[Freeipa-devel] [PATCH] 0057 Prevent replica-install from overwriting cert profile

Fraser Tweedale ftweedal at redhat.com
Wed May 11 09:01:59 UTC 2016


Hi team,

Attached patch fixes https://fedorahosted.org/freeipa/ticket/5881.

It will prevent the issue; I will send a separate mail with my ideas
about how to repair installations that were already affected.

Cheers,
Fraser
-------------- next part --------------
From 017da750cff1be553e94673735722656a75bc837 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles

An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).

Avoid this situation by never overwriting existing profiles during
the LDAP import.

Fixes: https://fedorahosted.org/freeipa/ticket/5881
---
 ipaserver/install/cainstance.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a21f7d2671461dfb99797d39fc7ee5706317241f..7ba5a5ae72bea656c5818a9fd5909926eb4886d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1664,7 +1664,9 @@ def import_included_profiles():
             conn.add_entry(entry)
             profile_data = ipautil.template_file(
                 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Create the profile, replacing any existing profile of same name
+            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
 
     api.Backend.ra_certprofile.override_port = None
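Review bot: The new `overwrite=True` call in import_included_profiles is unconditional, whereas the replaced code (third hunk) only replaced an existing profile when `api.env.context == 'installer'`, so if this function is ever reached outside the installer it will now clobber a profile it previously kept. Whether import_included_profiles runs only at initial CA install is not visible here; if that is the intent, the comment should say so, otherwise the old guard can be preserved for this caller with `_create_dogtag_profile(profile_id, profile_data, overwrite=api.env.context == 'installer')`. The same applies to the identical hunks in the second and third attachments (`@@ -1665` and `@@ -1764`).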
@@ -1716,12 +1718,17 @@ def migrate_profiles_to_ldap():
                 profile_data += '\n'
             profile_data += 'profileId={}\n'.format(profile_id)
             profile_data += 'classId={}\n'.format(class_id)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Import the profile, but do not replace it if it already exists.
+            # This prevents replicas from replacing IPA-managed profiles with
+            # Dogtag default profiles of same name.
+            #
+            _create_dogtag_profile(profile_id, profile_data, overwrite=False)
 
     api.Backend.ra_certprofile.override_port = None
 
 
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
     with api.Backend.ra_certprofile as profile_api:
         # import the profile
         try:
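Review bot: `_create_dogtag_profile` gains a required positional `overwrite` argument but no documentation of what it means, and the trailing empty `#` line before the migrate_profiles_to_ldap call is stray. A short docstring after the new signature would cover it: `"""Import a profile into Dogtag.  If a profile with the same ID already exists, replace it when ``overwrite`` is true, otherwise leave the existing profile untouched."""`. Because the parameter is positional with no default, any caller outside these two hunks still passing two arguments would fail with TypeError; the diffstat suggests there are none, but that is worth confirming. The function body continues in the next hunk; the same applies to the matching hunks in the second and third attachments.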
@@ -1732,9 +1739,8 @@ def _create_dogtag_profile(profile_id, profile_data):
             root_logger.debug("Error migrating '{}': {}".format(
                 profile_id, e))
 
-            # conflicting profile; replace it if we are
-            # installing IPA, but keep it for upgrades
-            if api.env.context == 'installer':
+            # profile already exists
+            if overwrite:
                 try:
                     profile_api.disable_profile(profile_id)
                 except errors.RemoteRetrieveError:
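Review bot: When `overwrite` is false the existing profile is kept silently, because the only record is the debug-level "Error migrating" message above, which also covers unrelated failures; neither the keep nor the replace decision for a certificate profile is visible to an operator at the default log level. An `else` branch on the new `if overwrite:` (after the body, which continues outside the hunk) would make this auditable: `else:` / `root_logger.info("Profile '%s' already exists; not replacing", profile_id)`. The comment `# profile already exists` also presumes the enclosing `except` clause (not shown in the hunk) only catches the name-conflict case; if it is broader, the comment overstates what is known at that point. The same applies to the matching hunks in the second and third attachments.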
-- 
2.5.5

-------------- next part --------------
From b4e12ae1616fdb8c281fa039665f554876c31da6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles

An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).

Avoid this situation by never overwriting existing profiles during
the LDAP import.

Fixes: https://fedorahosted.org/freeipa/ticket/5881
---
 ipaserver/install/cainstance.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 10bc2afc416737e89ffa7255e50bec96eb86fcce..274694012d5afc8690c4d69356d5ae56ae0a44e1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1665,7 +1665,9 @@ def import_included_profiles():
             conn.add_entry(entry)
             profile_data = ipautil.template_file(
                 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Create the profile, replacing any existing profile of same name
+            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
 
     api.Backend.ra_certprofile.override_port = None
@@ -1717,12 +1719,17 @@ def migrate_profiles_to_ldap():
                 profile_data += '\n'
             profile_data += 'profileId={}\n'.format(profile_id)
             profile_data += 'classId={}\n'.format(class_id)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Import the profile, but do not replace it if it already exists.
+            # This prevents replicas from replacing IPA-managed profiles with
+            # Dogtag default profiles of same name.
+            #
+            _create_dogtag_profile(profile_id, profile_data, overwrite=False)
 
     api.Backend.ra_certprofile.override_port = None
 
 
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
     with api.Backend.ra_certprofile as profile_api:
         # import the profile
         try:
@@ -1733,9 +1740,8 @@ def _create_dogtag_profile(profile_id, profile_data):
             root_logger.debug("Error migrating '{}': {}".format(
                 profile_id, e))
 
-            # conflicting profile; replace it if we are
-            # installing IPA, but keep it for upgrades
-            if api.env.context == 'installer':
+            # profile already exists
+            if overwrite:
                 try:
                     profile_api.disable_profile(profile_id)
                 except errors.RemoteRetrieveError:
-- 
2.5.5

-------------- next part --------------
From 02cf81b70e5ddf9c4b6ad37c4545d806c959507a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles

An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).

Avoid this situation by never overwriting existing profiles during
the LDAP import.

Fixes: https://fedorahosted.org/freeipa/ticket/5881
---
 ipaserver/install/cainstance.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3ca4fa8d373ebc3375a9fc75b59969292f0198f0..7e68b832831c3487c7bda466ba04d1a3eb51e780 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1764,7 +1764,9 @@ def import_included_profiles():
             conn.add_entry(entry)
             profile_data = ipautil.template_file(
                 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Create the profile, replacing any existing profile of same name
+            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
 
     api.Backend.ra_certprofile.override_port = None
@@ -1816,12 +1818,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
                 profile_data += '\n'
             profile_data += 'profileId={}\n'.format(profile_id)
             profile_data += 'classId={}\n'.format(class_id)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Import the profile, but do not replace it if it already exists.
+            # This prevents replicas from replacing IPA-managed profiles with
+            # Dogtag default profiles of same name.
+            #
+            _create_dogtag_profile(profile_id, profile_data, overwrite=False)
 
     api.Backend.ra_certprofile.override_port = None
 
 
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
     with api.Backend.ra_certprofile as profile_api:
         # import the profile
         try:
@@ -1832,9 +1839,8 @@ def _create_dogtag_profile(profile_id, profile_data):
             root_logger.debug("Error migrating '{}': {}".format(
                 profile_id, e))
 
-            # conflicting profile; replace it if we are
-            # installing IPA, but keep it for upgrades
-            if api.env.context == 'installer':
+            # profile already exists
+            if overwrite:
                 try:
                     profile_api.disable_profile(profile_id)
                 except errors.RemoteRetrieveError:
-- 
2.5.5


