[Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

Jan Pazdziora jpazdziora at redhat.com
Wed Mar 12 09:20:41 UTC 2014


On Tue, Mar 11, 2014 at 04:09:37PM +0100, Petr Viktorin wrote:
> 
> Unfortunately, yes, these operations are racy. When something fails,
> or when doing two operations simultaneously, it is possible that the
> objects are not both added.
> If that happens, it is the ACI that should be missing. The
> permission is added first, and the ACI is deleted first. This means
> that when things fail, access is denied, which is both more secure
> and easier to spot than having a stray ACI floating around.
> 
> (In the long term, I'd really like to see a DS plugin for
> permission/ACI sync, so we can leverage transactions -- IPA is
> really the wrong layer to re-implement transactions in.)
> 
> To answer your question, if the permission+ACI is already in LDAP,
> the call will fail with a DuplicateEntry error and post_callback
> won't get called.
> 
> For the case that another permission_add command is called to add a
> permission of the same name, the existence of the permission entry
> acts as a "lock": while it's there, the other permission_add will
> fail, and removing it ("releasing the lock") is the last thing done
> in the error handler.
> 
> I guess it would be good to add a comment saying this.

Thank you for the explanation.

In that case, ack on the patch, provided you add a nice comment. ;-)

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
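
The ordering explained in the quoted text above, as an added example that is not part of the original thread and is not FreeIPA's code: the permission entry is written first and serves as the lock, the ACI second, and a failed ACI write removes the permission entry last. `ToyDirectory`, `ACIWriteError` and `access_granted` are hypothetical names, and the in-memory store is a constructed stand-in for the LDAP server.

```python
class DuplicateEntry(Exception):
    """An entry with this name already exists."""

class ACIWriteError(Exception):
    """Hypothetical error for a failed ACI write."""

class ToyDirectory:
    """In-memory stand-in for the LDAP server (constructed for this example)."""
    def __init__(self, fail_aci_for=()):
        self.permissions = {}                    # permission name -> attributes
        self.acis = {}                           # permission name -> ACI text
        self.fail_aci_for = set(fail_aci_for)    # names whose ACI write fails

    def add_permission_entry(self, name, attrs):
        if name in self.permissions:
            raise DuplicateEntry(name)
        self.permissions[name] = dict(attrs)

    def add_aci(self, name):
        if name in self.fail_aci_for:
            raise ACIWriteError(name)
        self.acis[name] = "placeholder ACI for " + name

def permission_add(directory, name, attrs):
    # The permission entry goes in first and acts as the lock: a concurrent
    # add of the same name fails here, before the error handler is in scope,
    # so it can never remove an entry that another caller owns.
    directory.add_permission_entry(name, attrs)
    try:
        directory.add_aci(name)
    except Exception:
        # Clean up, releasing the lock (the permission entry) last.
        directory.acis.pop(name, None)
        directory.permissions.pop(name, None)
        raise

def permission_del(directory, name):
    # ACI is deleted first, so an interrupted delete leaves access denied.
    directory.acis.pop(name, None)
    directory.permissions.pop(name, None)

def access_granted(directory, name):
    # Only an ACI grants access; a permission entry without one denies.
    return name in directory.acis
```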
