Re: [Freeipa-devel] MemberOf and Referential Integrity plugin failures cause abort of operation

2015-09-15 Thread Rich Megginson

On 09/15/2015 04:58 AM, Jan Cholasta wrote:

> On 15.9.2015 10:23, Tomas Babej wrote:
>
> > Hi,
> >
> > from DS 1.3.3, the memberOf and referential integrity plugins have been
> > converted to backend transaction plugins, which means that failures in
> > these plugins will propagate and cause abort of the operation that
> > triggered them. [1]
> >
> > I.e. in case of the memberOf plugin, if an operation triggered an addition
> > of the memberOf attribute, and that addition failed, the operation itself
> > did succeed in spite of this failure. This is no longer the case.

IMO the new transacted behavior is correct - the original operation and
all of the triggered operations should succeed or fail together.

> > We have already been hit by this issue in winsync agreement setup:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1262315
> >
> > However, there is little special about this case and there might be
> > multiple such entries in IPA which are added as group members,
> > but do not contain an objectclass which allows the memberOf attribute.
> >
> > So we need to step back and think - are there any other entries where
> > this change of behaviour will hit us?
>
> As far as ipalib is concerned, these are the objects which may have
> the memberOf attribute (with the object class providing it in parentheses):
>
> group (nestedGroup)
> hbacsvc (ipaHBACService)
> host (ipaHost)
> hostgroup (nestedGroup)
> netgroup (ipaNISNetgroup)
> privilege (nestedGroup)
> role (nestedGroup)
> service (ipaService)
> sudocmd (NONE)
> user (inetUser)
>
> so memberOf needs to be added to ipaSudoCmd.
>
> The config plugin lists memberOf as an operational attribute, which I
> guess is no longer the case?

It should never have been an operational attribute.  Perhaps this was a
"hack" to work around the fact that there were objects/objectclasses
missing memberOf?

> Also, memberOf is excluded from replication in
> ipaserver/install/replication.py.

By design - all servers are expected to have the same memberOf plugin
configuration, and add memberOf locally.


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] MemberOf and Referential Integrity plugin failures cause abort of operation

2015-09-15 Thread Jan Cholasta

On 15.9.2015 10:23, Tomas Babej wrote:

> Hi,
>
> from DS 1.3.3, the memberOf and referential integrity plugins have been
> converted to backend transaction plugins, which means that failures in
> these plugins will propagate and cause abort of the operation that
> triggered them. [1]
>
> I.e. in case of the memberOf plugin, if an operation triggered an addition
> of the memberOf attribute, and that addition failed, the operation itself
> did succeed in spite of this failure. This is no longer the case.
>
> We have already been hit by this issue in winsync agreement setup:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1262315
>
> However, there is little special about this case and there might be
> multiple such entries in IPA which are added as group members,
> but do not contain an objectclass which allows the memberOf attribute.
>
> So we need to step back and think - are there any other entries where
> this change of behaviour will hit us?

As far as ipalib is concerned, these are the objects which may have the
memberOf attribute (with the object class providing it in parentheses):

group (nestedGroup)
hbacsvc (ipaHBACService)
host (ipaHost)
hostgroup (nestedGroup)
netgroup (ipaNISNetgroup)
privilege (nestedGroup)
role (nestedGroup)
service (ipaService)
sudocmd (NONE)
user (inetUser)

so memberOf needs to be added to ipaSudoCmd.

The config plugin lists memberOf as an operational attribute, which I
guess is no longer the case?

Also, memberOf is excluded from replication in
ipaserver/install/replication.py.


--
Jan Cholasta
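The practical risk raised in both messages above is that, once memberOf runs as a backend transaction plugin, a single group member whose object classes do not permit the memberOf attribute aborts the whole membership change instead of being silently skipped. The following script is an added example (not FreeIPA or 389 DS code) of a pre-upgrade check for exactly that condition: it parses objectClass definitions, walks each object class and its SUP chain to compute which attributes an entry may hold, and reports every group member that cannot hold memberOf. The schema fragment, OIDs, DNs and entries are constructed, simplified stand-ins for the real FreeIPA schema; `allow_memberof` models the fix the thread proposes (adding memberOf to ipaSudoCmd).

```python
"""Pre-upgrade check for the transactional memberOf plugin (389 DS >= 1.3.3).

Reports group members whose schema does not allow the memberOf attribute,
so the schema can be corrected before such an add/modify starts failing.

Added example, not FreeIPA or 389 DS code. The schema and entries below are
constructed: placeholder OIDs, only the SUP/MUST/MAY parts of each
objectClass, and made-up DNs and values.
"""
import copy
import re

# Constructed schema fragment in RFC 4512 objectClass description syntax.
# The OIDs are placeholders; attribute lists are trimmed to what the check needs.
SCHEMA_LDIF = """\
objectClasses: ( 1.1.1.1.1 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 1.1.1.1.2 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )
objectClasses: ( 1.1.1.1.3 NAME 'inetUser' SUP top AUXILIARY MAY ( uid $ memberOf ) )
objectClasses: ( 1.1.1.1.4 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn MAY ( member $ description ) )
objectClasses: ( 1.1.1.1.5 NAME 'nestedGroup' SUP top AUXILIARY MAY ( memberOf $ member ) )
objectClasses: ( 1.1.1.1.6 NAME 'ipaSudoCmd' SUP top STRUCTURAL MUST sudoCmd MAY description )
"""

# Constructed directory content: one user group and one sudo command group.
BASE = "dc=example,dc=test"
ADMINS_DN = "cn=admins,cn=groups,cn=accounts," + BASE
ALICE_DN = "uid=alice,cn=users,cn=accounts," + BASE
REBOOT_CMDS_DN = "cn=reboot-cmds,cn=sudocmdgroups,cn=sudo," + BASE
REBOOT_CMD_DN = "ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudocmds,cn=sudo," + BASE

ENTRIES = {
    ADMINS_DN: {"objectClass": ["top", "groupOfNames", "nestedGroup"],
                "member": [ALICE_DN]},
    ALICE_DN: {"objectClass": ["top", "person", "inetUser"], "uid": ["alice"]},
    REBOOT_CMDS_DN: {"objectClass": ["top", "groupOfNames", "nestedGroup"],
                     "member": [REBOOT_CMD_DN]},
    REBOOT_CMD_DN: {"objectClass": ["top", "ipaSudoCmd"],
                    "sudoCmd": ["/usr/sbin/reboot"]},
}


def _keyword(desc, kw):
    """Extract the value list after KW (e.g. 'MAY ( a $ b )' or 'MAY a')."""
    m = re.search(r"\b%s\s+(\(\s*([^)]*)\)|(\S+))" % kw, desc)
    if not m:
        return frozenset()
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return frozenset(t.strip().lower() for t in body.split("$") if t.strip())


def parse_schema(ldif):
    """Map lower-cased objectClass name -> {'sup', 'must', 'may'} sets."""
    classes = {}
    for line in ldif.splitlines():
        if not line.lower().startswith("objectclasses:"):
            continue
        desc = line.split(":", 1)[1]
        name = re.search(r"\bNAME\s+'([^']+)'", desc).group(1)
        classes[name.lower()] = {"sup": set(_keyword(desc, "SUP")),
                                 "must": set(_keyword(desc, "MUST")),
                                 "may": set(_keyword(desc, "MAY"))}
    return classes


def allowed_attributes(classes, object_classes):
    """Union of MUST and MAY over the entry's object classes and their SUP chains."""
    allowed, seen, todo = set(), set(), [oc.lower() for oc in object_classes]
    while todo:
        oc = todo.pop()
        if oc in seen:
            continue
        seen.add(oc)
        spec = classes.get(oc)
        if spec is None:
            raise ValueError("unknown objectClass %r" % oc)
        allowed |= spec["must"] | spec["may"]
        todo.extend(spec["sup"])
    return allowed


def members_without_memberof(classes, entries, group_dn):
    """DNs of group_dn's members that cannot hold memberOf.

    Each of these would make a transactional memberOf plugin abort the
    membership operation rather than leave the member without memberOf.
    """
    bad = []
    for member_dn in entries[group_dn].get("member", []):
        member = entries.get(member_dn)
        if member is None:
            continue  # dangling reference: that is the Referential Integrity plugin's job
        if "memberof" not in allowed_attributes(classes, member["objectClass"]):
            bad.append(member_dn)
    return bad


def report(classes, entries):
    """Map every group (entry carrying 'member') to its offending members."""
    return {dn: members_without_memberof(classes, entries, dn)
            for dn, entry in entries.items() if "member" in entry}


def allow_memberof(classes, oc_name):
    """Copy of the schema with memberOf added to oc_name's MAY list (the proposed fix)."""
    fixed = copy.deepcopy(classes)
    fixed[oc_name.lower()]["may"].add("memberof")
    return fixed


if __name__ == "__main__":
    schema = parse_schema(SCHEMA_LDIF)
    for group, bad in report(schema, ENTRIES).items():
        for dn in bad:
            print("%s: member %s cannot hold memberOf" % (group, dn))
    print("after fix:", report(allow_memberof(schema, "ipaSudoCmd"), ENTRIES))
```

Run against a real deployment, the schema would come from the server's `cn=schema` entry and the entries from an LDAP search for `(member=*)` rather than the constructed dictionaries, but the check itself is the same: any non-empty list in the report is a membership change that the transactional plugin will refuse.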
