New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Basics of 'subid ranges' support for IPA provider #5693
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reviewed the changes and I have found several minor concerns. In any case, the scope of the changes is too big for me so I recommend that you get the feedback from a senior member of the team.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, I did not test it yet. See minor comments below and inline in the code.
- Please, provide some description to the first commit message.
- Why conditional build? Why is build disabled by default?
- We don't use two blank lines between function definitions.
- Can the range be set also for trusted domain user? If yes, this implementation doesn't seem to support it.
|
|
||
| /* store range */ | ||
| sysdb_store_subid_range(state->domain, state->name, | ||
| state->domain->user_timeout, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Introduce its own entry_cache_subid_timeout options?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
User's subid range feels and looks like other NSS attributes. Does it really make sense to have different expiration time?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
subid range may be for user or group, right? We have expiration time for user and for group so it may be confusing that group subid expires with users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, user might have defined a set of subuid and/or subgid ranges(*) (subuid - a range of subordinate UIDs, subgis - a range of subordinate GIDs). Those ranges (both types) can be used by this user for mapping in parent namespace. So both types of subid ranges are kind of user's attribute.
group (as NSS object) can't have any subids defined.
(*) In current implementation FreeIPA supports only two options:
- no subid ranges defined for user
- user has both subuid and subgid defined (with the same fixed size 65k and the same interval start, but this implementation detail doesn't matter much for us)
|
Hi @pbrezina, thank you for the review.
Do you think it makes sense to keep 2 commits? I was going to squash them after review.
This is MVP of experimental feature. So... at the very least it's conditional to allow distributions to avoid installing plugin that they can't use yet. Once shadow-utils upstream release is done and widely used, Podman patches released (containers/storage#882), etc (so it is more or less easy to use), we can change default and build code / install plugin in sssd-ipa, IMO.
And this (monolithic text) makes me sad :) I didn't see such restrictions in https://sssd.io/contrib/coding-style.html
No, FreeIPA doesn't support it in MVP. |
|
|
It's up to you, just make sure it has sufficient description.
Ack. This is something to document in the commit message.
Ok.
:-) Even though something is not explicitly banned, it is not cool to differentiate from the rest of the project.
Code looks good to me. I'm going to test it. |
|
Seems to work fine. Please, do the final touch and I wlll ack it. |
|
Squashed patches, removed excessive new lines, added release notes to the commit message. Should I reference shadow-maint/shadow#154 explicitly in the commit message? |
It might be good for other distro maintainers. Please separate the feature release note with blank line from the rest of description. |
:feature: Basic support of user's 'subuid and subgid ranges' for IPA
provider and corresponding plugin for shadow-utils were introduced.
Limitations:
- single subid interval pair (subuid+subgid) per user
- idviews aren't supported
- only forward lookup (user -> subid ranges)
Take a note, this is MVP of experimental feature. Significant changes
might be required later, after initial feedback.
Corresponding support in shadow-utils was merged upstream, but since there
is no upstream release available yet, SSSD feature isn't built by default.
Build can be enabled with `--with-subid` configure option.
Plugin's install path can be configured with `--with-subid-lib-path=`
("${libdir}" by default)
For additional details about support in shadow-utils please see discussion
in shadow-maint/shadow#154 and in related PRs.
:config: New IPA provider's option `ipa_subid_ranges_search_base` allows
configuration of search base for user's subid ranges.
Default: `cn=subids,%basedn`
Resolves: SSSD#5197
Done.
Well, I meant all this text to be included in the notes... |
This is for preliminary review.
Limitations:
Known TODOs:
To test:
shadow-utils-4.8.1-11.fc35]--with-subid)subid: sssnew?idmap)