[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 08/04/2016 11:40 AM, Jakub Hrozek wrote:

On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote:

On 07/12/2016 06:38 PM, Lukas Slebodnik wrote:

On (12/07/16 15:59), Michal Židek wrote:

On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:

On (12/07/16 15:16), Michal Židek wrote:

+# secrets responder
+option = provider
+


I think you need to also update "rule/allowed_sections"

maybe you could run tour tool "sssctl config-check"
before sending patches :-)



What a useful tool it turned out to be :)


And there are another related question to this topic.
Should we add undocumented option to the list?

We already have "command" in schema. Should we add other as well?

IMHO, no.

LS


So far we only added options that we expect users
to use. Options that are for developers are not added to the
schema for now.

Michal



 From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/3] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
---

ACK


 From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 2/3] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/SSSDConfigTest.py | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
3 files changed, 3 insertions(+)


ACK


 From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Tue, 12 Jul 2016 15:05:16 +0200
Subject: [PATCH 3/3] config: Allow 'secrets' section

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow the 'secrets' section in config file
schema.
---
src/config/SSSDConfigTest.py |  6 --
src/config/cfg_rules.ini | 22 ++
src/config/etc/sssd.api.conf |  4 
3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 332d870..4748ecb 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
  'autofs',
  'ssh',
  'pac',
-'ifp']
+'ifp',
+'secrets']
  for section in control_list:
  self.assertTrue(sssdconfig.has_section(section),
  "Section [%s] missing" %
@@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
  'autofs',
  'ssh',
  'pac',
-'ifp']
+'ifp',
+'secrets']
  service_list = sssdconfig.list_services()
  for service in control_list:
  self.assertTrue(service in service_list,
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 635c078..cab25fc 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,6 +8,7 @@ section = autofs
section = ssh
section = pac
section = ifp
+section_re = ^secrets/.*$
section_re = ^domain/.*$

[rule/allowed_sssd_options]
@@ -224,6 +225,27 @@ option = diag_cmd
option = allowed_uids
option = user_attributes

+[rule/allowed_secrets_options]
+validator = ini_allowed_options
+section_re = ^secrets/.*$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# secrets responder
+option = provider
+


There are some options which you didn't include (e.g. forward_headers)
@see
grep confdb_get -A 5 src/responder/secrets/*
grep proxy_get_config_string -A 5 src/responder/secrets/*

LS


It looks like secret uses different set of options completely.
Also there is the service/program specific configuration of
secrets that should work similar to domains (like [secret/apache]
or something like that).

I will not sent this patch until I have better understanding
of how secrets service work and how it can be configured. I think we
should make a ticket for the documentation/design page
enhancement and make the schema change as a subtask for it.


We already have:
 https://fedorahosted.org/sssd/ticket/3053
I would like to work on that next week..


Ah, great.

I will add the need for schema update in the comments of that
ticket and close the one about fixes to initial schema.

Michal
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Jakub Hrozek]

On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote:
> On 07/12/2016 06:38 PM, Lukas Slebodnik wrote:
> > On (12/07/16 15:59), Michal Židek wrote:
> > > On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:
> > > > On (12/07/16 15:16), Michal Židek wrote:
> > > > > +# secrets responder
> > > > > +option = provider
> > > > > +
> > > > 
> > > > I think you need to also update "rule/allowed_sections"
> > > > 
> > > > maybe you could run tour tool "sssctl config-check"
> > > > before sending patches :-)
> > > > 
> > > 
> > > What a useful tool it turned out to be :)
> > > 
> > > > And there are another related question to this topic.
> > > > Should we add undocumented option to the list?
> > > > 
> > > > We already have "command" in schema. Should we add other as well?
> > > > 
> > > > IMHO, no.
> > > > 
> > > > LS
> > > 
> > > So far we only added options that we expect users
> > > to use. Options that are for developers are not added to the
> > > schema for now.
> > > 
> > > Michal
> > 
> > > From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
> > > Date: Mon, 11 Jul 2016 13:03:28 +0200
> > > Subject: [PATCH 1/3] config: Allow timeout for all sevices
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > 
> > > Allow option "timeout" for all sevices.
> > > Also remove unused macro CONFDB_SERVICE_TIMEOUT.
> > > ---
> > ACK
> > 
> > > From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
> > > Date: Mon, 11 Jul 2016 13:34:03 +0200
> > > Subject: [PATCH 2/3] config: Add config_file_version to schema
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > ---
> > > src/config/SSSDConfigTest.py | 1 +
> > > src/config/cfg_rules.ini | 1 +
> > > src/config/etc/sssd.api.conf | 1 +
> > > 3 files changed, 3 insertions(+)
> > > 
> > ACK
> > 
> > > From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
> > > Date: Tue, 12 Jul 2016 15:05:16 +0200
> > > Subject: [PATCH 3/3] config: Allow 'secrets' section
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > 
> > > Allow the 'secrets' section in config file
> > > schema.
> > > ---
> > > src/config/SSSDConfigTest.py |  6 --
> > > src/config/cfg_rules.ini | 22 ++
> > > src/config/etc/sssd.api.conf |  4 
> > > 3 files changed, 30 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
> > > index 332d870..4748ecb 100755
> > > --- a/src/config/SSSDConfigTest.py
> > > +++ b/src/config/SSSDConfigTest.py
> > > @@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> > >  'autofs',
> > >  'ssh',
> > >  'pac',
> > > -'ifp']
> > > +'ifp',
> > > +'secrets']
> > >  for section in control_list:
> > >  self.assertTrue(sssdconfig.has_section(section),
> > >  "Section [%s] missing" %
> > > @@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> > >  'autofs',
> > >  'ssh',
> > >  'pac',
> > > -'ifp']
> > > +'ifp',
> > > +'secrets']
> > >  service_list = sssdconfig.list_services()
> > >  for service in control_list:
> > >  self.assertTrue(service in service_list,
> > > diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
> > > index 635c078..cab25fc 100644
> > > --- a/src/config/cfg_rules.ini
> > > +++ b/src/config/cfg_rules.ini
> > > @@ -8,6 +8,7 @@ section = autofs
> > > section = ssh
> > > section = pac
> > > section = ifp
> > > +section_re = ^secrets/.*$
> > > section_re = ^domain/.*$
> > > 
> > > [rule/allowed_sssd_options]
> > > @@ -224,6 +225,27 @@ option = diag_cmd
> > > option = allowed_uids
> > > option = user_attributes
> > > 
> > > +[rule/allowed_secrets_options]
> > > +validator = ini_allowed_options
> > > +section_re = ^secrets/.*$
> > > +
> > > +option = timeout
> > > +option = debug
> > > +option = debug_level
> > > +option = debug_timestamps
> > > +option = debug_microseconds
> > > +option = debug_to_files
> > > +option = command
> > > +option = reconnection_retries
> > > +option = fd_limit
> > > +option = client_idle_timeout
> > > +option = force_timeout
> > > +option = description
> > > +option = diag_cmd
> > > +
> > > +# secrets responder
> > > +option = provider
> > > +
> > 
> > There are some options which you didn't include (e.g. forward_headers)
> > @see
> >grep confdb_get -A 5 src/responder/secrets/*
> >grep proxy_get_config_string -A 5 src/responder/secrets/*
> > 
> > LS
> 
> It looks like secret uses different set of options completely.
> Also there is the service/program specific configuration of
> secrets that should work similar to domains (like [secret

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 07/12/2016 06:38 PM, Lukas Slebodnik wrote:

On (12/07/16 15:59), Michal Židek wrote:

On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:

On (12/07/16 15:16), Michal Židek wrote:

+# secrets responder
+option = provider
+


I think you need to also update "rule/allowed_sections"

maybe you could run tour tool "sssctl config-check"
before sending patches :-)



What a useful tool it turned out to be :)


And there are another related question to this topic.
Should we add undocumented option to the list?

We already have "command" in schema. Should we add other as well?

IMHO, no.

LS


So far we only added options that we expect users
to use. Options that are for developers are not added to the
schema for now.

Michal



From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/3] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
---

ACK


From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 2/3] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/SSSDConfigTest.py | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
3 files changed, 3 insertions(+)


ACK


From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Tue, 12 Jul 2016 15:05:16 +0200
Subject: [PATCH 3/3] config: Allow 'secrets' section

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow the 'secrets' section in config file
schema.
---
src/config/SSSDConfigTest.py |  6 --
src/config/cfg_rules.ini | 22 ++
src/config/etc/sssd.api.conf |  4 
3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 332d870..4748ecb 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
 'autofs',
 'ssh',
 'pac',
-'ifp']
+'ifp',
+'secrets']
 for section in control_list:
 self.assertTrue(sssdconfig.has_section(section),
 "Section [%s] missing" %
@@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
 'autofs',
 'ssh',
 'pac',
-'ifp']
+'ifp',
+'secrets']
 service_list = sssdconfig.list_services()
 for service in control_list:
 self.assertTrue(service in service_list,
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 635c078..cab25fc 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,6 +8,7 @@ section = autofs
section = ssh
section = pac
section = ifp
+section_re = ^secrets/.*$
section_re = ^domain/.*$

[rule/allowed_sssd_options]
@@ -224,6 +225,27 @@ option = diag_cmd
option = allowed_uids
option = user_attributes

+[rule/allowed_secrets_options]
+validator = ini_allowed_options
+section_re = ^secrets/.*$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# secrets responder
+option = provider
+


There are some options which you didn't include (e.g. forward_headers)
@see
   grep confdb_get -A 5 src/responder/secrets/*
   grep proxy_get_config_string -A 5 src/responder/secrets/*

LS


It looks like secret uses different set of options completely.
Also there is the service/program specific configuration of
secrets that should work similar to domains (like [secret/apache]
or something like that).

I will not sent this patch until I have better understanding
of how secrets service work and how it can be configured. I think we
should make a ticket for the documentation/design page
enhancement and make the schema change as a subtask for it.

Michal
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (12/07/16 18:38), Lukas Slebodnik wrote:
>On (12/07/16 15:59), Michal Židek wrote:
>>On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:
>>> On (12/07/16 15:16), Michal Židek wrote:
>>> > +# secrets responder
>>> > +option = provider
>>> > +
>>> 
>>> I think you need to also update "rule/allowed_sections"
>>> 
>>> maybe you could run tour tool "sssctl config-check"
>>> before sending patches :-)
>>> 
>>
>>What a useful tool it turned out to be :)
>>
>>> And there are another related question to this topic.
>>> Should we add undocumented option to the list?
>>> 
>>> We already have "command" in schema. Should we add other as well?
>>> 
>>> IMHO, no.
>>> 
>>> LS
>>
>>So far we only added options that we expect users
>>to use. Options that are for developers are not added to the
>>schema for now.
>>
>>Michal
>
>>From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:03:28 +0200
>>Subject: [PATCH 1/3] config: Allow timeout for all sevices
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>
>>Allow option "timeout" for all sevices.
>>Also remove unused macro CONFDB_SERVICE_TIMEOUT.
>>---
>ACK
>
>>From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:34:03 +0200
>>Subject: [PATCH 2/3] config: Add config_file_version to schema
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>---
>> src/config/SSSDConfigTest.py | 1 +
>> src/config/cfg_rules.ini | 1 +
>> src/config/etc/sssd.api.conf | 1 +
>> 3 files changed, 3 insertions(+)
>>
>ACK
>
http://sssd-ci.duckdns.org/logs-test/job/2/93/summary.html

1st and 2nd patch pushed to
master:
* aeab20358006d728a284f969f92f3890498cd651
* 1b9b5477027d86a2afb2e72981253d108c5398da

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (12/07/16 15:59), Michal Židek wrote:
>On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:
>> On (12/07/16 15:16), Michal Židek wrote:
>> > +# secrets responder
>> > +option = provider
>> > +
>> 
>> I think you need to also update "rule/allowed_sections"
>> 
>> maybe you could run tour tool "sssctl config-check"
>> before sending patches :-)
>> 
>
>What a useful tool it turned out to be :)
>
>> And there are another related question to this topic.
>> Should we add undocumented option to the list?
>> 
>> We already have "command" in schema. Should we add other as well?
>> 
>> IMHO, no.
>> 
>> LS
>
>So far we only added options that we expect users
>to use. Options that are for developers are not added to the
>schema for now.
>
>Michal

>From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:03:28 +0200
>Subject: [PATCH 1/3] config: Allow timeout for all sevices
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Allow option "timeout" for all sevices.
>Also remove unused macro CONFDB_SERVICE_TIMEOUT.
>---
ACK

>From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:34:03 +0200
>Subject: [PATCH 2/3] config: Add config_file_version to schema
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>---
> src/config/SSSDConfigTest.py | 1 +
> src/config/cfg_rules.ini | 1 +
> src/config/etc/sssd.api.conf | 1 +
> 3 files changed, 3 insertions(+)
>
ACK

>From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Tue, 12 Jul 2016 15:05:16 +0200
>Subject: [PATCH 3/3] config: Allow 'secrets' section
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Allow the 'secrets' section in config file
>schema.
>---
> src/config/SSSDConfigTest.py |  6 --
> src/config/cfg_rules.ini | 22 ++
> src/config/etc/sssd.api.conf |  4 
> 3 files changed, 30 insertions(+), 2 deletions(-)
>
>diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
>index 332d870..4748ecb 100755
>--- a/src/config/SSSDConfigTest.py
>+++ b/src/config/SSSDConfigTest.py
>@@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> 'autofs',
> 'ssh',
> 'pac',
>-'ifp']
>+'ifp',
>+'secrets']
> for section in control_list:
> self.assertTrue(sssdconfig.has_section(section),
> "Section [%s] missing" %
>@@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> 'autofs',
> 'ssh',
> 'pac',
>-'ifp']
>+'ifp',
>+'secrets']
> service_list = sssdconfig.list_services()
> for service in control_list:
> self.assertTrue(service in service_list,
>diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
>index 635c078..cab25fc 100644
>--- a/src/config/cfg_rules.ini
>+++ b/src/config/cfg_rules.ini
>@@ -8,6 +8,7 @@ section = autofs
> section = ssh
> section = pac
> section = ifp
>+section_re = ^secrets/.*$
> section_re = ^domain/.*$
> 
> [rule/allowed_sssd_options]
>@@ -224,6 +225,27 @@ option = diag_cmd
> option = allowed_uids
> option = user_attributes
> 
>+[rule/allowed_secrets_options]
>+validator = ini_allowed_options
>+section_re = ^secrets/.*$
>+
>+option = timeout
>+option = debug
>+option = debug_level
>+option = debug_timestamps
>+option = debug_microseconds
>+option = debug_to_files
>+option = command
>+option = reconnection_retries
>+option = fd_limit
>+option = client_idle_timeout
>+option = force_timeout
>+option = description
>+option = diag_cmd
>+
>+# secrets responder
>+option = provider
>+

There are some options which you didn't include (e.g. forward_headers)
@see
  grep confdb_get -A 5 src/responder/secrets/*
  grep proxy_get_config_string -A 5 src/responder/secrets/*

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:

On (12/07/16 15:16), Michal Židek wrote:

On 07/12/2016 01:28 PM, Lukas Slebodnik wrote:

On (11/07/16 07:44), Michal Zidek wrote:

Ok, I split the patches (one per option).

Michal



 From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/4] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
---
src/config/cfg_rules.ini | 7 +++
src/config/etc/sssd.api.conf | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)


Almost ACK

I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT
Could you remove it in this patch?
This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8
(3+ years)




 From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:11:41 +0200
Subject: [PATCH 2/4] config: override_space is monitor's option

Fixes:
https://fedorahosted.org/sssd/ticket/3068

We read override_space from [sssd] not
[nss] section.
---

ACK


 From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:23:40 +0200
Subject: [PATCH 3/4] config: Fix user_attributes

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option user_attributes is also available in
NSS responder, but not in PAC responder.
---


ACK


 From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 4/4] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/cfg_rules.ini | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5c8d05a..635c078 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -39,6 +39,7 @@ option = user
option = default_domain_suffix
option = certificate_verification
option = override_space
+option = config_file_version

[rule/allowed_nss_options]
validator = ini_allowed_options
--
1.8.3.1



Python API schema is not generated yet
therefore we should add this option also
to src/config/etc/sssd.api.conf.
It was probably removed with the change from default 1 -> 2

BTW. We need to also allow section + add default options for
"secrets" service. So you will need to modify the 1st patch.

I will push acked patches after CI.

LS


Sending the patches that were not acked + patch
that adds the 'secrets' service.

Michal




From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/3] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.

ACK


From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 2/3] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/SSSDConfigTest.py | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
3 files changed, 3 insertions(+)

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 5fa9bce..332d870 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -289,6 +289,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):

 options = service.list_options()
 control_list = [
+'config_file_version',
 'services',
 'domains',
 'timeout',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5c8d05a..635c078 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -39,6 +39,7 @@ option = user
option = default_domain_suffix
option = certificate_verification
option = override_space
+option = config_file_version

[rule/allowed_nss_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index e4011a3..737f0e1 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -19,6 +19,7 @@ diag_cmd = str, None, false

[sssd]
# Monitor service
+config_file_version = int, None, false
services = list, str, true, nss, pam
domains = list, str, true
sbus_timeout = int, None, false
--
2.5.0



LGTM. I haven't tested yet.


From 27964d4eca57972512f145033b253d0dbf29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Tue, 12 Jul 2016 15:05:16 +0200
Subject: [PATCH 3/3] config: Allow 'secrets' section

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow the 'secrets' section in config file
schema.
---
src/config/SSSDConfigTest.py |  6 ++

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (12/07/16 15:16), Michal Židek wrote:
>On 07/12/2016 01:28 PM, Lukas Slebodnik wrote:
>> On (11/07/16 07:44), Michal Zidek wrote:
>> > Ok, I split the patches (one per option).
>> > 
>> > Michal
>> 
>> > From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>> > Date: Mon, 11 Jul 2016 13:03:28 +0200
>> > Subject: [PATCH 1/4] config: Allow timeout for all sevices
>> > 
>> > Fixes:
>> > https://fedorahosted.org/sssd/ticket/3068
>> > 
>> > Allow option "timeout" for all sevices.
>> > ---
>> > src/config/cfg_rules.ini | 7 +++
>> > src/config/etc/sssd.api.conf | 2 +-
>> > 2 files changed, 8 insertions(+), 1 deletion(-)
>> > 
>> Almost ACK
>> 
>> I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT
>> Could you remove it in this patch?
>> This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8
>> (3+ years)
>> 
>> 
>> 
>> > From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>> > Date: Mon, 11 Jul 2016 13:11:41 +0200
>> > Subject: [PATCH 2/4] config: override_space is monitor's option
>> > 
>> > Fixes:
>> > https://fedorahosted.org/sssd/ticket/3068
>> > 
>> > We read override_space from [sssd] not
>> > [nss] section.
>> > ---
>> ACK
>> 
>> > From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>> > Date: Mon, 11 Jul 2016 13:23:40 +0200
>> > Subject: [PATCH 3/4] config: Fix user_attributes
>> > 
>> > Fixes:
>> > https://fedorahosted.org/sssd/ticket/3068
>> > 
>> > Option user_attributes is also available in
>> > NSS responder, but not in PAC responder.
>> > ---
>> 
>> ACK
>> 
>> > From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>> > Date: Mon, 11 Jul 2016 13:34:03 +0200
>> > Subject: [PATCH 4/4] config: Add config_file_version to schema
>> > 
>> > Fixes:
>> > https://fedorahosted.org/sssd/ticket/3068
>> > ---
>> > src/config/cfg_rules.ini | 1 +
>> > 1 file changed, 1 insertion(+)
>> > 
>> > diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
>> > index 5c8d05a..635c078 100644
>> > --- a/src/config/cfg_rules.ini
>> > +++ b/src/config/cfg_rules.ini
>> > @@ -39,6 +39,7 @@ option = user
>> > option = default_domain_suffix
>> > option = certificate_verification
>> > option = override_space
>> > +option = config_file_version
>> > 
>> > [rule/allowed_nss_options]
>> > validator = ini_allowed_options
>> > --
>> > 1.8.3.1
>> > 
>> 
>> Python API schema is not generated yet
>> therefore we should add this option also
>> to src/config/etc/sssd.api.conf.
>> It was probably removed with the change from default 1 -> 2
>> 
>> BTW. We need to also allow section + add default options for
>> "secrets" service. So you will need to modify the 1st patch.
>> 
>> I will push acked patches after CI.
>> 
>> LS
>
>Sending the patches that were not acked + patch
>that adds the 'secrets' service.
>
>Michal
>

>From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:03:28 +0200
>Subject: [PATCH 1/3] config: Allow timeout for all sevices
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Allow option "timeout" for all sevices.
>Also remove unused macro CONFDB_SERVICE_TIMEOUT.
ACK

>From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:34:03 +0200
>Subject: [PATCH 2/3] config: Add config_file_version to schema
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>---
> src/config/SSSDConfigTest.py | 1 +
> src/config/cfg_rules.ini | 1 +
> src/config/etc/sssd.api.conf | 1 +
> 3 files changed, 3 insertions(+)
>
>diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
>index 5fa9bce..332d870 100755
>--- a/src/config/SSSDConfigTest.py
>+++ b/src/config/SSSDConfigTest.py
>@@ -289,6 +289,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
> 
> options = service.list_options()
> control_list = [
>+'config_file_version',
> 'services',
> 'domains',
> 'timeout',
>diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
>index 5c8d05a..635c078 100644
>--- a/src/config/cfg_rules.ini
>+++ b/src/config/cfg_rules.ini
>@@ -39,6 +39,7 @@ option = user
> option = default_domain_suffix
> option = certificate_verification
> option = override_space
>+option = config_file_version
> 
> [rule/allowed_nss_options]
> validator = ini_allowed_options
>diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
>index e4011a3..737f0e1 100644
>--- a/src/config/etc/sssd.api.conf
>+++ b/src/config/etc/sssd.api.conf
>@@ -19,6 +19,7 @@ diag_cmd = str, None, false
> 
> [sssd]
> # Monitor service
>+config_file_version = int, None, false
> services = list, str, true, nss, pam
> domains = list, str, tr

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (12/07/16 13:28), Lukas Slebodnik wrote:
>On (11/07/16 07:44), Michal Zidek wrote:
>>Ok, I split the patches (one per option).
>>
>>Michal
>
>>From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:03:28 +0200
>>Subject: [PATCH 1/4] config: Allow timeout for all sevices
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>
>>Allow option "timeout" for all sevices.
>>---
>> src/config/cfg_rules.ini | 7 +++
>> src/config/etc/sssd.api.conf | 2 +-
>> 2 files changed, 8 insertions(+), 1 deletion(-)
>>
>Almost ACK
>
>I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT
>Could you remove it in this patch?
>This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8
>(3+ years)
>
>
>
>>From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:11:41 +0200
>>Subject: [PATCH 2/4] config: override_space is monitor's option
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>
>>We read override_space from [sssd] not
>>[nss] section.
>>---
>ACK
>
>>From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:23:40 +0200
>>Subject: [PATCH 3/4] config: Fix user_attributes
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>
>>Option user_attributes is also available in
>>NSS responder, but not in PAC responder.
>>---
>
>ACK
>
>>From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001
>>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>>Date: Mon, 11 Jul 2016 13:34:03 +0200
>>Subject: [PATCH 4/4] config: Add config_file_version to schema
>>
>>Fixes:
>>https://fedorahosted.org/sssd/ticket/3068
>>---
>> src/config/cfg_rules.ini | 1 +
>> 1 file changed, 1 insertion(+)
>>
>>diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
>>index 5c8d05a..635c078 100644
>>--- a/src/config/cfg_rules.ini
>>+++ b/src/config/cfg_rules.ini
>>@@ -39,6 +39,7 @@ option = user
>> option = default_domain_suffix
>> option = certificate_verification
>> option = override_space
>>+option = config_file_version
>> 
>> [rule/allowed_nss_options]
>> validator = ini_allowed_options
>>-- 
>>1.8.3.1
>>
>
>Python API schema is not generated yet
>therefore we should add this option also
>to src/config/etc/sssd.api.conf.
>It was probably removed with the change from default 1 -> 2
>
>BTW. We need to also allow section + add default options for
>"secrets" service. So you will need to modify the 1st patch.
>
>I will push acked patches after CI.
>
http://sssd-ci.duckdns.org/logs-test/job/2/87/summary.html

master:
* 0a172552ec16f3b84d127399551cad786da8fd9d
* fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63

LS
>___
>sssd-devel mailing list
>sssd-devel@lists.fedorahosted.org
>https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 07/12/2016 01:28 PM, Lukas Slebodnik wrote:

On (11/07/16 07:44), Michal Zidek wrote:

Ok, I split the patches (one per option).

Michal



From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/4] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
---
src/config/cfg_rules.ini | 7 +++
src/config/etc/sssd.api.conf | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)


Almost ACK

I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT
Could you remove it in this patch?
This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8
(3+ years)




From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:11:41 +0200
Subject: [PATCH 2/4] config: override_space is monitor's option

Fixes:
https://fedorahosted.org/sssd/ticket/3068

We read override_space from [sssd] not
[nss] section.
---

ACK


From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:23:40 +0200
Subject: [PATCH 3/4] config: Fix user_attributes

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option user_attributes is also available in
NSS responder, but not in PAC responder.
---


ACK


From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:34:03 +0200
Subject: [PATCH 4/4] config: Add config_file_version to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068
---
src/config/cfg_rules.ini | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5c8d05a..635c078 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -39,6 +39,7 @@ option = user
option = default_domain_suffix
option = certificate_verification
option = override_space
+option = config_file_version

[rule/allowed_nss_options]
validator = ini_allowed_options
--
1.8.3.1



Python API schema is not generated yet
therefore we should add this option also
to src/config/etc/sssd.api.conf.
It was probably removed with the change from default 1 -> 2

BTW. We need to also allow section + add default options for
"secrets" service. So you will need to modify the 1st patch.

I will push acked patches after CI.

LS


Sending the patches that were not acked + patch
that adds the 'secrets' service.

Michal

>From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/3] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
---
 src/confdb/confdb.h  | 1 -
 src/config/cfg_rules.ini | 7 +++
 src/config/etc/sssd.api.conf | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 54b1cbc..cc8f66f 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -58,7 +58,6 @@
 #define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
 #define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
 #define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
-#define CONFDB_SERVICE_TIMEOUT "timeout"
 #define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout"
 #define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
 #define CONFDB_SERVICE_FD_LIMIT "fd_limit"
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 85a15be..5c8d05a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -44,6 +44,7 @@ option = override_space
 validator = ini_allowed_options
 section_re = ^nss$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -82,6 +83,7 @@ option = memcache_timeout
 validator = ini_allowed_options
 section_re = ^pam$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -115,6 +117,7 @@ option = p11_child_timeout
 validator = ini_allowed_options
 section_re = ^sudo$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -136,6 +139,7 @@ option = sudo_inverse_order
 validator = ini_allowed_options
 section_re = ^autofs$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -156,6 +160,7 @@ option = autofs_negative_timeout
 validator = ini_allowed_options
 section_re = ^ssh$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -178,6 +183,7 @@ option = ca_db
 validator = ini_allowed_options
 section_re = ^pac$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -199,6 +205,7 @@ option = pac_lifetime
 validator = ini_allowed_options
 section_re = ^ifp$
 
+o

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (11/07/16 07:44), Michal Zidek wrote:
>Ok, I split the patches (one per option).
>
>Michal

>From 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:03:28 +0200
>Subject: [PATCH 1/4] config: Allow timeout for all sevices
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Allow option "timeout" for all sevices.
>---
> src/config/cfg_rules.ini | 7 +++
> src/config/etc/sssd.api.conf | 2 +-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
Almost ACK

I realized that there is an unused macro CONFDB_SERVICE_TIMEOUT
Could you remove it in this patch?
This macro is not used since commit 31d97bce8f113276bf73c7d4349f720cd5edbcb8
(3+ years)



>From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:11:41 +0200
>Subject: [PATCH 2/4] config: override_space is monitor's option
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>We read override_space from [sssd] not
>[nss] section.
>---
ACK

>From c478a9440bb50c56c6004da806c0cdf8e9bbcc56 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:23:40 +0200
>Subject: [PATCH 3/4] config: Fix user_attributes
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Option user_attributes is also available in
>NSS responder, but not in PAC responder.
>---

ACK

>From ee4449c7b5c6154bfb079725e62874948c42124d Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Mon, 11 Jul 2016 13:34:03 +0200
>Subject: [PATCH 4/4] config: Add config_file_version to schema
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>---
> src/config/cfg_rules.ini | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
>index 5c8d05a..635c078 100644
>--- a/src/config/cfg_rules.ini
>+++ b/src/config/cfg_rules.ini
>@@ -39,6 +39,7 @@ option = user
> option = default_domain_suffix
> option = certificate_verification
> option = override_space
>+option = config_file_version
> 
> [rule/allowed_nss_options]
> validator = ini_allowed_options
>-- 
>1.8.3.1
>

Python API schema is not generated yet
therefore we should add this option also
to src/config/etc/sssd.api.conf.
It was probably removed with the change from default 1 -> 2

BTW. We need to also allow section + add default options for
"secrets" service. So you will need to modify the 1st patch.

I will push acked patches after CI.

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Zidek]

Ok, I split the patches (one per option).

MichalFrom 4c11e6cfcfee3cad801d513d75e136e4bd3bd598 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:03:28 +0200
Subject: [PATCH 1/4] config: Allow timeout for all sevices

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Allow option "timeout" for all sevices.
---
 src/config/cfg_rules.ini | 7 +++
 src/config/etc/sssd.api.conf | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index d738ddf..41ff1b9 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -43,6 +43,7 @@ option = certificate_verification
 validator = ini_allowed_options
 section_re = ^nss$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -81,6 +82,7 @@ option = override_space
 validator = ini_allowed_options
 section_re = ^pam$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -114,6 +116,7 @@ option = p11_child_timeout
 validator = ini_allowed_options
 section_re = ^sudo$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -135,6 +138,7 @@ option = sudo_inverse_order
 validator = ini_allowed_options
 section_re = ^autofs$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -155,6 +159,7 @@ option = autofs_negative_timeout
 validator = ini_allowed_options
 section_re = ^ssh$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -177,6 +182,7 @@ option = ca_db
 validator = ini_allowed_options
 section_re = ^pac$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
@@ -199,6 +205,7 @@ option = pac_lifetime
 validator = ini_allowed_options
 section_re = ^ifp$
 
+option = timeout
 option = debug
 option = debug_level
 option = debug_timestamps
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 9114659..013f3ae 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -3,6 +3,7 @@
 
 [service]
 # Options available to all services
+timeout = int, None, false
 debug = int, None, false
 debug_level = int, None, false
 debug_timestamps = bool, None, false
@@ -20,7 +21,6 @@ diag_cmd = str, None, false
 # Monitor service
 services = list, str, true, nss, pam
 domains = list, str, true
-timeout = int, None, false
 sbus_timeout = int, None, false
 re_expression = str, None, false
 full_name_format = str, None, false
-- 
1.8.3.1

From 851e274f5a8067f10b2fd29acc6a3bfc8da49cd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Mon, 11 Jul 2016 13:11:41 +0200
Subject: [PATCH 2/4] config: override_space is monitor's option

Fixes:
https://fedorahosted.org/sssd/ticket/3068

We read override_space from [sssd] not
[nss] section.
---
 src/config/SSSDConfig/__init__.py.in | 2 +-
 src/config/SSSDConfigTest.py | 3 ++-
 src/config/cfg_rules.ini | 2 +-
 src/config/etc/sssd.api.conf | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 52af138..ebdd049 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -63,6 +63,7 @@ option_strings = {
 'default_domain_suffix' : _('Domain to add to names without a domain component.'),
 'user' : _('The user to drop privileges to'),
 'certificate_verification' : _('Tune certificate verification'),
+'override_space': _('All spaces in group or user names will be replaced with this character'),
 
 # [nss]
 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
@@ -81,7 +82,6 @@ option_strings = {
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 'default_shell': _('Shell to use if the provider does not list one'),
 'memcache_timeout': _('How long will be in-memory cache records valid'),
-'override_space': _('All spaces in group or user names will be replaced with this character'),
 
 # [pam]
 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6ec3023..5fa9bce 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
 'client_idle_timeout',
 'diag_cmd',
 'description',
-'certificate_verification']
+'certificate_verification',
+'override_space']
 
 self.assertTrue(type(options) == dict,
 "Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 41ff1b9..61efa33 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.i

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (08/07/16 15:14), Michal Židek wrote:
>On 07/08/2016 12:56 PM, Lukas Slebodnik wrote:
>> On (08/07/16 12:17), Michal Židek wrote:
>> > From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001
>> > From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>> > Date: Fri, 8 Jul 2016 11:32:50 +0200
>> > Subject: [PATCH] config: Some fixes to schema
>> > 
>> > Fixes:
>> > https://fedorahosted.org/sssd/ticket/3068
>> > 
>> > Option "timeout" must be allowed for all
>> > responders.
>> > Option "user_attributes" is
>> > also available in NSS responder.
>> > Option override_space is read from monitor
>> > section, not NSS.
>> > ---
>> > src/config/cfg_rules.ini | 10 +-
>> > src/config/etc/sssd.api.conf | 10 +-
>> > 2 files changed, 18 insertions(+), 2 deletions(-)
>> > 
>> > diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
>> > index 9114659..03e5a72 100644
>> > --- a/src/config/etc/sssd.api.conf
>> > +++ b/src/config/etc/sssd.api.conf
>> > @@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false
>> > user = str, None, false
>> > default_domain_suffix = str, None, false
>> > certificate_verification = str, None, false
>> > +override_space = str, None, false
>> // snip
>> > 
>> > [ifp]
>> > # InfoPipe responder
>> > +timeout = int, None, false
>> IMHO, it would be better to add it to the section
>> "[service]" The same as debug_level.
>> We would avoid some duplication
>> 
>> LS
>
>new patch attached. There was one more error
>with the PAC responder and user_attributes
>option.
>

I found another issue with schema.
there are warnings if sssd.conf explicitly
contains "config_file_version = 2"

BTW patch looks like a snow ball.
It might be a good idea to split it (at least partially)

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 07/08/2016 12:56 PM, Lukas Slebodnik wrote:

On (08/07/16 12:17), Michal Židek wrote:

From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Fri, 8 Jul 2016 11:32:50 +0200
Subject: [PATCH] config: Some fixes to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option "timeout" must be allowed for all
responders.
Option "user_attributes" is
also available in NSS responder.
Option override_space is read from monitor
section, not NSS.
---
src/config/cfg_rules.ini | 10 +-
src/config/etc/sssd.api.conf | 10 +-
2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 9114659..03e5a72 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false
user = str, None, false
default_domain_suffix = str, None, false
certificate_verification = str, None, false
+override_space = str, None, false

// snip


[ifp]
# InfoPipe responder
+timeout = int, None, false

IMHO, it would be better to add it to the section
"[service]" The same as debug_level.
We would avoid some duplication

LS


new patch attached. There was one more error
with the PAC responder and user_attributes
option.

Michal

>From 3f1466274d70e3e275b53bab99549c3e0d4f2a30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Fri, 8 Jul 2016 11:32:50 +0200
Subject: [PATCH] config: Some fixes to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option "timeout" must be allowed for all
responders.
Option "user_attributes" is
also available in NSS responder.
Option override_space is read from monitor
section, not NSS.
---
 src/config/SSSDConfig/__init__.py.in |  3 ++-
 src/config/SSSDConfigTest.py |  3 ++-
 src/config/cfg_rules.ini | 11 +--
 src/config/etc/sssd.api.conf |  6 +++---
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 52af138..ea29000 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -63,6 +63,7 @@ option_strings = {
 'default_domain_suffix' : _('Domain to add to names without a domain component.'),
 'user' : _('The user to drop privileges to'),
 'certificate_verification' : _('Tune certificate verification'),
+'override_space': _('All spaces in group or user names will be replaced with this character'),
 
 # [nss]
 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
@@ -81,7 +82,7 @@ option_strings = {
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 'default_shell': _('Shell to use if the provider does not list one'),
 'memcache_timeout': _('How long will be in-memory cache records valid'),
-'override_space': _('All spaces in group or user names will be replaced with this character'),
+'user_attributes': _('List of user attributes the NSS is allowed to publish'),
 
 # [pam]
 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6ec3023..5fa9bce 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
 'client_idle_timeout',
 'diag_cmd',
 'description',
-'certificate_verification']
+'certificate_verification',
+'override_space']
 
 self.assertTrue(type(options) == dict,
 "Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index d738ddf..bcc3d2e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -38,6 +38,7 @@ option = krb5_rcache_dir
 option = user
 option = default_domain_suffix
 option = certificate_verification
+option = override_space
 
 [rule/allowed_nss_options]
 validator = ini_allowed_options
@@ -57,6 +58,8 @@ option = description
 option = diag_cmd
 
 # Name service
+option = timeout
+option = user_attributes
 option = enum_cache_timeout
 option = entry_cache_nowait_percentage
 option = entry_negative_timeout
@@ -75,7 +78,6 @@ option = shell_fallback
 option = default_shell
 option = get_domains_timeout
 option = memcache_timeout
-option = override_space
 
 [rule/allowed_pam_options]
 validator = ini_allowed_options
@@ -95,6 +97,7 @@ option = description
 option = diag_cmd
 
 # Authentication service
+option = timeout
 option = offline_credentials_expiration
 option = offline_failed_login_attempts
 option = offline_failed_login_delay
@@ -128,6 +131,7 @@ option = description
 option = diag_cmd
 
 # sudo service
+option = timeout
 option = sudo_timed
 option = sudo_inverse_order
 
@@ -149,6 +153,7

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (08/07/16 12:17), Michal Židek wrote:
>From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Fri, 8 Jul 2016 11:32:50 +0200
>Subject: [PATCH] config: Some fixes to schema
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Option "timeout" must be allowed for all
>responders.
>Option "user_attributes" is
>also available in NSS responder.
>Option override_space is read from monitor
>section, not NSS.
>---
> src/config/cfg_rules.ini | 10 +-
> src/config/etc/sssd.api.conf | 10 +-
> 2 files changed, 18 insertions(+), 2 deletions(-)
>
>diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
>index 9114659..03e5a72 100644
>--- a/src/config/etc/sssd.api.conf
>+++ b/src/config/etc/sssd.api.conf
>@@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false
> user = str, None, false
> default_domain_suffix = str, None, false
> certificate_verification = str, None, false
>+override_space = str, None, false
// snip
> 
> [ifp]
> # InfoPipe responder
>+timeout = int, None, false
IMHO, it would be better to add it to the section
"[service]" The same as debug_level.
We would avoid some duplication

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] config: Some fixes to schema

[Michal Židek]

On 07/08/2016 12:07 PM, Lukas Slebodnik wrote:

On (08/07/16 12:03), Michal Židek wrote:

Hi,

attached is patch for ticket
https://fedorahosted.org/sssd/ticket/3068

The ticket also talks about allowing options
for negative cache timeouts in all responders,
but I did not do that.

We do indeed initialize negative cache in all
responders, but we always read the timeouts
from NSS section. Also in the man pages, we only
document these options for NSS. So it is not
problem with the schema. I do agree that this is
not ideal, but should we fix it? I do not
think it is worth the time, but if someone thinks
otherwise, please open a ticket.

Michal



From 2c41d136c7d43ad089510cc9fb3ae5e870400791 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Fri, 8 Jul 2016 11:32:50 +0200
Subject: [PATCH] config: Some fixes to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option "timeout" must be allowed for all
responders.
Option "user_attributes" is
also available in NSS responder.
Option override_space is read from monitor
section, not NSS.
---
src/config/cfg_rules.ini | 10 +-

This file was created from files in src/config/etc/
Therefore there are missing options in some sections.

Please update these files as well because we still cannot autogenerate them.

LS


Thanks for noticing this.

New patch attached.

Michal

>From 66419775a94768efe8c98ce6e8bbfa4743107eae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= 
Date: Fri, 8 Jul 2016 11:32:50 +0200
Subject: [PATCH] config: Some fixes to schema

Fixes:
https://fedorahosted.org/sssd/ticket/3068

Option "timeout" must be allowed for all
responders.
Option "user_attributes" is
also available in NSS responder.
Option override_space is read from monitor
section, not NSS.
---
 src/config/cfg_rules.ini | 10 +-
 src/config/etc/sssd.api.conf | 10 +-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index d738ddf..6e8258e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -38,6 +38,7 @@ option = krb5_rcache_dir
 option = user
 option = default_domain_suffix
 option = certificate_verification
+option = override_space
 
 [rule/allowed_nss_options]
 validator = ini_allowed_options
@@ -57,6 +58,8 @@ option = description
 option = diag_cmd
 
 # Name service
+option = timeout
+option = user_attributes
 option = enum_cache_timeout
 option = entry_cache_nowait_percentage
 option = entry_negative_timeout
@@ -75,7 +78,6 @@ option = shell_fallback
 option = default_shell
 option = get_domains_timeout
 option = memcache_timeout
-option = override_space
 
 [rule/allowed_pam_options]
 validator = ini_allowed_options
@@ -95,6 +97,7 @@ option = description
 option = diag_cmd
 
 # Authentication service
+option = timeout
 option = offline_credentials_expiration
 option = offline_failed_login_attempts
 option = offline_failed_login_delay
@@ -128,6 +131,7 @@ option = description
 option = diag_cmd
 
 # sudo service
+option = timeout
 option = sudo_timed
 option = sudo_inverse_order
 
@@ -149,6 +153,7 @@ option = description
 option = diag_cmd
 
 # autofs service
+option = timeout
 option = autofs_negative_timeout
 
 [rule/allowed_ssh_options]
@@ -169,6 +174,7 @@ option = description
 option = diag_cmd
 
 # ssh service
+option = timeout
 option = ssh_hash_known_hosts
 option = ssh_known_hosts_timeout
 option = ca_db
@@ -191,6 +197,7 @@ option = description
 option = diag_cmd
 
 # PAC responder
+option = timeout
 option = allowed_uids
 option = user_attributes
 option = pac_lifetime
@@ -213,6 +220,7 @@ option = description
 option = diag_cmd
 
 # InfoPipe responder
+option = timeout
 option = allowed_uids
 option = user_attributes
 
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 9114659..03e5a72 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -28,9 +28,12 @@ krb5_rcache_dir = str, None, false
 user = str, None, false
 default_domain_suffix = str, None, false
 certificate_verification = str, None, false
+override_space = str, None, false
 
 [nss]
 # Name service
+timeout = int, None, false
+user_attributes = str, None, false
 enum_cache_timeout = int, None, false
 entry_cache_nowait_percentage = int, None, false
 entry_negative_timeout = int, None, false
@@ -49,10 +52,10 @@ shell_fallback = str, None, false
 default_shell = str, None, false
 get_domains_timeout = int, None, false
 memcache_timeout = int, None, false
-override_space = str, None, false
 
 [pam]
 # Authentication service
+timeout = int, None, false
 offline_credentials_expiration = int, None, false
 offline_failed_login_attempts = int, None, false
 offline_failed_login_delay = int, None, false
@@ -70,27 +73,32 @@ p11_child_timeout = int, None, false
 
 [sudo]
 # sudo service
+timeout = int, None, false
 sudo_timed = bool, None, false
 sudo_inverse_order = bool, None, false
 
 [autofs]
 # autofs service
+timeout = int,

[SSSD] Re: [PATCH] config: Some fixes to schema

[Lukas Slebodnik]

On (08/07/16 12:03), Michal Židek wrote:
>Hi,
>
>attached is patch for ticket
>https://fedorahosted.org/sssd/ticket/3068
>
>The ticket also talks about allowing options
>for negative cache timeouts in all responders,
>but I did not do that.
>
>We do indeed initialize negative cache in all
>responders, but we always read the timeouts
>from NSS section. Also in the man pages, we only
>document these options for NSS. So it is not
>problem with the schema. I do agree that this is
>not ideal, but should we fix it? I do not
>think it is worth the time, but if someone thinks
>otherwise, please open a ticket.
>
>Michal

>From 2c41d136c7d43ad089510cc9fb3ae5e870400791 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Michal=20=C5=BDidek?= 
>Date: Fri, 8 Jul 2016 11:32:50 +0200
>Subject: [PATCH] config: Some fixes to schema
>
>Fixes:
>https://fedorahosted.org/sssd/ticket/3068
>
>Option "timeout" must be allowed for all
>responders.
>Option "user_attributes" is
>also available in NSS responder.
>Option override_space is read from monitor
>section, not NSS.
>---
> src/config/cfg_rules.ini | 10 +-
This file was created from files in src/config/etc/
Therefore there are missing options in some sections.

Please update these files as well because we still cannot autogenerate them.

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org