[Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance

Martin Basti mbasti at redhat.com
Thu Jul 7 12:54:12 UTC 2016

On 01.07.2016 13:25, Petr Spacek wrote:
> On 1.7.2016 11:43, Petr Spacek wrote:
>> On 1.7.2016 11:17, Petr Spacek wrote:
>>> On 1.7.2016 11:04, Christian Heimes wrote:
>>>> On 2016-07-01 10:59, Petr Spacek wrote:
>>>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make an
>>>>>>>> HTTP(S) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>>>>> host.
>>>>>>>>
>>>>>>>> On a replica without CA ca_host is a remote host (e.g. master's
>>>>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>>>>> which might be blocked by a firewall.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>>>>> Interesting. How does it happen that a replica without CA is calling RedHatCAService?
>>>>>>>
>>>>>>> Also, why should a replica be waiting for the CA if it is not installed?
>>>>>>>
>>>>>>> I'm confused.
>>>>>> There is a hint in the last sentence: ipa-ca-install
>>>>>>
>>>>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>>>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>>>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>>>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>>>>> never succeeds.
>>>>> Oh, I missed that, thanks!
>>>>>
>>>>> Isn't the root cause that ipa.env.ca_host does not get updated during
>>>>> ipa-ca-install?
>>>> Been there, tried it, didn't work:
>>>> https://fedorahosted.org/freeipa/ticket/6016#comment:1
>>> I understand that it does not work right now but it does not mean that it is
>>> an actual problem in api.env :-)
>>>
>>> Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
>>> Petr^1 is about to push the RELEASE button any minute now.
>>>
>>> Petr^2 Spacek
>>>
>>>> It just doesn't make sense that RedHatCAService should ever check a
>>>> remote instance. The rest of the class is about the local systemd
>>>> service. As soon as we have sd_notify
>>>> https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
>>>> to wait for Dogtag.
>> It seems to work but ipa-client-install blows up on certificate request.
>>
>> # getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160701093734':
>>          status: CA_UNREACHABLE
>>          ca-error: Server at
>> https://vm-058-082.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will
>> retry: 903 (RPC failed at server.  an internal error has occurred).
>>          stuck: no
>>          key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local
>> IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
>>          certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA
>> host'
>>          CA: IPA
>>          issuer:
>>          subject:
>>          expires: unknown
>>          pre-save command:
>>          post-save command:
>>          track: yes
>>          auto-renew: yes
>>
>> error log on the server:
>>
>> [Fri Jul 01 11:37:34.294677 2016] [wsgi:error] [pid 38273] ipa: INFO:
>> [jsonserver_kerb]
>> host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>> host_mod(u'vm-046.abc.idm.lab.eng.brq.redhat.com', ipasshpubkey=(u'ssh-rsa
>> AAAAB3NzaC1yc2EAAAADAQABAAABAQCtrWFHeOF6UxI/DNdlLsUUazTpol2sRqQgbZplpkB9t/HUSjUHq0OY1mwaUfxvJp/E9yDmuHZgUgzKMSAdUf2apwFm5bw3T7qSdJ0Y7hC9vG0v6kLT0EaPuQmfJ8Rt4xOyva9htKbzkxs9Kr0ujB6V4u41ZZW2oevqtGunC2+aCxkQzd42we0c47ypxnvl8gGAa76CDXenGaChPKSfeEMddnhFvjGfkSyqjD+dCxBF+IyTRDPtt6f5iF80lfv/559rsKYlHdbbgv30i5C/F2DzaB011BmcQwK1eWSGWsEWVFtQKNMdahTl2IMgvZwHcaw8TMqgqqgZ7ZZ6lMR+UA8l',
>> u'ecdsa-sha2-nistp256
>> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHkoeGOzfQzqYOGQs2bdgL0jOBul+/eTBZ0HBM8HW3Wb5O15Fv3rt8jRp+xdSQcdG3DV5yPfjd66Fyz5hCTKS6s=',
>> u'ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIH5/uXvdJ1l+uTAk0rgbjKeTBx9HRWk7w+xJLHMt/yRx'),
>> updatedns=False, version=u'2.26'): SUCCESS
>> [Fri Jul 01 11:37:37.961175 2016] [wsgi:error] [pid 38272] ipa: ERROR:
>> non-public: ValueError: User name is defined only for user and enterprise
>> principals
>> [Fri Jul 01 11:37:37.961220 2016] [wsgi:error] [pid 38272] Traceback (most
>> recent call last):
>> [Fri Jul 01 11:37:37.961224 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in
>> wsgi_execute
>> [Fri Jul 01 11:37:37.961226 2016] [wsgi:error] [pid 38272]     result =
>> self.Command[name](*args, **options)
>> [Fri Jul 01 11:37:37.961229 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
>> [Fri Jul 01 11:37:37.961259 2016] [wsgi:error] [pid 38272]     return
>> self.__do_call(*args, **options)
>> [Fri Jul 01 11:37:37.961262 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
>> [Fri Jul 01 11:37:37.961265 2016] [wsgi:error] [pid 38272]     ret =
>> self.run(*args, **options)
>> [Fri Jul 01 11:37:37.961267 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
>> [Fri Jul 01 11:37:37.961269 2016] [wsgi:error] [pid 38272]     return
>> self.execute(*args, **options)
>> [Fri Jul 01 11:37:37.961271 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 456, in execute
>> [Fri Jul 01 11:37:37.961274 2016] [wsgi:error] [pid 38272]
>> caacl_check(principal_type, principal, ca, profile_id)
>> [Fri Jul 01 11:37:37.961276 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 227, in
>> caacl_check
>> [Fri Jul 01 11:37:37.961278 2016] [wsgi:error] [pid 38272]     principal, ca,
>> profile_id):
>> [Fri Jul 01 11:37:37.961280 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 126, in
>> acl_evaluate
>> [Fri Jul 01 11:37:37.961283 2016] [wsgi:error] [pid 38272]     req =
>> _acl_make_request(principal_type, principal, ca_id, profile_id)
>> [Fri Jul 01 11:37:37.961285 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 68, in
>> _acl_make_request
>> [Fri Jul 01 11:37:37.961287 2016] [wsgi:error] [pid 38272]     req.user.name =
>> principal.username
>> [Fri Jul 01 11:37:37.961289 2016] [wsgi:error] [pid 38272]   File
>> "/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 169, in username
>> [Fri Jul 01 11:37:37.961292 2016] [wsgi:error] [pid 38272]     "User name is
>> defined only for user and enterprise principals")
>> [Fri Jul 01 11:37:37.961294 2016] [wsgi:error] [pid 38272] ValueError: User
>> name is defined only for user and enterprise principals
>> [Fri Jul 01 11:37:37.961656 2016] [wsgi:error] [pid 38272] ipa: INFO:
>> [xmlserver]
>> host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>> cert_request(u'[...]
>> AAMCAGA1UdDgEBAAQWBBQQxo41ZpwB24cjTd1cxY9eKbxNkTANBgkqhkiG9w0BAQsFAAOCAQEAERsZQANNrwiDBTEa0Kpif5DB/lfRjSedZpIL/mPPRUJnKus/9hV5gyUZcUQ+c2NEwvIApBJk0TeSIU0xj+dFOsqaN8iPj05XI5axEnBOqGdkHfjxSe96eR7WHCX8JJPdy5SMcoa1T3R6+4myq2/CWceTNcfxM4DdAY5kYvaePOPb13l3YUy9yB12QhDx+BBTNfmsmVxvGkySfegJcJMacQrbIk3AAoj3BklrTSQPqESBvqSVWT/yZE2HcQ6H2aLfeChdieYFsl/gPqCbLDKQA7gdK9Pv5w2dDzMGvpNne/1MCksu9MD9Ys9KvuugOjWNHciglO/kwF4ZJbfJsRqz0Q==',
>> principal=u'host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM',
>> add=True, version=u'2.51'): ValueError
>>
>>
>> I suspect that this is a regression caused by Kerberos aliases support but I'm
>> not going to ACK this until I can test it thoroughly.
> Okay, after '[PATCH 0178] Fix incorrect check for principal type when
> evaluating CA ACLs' it works. ACK.
>
The patch needs changes in the ipa-4-3 branch.
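The readiness check Christian describes, written out as an added example that is not FreeIPA code and not the patch under review: the status poller is handed the local host explicitly instead of defaulting to api.env.ca_host, so a CA-less replica running ipa-ca-install cannot drift to polling the master through a firewalled port 8080. The HTTP layer is injectable so the logic runs offline; the XML body is a constructed sample modelled on Dogtag's getStatus response (the XMLResponse/Status element names are an assumption), and the host names and the blocking fetcher are constructed test fixtures.

```python
"""Added example (not FreeIPA code): poll the *local* Dogtag CA for readiness.

Bug from the thread: the readiness check took its target from
api.env.ca_host, which on a replica without a CA is the remote master.
Here the caller must name the host, and nothing consults api.env.
"""
import time
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

# Endpoint named in the thread.
STATUS_PATH = "/ca/admin/ca/getStatus"

# Constructed sample bodies modelled on Dogtag's XML status response
# (assumption: <XMLResponse><Status>...</Status></XMLResponse>).
SAMPLE_RUNNING = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<XMLResponse><State>1</State><Type>CA</Type>"
    "<Status>running</Status><Version>10.3.3</Version></XMLResponse>"
)
SAMPLE_STARTING = SAMPLE_RUNNING.replace("running", "starting")

# fetch(host, port, path) -> (http_status, body); raises OSError if unreachable
Fetcher = Callable[[str, int, str], Tuple[int, str]]


def parse_ca_status(body: str) -> str:
    """Return the text of <XMLResponse><Status>, or raise ValueError."""
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status = root.findtext("Status")
    if status is None:
        raise ValueError("no <Status> element in CA response")
    return status


def ca_status(fetch: Fetcher, host: str, port: int = 8080) -> str:
    """Query one explicitly named host for its CA status.

    No default host: a readiness check cannot silently pick a remote
    instance the way a default of api.env.ca_host does.
    """
    code, body = fetch(host, port, STATUS_PATH)
    if code == 503:
        return "check interrupted"  # Tomcat up, CA webapp still starting
    if code != 200:
        raise RuntimeError("CA on %s returned HTTP %d" % (host, code))
    return parse_ca_status(body)


def wait_until_running(fetch: Fetcher, local_host: str, max_polls: int = 300,
                       interval: float = 1.0, sleep=time.sleep) -> int:
    """Poll the local Dogtag until Status == running; return the poll count.

    Connection errors and malformed bodies count as "not up yet" and are
    retried; after max_polls attempts a TimeoutError is raised.
    """
    for polls in range(1, max_polls + 1):
        try:
            status = ca_status(fetch, local_host)
        except (OSError, ValueError, RuntimeError):
            status = None
        if status == "running":
            return polls
        sleep(interval)
    raise TimeoutError("CA on %s not running after %d polls" % (local_host, max_polls))


def make_fake_fetcher(expected_host: str, bodies) -> Fetcher:
    """Constructed HTTP stand-in for offline use.

    Refuses any host other than expected_host (the firewall from the
    thread) and serves the given bodies in order, repeating the last one.
    """
    bodies = list(bodies)

    def fetch(host: str, port: int, path: str) -> Tuple[int, str]:
        if host != expected_host:
            raise OSError("connection to %s:%d blocked" % (host, port))
        body = bodies.pop(0) if len(bodies) > 1 else bodies[0]
        return 200, body

    return fetch


if __name__ == "__main__":
    # Constructed host names; a real caller would pass its own FQDN.
    f = make_fake_fetcher("replica.example.test",
                          [SAMPLE_STARTING, SAMPLE_RUNNING])
    print("ready after", wait_until_running(f, "replica.example.test",
                                            sleep=lambda s: None), "polls")
```

Pointing the same poller at "master.example.test" through the blocking fetcher reproduces the failure in the thread: every poll raises, and the loop ends in TimeoutError instead of ever seeing the local instance come up.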

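The traceback Petr posted ends in _acl_make_request reading principal.username for a host principal, which ipapython.kerberos rejects because a user name exists only for user and enterprise principals. The following is an added example, not FreeIPA code and not the fix in patch 0178: a stand-in Principal class that mirrors that contract (an assumption about the real class; the is_user/is_host/is_service/is_enterprise names and the make_acl_request function are illustrative), plus a request builder that dispatches on the declared principal type and refuses a type label that does not match the parsed principal, so the mismatch surfaces as a clear error rather than the "RPC failed at server. an internal error has occurred" the client saw. Principal strings, CA id and profile name in the test are constructed inputs.

```python
"""Added example (not FreeIPA code): build a CA ACL request without reading
attributes that are undefined for the principal's type.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Principal:
    """Minimal stand-in for a Kerberos principal (assumed contract:
    username raises ValueError unless the principal is a user or
    enterprise principal, as the thread's traceback shows)."""
    components: Tuple[str, ...]
    realm: str
    enterprise: bool = False

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # The last '@' separates the realm; an escaped '\@' inside the
        # name marks an enterprise principal (user\@domain@REALM).
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError("principal %r has no realm" % text)
        enterprise = "\\@" in name
        return cls(tuple(name.split("/")), realm, enterprise)

    @property
    def is_enterprise(self) -> bool:
        return self.enterprise

    @property
    def is_user(self) -> bool:
        return len(self.components) == 1 and not self.enterprise

    @property
    def is_host(self) -> bool:
        return len(self.components) == 2 and self.components[0] == "host"

    @property
    def is_service(self) -> bool:
        return len(self.components) == 2 and self.components[0] != "host"

    @property
    def username(self) -> str:
        if not (self.is_user or self.is_enterprise):
            raise ValueError(
                "User name is defined only for user and enterprise principals")
        return self.components[0]

    @property
    def hostname(self) -> str:
        if not (self.is_host or self.is_service):
            raise ValueError(
                "Host name is defined only for host and service principals")
        return self.components[1]

    @property
    def service_name(self) -> str:
        if not self.is_service:
            raise ValueError("Service name is defined only for service principals")
        return self.components[0]


def make_acl_request(principal_type: str, principal: Principal,
                     ca_id: str, profile_id: str) -> Dict[str, str]:
    """Fill the fields a CA ACL is evaluated against.

    The failing shape in the thread was: always set the user name from
    principal.username.  Here principal_type decides which attribute is
    read, and a label that contradicts the parsed principal is rejected
    up front with TypeError instead of escaping as an internal error.
    """
    req = {"ca": ca_id, "profile": profile_id}
    if principal_type == "user":
        if not (principal.is_user or principal.is_enterprise):
            raise TypeError("principal %s is not a user principal" % (principal,))
        req["user"] = principal.username
    elif principal_type == "host":
        if not principal.is_host:
            raise TypeError("principal %s is not a host principal" % (principal,))
        req["host"] = principal.hostname
    elif principal_type == "service":
        if not principal.is_service:
            raise TypeError("principal %s is not a service principal" % (principal,))
        req["service"] = principal.service_name
        req["host"] = principal.hostname
    else:
        raise ValueError("unknown principal type %r" % principal_type)
    return req
```

The point is the order of operations: classify first, then read only the attribute that the classification makes defined. A host principal labelled "user" now fails in make_acl_request with a message naming the principal, rather than deep inside a property getter.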