Re: [Freeipa-devel] Changing CA replication agreements after raising domain level
On 07/31/2015 01:53 PM, Simo Sorce wrote:
> On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
>> Discussed with Ludwig, but it might be interesting to the rest of the
>> team (and mainly Simo)
>>
>> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
>> is a scenario as follows:
>>
>> - existing couple of replicas of version 4.2 and earlier (no topology
>>   management)
>> - upgrade all to future 4.3
>> - raise domain level to 1
>> - optionally add a replica
>>
>> All agmts are now managed by a topology plugin but there is an issue
>> with the old CA agreements because they were created with bind method:
>> simple. Atm. no code in IPA framework is executed after raising a domain
>> level. Therefore the old CA agreements are not converted to use GSSAPI.
>>
>> If the segments related to the old agreements are removed and then
>> re-added, topology plugin creates agreements which use GSSAPI.
>>
>> The old agreements are not converted automatically by a topology plugin
>> because simple auth is still required for ipa-replica-install (for both
>> realm and o=ipaca suffix).
>
> My replica-promotion code creates bind agreements directly using GSSAPI,
> so going forward we will be covered. What is missing is to prevent
> non-promotion installs. We should make it impossible to run
> ipa-replica-prepare on level 1 servers I guess.
>
>> Nor can they be converted in IPA upgrade because domain level is
>> raised after the upgrade.
>>
>> Question is who should convert the old agmts after raising a domain
>> level. IPA or topology plugin?
>>
>> Some of the possible solutions are:
>>
>> 1. Convert the CA agmts in domainlevel-set method
>
> Nope, the domainlevel-set method can be called on any server, there is
> no guarantee this server can reach all servers. There may be network
> issues preventing it as well as a server may be temporarily
> down/unreachable for whatever reason.
>
>> 2. Change replica installer to set up Kerberos earlier so that new
>> agreements could use GSSAPI and therefore topology plugin can convert
>> all managed agreements which don't use GSSAPI automatically.
>
> This is already done in my replica promotion work, but has no bearing on
> *existing* agreements.

Only as a side effect. At the moment the topology plugin cannot just
convert a "simple" agreement if it finds one, because in the initial
phase gssapi is not yet operational. But if it is ensured that all new
agreements will be gssapi, it can blindly convert all other agreements if
they are encountered after domain level raise.

>> 3. Automatically convert all agmts by topo plugin. Introduce an attr in
>> repl agmnt which would be set during replica installation to tell the
>> topo plugin to not convert the agmnt while the attr is set. Then convert
>> in installer or when the attr is removed.
>
> This is the only viable method.
>
>> #1 is an easy workaround but it creates yet another "sort of upgrade
>> path" in domain level set.
>> #2 is more or less a replica promotion.
>> #3 another workaround
>>
>> From a long-term perspective, I like #2 but I don't know what's the
>> state of replica promotion. Simo?
>
> See above, but I do not see how this has any influence on existing
> replicas that are using the simple method.
>
>> Attaching IPA patches which I use now (doesn't contain required topo
>> plugin patches).
>
> Please look at the code in my tree, I think your work conflicts with
> mine on the installer part.
>
> I do not handle yet the CA replica stuff in my promotion code, but we
> should base any work in that direction on the replica-promotion method
> and not the old replica install method.
>
> Simo.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
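As an added illustration (not code from this thread or from FreeIPA itself), the following audit lists the replication agreements on a suffix that still use SIMPLE bind, which is the state the old o=ipaca agreements are left in after the domain level is raised. The attribute names are the 389-ds replication agreement attributes; the DNs, hostnames and LDIF are constructed sample data, and in practice the entries would come from an LDAP search under cn=mapping tree,cn=config.

```python
# Example for this thread (not FreeIPA code). Attribute names are 389-ds's;
# the two agreements below (realm suffix already GSSAPI, old o=ipaca one
# still SIMPLE with a stored bind DN) are constructed sample data.
SAMPLE_LDIF = """\
dn: cn=meToreplica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToreplica2.example.test
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaBindMethod: SASL/GSSAPI

dn: cn=meToreplica2.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToreplica2.example.test
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-replica2.example.test-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: SIMPLE
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lower-cased (no continuation lines or base64 values)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def unconverted_agreements(entries, suffix="o=ipaca"):
    """Return (agreement DN, peer host) for each agreement on `suffix` whose bind
    method is still SIMPLE; 389-ds treats a missing bind method as SIMPLE."""
    found = []
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        if e.get("nsds5replicaroot", [""])[0].lower() != suffix.lower():
            continue
        if e.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper() == "SIMPLE":
            found.append((e["dn"][0], e.get("nsds5replicahost", ["?"])[0]))
    return found
```

Running the check on each master before and after the domain level raise shows which CA agreements the topology plugin has not (yet) converted.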
Re: [Freeipa-devel] Changing CA replication agreements after raising domain level
On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
> Discussed with Ludwig, but it might be interesting to the rest of the
> team (and mainly Simo)
>
> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
> is a scenario as follows:
>
> - existing couple of replicas of version 4.2 and earlier (no topology
>   management)
> - upgrade all to future 4.3
> - raise domain level to 1
> - optionally add a replica
>
> All agmts are now managed by a topology plugin but there is an issue
> with the old CA agreements because they were created with bind method:
> simple. Atm. no code in IPA framework is executed after raising a domain
> level. Therefore the old CA agreements are not converted to use GSSAPI.
>
> If the segments related to the old agreements are removed and then
> re-added, topology plugin creates agreements which use GSSAPI.
>
> The old agreements are not converted automatically by a topology plugin
> because simple auth is still required for ipa-replica-install (for both
> realm and o=ipaca suffix).

My replica-promotion code creates bind agreements directly using GSSAPI,
so going forward we will be covered. What is missing is to prevent
non-promotion installs. We should make it impossible to run
ipa-replica-prepare on level 1 servers I guess.

> Nor can they be converted in IPA upgrade because domain level is
> raised after the upgrade.
>
> Question is who should convert the old agmts after raising a domain
> level. IPA or topology plugin?
>
> Some of the possible solutions are:
>
> 1. Convert the CA agmts in domainlevel-set method

Nope, the domainlevel-set method can be called on any server, there is
no guarantee this server can reach all servers. There may be network
issues preventing it as well as a server may be temporarily
down/unreachable for whatever reason.

> 2. Change replica installer to set up Kerberos earlier so that new
> agreements could use GSSAPI and therefore topology plugin can convert
> all managed agreements which don't use GSSAPI automatically.

This is already done in my replica promotion work, but has no bearing on
*existing* agreements.

> 3. Automatically convert all agmts by topo plugin. Introduce an attr in
> repl agmnt which would be set during replica installation to tell the
> topo plugin to not convert the agmnt while the attr is set. Then convert
> in installer or when the attr is removed.

This is the only viable method.

> #1 is an easy workaround but it creates yet another "sort of upgrade
> path" in domain level set.
> #2 is more or less a replica promotion.
> #3 another workaround
>
> From a long-term perspective, I like #2 but I don't know what's the
> state of replica promotion. Simo?

See above, but I do not see how this has any influence on existing
replicas that are using the simple method.

> Attaching IPA patches which I use now (doesn't contain required topo
> plugin patches).

Please look at the code in my tree, I think your work conflicts with
mine on the installer part.

I do not handle yet the CA replica stuff in my promotion code, but we
should base any work in that direction on the replica-promotion method
and not the old replica install method.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] Changing CA replication agreements after raising domain level
Discussed with Ludwig, but it might be interesting to the rest of the
team (and mainly Simo)

In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
is a scenario as follows:

- existing couple of replicas of version 4.2 and earlier (no topology
  management)
- upgrade all to future 4.3
- raise domain level to 1
- optionally add a replica

All agmts are now managed by a topology plugin but there is an issue
with the old CA agreements because they were created with bind method:
simple. Atm. no code in IPA framework is executed after raising a domain
level. Therefore the old CA agreements are not converted to use GSSAPI.

If the segments related to the old agreements are removed and then
re-added, topology plugin creates agreements which use GSSAPI.

The old agreements are not converted automatically by a topology plugin
because simple auth is still required for ipa-replica-install (for both
realm and o=ipaca suffix).

Nor can they be converted in IPA upgrade because domain level is
raised after the upgrade.

Question is who should convert the old agmts after raising a domain
level. IPA or topology plugin?

Some of the possible solutions are:

1. Convert the CA agmts in domainlevel-set method
2. Change replica installer to set up Kerberos earlier so that new
   agreements could use GSSAPI and therefore topology plugin can convert
   all managed agreements which don't use GSSAPI automatically.
3. Automatically convert all agmts by topo plugin. Introduce an attr in
   repl agmnt which would be set during replica installation to tell the
   topo plugin to not convert the agmnt while the attr is set. Then convert
   in installer or when the attr is removed.

#1 is an easy workaround but it creates yet another "sort of upgrade
path" in domain level set.
#2 is more or less a replica promotion.
#3 another workaround

From a long-term perspective, I like #2 but I don't know what's the
state of replica promotion. Simo?

Attaching IPA patches which I use now (doesn't contain required topo
plugin patches).

--
Petr Vobornik

>From 5a1f8ad3b8948d858729b8562e2c01eef161272e Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Wed, 15 Jul 2015 11:17:14 +0200
Subject: [PATCH 1/2] topology: manage ca replication agreements

Configure IPA so that topology plugin will also manage CA replication
agreements.

If domain level > 0, ipa-replica-install:
- ipa replica install prepares DB for PKI
- sets up replication agreements (o=ipaca) with simple bind method
- re-initializes the suffix
- calls pkispawn
- changes agreements to use GSSAPI

upgrades if CA is configured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
---
 freeipa.spec.in | 4 +-
 install/share/Makefile.am | 1 +
 install/share/ca-topology.uldif | 15 +
 install/updates/20-replication.update | 5 ++
 install/updates/90-post_upgrade_plugins.update | 1 +
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/cainstance.py | 80 -
 ipaserver/install/installutils.py | 1 +
 ipaserver/install/krbinstance.py| 19 --
 ipaserver/install/plugins/update_ca_topology.py | 34 +++
 ipaserver/install/replication.py| 68 -
 ipaserver/install/server/replicainstall.py | 4 +-
 12 files changed, 195 insertions(+), 38 deletions(-)
 create mode 100644 install/share/ca-topology.uldif
 create mode 100644 ipaserver/install/plugins/update_ca_topology.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 328894c551acde88fbf789537fd9c9a5a39da816..b1da0a66ff51e5b9a1a3bbf3e1504e4fdbaacdd9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -143,8 +143,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.6 -Requires: pki-kra >= 10.2.6 +Requires: pki-ca >= 10.2.7 +Requires: pki-kra >= 10.2.7 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 80e959a751a0800c4d56c379a73b68a2f12570d7..156ee3f528a10a3615b0cc48a8fccad36e143da3 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -27,6 +27,7 @@ app_DATA =\ 72domainlevels.ldif \ anonymous-vlv.ldif \ bootstrap-template.ldif \ + ca-topology.uldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ default-caacl.ldif \ diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif new file mode 100644 index ..3da9eaee1478ba0849a164fd2a150772c0151dd8 --- /dev/null +++ b/install/share/ca-topology.uldif @@ -0,0 +1,15 @@ +# add IPA CA ma
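Review bot: the freeipa.spec.in hunk raises the pki-ca and pki-kra minimum from 10.2.6 to 10.2.7, but neither the hunk nor the commit message says which pki change the topology-managed o=ipaca agreements depend on; add a sentence to the commit message (or a comment above the two `Requires:` lines) naming it, so the version bump is not dropped as unrelated when the patch is rebased or backported.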