#7593 Replication races in DogtagInstance.setup_admin
Closed: fixed 6 months ago by cheimes. Opened 6 months ago by cheimes.

DogtagInstance.setup_admin and related methods have multiple LDAP replication race conditions. The bugs can cause parallel ipa-replica-install to fail. The issue typically manifests itself as:

com.netscape.certsrv.base.PKIException: Failed to obtain installation token from security domain: com.netscape.certsrv.base.UnauthorizedException: User admin-replica1.ipa.example is not a member of Enterprise CA Administrators group.

_add_admin_to_group

The _add_admin_to_group method https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_397-407 uses an LDAP search + MOD_REPLACE to add the host admin to the admin group. This is subject to race conditions. In case another thread, process, or replica modifies the group between read and mod, the previous modification is lost. The method must use MOD_ADD to add the user to the group.

setup_admin

The setup_admin waits until the new admin user has been replicated to the replication source. But that is not sufficient. Since the admin is first created and then appended to the groups, the method must wait until the group membership additions have been replicated, too.

https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_439-444
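The two problems above, shown side by side in an added example that is not FreeIPA or python-ldap code: an in-memory stand-in for one LDAP group entry, two "replicas" adding their host admin concurrently via search + MOD_REPLACE (one addition is lost) versus MOD_ADD (both survive), and a polling helper that waits for the group membership itself, not just the user entry, to show up on the other side before proceeding. FakeGroupEntry, run_two_writers, wait_for_membership and the sample DNs are made up for this illustration; the barrier only forces the interleaving that a real deployment hits by timing.

```python
"""Added example (not FreeIPA code): simulate the two races from the ticket."""
import threading
import time

# Constructed sample DNs; the real ipaca suffix and naming are not reproduced here.
GROUP_DN = "cn=Enterprise CA Administrators,ou=groups,o=ipaca"
REPLICA_ADMINS = [
    "uid=admin-replica1.ipa.example,ou=people,o=ipaca",
    "uid=admin-replica2.ipa.example,ou=people,o=ipaca",
]


class FakeGroupEntry:
    """Minimal model of one LDAP entry with a multi-valued member attribute."""

    def __init__(self, members):
        self._lock = threading.Lock()
        self._attrs = {"uniqueMember": list(members)}

    def search(self, attr):
        # LDAP search: hands the client a snapshot of the current value set
        with self._lock:
            return list(self._attrs.get(attr, []))

    def mod_replace(self, attr, values):
        # MOD_REPLACE: the server overwrites the whole value set with the
        # client's copy, which may already be stale by the time it arrives
        with self._lock:
            self._attrs[attr] = list(values)

    def mod_add(self, attr, values):
        # MOD_ADD: the server appends under its own lock; the client never
        # sends the full set, so there is no read-modify-write window
        with self._lock:
            current = self._attrs.setdefault(attr, [])
            for value in values:
                if value in current:
                    raise ValueError("attributeOrValueExists: %s" % value)
                current.append(value)


def add_member_search_replace(group, dn, barrier):
    """The racy pattern the ticket describes: read, append locally, MOD_REPLACE."""
    members = group.search("uniqueMember")
    barrier.wait()  # both writers have read the old set before either writes
    members.append(dn)
    group.mod_replace("uniqueMember", members)  # last writer clobbers the other


def add_member_mod_add(group, dn, barrier):
    """The fix: let the server do the append with MOD_ADD."""
    barrier.wait()
    group.mod_add("uniqueMember", [dn])


def run_two_writers(add_func):
    """Two replicas add their host admin to the same group at the same time.
    Returns the group's final member list."""
    group = FakeGroupEntry(["uid=admin,ou=people,o=ipaca"])
    barrier = threading.Barrier(len(REPLICA_ADMINS))
    threads = [threading.Thread(target=add_func, args=(group, dn, barrier))
               for dn in REPLICA_ADMINS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return group.search("uniqueMember")


def wait_for_membership(lookup, group_dn, member_dn, timeout=300.0, interval=0.5):
    """Poll lookup(group_dn) until member_dn is among the returned members.

    Waiting for the user entry alone is the gap the ticket's second point
    describes: the membership MOD is a separate replicated change, and the
    PKI authorization check fails until it has arrived too.
    Returns True once the membership is visible, False when timeout expires.
    """
    deadline = time.monotonic() + timeout
    while True:
        if member_dn in lookup(group_dn):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


if __name__ == "__main__":
    racy = run_two_writers(add_member_search_replace)
    fixed = run_two_writers(add_member_mod_add)
    print("search + MOD_REPLACE:", len(racy), "members (one addition lost)")
    print("MOD_ADD:            ", len(fixed), "members")
```

The lost-update outcome of the first scenario is exactly what produces the "is not a member of Enterprise CA Administrators group" error quoted above when two replica installs overlap; MOD_ADD removes the window, and the membership wait covers the ordering between user creation and group update.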


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2051

6 months ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1594141

6 months ago

master:

  • 14c869b Improve and fix timeout bug in wait_for_entry()
  • 1b966f7 Use common replication wait timeout of 5min
  • ad838c3 Fix replication races in Dogtag admin code

ipa-4-6:

  • 7357637 Improve and fix timeout bug in wait_for_entry()
  • 3988988 Use common replication wait timeout of 5min
  • 763951c Fix replication races in Dogtag admin code

ipa-4-5:

  • 7e96487 Improve and fix timeout bug in wait_for_entry()
  • d129cb2 Use common replication wait timeout of 5min
  • b763b62 Fix replication races in Dogtag admin code

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

master:

  • 52cdd21 Catch ACIError instead of invalid credentials

ipa-4-6:

  • d0dd00f Catch ACIError instead of invalid credentials
