Quick summary:
- use jQuery UI and jQuery BBQ libraries
- code restructuring
The patch has so many changes they can't be listed here. Many parts
of the code have been rewritten from scrach.
See freeipa-devel mailing list:
webUI code restructuring [wall of text, diagrams, ... you've been warned!]
2010-09-07
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
The EntityBuilder has been modified to obtain the pkey value by
invoking getPKey(). This function can be overriden for different
entities.
The addOptionsFunction() has been renamed to getOptions() and it
can be overriden for different entities. Each entity that uses this
function has been modified accordingly.
The addEdit(), addAnother(), add_fail() has been moved into the
EntityBuilder class. The global builders is no longer needed because
a reference to the builder object can be obtained via enclosure.
The ServiceForms has been modified to take service name and
hostname and combine them to generate the service principal by
overriding the getPKey().
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
-Refactored the associations code into a set of objects that are configured by the entities
-Added support for associations that can be done in a single rpc
-hostgroup to host and group to user associations working
-Restructed sampledata so that the file is matched automatically by the RPC method name
-The new ipa_cmd/sampledata scheme insists on there being sample data for any commands or the ipa_command fails.
-Added sampledata files for all the calls we make
-renamed several of the sampledata files to match their rpc calls
-Started a pattern of refactoring where all the forms for the entity fall under a single object
We now catch the hashchange event and use that to drive most of the site.
To trigger page transitions, modify location.hash.
Params start with # not ?.
Removed user-group.inc.
converted tabs to spaces
trivial imlementation of add and details for netgroup and hostgroup
lots of bug fixes based on routing problems and the refactorings.
- Add/Remove links are now only available for multivalue
attributes (Param.multivalue = true) and attributes with param
types, that are multivalue by definition (as of now only List).
Single-value attributes with no value are displayed as empty
input elements.
- When updating an attribute, leading and trailing spaces are
stripped
- Context help available in the form of hints, that are extracted
form Param.hint.
to hash params ( starting with # ). User Details are now part of
index.xhtml, ao one more .inc file has been removed.
Updated commit to catch a few things that had been left out, including
sampledata handling and updateing Makefile.am
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
This disables debug output in the Apache log by default. If you want
increased output create /etc/ipa/server.conf and set it to:
[global]
debug=True
If this is too much output you can select verbose output instead:
[global]
debug=False
verbose=True
ticket 60
The problem was that parameters with no values are automatically
set to None by the framework and it wasn't handled properly in
baseldap.py:get_attributes function. Also, there were two logical
bugs in details.js:
1) atttribute callback to update values were called for input elements
instead of dt elements
2) it was always trying to update the primary key
Unfortunately we can't have any javascript in *.inc files, because
the browser will strip them for security reasons. I moved all the
attribute callbacks etc. to the only logical place: user.js.
It's fine for now, but user.js is going to need some serious cleaning
up in the future.
What does it mean?
I removed duplicate code, that was pasted here from the user details page.
ipa_details_init doesn't call ipa_init anymore.
ipa_details_create takes a second optional parameter, that can be set to
a container element if we want to place the definition lists into a specific
element instead of <body>. In our case, we place stuff in <div id="content">
What it means?
Well, first I removed some development control variables from ipa.js.
Namely useSampleData and sizelimit. I moved useSampleData to the top
of index.xhtml. This way we won't forget about it when we don't need
it anymore. sizelimit has nothing to do in ipa.js and be hardcoded
for ALL commands! Some don't have this parameter and could fail.
Since ipa_init now loads meta-data over JSON-RPC, we need to wait for
it to finish its job. That's why I put a second parameter to ipa_init:
on_win. ipa_init will call on_win when all data is loaded properly and
we can start building the page.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
To do this we need to break the link manually on both sides, the user and
the group.
We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.
ticket 75
Hide the search bar when showing the groups listed for a user, and resotre it when doing other searches.
The enroll button is added only on the groups page, and removed along with anything else in the searchButtons div when a new search is started.
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.
ticket #27
The ipaAssociation is the core of different association object.
It seems that the service is an exception rather then rule.
So it is moved into the object where it belongs.
Fixed matching rules and some attribute types.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/89
Removed unused password attribute and realigned OIDs.
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.
Ticket #87
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.
After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer
I took some time and fixed up some things pylint complained about too.
Ticket #83
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
