Don't use a hidden value of certname if use_uuid_for_certificates has been toggled on/off #925
Conversation
|
So the scenario here is that you enable the setting, create the host, disable the setting, you provision the host and it stays in effect. I'm worried about another case where you enable the setting, provision the host, disable it and then Foreman doesn't know the correct certname for the host. In that case you'd want Foreman to still know the old UUID certname, but not issue UUID certnames to new hosts. Does that make sense? I'm not sure which is correct if so. @GregSutcliffe, what are your thoughts? |
|
The UI hides the certname when you disable that option, so you cannot see or edit it. The behavior should be made consistent - the other way around is never to hide the certname if it has been set, that way I can see that I have to delete it. |
|
Yes, having the ability to view and edit the certname would be useful generally and probably help here. I think that'd be a viable solution. Another way, which I think would keep both of our scenarios working, would be to reset the certname according to the current value of the UUID setting while performing the certificate revocation and setting up autosigning. e.g. in app/models/host/managed.rb, handle_ca: Between delCertificate (revocation) and setAutosign (adding autosign entry), we reset certname if it contains a UUID and the UUID setting's now off: I think this would solve the problem you're hitting, while keeping certname working for existing hosts? |
|
@domcleal that makes a lot of sense, apart from being able to edit the certname. Since that's closely tied to certificate generation/revocation, I'm not sure making it editable is a good idea. I definitely agree with displaying it if it's not == to the hostname (or maybe just all the time), and the reset code looks good too. |
|
Seems complicated? I like that my proposal has simple logic based on the one setting, because I don't want to keep the UUID cert name after toggling this option off anyhow. |
|
@sodabrew I agree, the issue is that your patch as written will mean that when you rebuild a host, the old cert won't get cleaned out from your puppetmaster. This is because the clean operation happens as the host is being rebuilt (specifically when it retrieves it's provision template), which will be after you've altered the Setting and thus it tries to clean What @domcleal is proposing is to fix that problem by resetting the certname after the clean has happened, rather than before - i.e by hooking in at the right time in the orchestration. Otherwise the logic is pretty much the same, the only extra bit is looking explicitly for old UUID certnames, rather than any certname. It's still based on the one setting, as you rightly want. |
|
Oh, gotcha. Sounds good - will you be able to code this up for 1.3, or shall I jump in on it? |
|
If you're able to, that'd be great - though I'd ask for tests too please. test/unit/host_test.rb in the handle_ca area would be a good place to start I think, since there's a test that stubs out most of those calls already. Thanks! |
|
If this works and looks mergeble then I'll rebase/squash first :) ... caveat that I haven't actually run the unit tests yet. |
|
[test] |
1 similar comment
|
[test] |
| h.expects(:delCertificate).returns(true) | ||
| h.expects(:setAutosign).returns(true) | ||
| assert h.handle_ca | ||
| assert h.certname.nil? |
There was a problem hiding this comment.
This is failing in the tests as h.certname will return the name if not defined. Perhaps use .read_attribute(:certname) or assert_equal to the name?
|
Last one? [test] |
|
I hope so, sorry for the dumb errors! I couldn't get tests running locally at all :/ |
|
No worries, that's unusual. It's normally OK after copying the settings/database files in place, db:migrate and rake test. |
|
Did the tests begin? |
|
Yep, on their way now. It checks every 15 mins, so there's some latency involved :) |
|
Huh. |
|
Ah, because the methods on the host itself (which calls the PuppetCA object) are stubbed: Removing these lines and making the puppetca stubs return |
…based certificate and before enabling autosign for a hostname-based certificate
|
[test] |
| return false unless delCertificate | ||
|
|
||
| # If the user has changed use_uuid_for_certificates to false, | ||
| # then null out the certname. This means we may revoke the hostname |
There was a problem hiding this comment.
shouldnt we do this when the setting change instead?
this might be a bit unexpected?
There was a problem hiding this comment.
That then raises the issue in my first two comments, we lose track of certificates of existing hosts. This is less surprising, as existing certs continue to work and Foreman can delete them (as we continue to track them), but then sign new certificates as per the current value of the setting.
There was a problem hiding this comment.
shouldn't we have some way to warn the user? that this change is potentially impacting some of the hosts?
ideally, we should have a way to:
- let the user know which systems might be impacted
- let the user decide what to do on a per system base?
There was a problem hiding this comment.
Perhaps ideally, but that's a lot of complexity and work for a single setting.
There was a problem hiding this comment.
I see a few options forward then:
- document well
- open another follow up feature request and merge as is
- extend this PR to include a warning to the user?
any other option? what would be your take?
There was a problem hiding this comment.
I prefer (1) and (2). I think the behaviour this PR currently implements is good - it doesn't break existing hosts and automatically picks up the change when required. I can add a note to the setting in the manual and file a related ticket on merge.
|
Added logging? |
|
Nice, thanks @sodabrew. I'll give this a try and merge tomorrow. |
|
Thank you too, I appreciated the pointers along the way. |
Expected:
Actual:
Patch fixes this by checking for state of the use_uuid_for_certificates setting in the certname model method.