[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks

Rob Crittenden rcritten at redhat.com
Thu Sep 13 16:40:16 UTC 2012


Martin Kosek wrote:
> To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
> rename or delete the linked object. After the update, the links should be amended.
>
> ---------
>
> Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
> are used to store DNs of linked objects in IPA (users, hosts, sudo
> commands, etc.). However, when the linked object is deleted or
> renamed, the attribute pointing to it stays with the objects and
> thus may create a dangling link causing issues in client software
> reading the data.
>
> Directory Server has a plugin to enforce referential integrity (RI)
> by checking DEL and MODRDN operations and updating affected links.
> It was already used for manager and secretary attributes and
> should be expanded for the missing attributes to avoid dangling
> links.
>
> As a prerequisite, all attributes checked for RI must have pres
> and eq indexes to avoid performance issues. The following indexes
> have been added:
>    * manager (pres index only)
>    * secretary (pres index only)
>    * memberHost
>    * memberUser
>    * sourcehost
>    * memberservice
>    * managedby
>    * memberallowcmd
>    * memberdenycmd
>    * ipasudorunas
>    * ipasudorunasgroup
>
> Referential Integrity plugin was updated to check all these
> attributes.
>
> Note: this update will only fix RI on one master as RI plugin does
> not check replicated operations.
>
> https://fedorahosted.org/freeipa/ticket/2866

These patches look good but I'd like to see some tests associated with 
the referential integrity changes in patch 308. I'm not sure we need a 
test for every single combination where RI comes into play but at least 
testing that the original sequence (sudorule/sudocmd) works as expected.

rob
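
Added example (not part of the thread and not FreeIPA code): since the quoted note says the RI plugin does not check replicated operations, an offline audit for dangling links in the listed attributes is one way to check a master's data. The entries and DNs below are constructed sample data, and the DN normalization is a simplification that ignores escaped commas.

```python
# Audit directory entries for dangling DN links in the RI-covered attributes.
# Attribute names come from the list in the quoted message; everything else
# (DNs, entries, helper names) is constructed for illustration.
RI_ATTRS = {
    "manager", "secretary", "memberhost", "memberuser", "sourcehost",
    "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
    "ipasudorunas", "ipasudorunasgroup",
}

def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators (simplified)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def find_dangling(entries):
    """Return sorted (entry_dn, attribute, target_dn) for links whose target is absent."""
    known = {norm_dn(dn) for dn in entries}
    dangling = []
    for dn, attrs in entries.items():
        for attr, values in attrs.items():
            if attr.lower() not in RI_ATTRS:
                continue  # not a link attribute covered by the RI plugin
            for target in values:
                if norm_dn(target) not in known:
                    dangling.append((dn, attr, target))
    return sorted(dangling)

SUFFIX = "dc=example,dc=com"  # constructed suffix
SAMPLE = {  # constructed entries: one user, one sudo command, one sudo rule
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {},
    f"cn=cmd-1,cn=sudocmds,cn=sudo,{SUFFIX}": {"sudoCmd": ["/usr/bin/less"]},
    f"cn=rule-1,cn=sudorules,cn=sudo,{SUFFIX}": {
        "memberUser": [f"UID=Alice, cn=users, cn=accounts, {SUFFIX}"],
        "memberAllowCmd": [f"cn=cmd-1,cn=sudocmds,cn=sudo,{SUFFIX}",
                           f"cn=cmd-2,cn=sudocmds,cn=sudo,{SUFFIX}"],  # target deleted
    },
}

if __name__ == "__main__":
    for entry_dn, attr, target in find_dangling(SAMPLE):
        print(f"dangling {attr} in {entry_dn}: {target}")
```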



