URL: https://github.com/SSSD/sssd/pull/941 Author: sumit-bose Title: #941: ipa: add failover to access checks and override lookups Action: opened
PR body: """ Failover handling was missing in some multi-step searches. As mentioned in the comment in the first patch, a change in the tevent_req hierarchy might be a more general solution. But since this patch should be backported and in most cases the need to failover will be visible already in the first search, I think these patches are suitable for a start. Additionally I would like to change the override handling in the near future, which would change the ipa_id_get_account_info request anyway. Related to https://pagure.io/SSSD/sssd/issue/4114 """

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/941/head:pr941
git checkout pr941
From 27ccbbe5e2c405b82a868291c57d7eca1195f3d5 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Tue, 29 Oct 2019 12:16:40 +0100 Subject: [PATCH 1/2] ipa: add failover to override lookups In the ipa_id_get_account_info request failover handling was missing. Related to https://pagure.io/SSSD/sssd/issue/4114 --- src/providers/ipa/ipa_id.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c index 94d5f9d90e..9253514a3e 100644 --- a/src/providers/ipa/ipa_id.c +++ b/src/providers/ipa/ipa_id.c @@ -640,7 +640,22 @@ static void ipa_id_get_account_info_got_override(struct tevent_req *subreq) ret = ipa_get_ad_override_recv(subreq, &dp_error, state, &state->override_attrs); talloc_zfree(subreq); + if (ret != EOK) { + ret = sdap_id_op_done(state->op, ret, &dp_error); + + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n"); + goto fail; + } + tevent_req_set_callback(subreq, ipa_id_get_account_info_connected, + req); + return; + } + DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); goto fail; } From 560f6f7a846b138974b70bb9b25cc0d0d76dc046 Mon Sep 17 00:00:00 2001 
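Review bot: The retry branch in ipa_id_get_account_info_got_override re-enters ipa_id_get_account_info_connected, so the whole account lookup runs again from the connected step, not just the override search; that matches how sdap_id_op_done and sdap_id_op_connect_send are paired elsewhere in the LDAP provider, but please confirm that the state fields filled by the earlier search (the object whose override is being looked up) are overwritten cleanly on the second pass rather than leaked or appended to. Also check that the `fail` label propagates the `dp_error` value written by sdap_id_op_done (for example DP_ERR_OFFLINE once no server is left) into the request's returned dp_error, since that is what lets the backend go offline; the hunk only updates the local variable before `goto fail`. The `if (dp_error == DP_ERR_OK && ret != EOK)` condition itself follows the established idiom and needs no change.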
From: Sumit Bose <[email protected]> Date: Wed, 30 Oct 2019 14:23:12 +0100 Subject: [PATCH 2/2] ipa: add failover to access checks While reading the different components of the HBAC rules failover handling was missing. Since the access control is typically the second step after authentication SSSD would have already switched to a working server or into offline mode during authentication. But if e.g. ssh keys are used for authentication and user data are read from cache the HABC rule searches might have to handle failover as well. Related to https://pagure.io/SSSD/sssd/issue/4114 --- src/providers/ipa/ipa_access.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index de9f68170b..375b6f8854 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -296,6 +296,7 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq) struct ipa_fetch_hbac_state *state = NULL; struct tevent_req *req = NULL; errno_t ret; + int dp_error; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ipa_fetch_hbac_state); @@ -308,7 +309,22 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq) state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR; state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR; talloc_zfree(subreq); + if (ret != EOK) { + /* Only call sdap_id_op_done in case of an error to trigger a + * failover. In general changing the tevent_req layout would be better + * so that all searches are in another sub-request so that we can + * error out at any step and the parent request can call + * sdap_id_op_done just once. */ + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = ipa_fetch_hbac_retry(req); + if (ret != EAGAIN) { + goto done; + } + return; + } goto done; }
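Review bot: The diff touches only ipa_fetch_hbac_hostinfo_done, while the commit message says failover handling was missing while reading the different components of the HBAC rules; please confirm that the later steps of the same request (the service and rule searches) get equivalent `sdap_id_op_done` + `ipa_fetch_hbac_retry` handling, or narrow the commit message to the host lookup. In the retry path, ipa_fetch_hbac_retry restarts the fetch on the same `req`, and the context lines show `state->hosts` being populated (entry_subdir, group_subdir) before the new error check, so that result should be freed or reset before the second pass to avoid a stale entry lingering on the state. The `int dp_error;` added in the first hunk is uninitialized, which is fine as long as it is only read after sdap_id_op_done, as it is here; a short comment saying so would keep a future reader from "fixing" it.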
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
