#5631 Missing "System: Read Replication Agreements" ACI on new replicas
Closed: Fixed. Opened 3 years ago by mbasti.

This is probably a regression caused by commit 86f943c.

Reproducible on 4.2, 4.3, master.

The 'update_manage_permission' plugin did not add the ACI entry to the replica's cn=config because the entry already exists on the master and the plugin is unaware that the cn=config subtree is not replicated.

How to reproduce:
1. install 4.2.3 (or 4.3) master
2. create 4.2.3 (or 4.3) replica
3. ACI "System: Read Replication Agreements" is present in cn=config on master, but missing on replica

Workaround:
1. Copy the ACI from master to replica

Proposed fix:
All permissions that are not in the replicated part of the tree should not be managed by the update_managed_entries plugin during upgrade.

If this cannot be achieved, the update_managed_entries plugin should always replace ACIs in non-replicated parts of the LDAP tree.

Details:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00411.html
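Because cn=config is not replicated, the workaround above (copying the ACI from the master to each replica) has to be verified on every server individually. The following added example is not code from this ticket or from FreeIPA; it audits which replicas lack a named managed-permission ACI, assuming FreeIPA's `acl "permission:<name>"` ACI naming, python-ldap for the optional fetch helper, and constructed placeholder ACI bodies and host names.

```python
import re
from typing import Dict, Iterable, List

# FreeIPA names each managed-permission ACI as:  acl "permission:<Permission name>"
ACI_NAME_RE = re.compile(r'acl\s+"permission:([^"]+)"')

def aci_names(aci_values: Iterable[str]) -> set:
    """Extract the managed-permission names present in a list of raw aci attribute values."""
    return {m.group(1) for m in map(ACI_NAME_RE.search, aci_values) if m}

def missing_acis(reference: Iterable[str], candidate: Iterable[str], wanted: List[str]) -> List[str]:
    """Names from `wanted` present on the reference server's cn=config but absent on the candidate."""
    present_ref, present_cand = aci_names(reference), aci_names(candidate)
    return sorted(n for n in wanted if n in present_ref and n not in present_cand)

def audit_replicas(master: Iterable[str], replicas: Dict[str, List[str]], wanted: List[str]) -> Dict[str, List[str]]:
    """Map each replica host to the wanted ACIs it lacks; hosts with nothing missing are omitted."""
    gaps = {host: missing_acis(master, acis, wanted) for host, acis in replicas.items()}
    return {host: gap for host, gap in gaps.items() if gap}

def fetch_config_acis(uri: str, binddn: str, password: str) -> List[str]:
    """Read cn=config's aci values over LDAP with python-ldap (imported lazily so the
    pure checks above run without it). Hypothetical helper; the sample below does not call it."""
    import ldap
    conn = ldap.initialize(uri)
    conn.simple_bind_s(binddn, password)
    dn, attrs = conn.search_s("cn=config", ldap.SCOPE_BASE, "(objectClass=*)", ["aci"])[0]
    return [v.decode("utf-8") for v in attrs.get("aci", [])]

# Constructed sample data: the ACI bodies and hosts are placeholders, not FreeIPA's real ACI text.
def _aci(name: str) -> str:
    return ('(targetattr = "*")(version 3.0;acl "permission:%s";allow (read, search, compare) '
            'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,dc=example,dc=test";)' % (name, name))

WANTED = ["System: Read Replication Agreements"]
MASTER_ACIS = [_aci("System: Read Replication Agreements"), _aci("System: Example Other Permission")]
REPLICAS = {
    "replica1.example.test": [_aci("System: Example Other Permission")],  # affected by this bug
    "replica2.example.test": list(MASTER_ACIS),                            # ACI copied over manually
}

if __name__ == "__main__":
    for host, gap in audit_replicas(MASTER_ACIS, REPLICAS, WANTED).items():
        print("%s is missing: %s" % (host, ", ".join(gap)))
```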


I would not remove the ACI from update_managed_entries, I would rather avoid returning to unstructured ACIs in update files. Some flag to always regenerate this ACI in non-replicated tree during installation or update may be better.

Replying to [comment:1 mkosek]:

I would not remove the ACI from update_managed_entries, I would rather avoid returning to unstructured ACIs in update files. Some flag to always regenerate this ACI in non-replicated tree during installation or update may be better.

This definitely sounds like a good way to go. Because this bug has existed in multiple versions of FreeIPA, you will have potentially hundreds, if not thousands of servers out there now in the wild missing this ACI. Any updates should ensure it exists, and regenerate it if it does not exist.

Replying to [comment:1 mkosek]:

I would not remove the ACI from update_managed_entries, I would rather avoid returning to unstructured ACIs in update files. Some flag to always regenerate this ACI in non-replicated tree during installation or update may be better.

This won't work. If you make a change to such a permission on one server, how do you replicate the resulting ACI change to other servers? (The answer is you don't, unless you have a dedicated daemon for monitoring changes in the replicated tree and acting upon them.)

master:

  • bba2355 fix permission: Read Replication Agreements

ipa-4-2:

  • de7ec77 fix permission: Read Replication Agreements

ipa-4-3:

  • 2bac05a fix permission: Read Replication Agreements

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2.4

2 years ago
