[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
Nathaniel McCallum
npmccallum at redhat.com
Mon Sep 22 12:38:05 UTC 2014
On Mon, 2014-09-22 at 11:22 +0200, thierry bordaz wrote:
> On 09/20/2014 09:39 PM, Nathaniel McCallum wrote:
> > On Sat, 2014-09-20 at 00:25 +0200, thierry bordaz wrote:
> >> Hello Nathaniel,
> >>
> >> sanitize_input translates MOD/REPLACE into MOD/DEL+MOD/ADD. It
> >> looks good, but it is difficult to think of all possible cases.
> >> I am thinking of the following corner case:
> >> The initial entry has ipatokenHOTPcounter=5
> >> ldapmodify..
> >> changetype: modify
> >> add: ipatokenHOTPcounter
> >> ipatokenHOTPcounter: 6
> >> -
> >> replace: ipatokenHOTPcounter
> >> ipatokenHOTPcounter: 7
> >>
> >> It translates
> >> add: 6
> >> del: 5
> >> add: 7
> >>
> >> This operation will fail because ipatokenHOTPcounter is
> >> single-valued although IMHO it should succeed.
> > No. It should fail. There can only ever be one ipatokenHOTPcounter.
> >
> >> This is such a special operation that it may not really be a
> >> concern.
> > +1
> >
> >> It is important that attributes are single-valued. The
> >> replication changelog will replicate MOD/DEL + MOD/ADD for a
> >> MOD/REPL.
> >> That means that if the attributes are updated on several
> >> masters, the number of values can likely increase, whereas for a
> >> single-valued attribute it should only keep the most recent value.
> > That is a concern, at least for now. Eventually we won't use replication
> > for this at all. But for now, we will.
> >
> > Here is the problem I foresee. You have two servers: A and B.
> >
> > The user authenticates on A. This triggers a MOD/DEL(0)+MOD/ADD(1).
> > Replication is sent to server B.
> >
> > Before the replication is performed on server B, the user authenticates
> > with the next token. This triggers a MOD/DEL(0)+MOD/ADD(2). Replication
> > is sent to server A. This replication will fail because A has a value of
> > 1, not a value of 0.
> >
> > The end result is that there will be different values for
> > ipatokenHOTPcounter on the two different servers. A will have 1 and B
> > will have 2. Once this happens, the replications can never reconcile
> > (this is a big problem). I see two options here, both theoretical.
>
> The final value (when all updates have been replicated/applied) will rely
> on the timestamp of the operation (CSN). When a CSN is generated on a
> master it is guaranteed that it is greater (more recent) than any known
> CSNs. In your scenario "nothing" can guarantee that the CSN of the
> second update (B) is larger than the CSN of the first update. If
> CSN(B) > CSN(A), the final value will be '2', else it will be '1'.
>
> When server B receives the first update ('1'), its current value
> is '2'. So it will reject the update, which may break replication.
> If we decide not to control replicated updates and if CSN(A) > CSN(B),
> then the final value will go backward.
The whole point of this plugin is, in a sense, to break replication. CSN
is *not* sufficient to determine valid updates for the
counter/watermark. We don't care what the CSN is, we only care whether
the counter/watermark has increased.
The counter/watermark MUST NEVER decrease.
Please see my new patch here:
http://www.redhat.com/archives/freeipa-devel/2014-September/msg00435.html
> > Option #1 is to hook 389 in a different place: before the mods are
> > performed but after the replication changelog is generated.
> > Alternatively, we could insert a hook after the replication changelog is
> > generated, but before it is sent. We could consolidate the MOD/DEL
> > +MOD/ADD here into a single MOD/REPLACE operation.
> With the current replication it would be a major change. Update of the
> changelog is done in betxn_postop based on the operation's mods.
> >
> > Option #2 is to have some way to translate the MOD/REPLACE(X) into a
> > MOD/DEL(<=X)+MOD/ADD(X).
> I think it is already what the plugin is doing. It retrieves the current
> value from the entry and does a mod/del on this value, then a mod/add of
> the new value (on the condition that new_value > current_value).
> My concern is that in your scenario, due to parallel updates with several
> new_values, we may select an incorrect new_value.
>
> The 'Dynamic Master proxy' (
> http://www.freeipa.org/page/V4/OTP_Replay_Prevention#Replication_Counter_Race)
> solution looks like a good one.
Synchronous synchronization is the better plan on that page. But this is
a *huge* task. Too big for 4.1.
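An added simulation of the two-server race described in this thread; it is not code from the thread or from the ipa-otp-decrement plugin. It assumes ipatokenHOTPcounter starts at 0 on both replicas: `replay_strict` models how a plain single-valued attribute rejects a replicated MOD/DEL whose value no longer matches, `replay_monotonic` models the "counter must never decrease" rule applied to replicated updates instead of the CSN, and `simulate` reports the final value on each server.

```python
# Constructed model of the replication race: two replicas (A and B) hold a
# single-valued ipatokenHOTPcounter, and every update travels through the
# changelog as a MOD/DEL(old)+MOD/ADD(new) pair, as sanitize_input produces.
ATTR = "ipatokenHOTPcounter"


def local_update(entry, new_value):
    """Local plugin behaviour described in the thread: accept only an
    increase, and emit the MOD/DEL(current)+MOD/ADD(new) pair for replication."""
    current = entry[ATTR]
    if new_value <= current:
        raise ValueError(f"{ATTR} must never decrease ({current} -> {new_value})")
    entry[ATTR] = new_value
    return [("delete", current), ("add", new_value)]


def replay_strict(entry, mods):
    """Replay as 389 does for an ordinary single-valued attribute: the DEL must
    match the current value or the whole replicated operation fails."""
    (_, old), (_, new) = mods
    if entry[ATTR] != old:
        return False          # update rejected; replicas now diverge
    entry[ATTR] = new
    return True


def replay_monotonic(entry, mods):
    """Assumed replay rule: ignore the DEL value (and the CSN) and only ask
    whether the counter increases; an update that moves it backward is dropped."""
    _, new = mods[1]
    if new <= entry[ATTR]:
        return False          # stale or replayed counter, safely ignored
    entry[ATTR] = new
    return True


def simulate(replay):
    """The scenario from the thread: A accepts token 1, B accepts token 2
    before A's update arrives, then the two changelog entries cross.
    Returns (value on A, value on B)."""
    a = {ATTR: 0}
    b = {ATTR: 0}
    mods_from_a = local_update(a, 1)
    mods_from_b = local_update(b, 2)
    replay(b, mods_from_a)    # A's update reaches B
    replay(a, mods_from_b)    # B's update reaches A
    return a[ATTR], b[ATTR]
```

With strict replay both replicas reject the crossed update and stay at (1, 2), the permanent split described above; with the monotonic rule they converge on (2, 2) regardless of which CSN is larger.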