Bug 44203 – pass ldap connection to udm hooks

Bug 44203 - pass ldap connection to udm hooks


Summary:	pass ldap connection to udm hooks

Status:	CLOSED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	UDM - Extended Attributes
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Daniel Tröder
QA Contact:	Florian Best

URL:
Keywords:

Depends on:
Blocks:	44196 44197 44552 44660 51000
	Show dependency tree / graph

Reported:	2017-03-31 16:59 CEST by Daniel Tröder
Modified:	2020-03-23 12:50 CET (History)
CC List:	0 users

See Also:
What kind of report is it?:	Feature Request
What type of bug is this?:	2: Improvement: Would be a product improvement
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	4: A User would return the product
User Pain:	0.091
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	API change
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Tröder

2017-03-31 16:59:11 CEST

When a UDM hook is called (creation for example here: univention/admin/modules.py:297) the existing UDM-LDAP connection is not passed to it. If it needs LDAP/UDM acces, it must then get those credentials itself - often involving Administator or root access.

Change univention.admin.hook.simpleHook in a way, that the current UDM-LDAP connection is usable in classes inheriting from it.

As univention.admin.hook.simpleHook currently has no __init__(), the API change can probably be done backwards compatible there. All existing hooks have to be checked first.

Comment 1 Daniel Tröder

2017-05-04 17:50:51 CEST

r79089: pass LDAP connection to UDM hooks, doesn't change simpleHook API

This allows running UDM hooks without root privileges (no need to get {ldap,machine}.secret).

Package: univention-directory-manager-modules
Version: 12.0.17-4A~4.2.0.201705041749
Branch: ucs_4.2-0
Scope: errata4.2-0

Comment 2 Florian Best

2017-05-05 13:48:59 CEST

Hmmm. Why is it a private class member?

Comment 3 Daniel Tröder

2017-05-05 14:29:10 CEST

I didn't dare to add a class attribute with a common name such as "lo" and "po", as I haven't researched all existing UDM hooks.

I doesn't need to be private at all, I just want to prevent accidentally breaking someone else' derived class' code.

Comment 4 Florian Best

2017-05-08 12:57:02 CEST

I'm not satisfied with this solution. Using _lo / _po as API is no good style which will cause more trouble in the future than it solves.

Please change it to the following pattern:

register_ldap_connection = getattr(propertyHook, 'hook_ldap_connection', None)
if register_ldap_connection:
    register_ldap_connection(lo, po)

So that each hook is as powerful and flexible as possible.

Comment 5 Daniel Tröder

2017-05-08 13:41:32 CEST

r79179: API change: added simpleHook.register_ldap_connection() to pass LDAP connection to UDM hook
r79180: advisory update

univention-directory-manager-modules 12.0.17-5A~4.2.0.201705081340

Created Bug #44552 to update the documentation of "Extended Attribute Hooks".

Comment 6 Florian Best

2017-05-09 15:31:43 CEST

OK: the new method is working
Nevertheless, this change wasn't really required because you could simply access module/object.lo and module/object.po which is passed to every hook.
The new API just adds extra complexity.

Comment 7 Florian Best

2017-05-10 17:52:04 CEST

I think it's better to revert this, as we don't need to maintain and document this unneeded code. As in the use of it also can be seen, that it adds unneeded extra complexity (attachment 8837 [details]).

The ldap connection of the user is available at object.{lo,position}. We could document this instead in the developer documentation.

Comment 8 Daniel Tröder

2017-05-11 16:51:31 CEST

r79300: code change was reverted, comment added.
r79302: advisory update

Package: univention-directory-manager-modules
Version: 12.0.17-6A~4.2.0.201705111649
Branch: ucs_4.2-0
Scope: errata4.2-0

Comment 9 Florian Best

2017-05-11 16:59:04 CEST

OK: revert
OK: YAML revert

Comment 10 Florian Best

2017-05-11 16:59:52 CEST

Nothing to release.