[Freeipa-devel] [PATCH] 0471 permission_add: Remove permission entry if adding the ACI fails

Jan Pazdziora jpazdziora at redhat.com
Tue Mar 11 14:08:17 UTC 2014 

On Fri, Feb 21, 2014 at 03:30:22PM +0100, Petr Viktorin wrote:
> Hello,
> A permission object was not removed in permission-add when adding
> the ACI failed. Here is a fix.
> 
> https://fedorahosted.org/freeipa/ticket/4187
> 
> 
> Earlier we agreed that patch authors should bug the reviewer. I
> guess now this means I should set Patch-review-by in the ticket,
> right? So:
> Martin, you reviewed the other ACI patches so I think you should
> continue. If you don't agree, unset the field in the ticket.
> 
> -- 
> Petr³

> From 5ad2066b71b09248d348a5c4c85ef2ace0c553a4 Mon Sep 17 00:00:00 2001
> From: Petr Viktorin <pviktori at redhat.com>
> Date: Fri, 21 Feb 2014 13:58:15 +0100
> Subject: [PATCH] permission_add: Remove permission entry if adding the ACI
>  fails
> 
> https://fedorahosted.org/freeipa/ticket/4187
> ---
>  ipalib/plugins/permission.py                   | 15 ++++++++++++++-
>  ipatests/test_xmlrpc/test_permission_plugin.py | 25 +++++++++++++++++++++++++
>  2 files changed, 39 insertions(+), 1 deletion(-)
> 
> diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
> index 64deb99ef98583daf0419a240aa8852b0262874d..cb6f18b478735920bbf6cef4febc91481631c560 100644
> --- a/ipalib/plugins/permission.py
> +++ b/ipalib/plugins/permission.py
> @@ -812,7 +812,20 @@ def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options):
>          return dn
>  
>      def post_callback(self, ldap, dn, entry, *keys, **options):
> -        self.obj.add_aci(entry)
> +        try:
> +            self.obj.add_aci(entry)
> +        except Exception:
> +            # Adding the ACI failed.
> +            # We want to be 100% sure the ACI is not there, so try to
> +            # remove it. (This is a no-op if the ACI was not added.)
> +            self.obj.remove_aci(entry)
> +            # Remove the entry
> +            try:
> +                self.api.Backend['ldap2'].delete_entry(entry)
> +            except errors.NotFound:
> +                pass
> +            # Re-raise original exception
> +            raise
>          self.obj.postprocess_result(entry, options)
>          return dn

I'm not totally happy about this patch.

What happens when the ACI is already in LDAP and some part of that
self.obj.add_aci(entry) operation fails? Won't you go and instead of
doing noop, remove the ACI instead?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

More information about the Freeipa-devel mailing list