[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Rob Crittenden
rcritten at redhat.com
Thu Sep 13 16:40:16 UTC 2012
Martin Kosek wrote:
> To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
> rename or delete the linked object. After the update, the links should be amended.
>
> ---------
>
> Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
> are used to store DNs of linked objects in IPA (users, hosts, sudo
> commands, etc.). However, when the linked object is deleted or
> renamed, the attribute pointing to it stays with the objects and
> thus may create a dangling link causing issues in client software
> reading the data.
>
> Directory Server has a plugin to enforce referential integrity (RI)
> by checking DEL and MODRDN operations and updating affected links.
> It was already used for manager and secretary attributes and
> should be expanded for the missing attributes to avoid dangling
> links.
>
> As a prerequisite, all attributes checked for RI must have pres
> and eq indexes to avoid performance issues. The following indexes
> have been added:
> * manager (pres index only)
> * secretary (pres index only)
> * memberHost
> * memberUser
> * sourcehost
> * memberservice
> * managedby
> * memberallowcmd
> * memberdenycmd
> * ipasudorunas
> * ipasudorunasgroup
>
> Referential Integrity plugin was updated to check all these
> attributes.
>
> Note: this update will only fix RI on one master as RI plugin does
> not check replicated operations.
>
> https://fedorahosted.org/freeipa/ticket/2866
These patches look good but I'd like to see some tests associated with
the referential integrity changes in patch 308. I'm not sure we need a
test for every single combination where RI comes into play but at least
testing that the original sequence (sudorule/sudocmd) works as expected.
rob
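The sequence Rob asks to see covered (a sudo rule linking a user and a sudo command, then the linked object is deleted or renamed) can be sketched in memory to show what the RI plugin does after DEL and MODRDN and how a dangling link looks when it does not run. This is an added example, not code from the patch series, FreeIPA or 389 Directory Server: the `Directory` class, the DNs and the `dc=example,dc=com` suffix are constructed, and DN matching is reduced to a case-insensitive string compare. The attribute list is the one from the commit message above.

```python
"""Referential-integrity (RI) fixup and dangling-link audit, simulated in memory.

Added example, not FreeIPA or 389 Directory Server code. DNs, entry names and
the Directory class are constructed for illustration; the attribute list is the
one named in the commit message. DN normalisation is simplified to lower-casing.
"""

# Attributes the patch series puts under RI checking (from the commit message).
RI_ATTRS = ("manager", "secretary", "memberhost", "memberuser", "sourcehost",
            "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
            "ipasudorunas", "ipasudorunasgroup")

SUFFIX = "dc=example,dc=com"  # constructed base DN


def norm(dn):
    """Simplified DN normalisation: DNs compare case-insensitively."""
    return dn.lower()


class Directory:
    """Minimal in-memory directory mimicking what the RI postoperation
    plugin does after DEL and MODRDN operations."""

    def __init__(self, ri_enabled=True):
        self.ri_enabled = ri_enabled
        self.entries = {}  # normalised DN -> {attribute: set(values)}

    def add(self, dn, **attrs):
        self.entries[norm(dn)] = {k.lower(): set(v) for k, v in attrs.items()}

    def delete(self, dn):
        del self.entries[norm(dn)]
        self._ri_fixup(old=dn, new=None)

    def modrdn(self, dn, new_dn):
        self.entries[norm(new_dn)] = self.entries.pop(norm(dn))
        self._ri_fixup(old=dn, new=new_dn)

    def _ri_fixup(self, old, new):
        """Drop (DEL) or rewrite (MODRDN) every RI attribute value that
        referenced the affected entry. With RI disabled nothing happens,
        which is exactly how dangling links arise."""
        if not self.ri_enabled:
            return
        for entry in self.entries.values():
            for attr in RI_ATTRS:
                vals = entry.get(attr)
                if not vals:
                    continue
                stale = {v for v in vals if norm(v) == norm(old)}
                if stale:
                    vals -= stale
                    if new is not None:
                        vals.add(new)

    def dangling_links(self):
        """Audit: every (entry DN, attribute, value) whose value points at an
        entry that no longer exists. Worth running on replicas, since the RI
        plugin does not act on replicated operations."""
        return sorted(
            (dn, attr, v)
            for dn, entry in self.entries.items()
            for attr in RI_ATTRS
            for v in entry.get(attr, ())
            if norm(v) not in self.entries
        )


def build_sudo_setup(ri_enabled):
    """Constructed sudo rule that links one user and one sudo command."""
    d = Directory(ri_enabled)
    user = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
    cmd = f"ipaUniqueID=cmd-0001,cn=sudocmds,cn=sudo,{SUFFIX}"
    rule = f"ipaUniqueID=rule-0001,cn=sudorules,cn=sudo,{SUFFIX}"
    d.add(user, objectclass=["person"])
    d.add(cmd, sudocmd=["/usr/bin/less"])
    d.add(rule, memberuser=[user], memberallowcmd=[cmd])
    return d, user, cmd, rule


def delete_user_scenario(ri_enabled):
    """Delete the linked user; return the rule's remaining memberUser values
    and the audit result."""
    d, user, cmd, rule = build_sudo_setup(ri_enabled)
    d.delete(user)
    return sorted(d.entries[norm(rule)]["memberuser"]), d.dangling_links()


def rename_cmd_scenario(ri_enabled):
    """Rename the linked sudo command; return memberAllowCmd and the audit."""
    d, user, cmd, rule = build_sudo_setup(ri_enabled)
    new_cmd = f"ipaUniqueID=cmd-0002,cn=sudocmds,cn=sudo,{SUFFIX}"
    d.modrdn(cmd, new_cmd)
    return sorted(d.entries[norm(rule)]["memberallowcmd"]), d.dangling_links()


if __name__ == "__main__":
    for ri in (False, True):
        print("RI enabled:", ri)
        print("  after user delete:", delete_user_scenario(ri))
        print("  after cmd rename :", rename_cmd_scenario(ri))
```

With RI disabled the rule keeps a `memberUser` value for a user that is gone and a `memberAllowCmd` value for the old command DN, and the audit reports both; with RI enabled the deleted reference is dropped and the renamed one is rewritten. The audit function is the part that still matters after this patch, because the commit message notes that the plugin only fixes links on the master where the DEL or MODRDN was performed.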