On Thu, Aug 04, 2016 at 11:35:30AM +0200, Michal Židek wrote:
> On 07/12/2016 06:38 PM, Lukas Slebodnik wrote:
> > On (12/07/16 15:59), Michal Židek wrote:
> > > On 07/12/2016 03:36 PM, Lukas Slebodnik wrote:
> > > > On (12/07/16 15:16), Michal Židek wrote:
> > > > > +# secrets responder
> > > > > +option = provider
> > > > > +
> > > > 
> > > > I think you need to also update "rule/allowed_sections"
> > > > 
> > > > maybe you could run our tool "sssctl config-check"
> > > > before sending patches :-)
> > > > 
> > > 
> > > What a useful tool it turned out to be :)
> > > 
> > > > And there is another related question to this topic.
> > > > Should we add undocumented options to the list?
> > > > 
> > > > We already have "command" in schema. Should we add others as well?
> > > > 
> > > > IMHO, no.
> > > > 
> > > > LS
> > > 
> > > So far we only added options that we expect users
> > > to use. Options that are for developers are not added to the
> > > schema for now.
> > > 
> > > Michal
> > 
> > > From 42a3038b68452cf92b2f87ae0875f4e3b8b1f051 Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
> > > Date: Mon, 11 Jul 2016 13:03:28 +0200
> > > Subject: [PATCH 1/3] config: Allow timeout for all services
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > 
> > > Allow option "timeout" for all services.
> > > Also remove unused macro CONFDB_SERVICE_TIMEOUT.
> > > ---
> > ACK
> > 
> > > From cacd9f84e702c2aa7f5c41d0d257eb5ce8c77a12 Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
> > > Date: Mon, 11 Jul 2016 13:34:03 +0200
> > > Subject: [PATCH 2/3] config: Add config_file_version to schema
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > ---
> > > src/config/SSSDConfigTest.py | 1 +
> > > src/config/cfg_rules.ini     | 1 +
> > > src/config/etc/sssd.api.conf | 1 +
> > > 3 files changed, 3 insertions(+)
> > > 
> > ACK
> > 
> > > From f292235689986eae02fec9a91fb8af151b553eab Mon Sep 17 00:00:00 2001
> > > From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
> > > Date: Tue, 12 Jul 2016 15:05:16 +0200
> > > Subject: [PATCH 3/3] config: Allow 'secrets' section
> > > 
> > > Fixes:
> > > https://fedorahosted.org/sssd/ticket/3068
> > > 
> > > Allow the 'secrets' section in config file
> > > schema.
> > > ---
> > > src/config/SSSDConfigTest.py |  6 ++++--
> > > src/config/cfg_rules.ini     | 22 ++++++++++++++++++++++
> > > src/config/etc/sssd.api.conf |  4 ++++
> > > 3 files changed, 30 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
> > > index 332d870..4748ecb 100755
> > > --- a/src/config/SSSDConfigTest.py
> > > +++ b/src/config/SSSDConfigTest.py
> > > @@ -1351,7 +1351,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> > >              'autofs',
> > >              'ssh',
> > >              'pac',
> > > -            'ifp']
> > > +            'ifp',
> > > +            'secrets']
> > >          for section in control_list:
> > >              self.assertTrue(sssdconfig.has_section(section),
> > >                              "Section [%s] missing" %
> > > @@ -1444,7 +1445,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
> > >              'autofs',
> > >              'ssh',
> > >              'pac',
> > > -            'ifp']
> > > +            'ifp',
> > > +            'secrets']
> > >          service_list = sssdconfig.list_services()
> > >          for service in control_list:
> > >              self.assertTrue(service in service_list,
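
Review bot: 'secrets' has to be appended by hand to two control lists whose visible entries are identical (this hunk and the one at line 1351). A single shared list used by both tests would keep them from drifting apart the next time a service is added.
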
> > > diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
> > > index 635c078..cab25fc 100644
> > > --- a/src/config/cfg_rules.ini
> > > +++ b/src/config/cfg_rules.ini
> > > @@ -8,6 +8,7 @@ section = autofs
> > > section = ssh
> > > section = pac
> > > section = ifp
> > > +section_re = ^secrets/.*$
> > > section_re = ^domain/.*$
> > > 
> > > [rule/allowed_sssd_options]
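
Review bot: the entry added to the allowed sections only matches `^secrets/.*$`, so a section named exactly `secrets` is still not on the list, unlike the neighbouring services that are listed as plain `section = ...` entries. The commit message says the 'secrets' section is being allowed and the test hunks add a plain 'secrets' entry, so a `section = secrets` line next to `section = ifp` looks needed in addition to the regex.
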
> > > @@ -224,6 +225,27 @@ option = diag_cmd
> > > option = allowed_uids
> > > option = user_attributes
> > > 
> > > +[rule/allowed_secrets_options]
> > > +validator = ini_allowed_options
> > > +section_re = ^secrets/.*$
> > > +
> > > +option = timeout
> > > +option = debug
> > > +option = debug_level
> > > +option = debug_timestamps
> > > +option = debug_microseconds
> > > +option = debug_to_files
> > > +option = command
> > > +option = reconnection_retries
> > > +option = fd_limit
> > > +option = client_idle_timeout
> > > +option = force_timeout
> > > +option = description
> > > +option = diag_cmd
> > > +
> > > +# secrets responder
> > > +option = provider
> > > +
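
Review bot: in `[rule/allowed_secrets_options]` the `section_re = ^secrets/.*$` scopes the whole option list to subsections, so this rule does not apply to a section named just `secrets`, even though most entries here (`command`, `fd_limit`, `reconnection_retries`, the debug options) are the generic service options. Consider splitting this into one rule for the top-level section and one for the subsections, and give the generic block its own comment so that `# secrets responder` is not the only label in the list.
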
> > 
> > There are some options which you didn't include (e.g. forward_headers)
> > @see
> >    grep confdb_get -A 5 src/responder/secrets/*
> >    grep proxy_get_config_string -A 5 src/responder/secrets/*
> > 
> > LS
> 
> It looks like secret uses a different set of options completely.
> Also there is the service/program specific configuration of
> secrets that should work similar to domains (like [secret/apache]
> or something like that).
> 
> I will not send this patch until I have a better understanding
> of how the secrets service works and how it can be configured. I think we
> should make a ticket for the documentation/design page
> enhancement and make the schema change as a subtask for it.

We already have:
    https://fedorahosted.org/sssd/ticket/3053
I would like to work on that next week..