[Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance

Petr Spacek pspacek at redhat.com
Fri Jul 1 11:25:02 UTC 2016


On 1.7.2016 11:43, Petr Spacek wrote:
> On 1.7.2016 11:17, Petr Spacek wrote:
>> On 1.7.2016 11:04, Christian Heimes wrote:
>>> On 2016-07-01 10:59, Petr Spacek wrote:
>>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>>>>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>>>> host.
>>>>>>>
>>>>>>> On a replica without CA ca_host is a remote host (e.g. master's
>>>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>>>> which might be blocked by a firewall.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>>>>
>>>>>> Interesting. How it happens that replica without CA is calling RedHatCAService?
>>>>>>
>>>>>> Also, why replica should be waiting for CA if it is not installed?
>>>>>>
>>>>>> I'm confused.
>>>>>
>>>>> There is a hint in the last sentence: ipa-ca-install
>>>>>
>>>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>>>> never succeeds.
>>>>
>>>> Oh, I missed that, thanks!
>>>>
>>>> Isn't the root cause that ipa.env.ca_host does not get updated during
>>>> ipa-ca-install?
>>>
>>> Been there, tried it, didn't work:
>>> https://fedorahosted.org/freeipa/ticket/6016#comment:1
>>
>> I understand that it does not work right now but it does not mean that it is
>> an actual problem in api.env :-)
>>
>> Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
>> Petr^1 is about to push the RELEASE button any minute now.
>>
>> Petr^2 Spacek
>>
>>> It just doesn't make sense that RedHatCAService should ever check a
>>> remote instance. The rest of the class is about the local systemd
>>> service. As soon as we have sd_notify
>>> https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
>>> to wait for Dogtag.
> 
> It seems to work but ipa-client-install blows up on certificate request.
> 
> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20160701093734':
>         status: CA_UNREACHABLE
>         ca-error: Server at
> https://vm-058-082.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will
> retry: 903 (RPC failed at server.  an internal error has occurred).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local
> IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA
> host'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> error log on the server:
> 
> [Fri Jul 01 11:37:34.294677 2016] [wsgi:error] [pid 38273] ipa: INFO:
> [jsonserver_kerb]
> host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> host_mod(u'vm-046.abc.idm.lab.eng.brq.redhat.com', ipasshpubkey=(u'ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQCtrWFHeOF6UxI/DNdlLsUUazTpol2sRqQgbZplpkB9t/HUSjUHq0OY1mwaUfxvJp/E9yDmuHZgUgzKMSAdUf2apwFm5bw3T7qSdJ0Y7hC9vG0v6kLT0EaPuQmfJ8Rt4xOyva9htKbzkxs9Kr0ujB6V4u41ZZW2oevqtGunC2+aCxkQzd42we0c47ypxnvl8gGAa76CDXenGaChPKSfeEMddnhFvjGfkSyqjD+dCxBF+IyTRDPtt6f5iF80lfv/559rsKYlHdbbgv30i5C/F2DzaB011BmcQwK1eWSGWsEWVFtQKNMdahTl2IMgvZwHcaw8TMqgqqgZ7ZZ6lMR+UA8l',
> u'ecdsa-sha2-nistp256
> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHkoeGOzfQzqYOGQs2bdgL0jOBul+/eTBZ0HBM8HW3Wb5O15Fv3rt8jRp+xdSQcdG3DV5yPfjd66Fyz5hCTKS6s=',
> u'ssh-ed25519
> AAAAC3NzaC1lZDI1NTE5AAAAIH5/uXvdJ1l+uTAk0rgbjKeTBx9HRWk7w+xJLHMt/yRx'),
> updatedns=False, version=u'2.26'): SUCCESS
> [Fri Jul 01 11:37:37.961175 2016] [wsgi:error] [pid 38272] ipa: ERROR:
> non-public: ValueError: User name is defined only for user and enterprise
> principals
> [Fri Jul 01 11:37:37.961220 2016] [wsgi:error] [pid 38272] Traceback (most
> recent call last):
> [Fri Jul 01 11:37:37.961224 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in
> wsgi_execute
> [Fri Jul 01 11:37:37.961226 2016] [wsgi:error] [pid 38272]     result =
> self.Command[name](*args, **options)
> [Fri Jul 01 11:37:37.961229 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
> [Fri Jul 01 11:37:37.961259 2016] [wsgi:error] [pid 38272]     return
> self.__do_call(*args, **options)
> [Fri Jul 01 11:37:37.961262 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
> [Fri Jul 01 11:37:37.961265 2016] [wsgi:error] [pid 38272]     ret =
> self.run(*args, **options)
> [Fri Jul 01 11:37:37.961267 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
> [Fri Jul 01 11:37:37.961269 2016] [wsgi:error] [pid 38272]     return
> self.execute(*args, **options)
> [Fri Jul 01 11:37:37.961271 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 456, in execute
> [Fri Jul 01 11:37:37.961274 2016] [wsgi:error] [pid 38272]
> caacl_check(principal_type, principal, ca, profile_id)
> [Fri Jul 01 11:37:37.961276 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 227, in
> caacl_check
> [Fri Jul 01 11:37:37.961278 2016] [wsgi:error] [pid 38272]     principal, ca,
> profile_id):
> [Fri Jul 01 11:37:37.961280 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 126, in
> acl_evaluate
> [Fri Jul 01 11:37:37.961283 2016] [wsgi:error] [pid 38272]     req =
> _acl_make_request(principal_type, principal, ca_id, profile_id)
> [Fri Jul 01 11:37:37.961285 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 68, in
> _acl_make_request
> [Fri Jul 01 11:37:37.961287 2016] [wsgi:error] [pid 38272]     req.user.name =
> principal.username
> [Fri Jul 01 11:37:37.961289 2016] [wsgi:error] [pid 38272]   File
> "/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 169, in username
> [Fri Jul 01 11:37:37.961292 2016] [wsgi:error] [pid 38272]     "User name is
> defined only for user and enterprise principals")
> [Fri Jul 01 11:37:37.961294 2016] [wsgi:error] [pid 38272] ValueError: User
> name is defined only for user and enterprise principals
> [Fri Jul 01 11:37:37.961656 2016] [wsgi:error] [pid 38272] ipa: INFO:
> [xmlserver]
> host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> cert_request(u'[... base64 CSR truncated in the archive ...]
>  AAMCAGA1UdDgEBAAQWBBQQxo41ZpwB24cjTd1cxY9eKbxNkTANBgkqhkiG9w0BAQsFAAOCAQEAERsZQANNrwiDBTEa0Kpif5DB/lfRjSedZpIL/mPPRUJnKus/9hV5gyUZcUQ+c2NEwvIApBJk0TeSIU0xj+dFOsqaN8iPj05XI5axEnBOqGdkHfjxSe96eR7WHCX8JJPdy5SMcoa1T3R6+4myq2/CWceTNcfxM4DdAY5kYvaePOPb13l3YUy9yB12QhDx+BBTNfmsmVxvGkySfegJcJMacQrbIk3AAoj3BklrTSQPqESBvqSVWT/yZE2HcQ6H2aLfeChdieYFsl/gPqCbLDKQA7gdK9Pv5w2dDzMGvpNne/1MCksu9MD9Ys9KvuugOjWNHciglO/kwF4ZJbfJsRqz0Q==',
> principal=u'host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM',
> add=True, version=u'2.51'): ValueError
> 
> 
> I suspect that this is a regression caused by Kerberos aliases support but I'm
> not going to ACK this until I can test it thoroughly.

Okay, after '[PATCH 0178] Fix incorrect check for principal type when
evaluating CA ACLs' it works. ACK.

-- 
Petr^2 Spacek
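The defect under discussion is a readiness check that targets whatever host `api.env.ca_host` names instead of the instance being installed, so on a replica the wait loop can hang on a firewalled remote port. The Python below is an added example, not FreeIPA's or Dogtag's own code: it polls `/ca/admin/ca/getStatus` (the path named in the thread) on an explicitly chosen host that defaults to `localhost`, parses the reply, retries on connection errors and enforces a deadline. The XML element names (`<XMLResponse>`, `<Status>`), the sample bodies, the hostname `master.example.test` and the virtual clock are all constructed assumptions for the demonstration; the real network probe (`http_probe`) is included for readers but the two `demo_*` functions run offline.

```python
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample replies for /ca/admin/ca/getStatus. The element names are
# an assumption about Dogtag's XML format, not something the thread shows.
SAMPLE_STARTING = b"<XMLResponse><State>0</State><Type>CA</Type><Status>starting</Status></XMLResponse>"
SAMPLE_RUNNING = b"<XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.3.0</Version></XMLResponse>"


def parse_ca_status(body):
    """Return the text of <Status> from a getStatus reply; raise if it is absent."""
    root = ET.fromstring(body)
    status = root.findtext("Status")
    if status is None:
        raise ValueError("getStatus reply has no <Status> element")
    return status.strip()


def http_probe(host, port, use_https=False, cafile=None):
    """Fetch the raw getStatus body over HTTP(S). Raises OSError when the port is blocked."""
    scheme = "https" if use_https else "http"
    url = "%s://%s:%d/ca/admin/ca/getStatus" % (scheme, host, port)
    ctx = ssl.create_default_context(cafile=cafile) if use_https else None
    with urllib.request.urlopen(url, timeout=5, context=ctx) as resp:
        return resp.read()


def wait_until_running(probe, host="localhost", port=8080, timeout=60.0,
                       interval=1.0, clock=time.monotonic, sleep=time.sleep):
    """Poll probe(host, port) until Dogtag reports 'running'; return the attempt count.

    The host is an explicit parameter defaulting to localhost rather than a
    global such as api.env.ca_host, so installing a CA on a replica checks the
    replica's own instance. Connection failures and malformed replies are
    retried until the deadline, after which TimeoutError is raised.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            if parse_ca_status(probe(host, port)) == "running":
                return attempts
        except (OSError, ValueError, ET.ParseError):
            pass  # not reachable or not ready yet; keep polling
        if clock() >= deadline:
            raise TimeoutError("Dogtag on %s:%d not running after %.0fs (%d attempts)"
                               % (host, port, timeout, attempts))
        sleep(interval)


class FakeClock:
    """Virtual clock so the polling loop can be exercised without real sleeps."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def scripted_probe(script):
    """Build a probe that replays a list of bodies or exceptions, one per call."""
    calls = iter(script)

    def probe(host, port):
        item = next(calls)
        if isinstance(item, BaseException):
            raise item
        return item
    return probe


def demo_local_ca_comes_up():
    """Local instance: two refused connections, one 'starting', then 'running'."""
    clock = FakeClock()
    probe = scripted_probe([ConnectionRefusedError(), ConnectionRefusedError(),
                            SAMPLE_STARTING, SAMPLE_RUNNING])
    return wait_until_running(probe, host="localhost", timeout=60, interval=1,
                              clock=clock.monotonic, sleep=clock.sleep)


def demo_remote_host_blocked():
    """Firewalled remote host (constructed name): the loop gives up at the deadline."""
    clock = FakeClock()
    probe = scripted_probe([ConnectionRefusedError()] * 100)
    try:
        wait_until_running(probe, host="master.example.test", timeout=5, interval=1,
                           clock=clock.monotonic, sleep=clock.sleep)
    except TimeoutError:
        return clock.now
    return None
```

`demo_local_ca_comes_up()` returns 4 (the attempt on which the local instance reported `running`); `demo_remote_host_blocked()` returns 5.0, the virtual time at which the blocked remote check was abandoned instead of hanging indefinitely. The deadline is the part worth keeping even after the host selection is fixed: an installer that waits forever on a readiness probe turns a firewall rule into an unbounded hang.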