[Freeipa-devel] certprofiles -- problem with delete

Martin Kosek mkosek at redhat.com
Thu May 21 13:20:30 UTC 2015


On 05/21/2015 03:10 PM, Fraser Tweedale wrote:
> On Thu, May 21, 2015 at 02:36:14PM +0200, Milan Kubik wrote:
>> Hi Fraser and list,
>>
>> I ran into this when I was tinkering with the commands.
>>
>> The ipa certprofile plugin[s] does not take the backend result into the
>> picture right now. When I tried to delete the *default profile*, the entry
>> from ipa suffix got deleted. However the command failed
>> and the profile is still in the dogtag managed suffix.
>> After I've done this to the installed instance, subsequent uninstall
>> operation failed on some step involving dogtag. I suspect it is related.
>> I haven't been able to reproduce this for now as at the moment there
>> was no package with dogtag in the copr repo.
>> Reproducer for this is attached. (This reproducer requires patches at
>> least up to freeipa-ftweedal-0005-3-Add-certprofile-plugin.patch)
>>
>> It may be a more complicated issue than it seems, though.
>> If we delete the ipa managed entry before the dogtag operation
>> and this one fails, it leaves us in an inconsistent state.
>> If on the other hand we delete the ipa managed entry after dogtag
>> call, it opens a possibility of failing to delete the entry in ipa, leading
>> to inconsistency again.
>>
>> The solution to this would be a transaction. The problem here is
>> that the transaction here would span through two integrated
>> components (three actually, ipa, 389 and dogtag, in this context).
>> Not an easy thing to do I assume.
>>
>> TL;DR:
>>
>>  * certprofile-del deletes ipa managed entry and dogtag doesn't
>>  * how do we approach possibly irreversible changes in LDAPObject
>>     plugins when integrated component doesn't behave?
>>
>> Your thoughts on this?
>>
> Thanks for the report - certprofile-del was working at an earlier
> stage so I will track down the issue and fix.
> 
> I have pondered the transaction requirements: I am managing it for
> certprofile-import by deleting the entry if the dogtag import fails.
> I suppose I can do a similar thing for certprofile del - keep a copy
> of the entry and re-add it if delete fails.  Sound OK to you?

Yeah, this is what we do in permission-mod post_callback for example.

> 
> Cheers,
> Fraser
> 
>>
>> Thanks,
>> Milan
> 
> 
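The snapshot-and-restore compensation Fraser proposes for certprofile-del (and that Martin notes permission-mod already does in its post_callback), as an added example that is not FreeIPA code: the IPA entry is copied before deletion and re-added if the Dogtag call fails, so neither ordering leaves the two stores out of sync. The in-memory LDAP store, the stand-in Dogtag backend, the profile names and the DN suffix are all constructed for this example.

```python
import copy


class BackendError(Exception):
    """Raised when the Dogtag-side operation fails."""


class InMemoryLDAP:
    """Constructed stand-in for the IPA suffix in 389 DS."""
    def __init__(self, entries):
        self.entries = {dn: copy.deepcopy(e) for dn, e in entries.items()}

    def get_entry(self, dn):
        return copy.deepcopy(self.entries[dn])

    def delete_entry(self, dn):
        del self.entries[dn]

    def add_entry(self, dn, entry):
        if dn in self.entries:
            raise KeyError("entry already exists: %s" % dn)
        self.entries[dn] = copy.deepcopy(entry)


class FakeDogtag:
    """Constructed stand-in for the Dogtag profile store; refuses to delete
    the profiles listed in `undeletable` (the default profile in the report)."""
    def __init__(self, profiles, undeletable=()):
        self.profiles = set(profiles)
        self.undeletable = set(undeletable)

    def delete_profile(self, profile_id):
        if profile_id in self.undeletable:
            raise BackendError("profile %s cannot be deleted" % profile_id)
        self.profiles.discard(profile_id)


def profile_dn(profile_id):
    # Hypothetical DN layout; the real container is not shown on the page.
    return "cn=%s,cn=certprofiles,cn=ca,dc=example,dc=test" % profile_id


def certprofile_del(ldap, dogtag, profile_id):
    """Delete the IPA entry, then the Dogtag profile. If Dogtag fails, re-add
    the saved entry (the compensating action) and re-raise the error."""
    dn = profile_dn(profile_id)
    saved = ldap.get_entry(dn)      # keep a copy before the irreversible step
    ldap.delete_entry(dn)
    try:
        dogtag.delete_profile(profile_id)
    except BackendError:
        ldap.add_entry(dn, saved)   # restore, so IPA and Dogtag agree again
        raise


def run_delete(ldap, dogtag, profile_id):
    """Attempt a delete and report (succeeded, entry_present, profile_present)."""
    try:
        certprofile_del(ldap, dogtag, profile_id)
        ok = True
    except BackendError:
        ok = False
    return ok, profile_dn(profile_id) in ldap.entries, profile_id in dogtag.profiles
```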