Univention Bugzilla – Bug 52880
Validation does not honor group prefix settings
Last modified: 2021-03-25 08:12:40 CET
The ucsschool.lib.models.validation module does not honor the UCRVs ucsschool/ldap/default/groupprefix/*. This produces GBs of logfile at a customer. Honor UCRVs in the calculation of the expected groups / positions / etc. At least schoolldap.SchoolSearchBase.students_group() is wrong. It should not use "_containerStudents" but "group_prefix_students".
The support team would like to see a possibility to disable the logging via UCR. A full /var/log/ partition (or even root partition) has serious consequences. The current case (ticket 2021030921000604) has shown that a lot of log data can accumulate in a very short time. Bending the log file to /dev/null (when executing the ASM upload) resulted in these tracebacks: Logged from file validator.py, line 498 Traceback (most recent call last): File "/usr/lib/python2.7/logging/__init__.py", line 885, in emit self.flush() File "/usr/lib/python2.7/logging/__init__.py", line 845, in flush self.stream.flush() IOError: [Errno 28] No space left on device Logged from file validator.py, line 495 and is then probably not an alternative.
(In reply to Dirk Schnick from comment #1) > The support team would like to see a possibility to disable the logging via > UCR. A full /var/log/ partition (or even root partition) has serious > consequences. Handled in separate bug 52884.
I'm very sorry for this. The group prefix of teachers, staff & admins were not honored, either. I added a test for this. [twenzel/4.4/52880_group_prefix] a6a78ec06 Bug #52880: add test [twenzel/4.4/52880_group_prefix] 23c4e4ffb Bug #52880: honor group prefix
> admins were not honored → I was misled, this is not the case. We do not validate admins, because the is no udm option for that. I added a group_admins in schooldap nevertheless, because I think that's useful and hope that's OK. [twenzel/4.4/52880_group_prefix] 645baa50d Bug #52880: add school admin group [twenzel/4.4/52880_group_prefix] 067d8bf5d Bug #52880: add test [twenzel/4.4/52880_group_prefix] 23c4e4ffb Bug #52880: honor group prefix The commits in feature/kelvin [twenzel/kelvin/52880_group_prefix] 7edc6ee28 Bug #52880: add mkdir to docker file [twenzel/kelvin/52880_group_prefix] 888021e56 Bug #52880: add test [twenzel/kelvin/52880_group_prefix] f0d594612 Bug #52880: honor group prefixes
... and I had to add RUN /var/cache/univention-config to be able to set the ucr-v in the test.
I fixed the test and added a few comments to gitlab.
Thanks for the QA! I also added the group prefix for teachers/ staff. [twenzel/4.4/52880_group_prefix] 20503b979 fixup! fixup! fixup! Bug #52880: add test [twenzel/4.4/52880_group_prefix] 8ff267b20 fixup! fixup! Bug #52880: add test [twenzel/kelvin/52880_group_prefix] 35a2ed6ea fixup! Bug #52880: add mkdir to docker file [twenzel/kelvin/52880_group_prefix] d514ece09 fixup! Bug #52880: add test
OK: student, staff and teacher group DNs correct (4.4 and kelvin) OK: automated test (4.4 and kelvin) OK: manual test (4.4 and kelvin) REOPEN: The DN from admins_group() is wrong. "admins-OU" is a global group: cn=admins-demoschool,cn=ouadmins,cn=groups,ldap_base REOPEN: test_altered_group_prefix() does not test admins_group() (an "admin_user") Not important, but when at it, please also: - handler_set(["{}={}".format("ucsschool/ldap/default/groupprefix/{}".format(role), new_value)]) + handler_set(["ucsschool/ldap/default/groupprefix/{}={}".format(role, new_value)]) Remove extra newline at end of Dockerfile.
Thanks for the QA! I implemented your requests in [twenzel/4.4/52880_group_prefix] ef8833abf fixup! fixup! fixup! fixup! Bug #52880: add test [twenzel/4.4/52880_group_prefix] 50a2950d1 fixup! Bug #52880: add school admin group [twenzel/kelvin/52880_group_prefix] bc2b59ace Bug #52880: qa requests REOPEN: test_altered_group_prefix() does not test admins_group() (an "admin_user") → As commented, we did not have any validation code for school admins. I added an implementation of this the following commits. I hope this is OK. [twenzel/4.4/52880_group_prefix] 563f3af4b Bug #52880: add school admin validation & test [twenzel/kelvin/52880_group_prefix] 0f0a1e773 Bug #52880: add school admin validation & test The code of the new class is only executed for Users which only the ucsschoolAdministrator flag set, not e.g. for teachers with this flag. I also added a check that (exam-) students must not be part of the school admins group and more tests-cases for admin-users, which were missing.
As discussed, I - merged the kelvin code - merged & build the 4.4 code [4.4] 1bbbaac1d Bug #52880: yaml version [4.4] 3dc98406b Bug #52880: changelogs & advisory [4.4] 75671c5e5 Bug #52880: honor group prefix Package: ucs-school-lib Version: 12.2.15A~4.4.0.202103221340 Branch: ucs_4.4-0 Scope: ucs-school-4.4 Package: ucs-test-ucsschool Version: 6.0.199A~4.4.0.202103221343 Branch: ucs_4.4-0 Scope: ucs-school-4.4 [feature/kelvin] e97e7d78b Bug #52880: Merge branch 'twenzel/kelvin/52880_group_prefix' into feature/kelvin [feature/kelvin] 192a21eb8 Bug #52880: honor group prefixes
Resetting to resolved :) we missed a status here if everything is fine & jenkins happy -> verify
OK: code change 4.4 OK: automated tests 4.4 OK: code change kelvin OK: automated tests kelvin OK: squash and merge to main (both branches) Thanks for adding the admin checking code. Now just waiting for Jenkins.
When building the kelvin container, the group prefix tests must not run (because ldap/base might not be known at this time) [feature/kelvin] 7a1cedbf7 Bug #52884: test_altered_group_prefix must run in container
-- Jenkins tests look good. -> VERIFIED
UCS@school 4.4 v9 has been released. https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html If this error occurs again, please clone this bug.