Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Martin Kosek wrote: On 09/13/2012 06:40 PM, Rob Crittenden wrote: Martin Kosek wrote: To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected. rob Right, I should have seen that coming. I want this feature to be checked properly so I added a tests for all RI-checked attributes. Patches attached. Martin ACK, pushed to master and ipa-3-0 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
On 09/13/2012 06:40 PM, Rob Crittenden wrote:
Martin Kosek wrote:
To test, add sudo commands, hosts or users to a sudo rule or hbac rule and
then
rename or delete the linked object. After the update, the links should be
amended.
-
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. The following indexes
have been added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin was updated to check all these
attributes.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
These patches look good but I'd like to see some tests associated with the
referential integrity changes in patch 308. I'm not sure we need a test for
every single combination where RI comes into play but at least testing that
the
original sequence (sudorule/sudocmd) works as expected.
rob
Right, I should have seen that coming. I want this feature to be checked
properly so I added a tests for all RI-checked attributes.
Patches attached.
Martin
From f54743bc5f9d5b83b1376c99483eb38b181d2556 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 12 Sep 2012 09:28:36 +0200
Subject: [PATCH 1/4] Add attributeTypes to safe schema updater
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.
Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.
https://fedorahosted.org/freeipa/ticket/2440
---
ipaserver/install/ldapupdate.py | 68 +++--
1 file changed, 39 insertions(+), 29 deletions(-)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -35,7 +35,7 @@ from ipalib import errors
from ipalib import api
from ipapython.dn import DN
import ldap
-from ldap.schema.models import ObjectClass
+from ldap.schema.models import ObjectClass, AttributeType
from ipapython.ipa_log_manager import *
import krbV
import platform
@@ -551,23 +551,32 @@ class LDAPUpdate:
# Replacing objectClassess needs a special handling and
# normalization of OC definitions to avoid update failures for
# example when X-ORIGIN is the only difference
-objectclass_replacement = False
-if action == replace and entry.dn == DN(('cn', 'schema')) and \
-attr.lower() == objectclasses:
-objectclass_replacement = True
-oid_index = {}
-# build the OID index for replacing
-for objectclass in entry_values:
-try:
-objectclass_object = ObjectClass(str(objectclass))
-except Exception, e:
-self.error('replace: cannot parse ObjectClass %s: %s',
-objectclass, e)
-continue
-# In a corner case, there may be more representations of
-# the same objectclass due to the previous updates
-# We want to replace them all
-oid_index.setdefault(objectclass_object.oid, []).append(objectclass)
+schema_update = False
+schema_elem_class = None
+schema_elem_name = None
+if action == replace and entry.dn == DN(('cn', 'schema')):
+if attr.lower() == objectclasses:
+schema_elem_class = ObjectClass
+schema_elem_name = ObjectClass
+elif attr.lower() == attributetypes:
+schema_elem_class = AttributeType
+schema_elem_name = AttributeType
+
+if schema_elem_class is not None:
+schema_update = True
+
Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Martin Kosek wrote: To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended. - Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin was updated to check all these attributes. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
rename or delete the linked object. After the update, the links should be
amended.
-
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. The following indexes
have been added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin was updated to check all these
attributes.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
--
Martin Kosek mko...@redhat.com
Senior Software Engineer - Identity Management Team
Red Hat Inc.
From de4d160ba4a9bce33f227078ba00ee2d8cd04594 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 12 Sep 2012 09:28:36 +0200
Subject: [PATCH 1/4] Add attributeTypes to safe schema updater
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.
Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.
https://fedorahosted.org/freeipa/ticket/2440
---
ipaserver/install/ldapupdate.py | 68 +++--
1 file changed, 39 insertions(+), 29 deletions(-)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -35,7 +35,7 @@ from ipalib import errors
from ipalib import api
from ipapython.dn import DN
import ldap
-from ldap.schema.models import ObjectClass
+from ldap.schema.models import ObjectClass, AttributeType
from ipapython.ipa_log_manager import *
import krbV
import platform
@@ -551,23 +551,32 @@ class LDAPUpdate:
# Replacing objectClassess needs a special handling and
# normalization of OC definitions to avoid update failures for
# example when X-ORIGIN is the only difference
-objectclass_replacement = False
-if action == replace and entry.dn == DN(('cn', 'schema')) and \
-attr.lower() == objectclasses:
-objectclass_replacement = True
-oid_index = {}
-# build the OID index for replacing
-for objectclass in entry_values:
-try:
-objectclass_object = ObjectClass(str(objectclass))
-except Exception, e:
-self.error('replace: cannot parse ObjectClass %s: %s',
-objectclass, e)
-continue
-# In a corner case, there may be more representations of
-# the same objectclass due to the previous updates
-# We want to replace them all
-oid_index.setdefault(objectclass_object.oid, []).append(objectclass)
+schema_update = False
+schema_elem_class = None
+schema_elem_name = None
+if action == replace and entry.dn == DN(('cn', 'schema')):
+if attr.lower() == objectclasses:
+schema_elem_class = ObjectClass
+schema_elem_name = ObjectClass
+elif attr.lower() == attributetypes:
+schema_elem_class = AttributeType
+schema_elem_name = AttributeType
+
+if schema_elem_class is not None:
+schema_update = True
+oid_index = {}
+# build the OID index for replacing
+for schema_elem in entry_values:
+try:
+schema_elem_object = schema_elem_class(str(schema_elem))
+except Exception, e:
+self.error('replace: cannot parse %s %s: %s',
+schema_elem_name, schema_elem, e)
+
