#8596 improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
Closed: fixed 4 months ago by abbra. Opened 5 months ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1895197

Description of problem:

improve the way IPA detects PKI services, do not rely on files or directories,
try to rely on the Dogtag tools or interfaces, example:

use
pki-server subsystem-find
from
base/server/python/pki/server/cli/subsystem.py
class SubsystemFindCLI(pki.cli.CLI):

pki-server subsystem-find
-----------------
2 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True


instead of

/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

    def is_installed(self):
        """
        Determine if subsystem instance has been installed.
        Returns True/False
        """
        return os.path.exists(os.path.join(
            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))


this directory path testing return an incorrect true status because for
example, there is no "ipa-kra-install --uninstall" ( removed in 2018 / bz
1454444 ):
ipa-kra-install --uninstall
ERROR: Standalone KRA uninstallation was removed in IPA 4.5 as it had never
worked properly and only caused issues.


real world scenario example:

there is a RHEL-7 IPA replica deployed
that system is updated from RHEL-7.8 to RHEL-7.9
the update fails in IPA, leading to failing "ipactl restart", then to some
serious other problems:


in this case, there was no PKI KRA subsystem configured listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b "ou=Security
Domain,o=ipaca"
nor from a
ipa config-show --all

and no ipara listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b o=ipaca
'(|(uid=ipara)(uid=ipakra))'

but we till had a directory
/var/lib/pki/pki-tomcat/kra/

so the test in
/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

incorrectly returned a true status in is_installed(self)

that all lead to a LDAP error on no ipakra user entry, then to a failed IPA
update, then to a failed ipactl start, and a bad situation.


Version-Release number of selected component (if applicable):
RHEL-7
RHEL-8

How reproducible:


Steps to Reproduce:
1. IPA with CA, NO KRA
2. add a /var/lib/pki/pki-tomcat/kra/ directory
3. try to run the ipa console for
api.Updater[fix_kra_people_entry]()


Actual results:

2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
...
2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
966, in update
    self._run_updates(all_updates)
...
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_peop
le_entry.py", line 35, in execute
    entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

then I realize there is no KRA agent LDAP entry
uid=ipakra,ou=people,o=kra,o=ipaca
because that RHEL IPA system has no KRA installed (but has a CA)

so why the failure in fix_kra_people_entry.py if there is no KRA ??

the IPA update uses "plug-ins" to update various elements, listed from
/usr/share/ipa/updates/90-post_upgrade_plugins.update

and one of them is
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry
.py

which calls
/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

which calls a function is_installed()

the problem is is_installed() simply check for a directory path to decide a PKI
subsystem is installed and configured, which is not a sufficient way to detect
the availability of a service.


Expected results:
yes


Additional info:

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1895197

5 months ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

5 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5290

5 months ago

master:

  • 930453b Improve PKI subsystem detection
  • 526686e ipatests: add test for PKI subsystem detection

ipa-4-8:

  • af830c0 Improve PKI subsystem detection
  • 7d47e37 ipatests: add test for PKI subsystem detection

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago

ipa-4-9:

  • cf30cc3 Improve PKI subsystem detection
  • 24f6a36 ipatests: add test for PKI subsystem detection

ipa-4-6:

  • 137c456 Improve PKI subsystem detection
  • 8367ede ipatests: add test for PKI subsystem detection

master:

  • 6e0634b ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-8:

  • 35be925 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-9:

  • 0db2896 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-6:

  • 46a4e93 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

Login to comment on this ticket.

Metadata