New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clean up the PKI securitydomain when removing a server #5915
Conversation
3d3c9ba
to
af4744e
Compare
ipaserver/plugins/server.py
Outdated
@@ -753,6 +753,9 @@ def pre_callback(self, ldap, dn, *keys, **options): | |||
self._ensure_last_of_role( | |||
pkey, ignore_last_of_role=options.get('ignore_last_of_role', False) | |||
) | |||
with self.api.Backend.ra_securitydomain as domain_api: | |||
domain_api.delete_domain(pkey, 'KRA') | |||
domain_api.delete_domain(pkey, 'CA') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When the topology is CA-less, this fails with:
# ipa server-del replica.ipa.test
Removing replica.ipa.test from replication topology, please wait...
ipa: ERROR: an internal error has occurred
The code must be called only when CA is enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed and added a CAless test to the temp commit. Nice catch, thanks.
test_integration/test_server_del.py::TestLastServices::test_forced_removal_of_master due to KDC being unavailable. Not sure why this would be affected, going to re-run it. |
The real issue is this one:
If the last CA is force-removed, the server-del probably removes the CA role from the master before it tries to call the CA to update the security domain. I suspect the code is failing because it doesn't know which server to contact for the security domain op. |
Ok. I added a broad try/except. I don't think this should block removal but the user should be notified that the server hasn't been removed from the security domain. |
Hi @rcritten
After |
Huh, that test worked fine locally. I wonder if I specifically just ran that one test instead of the whole suite. I'll add a fixture. |
9dc6c71
to
a2a2ae8
Compare
Hi @rcritten |
PKI has its own internal knowledge of servers and services in its securitydomain. This has not been cleaned up in the past but is becoming more of an issue as PKI now relies on its securitydomain for more things, and it has a healthcheck that reports inconsistencies. Removing entries is straightforward using the PKI REST API. In order to operate on the API access is needed. There was an unused Security Domain Administrators group that I've added to the resourceACLS we created for managing the securitydomain. The ipara user is added as a member of this group. The REST API binds to the CA using the IPA RA certificate. Related commits are b3c2197 and ba4df64. These resourceACLS were originally created as a backwards compatibility mechanism for dogtag v9 and later only created when a replica was installed purportedly to save a restart. I don't see any reason to not have these defined. They are apparently needed due to the PKI database upgrade issues. In any case if the purpose was to suppress these ACLS it failed because as soon as a replica with a CA was installed they were as well, and we need this ACL in order to manage the securitydomain. https://pagure.io/freeipa/issue/8930 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
For every server-del ensure that the server being deleted is also removed from the PKI securitydomain. https://pagure.io/freeipa/issue/8930 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
vagrant provisioning errors, re-running. |
PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.
Removing entries is straightforward using the PKI REST API.
In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.
Related commits are b3c2197
and ba4df64.
These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.
In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.
https://pagure.io/freeipa/issue/8930
Signed-off-by: Rob Crittenden rcritten@redhat.com