[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks

Martin Kosek mkosek at redhat.com
Fri Sep 14 08:40:59 UTC 2012


On 09/13/2012 06:40 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
>> rename or delete the linked object. After the update, the links should be
>> amended.
>>
>> ---------
>>
>> Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
>> are used to store DNs of linked objects in IPA (users, hosts, sudo
>> commands, etc.). However, when the linked object is deleted or
>> renamed, the attribute pointing to it stays with the objects and
>> thus may create a dangling link causing issues in client software
>> reading the data.
>>
>> Directory Server has a plugin to enforce referential integrity (RI)
>> by checking DEL and MODRDN operations and updating affected links.
>> It was already used for manager and secretary attributes and
>> should be expanded for the missing attributes to avoid dangling
>> links.
>>
>> As a prerequisite, all attributes checked for RI must have pres
>> and eq indexes to avoid performance issues. The following indexes
>> have been added:
>>    * manager (pres index only)
>>    * secretary (pres index only)
>>    * memberHost
>>    * memberUser
>>    * sourcehost
>>    * memberservice
>>    * managedby
>>    * memberallowcmd
>>    * memberdenycmd
>>    * ipasudorunas
>>    * ipasudorunasgroup
>>
>> Referential Integrity plugin was updated to check all these
>> attributes.
>>
>> Note: this update will only fix RI on one master as RI plugin does
>> not check replicated operations.
>>
>> https://fedorahosted.org/freeipa/ticket/2866
> 
> These patches look good but I'd like to see some tests associated with the
> referential integrity changes in patch 308. I'm not sure we need a test for
> every single combination where RI comes into play but at least testing that the
> original sequence (sudorule/sudocmd) works as expected.
> 
> rob

Right, I should have seen that coming. I want this feature to be checked
properly so I added tests for all RI-checked attributes.

Patches attached.

Martin
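A small model of what the Directory Server Referential Integrity plugin does on DEL and MODRDN for the attributes listed in the commit message, with an audit that finds the dangling links RI is meant to prevent. This is an added example written for this archive page, not FreeIPA or 389 DS code; the entries, DNs and lowercase attribute keys are constructed.

```python
"""Model of the Referential Integrity plugin on DEL and MODRDN, plus a
dangling-link audit. Added example, not FreeIPA or 389 DS code; data is constructed."""

# Attributes the patch puts under RI checking, as listed in the commit message.
RI_ATTRS = ("manager", "secretary", "memberhost", "memberuser", "sourcehost",
            "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
            "ipasudorunas", "ipasudorunasgroup")

def norm(dn):
    """Case-insensitive DN comparison key (a real server normalizes far more)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def referring_links(directory, target_dn):
    """All (dn, attr, value) triples whose RI-checked attribute points at target_dn."""
    t = norm(target_dn)
    return [(dn, attr, v) for dn, entry in directory.items()
            for attr in RI_ATTRS for v in entry.get(attr, []) if norm(v) == t]

def delete_entry(directory, dn):
    """DEL: remove the entry, then strip every link that pointed at it."""
    key = next(k for k in directory if norm(k) == norm(dn))
    del directory[key]
    for ref_dn, attr, value in referring_links(directory, dn):
        directory[ref_dn][attr].remove(value)

def rename_entry(directory, old_dn, new_dn):
    """MODRDN: move the entry, then rewrite every link to the new DN."""
    key = next(k for k in directory if norm(k) == norm(old_dn))
    directory[new_dn] = directory.pop(key)
    for ref_dn, attr, value in referring_links(directory, old_dn):
        values = directory[ref_dn][attr]
        values[values.index(value)] = new_dn

def dangling_links(directory):
    """Audit: links whose target entry no longer exists (what RI prevents)."""
    present = {norm(dn) for dn in directory}
    return [(dn, attr, v) for dn, entry in directory.items() for attr in RI_ATTRS
            for v in entry.get(attr, []) if norm(v) not in present]

def sample_directory():
    """Constructed sudo rule linking a user and a sudo command (dn -> attrs)."""
    user = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    cmd = "sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=example,dc=test"
    return {user: {"uid": ["alice"]}, cmd: {"sudocmd": ["/bin/ls"]},
            "ipauniqueid=rule-1,cn=sudorules,cn=sudo,dc=example,dc=test":
                {"memberuser": [user], "memberallowcmd": [cmd]}}
```

Deleting the user entry without the RI step (plain `del`) is what leaves the dangling `memberuser` value the audit reports.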
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-305-2-add-attributeTypes-to-safe-schema-updater.patch
Type: text/x-patch
Size: 6467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120914/474100c0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-306-2-amend-memberallowcmd-and-memberdenycmd-attribute-typ.patch
Type: text/x-patch
Size: 4864 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120914/474100c0/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-307-2-run-index-task-in-ldap-updater-only-when-needed.patch
Type: text/x-patch
Size: 2813 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120914/474100c0/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-308-2-expand-referential-integrity-checks.patch
Type: text/x-patch
Size: 25021 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120914/474100c0/attachment-0003.bin>
