kanidm: Orca setup script is broken

I did this: ran setup_orca.sh

I expected the following:

Orca to setup the dev env and run as usual.

Kanidm version details

kanidm 1.1.0-rc.15-dev cf87993a1c 2024-01-18T19:30:50.278831Z DEBUG kanidm: Using 20 worker threads Linux sebastiano-XPS-15-9520 6.2.0-39-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 14 14:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Any other comments

Basically it always fails the authentication bit as the admin password variable is always blank since the command supposed to set it: ADMIN_PW=$(grep -E "^admin password" "${KANI_TEMP}/kanifile" | awk '{print $NF}') doesn’t behave as it used to do. Basically in 0e504517159ab0d6eb325ce38e0cc2320b7394c7 this happened in setup_dev_environment.sh:

- echo "admin password:     ${ADMIN_PASS}"

and since kanifile comes from: ../../scripts/setup_dev_environment.sh | tee "${KANI_TEMP}/kanifile") that’s what broke it. My first instinct was adding the admin password thing back but gate it behind a flag in to make it run only when required by orca. On the other hand I don’t really know why it was removed in the first place, so I figured @yaleman has a better understanding on what is going on there and I might ask for some feedback before doing anything 😃

About this issue

  • Original URL
  • State: closed
  • Created 5 months ago
  • Comments: 20 (11 by maintainers)

Most upvoted comments

Well, mostly I was thinking about the way I approached orca in the past was “benchmark” and I modelled a lot of things on ldclt from 389-ds which is their benchmark tool.

But recently @jinnatar pointed out she wanted to see an “enterprise simulator”. Where the benchmark isn’t just “sterile” kind of do-searches like ldclt was doing, but should be about simulating user actions.

Then that got me thinking about a way to potentially use that as a basis to not only do an enterprise simulator, but also how to potentially model a more controlled test mode.

Currently the design has workers that take a task queue and then execute the tasks and report on the stats. That ends up with a thread-per-worker and each worker just shoves out tasks etc. But it’s hard to see how the tasks the correspond to a user, or different things, and it’s hard to do other kinds of interactions.

Instead, I think we could do it like erlang. Instead of workers, we spawn a task for each “person”. Then each of these tasks has a little schedule, like “login, click about, idle for some time, then do some more etc”. It models how a person would interact. At the start of the test, we can have each “task” create it’s own user/password etc, rather than the crazy batch thing we have now. It also allows easier interleaving of things naturally based on user interactions.

We still need a centralised stats-collector but that model already exists, so we can time operations for each task.

This also then makes it easier to do different kinds of tests later like the high-search load tests (direct each “person” to just search) etc.

I think for now we drop the LDAP support too, we can add that back later,

+2
Firstyear on Feb 21, 2024

Did some poking around this and from what I can infer, dropping the add to idm_admins & just switching orca to use idm_admin instead of admin should be the right way to go. At least it now succeeds conntest and from what I can read from the sources, all actions performed are in the domain of idm_admins and not system_admins.

So the problems in order are:

  1. The setup script should infer the password for idm_admin
  2. Orca needs to be patched for using idm_admin instead of admin and to no longer attempt adding admin into idm_admins.
  3. Orca has plenty of other compatibility issues as well, but those should be new separate issues. I’d say when conntest passes, this one is done.
+1
jinnatar on Feb 19, 2024
Read more comments on GitHub
← kanidm: oauth2_consent_scope_map not found in list of valid attributes
kanidm: Tool broken: SchemaViolation(MissingMustAttribute(["oauth2_rs_name"])) →