[Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

Petr Viktorin pviktori at redhat.com
Wed Mar 12 11:17:37 UTC 2014


On 03/12/2014 10:20 AM, Jan Pazdziora wrote:
> On Tue, Mar 11, 2014 at 04:09:37PM +0100, Petr Viktorin wrote:
>>
>> Unfortunately, yes, these operations are racy. When something fails,
>> or when doing two operations simultaneously, it is possible that the
>> objects are not both added.
>> If that happens, it is the ACI that should be missing. The
>> permission is added first, and the ACI is deleted first. This means
>> that when things fail, access is denied, which is both more secure
>> and easier to spot than having a stray ACI floating around.
>>
>> (In the long term, I'd really like to see a DS plugin for
>> permission/ACI sync, so we can leverage transactions -- IPA is
>> really the wrong layer to re-implement transactions in.)
>>
>> To answer your question, if the permission+ACI is already in LDAP,
>> the call will fail with a DuplicateEntry error and post_callback
>> won't get called.
>>
>> For the case that another permission_add command is called to add a
>> permission of the same name, the existence of the permission entry
>> acts as a "lock": while it's there, the other permission_add will
>> fail, and removing it ("releasing the lock") is the last thing done
>> in the error handler.
>>
>> I guess it would be good to add a comment saying this.
>
> Thank you for the explanation.
>
> In that case, ack on the patch, provided you add a nice comment. ;-)
>


Thanks, added comment and pushed to master: 
d3a34591a807f1420042ddbb53b3d5ac846927aa

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0471.2-permission_add-Remove-permission-entry-if-adding-the.patch
Type: text/x-patch
Size: 3603 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140312/245e4a6c/attachment.bin>
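The ordering described in the quoted explanation above, as an added example that is not part of this thread and is not FreeIPA's code. `FakeDirectory`, `ACIError`, `stray_acis` and the function bodies are a constructed in-memory stand-in for LDAP; only the names `permission_add` and `DuplicateEntry` come from the message.

```python
class DuplicateEntry(Exception):
    pass

class ACIError(Exception):
    pass

class FakeDirectory:
    """Constructed in-memory stand-in for LDAP (hypothetical, not FreeIPA's API)."""
    def __init__(self, fail_aci_for=()):
        self.permissions = set()
        self.acis = set()
        self.fail_aci_for = set(fail_aci_for)  # names whose ACI add will fail

    def add_permission(self, name):
        if name in self.permissions:
            raise DuplicateEntry(name)
        self.permissions.add(name)

    def add_aci(self, name):
        if name in self.fail_aci_for:
            raise ACIError(name)
        self.acis.add(name)

def permission_add(ds, name):
    # Step 1: the permission entry goes in first. Its existence is the "lock":
    # a second add of the same name fails here, before any rollback code runs,
    # so an existing permission is never deleted by a duplicate request.
    ds.add_permission(name)
    try:
        # Step 2: the ACI, which is what actually grants access.
        ds.add_aci(name)
    except Exception:
        # Roll back; removing the entry ("releasing the lock") is done last.
        ds.permissions.discard(name)
        raise

def permission_del(ds, name):
    # Reverse order: ACI first, so a failure midway leaves access denied.
    ds.acis.discard(name)
    ds.permissions.discard(name)

def stray_acis(ds):
    """ACIs with no matching permission entry: the state the ordering avoids."""
    return ds.acis - ds.permissions
```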

