On 07/31/2015 01:53 PM, Simo Sorce wrote:
On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
Discussed with Ludwig, but it might be interesting to the rest of the
team(and mainly Simo)
In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
is a scenario as follows:
- existing couple of replicas of version 4.2 and earlier (no topology
management)
- upgrade all to future 4.3
- raise domain level to 1
- optionally add a replica
All agmts are now managed by a topology plugin but there is an issue
with the old CA agreements because they were created with bind method:
simple. Atm. no code in IPA framework is executed after raising a domain
level. Therefore the old CA agreements are not converted to use GSSAPI.
If the segments related to the old agreements are removed and then
re-added, topology plugin creates agreements which use GSSAPI.
The old agreements are not converted automatically by a topology plugin
because simple auth is still required for ipa-replica-install (for both
realm and o=ipaca suffix).
My replica-promotion code creates bind agreements directly using GSSAPI,
so going forward we will be covered. What is missing is to prevent
non-promotion installs. We should make it impossible to run
ipa-replica-prepare on level 1 servers I guess.
Nor they can't be converted in IPA upgrade because domain level is
raised after the upgrade.
Question is who should convert the old amgts after raising a domain
level. IPA or topology plugin?
Some of possible solutions are:
1. Convert the CA agmts in domailevel-set method
Nope, the domainlevel-set method can be called on any server, there is
no guarantee this server can reach all servers. There may be network
issues preventing it as well as a server may be temporarily
down/unreachable for whatever reason.
2. Change replica installer to setup Kerberos earlier so that new
agreements could use GSSAPI and therefore topology plugin can convert
all managed agreements which don't use GSSAPI automatically.
This is already done in my replica promotion work, but has no bearing on
*existing* agreements.
only as a side effect. At the moment the topology plugin cannot just
convert a "simple" agreement if itfinds one, because in the initial
phase gssapi
is not yet operational. But if it is ensured that all new agreements
will be gssapi, it can blindly convert all other agreements if zhey are
encountered after domain
lvel raise
3. Automatically convert all agmts by topo plugin. Introduce an attr in
repl agmnt which would be set during replica installation to tell the
topo plugin to not covert the agmnt while the attr is set. Then convert
in installer or when the attr is removed.
This is the only viable method.
#1 is an easy workaround but it creates yet another "sort of upgrade
path" in domain level set.
#2 is more or less a replica promotion.
#3 another workaround
From long term perspective, I like #2 but I don't know what's the state
of replica promotion. Simo?
See above, but I do not see how this has any influence on existing
replicas that are using the simple method.
Attaching IPA patches which I use now (doesn't contain required topo
plugin patches).
Please look at the code in my tree, I think your work conflict with mine
on the installer part.
I do not handle yet the CA replica stuff in my promotion code, but we
should base any work in that direction on the replica-promotion method
and not the old replica install method.
Simo.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code