Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Martin Kosek wrote: On 09/13/2012 06:40 PM, Rob Crittenden wrote: Martin Kosek wrote: To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected. rob Right, I should have seen that coming. I want this feature to be checked properly so I added a tests for all RI-checked attributes. Patches attached. Martin ACK, pushed to master and ipa-3-0 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
On 09/13/2012 06:40 PM, Rob Crittenden wrote: Martin Kosek wrote: To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected. rob Right, I should have seen that coming. I want this feature to be checked properly so I added a tests for all RI-checked attributes. Patches attached. Martin From f54743bc5f9d5b83b1376c99483eb38b181d2556 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 12 Sep 2012 09:28:36 +0200 Subject: [PATCH 1/4] Add attributeTypes to safe schema updater AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch just like ObjectClass attribute which is already being normalized before an update value is compared with update instructions. Expand safe schema updater routine to cover both ObjectClasses and AttributeTypes updates. https://fedorahosted.org/freeipa/ticket/2440 --- ipaserver/install/ldapupdate.py | 68 +++-- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -35,7 +35,7 @@ from ipalib import errors from ipalib import api from ipapython.dn import DN import ldap -from ldap.schema.models import ObjectClass +from ldap.schema.models import ObjectClass, AttributeType from ipapython.ipa_log_manager import * import krbV import platform @@ -551,23 +551,32 @@ class LDAPUpdate: # Replacing objectClassess needs a special handling and # normalization of OC definitions to avoid update failures for # example when X-ORIGIN is the only difference -objectclass_replacement = False -if action == replace and entry.dn == DN(('cn', 'schema')) and \ -attr.lower() == objectclasses: -objectclass_replacement = True -oid_index = {} -# build the OID index for replacing -for objectclass in entry_values: -try: -objectclass_object = ObjectClass(str(objectclass)) -except Exception, e: -self.error('replace: cannot parse ObjectClass %s: %s', -objectclass, e) -continue -# In a corner case, there may be more representations of -# the same objectclass due to the previous updates -# We want to replace them all -oid_index.setdefault(objectclass_object.oid, []).append(objectclass) +schema_update = False +schema_elem_class = None +schema_elem_name = None +if action == replace and entry.dn == DN(('cn', 'schema')): +if attr.lower() == objectclasses: +schema_elem_class = ObjectClass +schema_elem_name = ObjectClass +elif attr.lower() == attributetypes: +schema_elem_class = AttributeType +schema_elem_name = AttributeType + +if schema_elem_class is not None: +schema_update = True +
Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Martin Kosek wrote: To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 -- Martin Kosek mko...@redhat.com Senior Software Engineer - Identity Management Team Red Hat Inc. From de4d160ba4a9bce33f227078ba00ee2d8cd04594 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 12 Sep 2012 09:28:36 +0200 Subject: [PATCH 1/4] Add attributeTypes to safe schema updater AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch just like ObjectClass attribute which is already being normalized before an update value is compared with update instructions. Expand safe schema updater routine to cover both ObjectClasses and AttributeTypes updates. https://fedorahosted.org/freeipa/ticket/2440 --- ipaserver/install/ldapupdate.py | 68 +++-- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -35,7 +35,7 @@ from ipalib import errors from ipalib import api from ipapython.dn import DN import ldap -from ldap.schema.models import ObjectClass +from ldap.schema.models import ObjectClass, AttributeType from ipapython.ipa_log_manager import * import krbV import platform @@ -551,23 +551,32 @@ class LDAPUpdate: # Replacing objectClassess needs a special handling and # normalization of OC definitions to avoid update failures for # example when X-ORIGIN is the only difference -objectclass_replacement = False -if action == replace and entry.dn == DN(('cn', 'schema')) and \ -attr.lower() == objectclasses: -objectclass_replacement = True -oid_index = {} -# build the OID index for replacing -for objectclass in entry_values: -try: -objectclass_object = ObjectClass(str(objectclass)) -except Exception, e: -self.error('replace: cannot parse ObjectClass %s: %s', -objectclass, e) -continue -# In a corner case, there may be more representations of -# the same objectclass due to the previous updates -# We want to replace them all -oid_index.setdefault(objectclass_object.oid, []).append(objectclass) +schema_update = False +schema_elem_class = None +schema_elem_name = None +if action == replace and entry.dn == DN(('cn', 'schema')): +if attr.lower() == objectclasses: +schema_elem_class = ObjectClass +schema_elem_name = ObjectClass +elif attr.lower() == attributetypes: +schema_elem_class = AttributeType +schema_elem_name = AttributeType + +if schema_elem_class is not None: +schema_update = True +oid_index = {} +# build the OID index for replacing +for schema_elem in entry_values: +try: +schema_elem_object = schema_elem_class(str(schema_elem)) +except Exception, e: +self.error('replace: cannot parse %s %s: %s', +schema_elem_name, schema_elem, e) +