I think we now have enough for a proper ticket.
I will create one latter today. also since I have RHEV support for my
production instances I will also create a matching case with Red Hat.
On Sun, Aug 17, 2014 at 11:27 AM, Paul Robert Marino
<prmarino1(a)gmail.com> wrote:
Ok
I dug in a little further it looks like them memberof plugin in 389
server is making them lowercase which from an LDAP and or Posix
perspective is not a problem but this seems to be the root cause of
the issue of the difference.
while this behavior is strange it is not invalid because DN's are case
insensitive.
The easiest way to fix this is to change the query of the group from
the ad_groups table to an ilike. The potential problem here is it
conflicts with SAM in windows where group names are case sensitive.
This is definitely a conflict in design between AD and LDAP's core design.
Interestingly I can add roles to the group and there is no problem it
sets it correctly so somewhere else in the code an ilike is being uses
to query the groups table.
On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino
<prmarino1(a)gmail.com> wrote:
> I found why the group_ids field is wrong
>
> If you look at the ad_groups table then mane for the group is "<domain
> here>/Groups/sysadmin" however if you look at the groups field in the
> users table it says "<domain here>/groups/sysadmin"
> I tried updating the name field in the ad_groups table to match
> "<domain here>/groups/sysadmin" then removed and added a user now
the
> if for that group in the group_ids field is being set correctly.
>
> This is at least a usable workaround for now. now we need to find the
> root cause.
>
>
> On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
> <prmarino1(a)gmail.com> wrote:
>> confirmed that does seem to be the cause I updated the group_ids field
>> of a user to the appropriate Id's from ad_groups and it fixed that
>> user.
>> in answer to your question "Did you first add the goup, and then added
>> users (that belong to a group) either by adding users, or by adding a
>> permission?" Ive tried it ever different way I can think of the
>> results are always the same.
>>
>>
>> On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs(a)redhat.com>
wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
>>>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>>>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>>>> Sent: Sunday, August 17, 2014 4:33:30 PM
>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>
>>>> here are the results of the queries you asked for
>>>>
>>>>
>>>> group_ids
>>>>
>>>> |
>>>>
>>>> groups
>>>>
>>>>
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------
>>>>
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> ----
>>>>
00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000
>>>> | <domain here>/groups/sysadmin,<domain
here>/groups/pmarino,<domain
>>>> here>/groups/pd managers,<domain here>/groups/qa
managers,<domain
>>>> here>/groups/accounting managers,<domain here>/directory
administrat
>>>> ors
>>>> (1 row)
>>>>
>>>>
>>>> engine=# select id, name from ad_groups;
>>>> id | name
>>>>
--------------------------------------+---------------------------------------
>>>> eee00000-0000-0000-0000-123456789eee | Everyone
>>>> 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain
here>/Groups/sysadmin
>>>> (2 rows)
>>>
>>> It does look that there is something wrong in the association of users to
their group IDS.
>>> Just to make sure I'm not missing anything -
>>> Did you first add the goup, and then added users (that belong to a group)
either by adding users, or by adding a permission?
>>>
>>> Yair
>>>
>>>>
>>>>
>>>>
>>>> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky
<yzaslavs(a)redhat.com> wrote:
>>>> >
>>>> >
>>>> > ----- Original Message -----
>>>> >> From: "Paul Robert Marino"
<prmarino1(a)gmail.com>
>>>> >> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>>>> >> Cc: "Itamar Heim" <iheim(a)redhat.com>,
users(a)ovirt.org
>>>> >> Sent: Wednesday, August 13, 2014 11:47:40 PM
>>>> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
>>>> >>
>>>> >> Ok so before I open a bug ticket I want to confirm I'm not
doing any
>>>> >> thing wrong here.
>>>> >> I upgraded to 3.4
>>>> >> now it says "Active: false " on LDAP groups.
>>>> >>
>>>> >> Again I tried to add the sysadmin group from the directory
server and
>>>> >> set the power user and super user roles on the group
>>>> >> it shows up as "<domain name>/Groups/sysadmin"
>>>> >> I adder the permisions by clicking on the configure link on the
top of
>>>> >> the screen and set them in the "System Permissions"
tab
>>>> >
>>>> > Sounds good so far.
>>>> > I assume also you see the permissiosn in the permissions sub tab
when you
>>>> > click the group.
>>>> >
>>>> >>
>>>> >> I added a user (pmarino) to the system which shows in the
"Directory
>>>> >> Group" tab shows "sysadmin groups <domian
name>" among others
>>>> >> however it only shows in the Permissions tab the permissions
inherited
>>>> >> by "Everyone" it does not show any permissions
inherited by the
>>>> >> sysadmin group.
>>>> >
>>>> > This is not good - I mean, should have worked.
>>>> >
>>>> >>
>>>> >> just to prove it didnt work I logged out and attempted to log
back in
>>>> >> as the user (pmarino) it wouldn't let me log in
>>>> >>
>>>> >> I logged back in as the internal admin user then I added the
SuperUser
>>>> >> permissions directly to the pmarino account and logged back out
again.
>>>> >> Now when I logged in as pmarino it gave me the access I
expected.
>>>> >
>>>> > Can I please ask you to provide some database info ?
>>>> >
>>>> > It will be awesome if you can provide the following SQL queries
results -
>>>> >
>>>> > select group_ids, groups from users where username ilike
'%pmarino%';
>>>> >
>>>> > In addition, please perform - select id, name from ad_groups;
>>>> >
>>>> > Thanks for your help.
>>>> >
>>>> > P.S - As far as I understand the two bugs mentioend by Itamar (I
mean, the
>>>> > solution to the bugs) should have fixed your issue as well.
>>>> >
>>>> >
>>>> >
>>>> >>
>>>> >>
>>>> >>
>>>> >> Here is the relevant portion of the engine log
>>>> >> "
>>>> >> 2014-08-13 16:00:38,801 INFO
>>>> >> [org.ovirt.engine.core.bll.AddGroupCommand]
(ajp-/127.0.0.1:8702-5)
>>>> >> [1e7fa420] Running command: AddGroupCommand internal: false.
Entities
>>>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type:
System
>>>> >> 2014-08-13 16:00:38,813 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420,
Call
>>>> >> Stack: null, Custom Event ID: -1, Message: User '<domain
>>>> >> name>/Groups/sysadmin' was added successfully to the
system.
>>>> >> 2014-08-13 16:09:01,352 INFO
>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
>>>> >> AddSystemPermissionCommand internal: false. Entities affected :
ID:
>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>>>> >> 2014-08-13 16:09:01,371 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
>>>> >> 75cab17c, Call Stack: null, Custom Event ID: -1, Message:
User/Group
>>>> >> <domain name>/Groups/sysadmin was granted permission for
Role
>>>> >> SuperUser on System by admin.
>>>> >> 2014-08-13 16:10:40,963 INFO
>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
>>>> >> AddSystemPermissionCommand internal: false. Entities affected :
ID:
>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>>>> >> 2014-08-13 16:10:40,979 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID:
b42abcb,
>>>> >> Call Stack: null, Custom Event ID: -1, Message: User/Group
<domain
>>>> >> name>/Groups/sysadmin was granted permission for Role
PowerUserRole on
>>>> >> System by admin.
>>>> >> 2014-08-13 16:20:53,891 INFO
>>>> >> [org.ovirt.engine.core.bll.AddUserCommand]
(ajp-/127.0.0.1:8702-4)
>>>> >> [58e00be1] Running command: AddUserCommand internal: false.
Entities
>>>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type:
System
>>>> >> 2014-08-13 16:20:53,919 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1,
Call
>>>> >> Stack: null, Custom Event ID: -1, Message: User
'pmarino' was added
>>>> >> successfully to the system.
>>>> >> 2014-08-13 16:35:52,202 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack:
null,
>>>> >> Custom Event ID: -1, Message: User pmarino failed to log in.
>>>> >> 2014-08-13 16:35:52,202 WARN
>>>> >> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>>>> >> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser
failed.
>>>> >> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>>> >> 2014-08-13 16:39:48,048 INFO
>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command:
>>>> >> AddSystemPermissionCommand internal: false. Entities affected :
ID:
>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>>>> >> 2014-08-13 16:39:48,069 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
>>>> >> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message:
User/Group
>>>> >> pmarino was granted permission for Role SuperUser on System by
admin.
>>>> >> 2014-08-13 16:40:43,357 INFO
>>>> >>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> >> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null,
Custom
>>>> >> Event ID: -1, Message: User pmarino logged in.
>>>> >>
>>>> >> "
>>>> >>
>>>> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky
<yzaslavs(a)redhat.com>
>>>> >> wrote:
>>>> >> >
>>>> >> >
>>>> >> > ----- Original Message -----
>>>> >> >> From: "Yair Zaslavsky"
<yzaslavs(a)redhat.com>
>>>> >> >> To: "Itamar Heim" <iheim(a)redhat.com>
>>>> >> >> Cc: users(a)ovirt.org
>>>> >> >> Sent: Monday, August 11, 2014 8:13:53 PM
>>>> >> >> Subject: Re: [ovirt-users] ovirt with 389 server
inactive groups
>>>> >> >>
>>>> >> >> I have checked the codebase of 3.3 -
>>>> >> >> the "active" field is used for presentation
purpose only.
>>>> >> >
>>>> >> > Presentation wise only - means that it is not used for our
permissions
>>>> >> > calculation , for example.
>>>> >> >
>>>> >> >> Alon has addressed our plans for this in his previous
comments.
>>>> >> >> I hope this clarifies more..
>>>> >> >>
>>>> >> >> Yair
>>>> >> >>
>>>> >> >>
>>>> >> >> ----- Original Message -----
>>>> >> >> > From: "Itamar Heim"
<iheim(a)redhat.com>
>>>> >> >> > To: "Alon Bar-Lev"
<alonbl(a)redhat.com>, "Paul Robert Marino"
>>>> >> >> > <prmarino1(a)gmail.com>
>>>> >> >> > Cc: users(a)ovirt.org
>>>> >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM
>>>> >> >> > Subject: Re: [ovirt-users] ovirt with 389 server
inactive groups
>>>> >> >> >
>>>> >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>>>> >> >> > >
>>>> >> >> > >
>>>> >> >> > > ----- Original Message -----
>>>> >> >> > >> From: "Paul Robert Marino"
<prmarino1(a)gmail.com>
>>>> >> >> > >> To: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>>>> >> >> > >> Cc: "Maurice James"
<mjames(a)media-node.com>, users(a)ovirt.org
>>>> >> >> > >> Sent: Sunday, August 10, 2014 10:43:14
PM
>>>> >> >> > >> Subject: Re: [ovirt-users] ovirt with 389
server inactive groups
>>>> >> >> > >>
>>>> >> >> > >> Sorry for my delayed response to this
>>>> >> >> > >>
>>>> >> >> > >> I am using ovirt 3.3.
>>>> >> >> > >> I am using Kerberos 5, and all of the DNS
requirements are in
>>>> >> >> > >> place.
>>>> >> >> > >> Finally 389 server is the upstream
project for RHDS and one of the
>>>> >> >> > >> upstream projects for IPA.
>>>> >> >> > >> So I chose to set it as RHDS because its
an identical match.
>>>> >> >> > >>
>>>> >> >> > >> User authentication works just fine my
problem is adding roles to
>>>> >> >> > >> groups.
>>>> >> >> > >> I can assign a role to a group but the
group always shows an
>>>> >> >> > >> inactive
>>>> >> >> > >> status; however if I assign a role
directly to to a user it works
>>>> >> >> > >> fine.
>>>> >> >> > >> In addition if I drill down into a user
it knows what groups in
>>>> >> >> > >> the
>>>> >> >> > >> 389 server the user is a member of.
>>>> >> >> > >>
>>>> >> >> > >> finally I can't see any error in the
logs when adding a role to a
>>>> >> >> > >> group
>>>> >> >> > >>
>>>> >> >> > >
>>>> >> >> > > Please open a bug, I am unsure that it will
be addressed before
>>>> >> >> > > 3.5,
>>>> >> >> > > as
>>>> >> >> > > we
>>>> >> >> > > have done major rework for the authentication
and authorization to
>>>> >> >> > > make
>>>> >> >> > > it
>>>> >> >> > > much more versatile. Even if there will be a
fix it will be
>>>> >> >> > > provided
>>>> >> >> > > to
>>>> >> >> > > 3.4.z.
>>>> >> >> > >
>>>> >> >> > > It will be best if you want to test this
scenario in 3.5 release
>>>> >> >> > > candidate
>>>> >> >> > > and the new ldap provider, so we can address
the issue before 3.5
>>>> >> >> > > release
>>>> >> >> > > if exists.
>>>> >> >> > >
>>>> >> >> >
>>>> >> >> > could also be one of these fixed in 3.4:
>>>> >> >> > 3.4.0 - Bug 1065615 - When adding a user that
belongs to a group, it
>>>> >> >> > does not inherit the group permissions
>>>> >> >> > 3.4.1 - Bug 1069562 - When assigning permissions
to user that belongs
>>>> >> >> > to
>>>> >> >> > a group indirectly, it does not inherit the group
permissions
>>>> >> >> >
>>>> >> >> > >>
>>>> >> >> > >>
>>>> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon
Bar-Lev <alonbl(a)redhat.com>
>>>> >> >> > >> wrote:
>>>> >> >> > >>>
>>>> >> >> > >>>
>>>> >> >> > >>> ----- Original Message -----
>>>> >> >> > >>>> From: "Maurice James"
<mjames(a)media-node.com>
>>>> >> >> > >>>> To: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>>>> >> >> > >>>> Cc: "Itamar Heim"
<iheim(a)redhat.com>, users(a)ovirt.org
>>>> >> >> > >>>> Sent: Saturday, August 9, 2014
3:47:04 AM
>>>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt
with 389 server inactive groups
>>>> >> >> > >>>>
>>>> >> >> > >>>> Does this still require the use
of kerberos? Will 389-ds work on
>>>> >> >> > >>>> its
>>>> >> >> > >>>> own?
>>>> >> >> > >>>
>>>> >> >> > >>> In 3.5 we introduced pure ldap
support[1], obsoleting the
>>>> >> >> > >>> kerberos/ldap
>>>> >> >> > >>> mix.
>>>> >> >> > >>>
>>>> >> >> > >>> It will be great to receive
feedback[2].
>>>> >> >> > >>>
>>>> >> >> > >>> 389ds is not supported directly, I
think it is similar to IPA as
>>>> >> >> > >>> it
>>>> >> >> > >>> uses
>>>> >> >> > >>> 389. Maybe I should rename the
profile of ipa to 389 if it works
>>>> >> >> > >>> properly.
>>>> >> >> > >>>
>>>> >> >> > >>> Regards,
>>>> >> >> > >>> Alon
>>>> >> >> > >>>
>>>> >> >> > >>> [1]
>>>> >> >> > >>>
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
>>>> >> >> > >>> [2]
>>>> >> >> > >>>
http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>>>> >> >> > >>>
>>>> >> >> > >>>>
>>>> >> >> > >>>> ----- Original Message -----
>>>> >> >> > >>>> From: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>>>> >> >> > >>>> To: "Itamar Heim"
<iheim(a)redhat.com>
>>>> >> >> > >>>> Cc: users(a)ovirt.org
>>>> >> >> > >>>> Sent: Friday, August 8, 2014
3:45:07 PM
>>>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt
with 389 server inactive groups
>>>> >> >> > >>>>
>>>> >> >> > >>>>
>>>> >> >> > >>>>
>>>> >> >> > >>>> ----- Original Message -----
>>>> >> >> > >>>>> From: "Itamar Heim"
<iheim(a)redhat.com>
>>>> >> >> > >>>>> To: "Paul Robert
Marino" <prmarino1(a)gmail.com>, users(a)ovirt.org
>>>> >> >> > >>>>> Sent: Friday, August 8, 2014
10:37:11 PM
>>>> >> >> > >>>>> Subject: Re: [ovirt-users]
ovirt with 389 server inactive
>>>> >> >> > >>>>> groups
>>>> >> >> > >>>>>
>>>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul
Robert Marino wrote:
>>>> >> >> > >>>>>> I have ovirt engine
running and connected to a 389 server with
>>>> >> >> > >>>>>> the
>>>> >> >> > >>>>>> memberof plugin enabled
and working properly.
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>> I can add users and
assign them to roles without any issues.
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>> when I look at a user I
can see all the LDAP groups they are a
>>>> >> >> > >>>>>> member
>>>> >> >> > >>>>>> of.
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>> when I run
engine-manage-domains -action=validate it tells me
>>>> >> >> > >>>>>> the
>>>> >> >> > >>>>>> domain is valid.
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>> here is my problem when I
try to assign a role to an LDAP
>>>> >> >> > >>>>>> group
>>>> >> >> > >>>>>> it
>>>> >> >> > >>>>>> looks like it works but
in the general tab when under the
>>>> >> >> > >>>>>> group
>>>> >> >> > >>>>>> it
>>>> >> >> > >>>>>> tells me the status is
Inactive.
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>> dose any one know how to
enable the group?
>>>> >> >> > >>>>>>
_______________________________________________
>>>> >> >> > >>>>>> Users mailing list
>>>> >> >> > >>>>>> Users(a)ovirt.org
>>>> >> >> > >>>>>>
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >> > >>>>>>
>>>> >> >> > >>>>>
>>>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP
provider?
>>>> >> >> > >>>>
>>>> >> >> > >>>>
>>>> >> >> > >>>> On case this is 3.5 it is known
issue, all groups will be seen
>>>> >> >> > >>>> as
>>>> >> >> > >>>> inactive,
>>>> >> >> > >>>> this field will probably be
removed from UI, as groups are no
>>>> >> >> > >>>> longer
>>>> >> >> > >>>> fetched
>>>> >> >> > >>>> periodically.
>>>> >> >> > >>>> This field is totally ignored.
>>>> >> >> > >>>>
>>>> >> >> > >>>> Alon
>>>> >> >> > >>>>
_______________________________________________
>>>> >> >> > >>>> Users mailing list
>>>> >> >> > >>>> Users(a)ovirt.org
>>>> >> >> > >>>>
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >> > >>>>
>>>> >> >> > >>>
_______________________________________________
>>>> >> >> > >>> Users mailing list
>>>> >> >> > >>> Users(a)ovirt.org
>>>> >> >> > >>>
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >> > >>
>>>> >> >> > >
_______________________________________________
>>>> >> >> > > Users mailing list
>>>> >> >> > > Users(a)ovirt.org
>>>> >> >> > >
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >> > >
>>>> >> >> >
>>>> >> >> > _______________________________________________
>>>> >> >> > Users mailing list
>>>> >> >> > Users(a)ovirt.org
>>>> >> >> >
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >> >
>>>> >> >> _______________________________________________
>>>> >> >> Users mailing list
>>>> >> >> Users(a)ovirt.org
>>>> >> >>
http://lists.ovirt.org/mailman/listinfo/users
>>>> >> >>
>>>> >> > _______________________________________________
>>>> >> > Users mailing list
>>>> >> > Users(a)ovirt.org
>>>> >> >
http://lists.ovirt.org/mailman/listinfo/users
>>>> >>
>>>>