 'secrets' section > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Allow the 'secrets' section in config file >schema. >--- > src/config/SSSDConfigTest.py | 6 -- > src/config/cfg_rules.ini | 22 ++ > src/config/etc/sssd.api.conf | 4 > 3 files changed, 30 insertions(+), 2 deletions(-) 
> >diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py >index 332d870..4748ecb 100755 >--- a/src/config/SSSDConfigTest.py >+++ b/src/config/SSSDConfigTest.py >@@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): > 'autofs', > 'ssh', > 'pac', >-'ifp'] >+'ifp', >+'secrets'] > for section in control_list: > self.assertTrue(sssdconfig.has_section(section), > "Section [%s] missing" % >@@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase): > 'autofs', > 'ssh', > 'pac', >-'ifp'] >+'ifp', >+'secrets'] > service_list = sssdconfig.list_services() > for service in control_list: > self.assertTrue(service in service_list, >diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini >index 635c078..cab25fc 100644 >--- a/src/config/cfg_rules.ini >+++ b/src/config/cfg_rules.ini >@@ -8,6 +8,7 @@ section = autofs > section = ssh > section = pac > section = ifp >+section_re = ^secrets/.*$ > section_re = ^domain/.*$ > > [rule/allowed_sssd_options] >@@ -224,6 +225,27 @@ option = diag_cmd > option = allowed_uids > option = user_attributes > >+[rule/allowed_secrets_options] >+validator = ini_allowed_options >+section_re = ^secrets/.*$ >+ >+option = timeout >+option = debug >+option = debug_level >+option = debug_timestamps >+option = debug_microseconds >+option = debug_to_files >+option = command >+option = reconnection_retries >+option = fd_limit >+option = client_idle_timeout >+option = force_timeout >+option = description >+option = diag_cmd >+ >+# secrets responder >+option = provider >+ There are some options which you didn't include (e.g. forward_headers) @see grep confdb_get -A 5 src/responder/secrets/* grep proxy_get_config_string -A 5 src/responder/secrets/* LS ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
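The two review points raised in this thread (the allowed_sections rule and the missing options) can be reproduced with a small model of the rule file. This is an added example, not SSSD or libini_config code: the rule text is a constructed excerpt of the quoted cfg_rules.ini lines, the sssd.conf fragment and its values are constructed, and check_config() is a hypothetical helper that only approximates the ini_allowed_sections and ini_allowed_options validators.

```python
import re

# Constructed excerpt modelled on the cfg_rules.ini lines quoted in the thread:
# allowed_sections as patch 3/3 leaves it, and a shortened secrets option list.
RULES = """\
[rule/allowed_sections]
validator = ini_allowed_sections
section = sssd
section = ifp
section_re = ^secrets/.*$
section_re = ^domain/.*$

[rule/allowed_secrets_options]
validator = ini_allowed_options
section_re = ^secrets/.*$
option = timeout
option = debug_level
option = provider
"""

# Constructed sssd.conf fragment; section names and values are illustrative.
# No option rule for [sssd] is in the excerpt, so its options go unchecked here.
CONFIG = """\
[sssd]
services = nss, secrets

[secrets]
debug_level = 9

[secrets/apache]
provider = proxy
forward_headers = x-auth
"""


def parse_ini(text):
    """Return [(section, [(key, value), ...])], keeping repeated keys in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def load_rules(text):
    """Turn each [rule/...] section into a dict of its validator and match lists."""
    rules = []
    for name, pairs in parse_ini(text):
        rule = {"name": name, "validator": None,
                "section": [], "section_re": [], "option": []}
        for key, value in pairs:
            if key == "validator":
                rule["validator"] = value
            elif key in ("section", "option"):
                rule[key].append(value)
            elif key == "section_re":
                rule["section_re"].append(re.compile(value))
        rules.append(rule)
    return rules


def check_config(rules_text, config_text):
    """Apply every rule to every config section and collect the violations."""
    errors = []
    config = parse_ini(config_text)
    for rule in load_rules(rules_text):
        for section, pairs in config:
            matches_re = any(rx.search(section) for rx in rule["section_re"])
            if rule["validator"] == "ini_allowed_sections":
                # A section must be listed literally or match one of the patterns.
                if section not in rule["section"] and not matches_re:
                    errors.append(
                        f"[{rule['name']}]: section [{section}] is not allowed")
            elif rule["validator"] == "ini_allowed_options" and matches_re:
                # The option list applies only to sections the rule's regex selects.
                for key, _value in pairs:
                    if key not in rule["option"]:
                        errors.append(
                            f"[{rule['name']}]: option '{key}' is not allowed "
                            f"in section [{section}]")
    return errors


if __name__ == "__main__":
    for message in check_config(RULES, CONFIG):
        print(message)
```

With these inputs the plain [secrets] section is rejected because "^secrets/.*$" needs a slash, its debug_level line is never checked against the secrets option list, and forward_headers is reported for [secrets/apache].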
[SSSD] Re: [PATCH] config: Some fixes to schema
On 07/12/2016 03:36 PM, Lukas Slebodnik wrote: On (12/07/16 15:16), Michal Židek wrote: On 07/12/2016 01:28 PM, Lukas Slebodnik wrote: On (11/07/16 07:44), Michal Zidek wrote: Ok, I split the patches (one per option). Michal From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/4] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. --- src/config/cfg_rules.ini | 7 +++ src/config/etc/sssd.api.conf | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) Almost ACK I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT Could you remove it in this patch? This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8 (3+ years) From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:11:41 +0200 Subject: [PATCH 2/4] config: override_space is monitor's option Fixes: https://fedorahosted.org/sssd/ticket/3068 We read override_space from [sssd] not [nss] section. --- ACK From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:23:40 +0200 Subject: [PATCH 3/4] config: Fix user_attributes Fixes: https://fedorahosted.org/sssd/ticket/3068 Option user_attributes is also available in NSS responder, but not in PAC responder. --- ACK From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:34:03 +0200 Subject: [PATCH 4/4] config: Add config_file_version to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 --- src/config/cfg_rules.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5c8d05a..635c078 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini 
@@ -39,6 +39,7 @@ option = user option = default_domain_suffix option = certificate_verification option = override_space +option = config_file_version [rule/allowed_nss_options] validator = ini_allowed_options -- 1.8.3.1 Python API schema is not generated yet therefore we should add this option also to src/config/etc/sssd.api.conf. It was probably removed with the change from default 1 -> 2 BTW. We need to also allow section + add default options for "secrets" service. So you will need to modify the 1st patch. I will push acked patches after CI. LS Sending the patches that were not acked + patch that adds the 'secrets' service. Michal From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/3] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. Also remove unused macro CONFDB_SERVICE_TIMEOUT. ACK From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:34:03 +0200 Subject: [PATCH 2/3] config: Add config_file_version to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 --- src/config/SSSDConfigTest.py | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + 3 files changed, 3 insertions(+) diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 5fa9bce..332d870 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -289,6 +289,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): options = service.list_options() control_list = [ +'config_file_version', 'services', 'domains', 'timeout', diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5c8d05a..635c078 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini 
@@ -39,6 +39,7 @@ option = user option = default_domain_suffix option = certificate_verification option = override_space +option = config_file_version [rule/allowed_nss_options] validator = ini_allowed_options diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index e4011a3..737f0e1 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -19,6 +19,7 @@ diag_cmd = str, None, false [sssd] # Monitor service +config_file_version = int, None, false services = list, str, true, nss, pam domains = list, str, true sbus_timeout = int, None, false -- 2.5.0 LGTM. I haven't tested yet. From 27964d4eca57972512f145033b253d0dbf29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Tue, 12 Jul 2016 15:05:16 +0200 Subject: [PATCH 3/3] config: Allow 'secrets' section Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow the 'secrets' section in config file schema. --- src/config/SSSDConfigTest.py | 6 ++
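Review bot: The commit message of patch 2/3 ("config: Add config_file_version to schema") carries only the ticket link, while the change touches three files: the test control_list, "option = config_file_version" in cfg_rules.ini and "config_file_version = int, None, false" under [sssd] in sssd.api.conf. Suggest a one-line body saying that the option is added to both the validation rules and the Python API schema, and why it was missing, so the two files are kept in step by later changes.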
[SSSD] Re: [PATCH] config: Some fixes to schema
On (12/07/16 15:16), Michal Židek wrote: >On 07/12/2016 01:28 PM, Lukas Slebodnik wrote: >> On (11/07/16 07:44), Michal Zidek wrote: >> > Ok, I split the patches (one per option). >> > >> > Michal >> >> > From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 >> > From: =?UTF-8?q?Michal=20=C5=BDidek?= >> > Date: Mon, 11 Jul 2016 13:03:28 +0200 >> > Subject: [PATCH 1/4] config: Allow timeout for all sevices >> > >> > Fixes: >> > https://fedorahosted.org/sssd/ticket/3068 >> > >> > Allow option "timeout" for all sevices. >> > --- >> > src/config/cfg_rules.ini | 7 +++ >> > src/config/etc/sssd.api.conf | 2 +- >> > 2 files changed, 8 insertions(+), 1 deletion(-) >> > >> Almost ACK >> >> I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT >> Could you remove it in this patch? >> This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8 >> (3+ years) >> >> >> >> > From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 >> > From: =?UTF-8?q?Michal=20=C5=BDidek?= >> > Date: Mon, 11 Jul 2016 13:11:41 +0200 >> > Subject: [PATCH 2/4] config: override_space is monitor's option >> > >> > Fixes: >> > https://fedorahosted.org/sssd/ticket/3068 >> > >> > We read override_space from [sssd] not >> > [nss] section. >> > --- >> ACK >> >> > From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001 >> > From: =?UTF-8?q?Michal=20=C5=BDidek?= >> > Date: Mon, 11 Jul 2016 13:23:40 +0200 >> > Subject: [PATCH 3/4] config: Fix user_attributes >> > >> > Fixes: >> > https://fedorahosted.org/sssd/ticket/3068 >> > >> > Option user_attributes is also available in >> > NSS responder, but not in PAC responder. >> > --- >> >> ACK >> >> > From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001 
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= >> > Date: Mon, 11 Jul 2016 13:34:03 +0200 >> > Subject: [PATCH 4/4] config: Add config_file_version to schema >> > >> > Fixes: >> > https://fedorahosted.org/sssd/ticket/3068 >> > --- >> > src/config/cfg_rules.ini | 1 + >> > 1 file changed, 1 insertion(+) >> > >> > diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini >> > index 5c8d05a..635c078 100644 >> > --- a/src/config/cfg_rules.ini >> > +++ b/src/config/cfg_rules.ini >> > @@ -39,6 +39,7 @@ option = user >> > option = default_domain_suffix >> > option = certificate_verification >> > option = override_space >> > +option = config_file_version >> > >> > [rule/allowed_nss_options] >> > validator = ini_allowed_options >> > -- >> > 1.8.3.1 >> > >> >> Python API schema is not generated yet >> therefore we should add this option also >> to src/config/etc/sssd.api.conf. >> It was probably removed with the change from default 1 -> 2 >> >> BTW. We need to also allow section + add default options for >> "secrets" service. So you will need to modify the 1st patch. >> >> I will push acked patches after CI. >> >> LS > >Sending the patches that were not acked + patch >that adds the 'secrets' service. > >Michal > >From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:03:28 +0200 >Subject: [PATCH 1/3] config: Allow timeout for all sevices > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Allow option "timeout" for all sevices. >Also remove unused macro CONFDB_SERVICE_TIMEOUT. ACK >From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:34:03 +0200 >Subject: [PATCH 2/3] config: Add config_file_version to schema > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 >--- > src/config/SSSDConfigTest.py | 1 + > src/config/cfg_rules.ini | 1 + > src/config/etc/sssd.api.conf | 1 + > 3 files changed, 3 insertions(+) 
> >diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py >index 5fa9bce..332d870 100755 >--- a/src/config/SSSDConfigTest.py >+++ b/src/config/SSSDConfigTest.py >@@ -289,6 +289,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): > > options = service.list_options() > control_list = [ >+'config_file_version', > 'services', > 'domains', > 'timeout', >diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini >index 5c8d05a..635c078 100644 >--- a/src/config/cfg_rules.ini >+++ b/src/config/cfg_rules.ini >@@ -39,6 +39,7 @@ option = user > option = default_domain_suffix > option = certificate_verification > option = override_space >+option = config_file_version > > [rule/allowed_nss_options] > validator = ini_allowed_options >diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf >index e4011a3..737f0e1 100644 >--- a/src/config/etc/sssd.api.conf >+++ b/src/config/etc/sssd.api.conf >@@ -19,6 +19,7 @@ diag_cmd = str, None, false > > [sssd] > # Monitor service >+config_file_version = int, None, false > services = list, str, true, nss, pam > domains = list, str, tr
[SSSD] Re: [PATCH] config: Some fixes to schema
On (12/07/16 13:28), Lukas Slebodnik wrote: >On (11/07/16 07:44), Michal Zidek wrote: >>Ok, I split the patches (one per option). >> >>Michal > >>From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:03:28 +0200 >>Subject: [PATCH 1/4] config: Allow timeout for all sevices >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >> >>Allow option "timeout" for all sevices. >>--- >> src/config/cfg_rules.ini | 7 +++ >> src/config/etc/sssd.api.conf | 2 +- >> 2 files changed, 8 insertions(+), 1 deletion(-) >> >Almost ACK > >I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT >Could you remove it in this patch? >This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8 >(3+ years) > > > >>From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:11:41 +0200 >>Subject: [PATCH 2/4] config: override_space is monitor's option >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >> >>We read override_space from [sssd] not >>[nss] section. >>--- >ACK > >>From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:23:40 +0200 >>Subject: [PATCH 3/4] config: Fix user_attributes >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >> >>Option user_attributes is also available in >>NSS responder, but not in PAC responder. >>--- > >ACK > >>From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001 >>From: =?UTF-8?q?Michal=20=C5=BDidek?= >>Date: Mon, 11 Jul 2016 13:34:03 +0200 >>Subject: [PATCH 4/4] config: Add config_file_version to schema >> >>Fixes: >>https://fedorahosted.org/sssd/ticket/3068 >>--- >> src/config/cfg_rules.ini | 1 + >> 1 file changed, 1 insertion(+) >> >>diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini >>index 5c8d05a..635c078 100644 
>>--- a/src/config/cfg_rules.ini >>+++ b/src/config/cfg_rules.ini >>@@ -39,6 +39,7 @@ option = user >> option = default_domain_suffix >> option = certificate_verification >> option = override_space >>+option = config_file_version >> >> [rule/allowed_nss_options] >> validator = ini_allowed_options >>-- >>1.8.3.1 >> > >Python API schema is not generated yet >therefore we should add this option also >to src/config/etc/sssd.api.conf. >It was probably removed with the change from default 1 -> 2 > >BTW. We need to also allow section + add default options for >"secrets" service. So you will need to modify the 1st patch. > >I will push acked patches after CI. > http://sssd-ci.duckdns.org/logs-test/job/2/87/summary.html master: * 0a172552ec16f3b84d127399551cad786da8fd9d * fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63 LS >___ >sssd-devel mailing list >sssd-devel@lists.fedorahosted.org >https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
[SSSD] Re: [PATCH] config: Some fixes to schema
On 07/12/2016 01:28 PM, Lukas Slebodnik wrote: On (11/07/16 07:44), Michal Zidek wrote: Ok, I split the patches (one per option). Michal From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/4] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. --- src/config/cfg_rules.ini | 7 +++ src/config/etc/sssd.api.conf | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) Almost ACK I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT Could you remove it in this patch? This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8 (3+ years) From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:11:41 +0200 Subject: [PATCH 2/4] config: override_space is monitor's option Fixes: https://fedorahosted.org/sssd/ticket/3068 We read override_space from [sssd] not [nss] section. --- ACK From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:23:40 +0200 Subject: [PATCH 3/4] config: Fix user_attributes Fixes: https://fedorahosted.org/sssd/ticket/3068 Option user_attributes is also available in NSS responder, but not in PAC responder. --- ACK From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:34:03 +0200 Subject: [PATCH 4/4] config: Add config_file_version to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 --- src/config/cfg_rules.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5c8d05a..635c078 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini 
@@ -39,6 +39,7 @@ option = user option = default_domain_suffix option = certificate_verification option = override_space +option = config_file_version [rule/allowed_nss_options] validator = ini_allowed_options -- 1.8.3.1 Python API schema is not generated yet therefore we should add this option also to src/config/etc/sssd.api.conf. It was probably removed with the change from default 1 -> 2 BTW. We need to also allow section + add default options for "secrets" service. So you will need to modify the 1st patch. I will push acked patches after CI. LS Sending the patches that were not acked + patch that adds the 'secrets' service. Michal >From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/3] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. Also remove unused macro CONFDB_SERVICE_TIMEOUT. --- src/confdb/confdb.h | 1 - src/config/cfg_rules.ini | 7 +++ src/config/etc/sssd.api.conf | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 54b1cbc..cc8f66f 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -58,7 +58,6 @@ #define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps" #define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds" #define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files" -#define CONFDB_SERVICE_TIMEOUT "timeout" #define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout" #define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries" #define CONFDB_SERVICE_FD_LIMIT "fd_limit" diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 85a15be..5c8d05a 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -44,6 +44,7 @@ option = override_space validator = ini_allowed_options section_re = ^nss$ +option = timeout option = debug option = debug_level option = debug_timestamps 
@@ -82,6 +83,7 @@ option = memcache_timeout validator = ini_allowed_options section_re = ^pam$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -115,6 +117,7 @@ option = p11_child_timeout validator = ini_allowed_options section_re = ^sudo$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -136,6 +139,7 @@ option = sudo_inverse_order validator = ini_allowed_options section_re = ^autofs$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -156,6 +160,7 @@ option = autofs_negative_timeout validator = ini_allowed_options section_re = ^ssh$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -178,6 +183,7 @@ option = ca_db validator = ini_allowed_options section_re = ^pac$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -199,6 +205,7 @@ option = pac_lifetime validator = ini_allowed_options section_re = ^ifp$ +o
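Review bot: the cfg_rules.ini hunks add "+option = timeout" separately to every responder rule (section_re ^nss$, ^pam$, ^sudo$, ^autofs$, ^ssh$, ^pac$, and the ^ifp$ hunk that is cut off here), so each rule added later has to remember to repeat it. The review in this thread already asks for a "secrets" section; when that rule is written, carry over the whole block of shared options that starts at "option = timeout" / "option = debug", not only the secrets-specific ones, and consider a one-line comment above that block in each rule saying these are the options common to all services.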
[SSSD] Re: [PATCH] config: Some fixes to schema
On (11/07/16 07:44), Michal Zidek wrote: >Ok, I split the patches (one per option). > >Michal >From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:03:28 +0200 >Subject: [PATCH 1/4] config: Allow timeout for all sevices > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Allow option "timeout" for all sevices. >--- > src/config/cfg_rules.ini | 7 +++ > src/config/etc/sssd.api.conf | 2 +- > 2 files changed, 8 insertions(+), 1 deletion(-) > Almost ACK I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT Could you remove it in this patch? This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8 (3+ years) >From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:11:41 +0200 >Subject: [PATCH 2/4] config: override_space is monitor's option > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >We read override_space from [sssd] not >[nss] section. >--- ACK >From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:23:40 +0200 >Subject: [PATCH 3/4] config: Fix user_attributes > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Option user_attributes is also available in >NSS responder, but not in PAC responder. >--- ACK >From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Mon, 11 Jul 2016 13:34:03 +0200 >Subject: [PATCH 4/4] config: Add config_file_version to schema > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 >--- > src/config/cfg_rules.ini | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini >index 5c8d05a..635c078 100644 >--- a/src/config/cfg_rules.ini >+++ b/src/config/cfg_rules.ini 
>@@ -39,6 +39,7 @@ option = user > option = default_domain_suffix > option = certificate_verification > option = override_space >+option = config_file_version > > [rule/allowed_nss_options] > validator = ini_allowed_options >-- >1.8.3.1 > Python API schema is not generated yet therefore we should add this option also to src/config/etc/sssd.api.conf. It was probably removed with the change from default 1 -> 2 BTW. We need to also allow section + add default options for "secrets" service. So you will need to modify the 1st patch. I will push acked patches after CI. LS
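Review bot: the commit message for the "+option = config_file_version" hunk consists of the ticket link only, so the reason for the one-line change is lost without the ticket. Add a sentence naming the symptom reported in this thread (warnings when sssd.conf sets config_file_version explicitly) and the rule the option is being added to.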
[SSSD] Re: [PATCH] config: Some fixes to schema
Ok, I split the patches (one per option). Michal From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:03:28 +0200 Subject: [PATCH 1/4] config: Allow timeout for all sevices Fixes: https://fedorahosted.org/sssd/ticket/3068 Allow option "timeout" for all sevices. --- src/config/cfg_rules.ini | 7 +++ src/config/etc/sssd.api.conf | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index d738ddf..41ff1b9 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -43,6 +43,7 @@ option = certificate_verification validator = ini_allowed_options section_re = ^nss$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -81,6 +82,7 @@ option = override_space validator = ini_allowed_options section_re = ^pam$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -114,6 +116,7 @@ option = p11_child_timeout validator = ini_allowed_options section_re = ^sudo$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -135,6 +138,7 @@ option = sudo_inverse_order validator = ini_allowed_options section_re = ^autofs$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -155,6 +159,7 @@ option = autofs_negative_timeout validator = ini_allowed_options section_re = ^ssh$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -177,6 +182,7 @@ option = ca_db validator = ini_allowed_options section_re = ^pac$ +option = timeout option = debug option = debug_level option = debug_timestamps @@ -199,6 +205,7 @@ option = pac_lifetime validator = ini_allowed_options section_re = ^ifp$ +option = timeout option = debug option = debug_level option = debug_timestamps diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 9114659..013f3ae 100644 --- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf @@ -3,6 +3,7 @@ [service] # Options available to all services +timeout = int, None, false debug = int, None, false debug_level = int, None, false debug_timestamps = bool, None, false @@ -20,7 +21,6 @@ diag_cmd = str, None, false # Monitor service services = list, str, true, nss, pam domains = list, str, true -timeout = int, None, false sbus_timeout = int, None, false re_expression = str, None, false full_name_format = str, None, false -- 1.8.3.1 From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Mon, 11 Jul 2016 13:11:41 +0200 Subject: [PATCH 2/4] config: override_space is monitor's option Fixes: https://fedorahosted.org/sssd/ticket/3068 We read override_space from [sssd] not [nss] section. --- src/config/SSSDConfig/__init__.py.in | 2 +- src/config/SSSDConfigTest.py | 3 ++- src/config/cfg_rules.ini | 2 +- src/config/etc/sssd.api.conf | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 52af138..ebdd049 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -63,6 +63,7 @@ option_strings = { 'default_domain_suffix' : _('Domain to add to names without a domain component.'), 'user' : _('The user to drop privileges to'), 'certificate_verification' : _('Tune certificate verification'), +'override_space': _('All spaces in group or user names will be replaced with this character'), # [nss] 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), 
@@ -81,7 +82,6 @@ option_strings = { 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), 'default_shell': _('Shell to use if the provider does not list one'), 'memcache_timeout': _('How long will be in-memory cache records valid'), -'override_space': _('All spaces in group or user names will be replaced with this character'), # [pam] 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6ec3023..5fa9bce 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'client_idle_timeout', 'diag_cmd', 'description', -'certificate_verification'] +'certificate_verification', +'override_space'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 41ff1b9..61efa33 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.i
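Review bot: in patch 2/4 the 'override_space' entry leaves the "# [nss]" block (hunk @@ -81,7 +82,6 @@ of __init__.py.in) and the diffstat lists a matching cfg_rules.ini change, but the commit message only says where the option is read, not what changes for an existing configuration. A sssd.conf that still sets override_space under [nss] will now be reported by the schema check; say so in the message, and note that such a setting was not being read from that section anyway, so the report points at a value that never took effect.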
[SSSD] Re: [PATCH] config: Some fixes to schema
On (08/07/16 15:14), Michal Židek wrote: >On 07/08/2016 12:56 PM, Lukas Slebodnik wrote: >> On (08/07/16 12:17), Michal Židek wrote: >> > From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001 >> > From: =?UTF-8?q?Michal=20=C5=BDidek?= >> > Date: Fri, 8 Jul 2016 11:32:50 +0200 >> > Subject: [PATCH] config: Some fixes to schema >> > >> > Fixes: >> > https://fedorahosted.org/sssd/ticket/3068 >> > >> > Option "timeout" must be allowed for all >> > responders. >> > Option "user_attributes" is >> > also available in NSS responder. >> > Option override_space is read from monitor >> > section, not NSS. >> > --- >> > src/config/cfg_rules.ini | 10 +- >> > src/config/etc/sssd.api.conf | 10 +- >> > 2 files changed, 18 insertions(+), 2 deletions(-) >> > >> > diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf >> > index 9114659..03e5a72 100644 >> > --- a/src/config/etc/sssd.api.conf >> > +++ b/src/config/etc/sssd.api.conf >> > @@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false >> > user = str, None, false >> > default_domain_suffix = str, None, false >> > certificate_verification = str, None, false >> > +override_space = str, None, false >> // snip >> > >> > [ifp] >> > # InfoPipe responder >> > +timeout = int, None, false >> IMHO, it would be better to add it to the section >> "[service]" The same as debug_level. >> We would avoid some duplication >> >> LS > >new patch attached. There was one more error >with the PAC responder and user_attributes >option. > I found another issue with schema. there are warnings if sssd.conf explicitly contains "config_file_version = 2" BTW patch looks like a snow ball. It might be a good idea to split it (at least partially) LS
[SSSD] Re: [PATCH] config: Some fixes to schema
On 07/08/2016 12:56 PM, Lukas Slebodnik wrote: On (08/07/16 12:17), Michal Židek wrote: From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Fri, 8 Jul 2016 11:32:50 +0200 Subject: [PATCH] config: Some fixes to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 Option "timeout" must be allowed for all responders. Option "user_attributes" is also available in NSS responder. Option override_space is read from monitor section, not NSS. --- src/config/cfg_rules.ini | 10 +- src/config/etc/sssd.api.conf | 10 +- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 9114659..03e5a72 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false user = str, None, false default_domain_suffix = str, None, false certificate_verification = str, None, false +override_space = str, None, false // snip [ifp] # InfoPipe responder +timeout = int, None, false IMHO, it would be better to add it to the section "[service]" The same as debug_level. We would avoid some duplication LS new patch attached. There was one more error with the PAC responder and user_attributes option. Michal >From 3f1466274d70e3e275b53bab99549c3e0d4f2a30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Fri, 8 Jul 2016 11:32:50 +0200 Subject: [PATCH] config: Some fixes to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 Option "timeout" must be allowed for all responders. Option "user_attributes" is also available in NSS responder. Option override_space is read from monitor section, not NSS. --- src/config/SSSDConfig/__init__.py.in | 3 ++- src/config/SSSDConfigTest.py | 3 ++- src/config/cfg_rules.ini | 11 +-- src/config/etc/sssd.api.conf | 6 +++--- 4 files changed, 16 insertions(+), 7 deletions(-) 
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 52af138..ea29000 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -63,6 +63,7 @@ option_strings = { 'default_domain_suffix' : _('Domain to add to names without a domain component.'), 'user' : _('The user to drop privileges to'), 'certificate_verification' : _('Tune certificate verification'), +'override_space': _('All spaces in group or user names will be replaced with this character'), # [nss] 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), @@ -81,7 +82,7 @@ option_strings = { 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), 'default_shell': _('Shell to use if the provider does not list one'), 'memcache_timeout': _('How long will be in-memory cache records valid'), -'override_space': _('All spaces in group or user names will be replaced with this character'), +'user_attributes': _('List of user attributes the NSS is allowed to publish'), # [pam] 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6ec3023..5fa9bce 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'client_idle_timeout', 'diag_cmd', 'description', -'certificate_verification'] +'certificate_verification', +'override_space'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index d738ddf..bcc3d2e 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -38,6 +38,7 @@ option = krb5_rcache_dir option = user option = default_domain_suffix option = certificate_verification +option = override_space [rule/allowed_nss_options] validator = ini_allowed_options 
@@ -57,6 +58,8 @@ option = description option = diag_cmd # Name service +option = timeout +option = user_attributes option = enum_cache_timeout option = entry_cache_nowait_percentage option = entry_negative_timeout @@ -75,7 +78,6 @@ option = shell_fallback option = default_shell option = get_domains_timeout option = memcache_timeout -option = override_space [rule/allowed_pam_options] validator = ini_allowed_options @@ -95,6 +97,7 @@ option = description option = diag_cmd # Authentication service +option = timeout option = offline_credentials_expiration option = offline_failed_login_attempts option = offline_failed_login_delay @@ -128,6 +131,7 @@ option = description option = diag_cmd # sudo service +option = timeout option = sudo_timed option = sudo_inverse_order @@ -149,6 +153,7
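Review bot: the __init__.py.in hunk @@ -81,7 +82,7 @@ adds a 'user_attributes' entry with NSS-specific wording ('List of user attributes the NSS is allowed to publish') to option_strings, which is a single flat dict keyed by option name, while the cfg_rules.ini hunks posted earlier in this thread list user_attributes under "# InfoPipe responder" as well. Check whether option_strings already has a 'user_attributes' key further down: in a Python dict literal the later duplicate silently wins, so one of the two descriptions would never be shown. If it does, use one responder-neutral string instead of a second entry.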
[SSSD] Re: [PATCH] config: Some fixes to schema
On (08/07/16 12:17), Michal Židek wrote: >From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Fri, 8 Jul 2016 11:32:50 +0200 >Subject: [PATCH] config: Some fixes to schema > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Option "timeout" must be allowed for all >responders. >Option "user_attributes" is >also available in NSS responder. >Option override_space is read from monitor >section, not NSS. >--- > src/config/cfg_rules.ini | 10 +- > src/config/etc/sssd.api.conf | 10 +- > 2 files changed, 18 insertions(+), 2 deletions(-) > >diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf >index 9114659..03e5a72 100644 >--- a/src/config/etc/sssd.api.conf >+++ b/src/config/etc/sssd.api.conf >@@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false > user = str, None, false > default_domain_suffix = str, None, false > certificate_verification = str, None, false >+override_space = str, None, false // snip > > [ifp] > # InfoPipe responder >+timeout = int, None, false IMHO, it would be better to add it to the section "[service]" The same as debug_level. We would avoid some duplication LS
[SSSD] Re: [PATCH] config: Some fixes to schema
On 07/08/2016 12:07 PM, Lukas Slebodnik wrote: On (08/07/16 12:03), Michal Židek wrote: Hi, attached is patch for ticket https://fedorahosted.org/sssd/ticket/3068 The ticket also talks about allowing options for negative cache timeouts in all responders, but I did not do that. We do indeed initialize negative cache in all responders, but we always read the timeouts from NSS section. Also in the man pages, we only document these options for NSS. So it is not problem with the schema. I do agree that this is not ideal, but should we fix it? I do not think it is worth the time, but if someone thinks otherwise, please open a ticket. Michal From 2c41d136c7d43ad089510cc9fb3ae5e870400791 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Fri, 8 Jul 2016 11:32:50 +0200 Subject: [PATCH] config: Some fixes to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 Option "timeout" must be allowed for all responders. Option "user_attributes" is also available in NSS responder. Option override_space is read from monitor section, not NSS. --- src/config/cfg_rules.ini | 10 +- This file was created from files in src/config/etc/ Therefore there are missing options in some sections. Please update these files as well because we still cannot autogenerate them. LS Thanks for noticing this. New patch attached. Michal >From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= Date: Fri, 8 Jul 2016 11:32:50 +0200 Subject: [PATCH] config: Some fixes to schema Fixes: https://fedorahosted.org/sssd/ticket/3068 Option "timeout" must be allowed for all responders. Option "user_attributes" is also available in NSS responder. Option override_space is read from monitor section, not NSS. --- src/config/cfg_rules.ini | 10 +- src/config/etc/sssd.api.conf | 10 +- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index d738ddf..6e8258e 100644 
--- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -38,6 +38,7 @@ option = krb5_rcache_dir option = user option = default_domain_suffix option = certificate_verification +option = override_space [rule/allowed_nss_options] validator = ini_allowed_options @@ -57,6 +58,8 @@ option = description option = diag_cmd # Name service +option = timeout +option = user_attributes option = enum_cache_timeout option = entry_cache_nowait_percentage option = entry_negative_timeout @@ -75,7 +78,6 @@ option = shell_fallback option = default_shell option = get_domains_timeout option = memcache_timeout -option = override_space [rule/allowed_pam_options] validator = ini_allowed_options @@ -95,6 +97,7 @@ option = description option = diag_cmd # Authentication service +option = timeout option = offline_credentials_expiration option = offline_failed_login_attempts option = offline_failed_login_delay @@ -128,6 +131,7 @@ option = description option = diag_cmd # sudo service +option = timeout option = sudo_timed option = sudo_inverse_order @@ -149,6 +153,7 @@ option = description option = diag_cmd # autofs service +option = timeout option = autofs_negative_timeout [rule/allowed_ssh_options] @@ -169,6 +174,7 @@ option = description option = diag_cmd # ssh service +option = timeout option = ssh_hash_known_hosts option = ssh_known_hosts_timeout option = ca_db @@ -191,6 +197,7 @@ option = description option = diag_cmd # PAC responder +option = timeout option = allowed_uids option = user_attributes option = pac_lifetime @@ -213,6 +220,7 @@ option = description option = diag_cmd # InfoPipe responder +option = timeout option = allowed_uids option = user_attributes diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 9114659..03e5a72 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf 
@@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false user = str, None, false default_domain_suffix = str, None, false certificate_verification = str, None, false +override_space = str, None, false [nss] # Name service +timeout = int, None, false +user_attributes = str, None, false enum_cache_timeout = int, None, false entry_cache_nowait_percentage = int, None, false entry_negative_timeout = int, None, false @@ -49,10 +52,10 @@ shell_fallback = str, None, false default_shell = str, None, false get_domains_timeout = int, None, false memcache_timeout = int, None, false -override_space = str, None, false [pam] # Authentication service +timeout = int, None, false offline_credentials_expiration = int, None, false offline_failed_login_attempts = int, None, false offline_failed_login_delay = int, None, false @@ -70,27 +73,32 @@ p11_child_timeout = int, None, false [sudo] # sudo service +timeout = int, None, false sudo_timed = bool, None, false sudo_inverse_order = bool, None, false [autofs] # autofs service +timeout = int,
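Review bot: each cfg_rules.ini hunk inserts "+option = timeout" under the responder's own comment ("# Name service", "# Authentication service", "# sudo service", "# autofs service", ...), directly after "option = diag_cmd", although timeout is not specific to any one responder. Move it up into the block of shared options in every rule so that the part under the comment lists only what that responder alone understands; that also makes a forgotten shared option easier to spot when a new rule is added.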
[SSSD] Re: [PATCH] config: Some fixes to schema
On (08/07/16 12:03), Michal Židek wrote: >Hi, > >attached is patch for ticket >https://fedorahosted.org/sssd/ticket/3068 > >The ticket also talks about allowing options >for negative cache timeouts in all responders, >but I did not do that. > >We do indeed initialize negative cache in all >responders, but we always read the timeouts >from NSS section. Also in the man pages, we only >document these options for NSS. So it is not >problem with the schema. I do agree that this is >not ideal, but should we fix it? I do not >think it is worth the time, but if someone thinks >otherwise, please open a ticket. > >Michal >From 2c41d136c7d43ad089510cc9fb3ae5e870400791 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20=C5=BDidek?= >Date: Fri, 8 Jul 2016 11:32:50 +0200 >Subject: [PATCH] config: Some fixes to schema > >Fixes: >https://fedorahosted.org/sssd/ticket/3068 > >Option "timeout" must be allowed for all >responders. >Option "user_attributes" is >also available in NSS responder. >Option override_space is read from monitor >section, not NSS. >--- > src/config/cfg_rules.ini | 10 +- This file was created from files in src/config/etc/ Therefore there are missing options in some sections. Please update these files as well because we still cannot autogenerate them. LS
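Added example (not SSSD code and not written by anyone in this thread): because cfg_rules.ini and sssd.api.conf have to be kept in step by hand, as the message above points out, a cross-check like this one reports options that only one of the two schemas knows. The fragments are constructed, the function names are hypothetical, and treating [service] as applying to every service section is an assumption taken from its "Options available to all services" comment.

```python
import re
from collections import defaultdict

# Constructed fragments shaped like the hunks in this thread, not the real files.
CFG_RULES = """\
[rule/allowed_sssd_options]
validator = ini_allowed_options
section_re = ^sssd$
option = timeout
option = user
option = override_space
option = config_file_version

[rule/allowed_nss_options]
validator = ini_allowed_options
section_re = ^nss$
option = timeout
option = user_attributes

[rule/allowed_pac_options]
validator = ini_allowed_options
section_re = ^pac$
option = user_attributes
option = pac_lifetime
"""

API_CONF = """\
[service]
# Options available to all services
timeout = int, None, false

[sssd]
user = str, None, false
override_space = str, None, false

[nss]
user_attributes = str, None, false

[pac]
pac_lifetime = int, None, false
"""


def parse_multi_ini(text):
    """Parse INI text whose keys may repeat: {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), defaultdict(list))
        elif current is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key].append(value)
    return sections


def allowed_by_rules(rules_text, section):
    """Options that ini_allowed_options rules permit in `section`."""
    allowed = set()
    for rule in parse_multi_ini(rules_text).values():
        if rule.get("validator") != ["ini_allowed_options"]:
            continue
        if any(re.search(p, section) for p in rule.get("section_re", [])):
            allowed.update(rule.get("option", []))
    return allowed


def allowed_by_api(api_text, section):
    """Options the API schema lists for `section`.

    Assumption: [service] options apply to every service section.
    """
    api = parse_multi_ini(api_text)
    return set(api.get("service", {})) | set(api.get(section, {}))


def schema_drift(rules_text, api_text, sections):
    """Per section, the options that only one of the two schemas knows."""
    drift = {}
    for section in sections:
        rules = allowed_by_rules(rules_text, section)
        api = allowed_by_api(api_text, section)
        if rules != api:
            drift[section] = {"only_in_rules": sorted(rules - api),
                              "only_in_api": sorted(api - rules)}
    return drift
```

Calling schema_drift(CFG_RULES, API_CONF, ["sssd", "nss", "pac"]) on the constructed fragments flags the same three kinds of mismatch the thread deals with: an option added to one file only, a shared option missing from one rule, and an option listed for a responder whose API section does not have it.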