context.principal is used for the info log in the error case of the execution of the commands. But this attribute does not seem to be set in all cases (using server context), which results in a trace in the error handling. Therefore the execution is aborted and real failure is not returned.
Trace back and aborted execution
No failure and full processing of all commands.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server ipa-server-4.11.0-5.el9.x86_64 ipa-client-4.11.0-5.el9.x86_64 389-ds-base-2.4.5-3.el9.x86_64 krb5-server-1.21.1-1.el9.x86_64
Please provide logs and a reproducer json content. context.principal should be set for all HTTPS-endpoint initiated calls.
The reproducer:
<img alt="batch-test.py" src="/freeipa/issue/raw/files/8b20c2dea370df38ba30a77648a882c8a4a5853640087f43c582b1933a651ab3-batch-test.py" />
Current Output Init
Add host batch-test-host-01.cos9.local
Run batch: [{'method': 'host_mod', 'params': (['batch-test-host-01.cos9.local'], {'updatedns': True})}, {'method': 'host_mod', 'params': (['batch-test-host-01.cos9.local'], {'location': 'bar'})}]
AttributeError("'_thread._local' object has no attribute 'principal'") name 'ret' is not defined
location: None
Expected Output Init
ipa: INFO: UNKNOWN: batch: host_mod('batch-test-host-01.cos9.local', updatedns=True): EmptyModlist ipa: INFO: UNKNOWN: batch: ConversionError ("{'count': 2, 'results': [{'error': 'no modifications to be performed', " "'error_code': 4202, 'error_name': 'EmptyModlist', 'error_kw': {}}, {'error': " '"invalid \'params\': Unknown option: location", \'error_code\': 3008, ' "'error_name': 'ConversionError', 'error_kw': {'name': 'params', 'error': " "'Unknown option: location'}}], 'messages': [{'type': 'warning', 'name': " '\'VersionMissing\', \'message\': "API Version number was not sent, forward ' 'compatibility not guaranteed. Assuming server\'s API version, 2.253", ' "'code': 13001, 'data': {'server_version': '2.253'}}]}")
This reproducer uses server context which is not expected to provide context.principal because it uses LDAPI with UID binding and is not GSSAPI authentication. We still need to fix places where context.principal is referenced to avoid those issues.
context.principal
Worse batch
batch_args = [ { "method": "host_mod", "params": ([host_fqdn], { "nshostlocation": "foo", }) }, { "method": "host_mod", "params": ([host_fqdn], { "updatedns": True, }) }, { "method": "host_mod", "params": ([host_fqdn], { "nshostlocation": "bar", }) }, ]
Current result Init
Run batch: [{'method': 'host_mod', 'params': (['batch-test-host-01.cos9.local'], {'nshostlocation': 'foo'})}, {'method': 'host_mod', 'params': (['batch-test-host-01.cos9.local'], {'updatedns': True})}, {'method': 'host_mod', 'params': (['batch-test-host-01.cos9.local'], {'nshostlocation': 'bar'})}]
ipa: INFO: UNKNOWN: batch: host_mod('batch-test-host-01.cos9.local', nshostlocation='foo'): SUCCESS AttributeError("'_thread._local' object has no attribute 'principal'") name 'ret' is not defined
location: ['foo']
Expected result Init
ipa: INFO: UNKNOWN: batch: host_mod('batch-test-host-01.cos9.local', nshostlocation='foo'): SUCCESS ipa: INFO: UNKNOWN: batch: host_mod('batch-test-host-01.cos9.local', updatedns=True): EmptyModlist ipa: INFO: UNKNOWN: batch: host_mod('batch-test-host-01.cos9.local', nshostlocation='bar'): SUCCESS ("{'count': 3, 'results': [{'result': {'krbprincipalname': " "[ipapython.kerberos.Principal('host/batch-test-host-01.cos9.local@COS9.LOCAL')], " "'fqdn': ['batch-test-host-01.cos9.local'], 'nshostlocation': ['foo'], " "'krbcanonicalname': " "[ipapython.kerberos.Principal('host/batch-test-host-01.cos9.local@COS9.LOCAL')], " "'has_password': False, 'has_keytab': False, 'managedby_host': " "['batch-test-host-01.cos9.local']}, 'value': " "'batch-test-host-01.cos9.local', 'summary': 'Modified host " '"batch-test-host-01.cos9.local"\', \'error\': None}, {\'error\': \'no ' "modifications to be performed', 'error_code': 4202, 'error_name': " "'EmptyModlist', 'error_kw': {}}, {'result': {'krbprincipalname': " "[ipapython.kerberos.Principal('host/batch-test-host-01.cos9.local@COS9.LOCAL')], " "'fqdn': ['batch-test-host-01.cos9.local'], 'nshostlocation': ['bar'], " "'krbcanonicalname': " "[ipapython.kerberos.Principal('host/batch-test-host-01.cos9.local@COS9.LOCAL')], " "'has_password': False, 'has_keytab': False, 'managedby_host': " "['batch-test-host-01.cos9.local']}, 'value': " "'batch-test-host-01.cos9.local', 'summary': 'Modified host " '"batch-test-host-01.cos9.local"\', \'error\': None}], \'messages\': ' '[{\'type\': \'warning\', \'name\': \'VersionMissing\', \'message\': "API ' 'Version number was not sent, forward compatibility not guaranteed. Assuming ' 'server\'s API version, 2.253", \'code\': 13001, \'data\': ' "{'server_version': '2.253'}}]}")
location: ['bar']
@twoerner can you try https://github.com/freeipa/freeipa/pull/7335 ?
@abbra About batch, why aren't you changing line 177, like I did in PR https://github.com/freeipa/freeipa/pull/7332/ ?
Using just 'UNKNOWN' is incorrect. We have security checks there in place, they need to be done regardless whether context principal is set or not. And that means validating things before we dereference context.principal.
There is getattr(context, 'principal', 'UNKNOWN') in line 177, shouldn't this be replaced with op_account also?
getattr(context, 'principal', 'UNKNOWN')
op_account
There are more places where getattr(context, 'principal') is used in plugins.
getattr(context, 'principal')
Understood.
Why these comments are here and not in the pull request review, btw?
Yeah, good point.
master:
ipa-4-11:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.