[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks

Rob Crittenden rcritten at redhat.com
Mon Sep 17 15:17:23 UTC 2012


Martin Kosek wrote:
> On 09/13/2012 06:40 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
>>> rename or delete the linked object. After the update, the links should be
>>> amended.
>>>
>>> ---------
>>>
>>> Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
>>> are used to store DNs of linked objects in IPA (users, hosts, sudo
>>> commands, etc.). However, when the linked object is deleted or
>>> renamed, the attribute pointing to it stays with the objects and
>>> thus may create a dangling link causing issues in client software
>>> reading the data.
>>>
>>> Directory Server has a plugin to enforce referential integrity (RI)
>>> by checking DEL and MODRDN operations and updating affected links.
>>> It was already used for manager and secretary attributes and
>>> should be expanded for the missing attributes to avoid dangling
>>> links.
>>>
>>> As a prerequisite, all attributes checked for RI must have pres
>>> and eq indexes to avoid performance issues. The following indexes
>>> have been added:
>>>     * manager (pres index only)
>>>     * secretary (pres index only)
>>>     * memberHost
>>>     * memberUser
>>>     * sourcehost
>>>     * memberservice
>>>     * managedby
>>>     * memberallowcmd
>>>     * memberdenycmd
>>>     * ipasudorunas
>>>     * ipasudorunasgroup
>>>
>>> Referential Integrity plugin was updated to check all these
>>> attributes.
>>>
>>> Note: this update will only fix RI on one master as RI plugin does
>>> not check replicated operations.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2866
>>
>> These patches look good but I'd like to see some tests associated with the
>> referential integrity changes in patch 308. I'm not sure we need a test for
>> every single combination where RI comes into play but at least testing that the
>> original sequence (sudorule/sudocmd) works as expected.
>>
>> rob
>
> Right, I should have seen that coming. I want this feature to be checked
> properly so I added tests for all RI-checked attributes.
>
> Patches attached.
>
> Martin
>

ACK, pushed to master and ipa-3-0

rob
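
An added illustration, not part of this thread or of the FreeIPA patches: a small in-memory Python model of the behaviour the patch description relies on, showing how a DEL or MODRDN leaves a dangling link in an RI-checked attribute and how a referential integrity pass removes or rewrites it. The attribute list is taken from the message above; the DNs, the sample directory and all function names are constructed for the example, and nothing here talks to Directory Server.

```python
# Attributes the patch description lists as RI-checked, lower-cased for comparison.
RI_ATTRS = {"manager", "secretary", "memberhost", "memberuser", "sourcehost",
            "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
            "ipasudorunas", "ipasudorunasgroup"}

def norm(dn):
    """Simplified DN normalisation: lower-case, strip spaces around RDNs.
    Does not handle escaped commas; enough for the constructed data below."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dangling_links(directory):
    """Return sorted (entry DN, attribute, target DN) for links to absent entries."""
    present = {norm(dn) for dn in directory}
    return sorted((dn, attr, val)
                  for dn, attrs in directory.items()
                  for attr, vals in attrs.items() if attr.lower() in RI_ATTRS
                  for val in vals if norm(val) not in present)

def delete(directory, dn, referential_integrity):
    """DEL: remove the entry; with RI on, also drop every link that pointed to it."""
    directory.pop(dn)
    if referential_integrity:
        for attrs in directory.values():
            for attr in attrs:
                if attr.lower() in RI_ATTRS:
                    attrs[attr] = [v for v in attrs[attr] if norm(v) != norm(dn)]

def rename(directory, old_dn, new_dn, referential_integrity):
    """MODRDN: move the entry; with RI on, rewrite links to the new DN."""
    directory[new_dn] = directory.pop(old_dn)
    if referential_integrity:
        for attrs in directory.values():
            for attr in attrs:
                if attr.lower() in RI_ATTRS:
                    attrs[attr] = [new_dn if norm(v) == norm(old_dn) else v
                                   for v in attrs[attr]]

def sample():
    """Constructed directory: one sudo rule linking a sudo command and a user."""
    base = "dc=example,dc=test"
    return {
        f"cn=ls,cn=sudocmds,cn=sudo,{base}": {},
        f"uid=alice,cn=users,cn=accounts,{base}": {},
        f"cn=rule1,cn=sudorules,cn=sudo,{base}": {
            "memberAllowCmd": [f"cn=ls,cn=sudocmds,cn=sudo,{base}"],
            "memberUser": [f"uid=alice,cn=users,cn=accounts,{base}"]},
    }
```

Running `dangling_links` over an export of the real tree is the same check an administrator would use to find links left behind before the plugin covered these attributes.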



