[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
thierry bordaz
tbordaz at redhat.com
Mon Sep 22 13:48:21 UTC 2014
Hello Nathaniel,
I have a separated remark about updating the mods.
modifications of the entry occurs in two phases:
* call BE_PREOP plugins then apply the mods on the entry
* call BE_TXN_PREOP plugin then apply *only* extra mods on the entry
The plugin (BE_TXN_PREOP) translates a MOD/replace from MOD/DEL
(current value) + MOD/ADD(new value).
The translation is done like this:
MOD[0]: MOD/REPL ipatokenHOTPcounter new_value
MOD[1]: MOD/REPL modifiersname
MOD[2]: MOD/REPL modifytimestamp
MOD[3]: MOD/REPL entryusn
-->
MOD[0]: MOD/DEL ipatokenHOTPcounter current_value
MOD[1]: MOD/ADD ipatokenHOTPcounter new_value
MOD[2]: MOD/REPL modifiersname
MOD[3]: MOD/REPL modifytimestamp
MOD[4]: MOD/REPL entryusn
That means, we have one added mod (MOD[4]=entryusn) after
BE_TXN_PREOP that will be (re)applied on the second phase.
So the MOD/DEL+MOD/ADD will not be processed. MOD/REPL will be
processed before MOD/DEL+MOD/ADD are generated.
If MOD/DEL+MOD/ADD is needed, then we may need to replace
REPL->DEL/ADD in BE_PREOP callback.
The control done in plugin BE_TXN_PREOP is working fine and
guaranties the counter does not decrease.
thanks
thierry
On 09/19/2014 10:15 PM, Nathaniel McCallum wrote:
> This new version fixes a small style issue pointed out to me by richm
> (thanks!).
>
> On Fri, 2014-09-19 at 13:39 -0400, Nathaniel McCallum wrote:
>> The attached version of the patch should solve all of these issues. It
>> should also be more performant and use less memory.
>>
>> Nathaniel
>>
>>
>> On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote:
>>> On 09/15/2014 09:05 PM, Nathaniel McCallum wrote:
>>>
>>>> This plugin ensures that all counter/watermark operations are atomic
>>>> and never decrement. Also, deletion is not permitted.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4494
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>> Hello Nathaniel,
>>>
>>> More thoughts.. I think being "betxnpreoperation" you are safe
>>> with parallel client ops and the check is atomic. I have few
>>> comments:
>>> * Shouldn't be implemented
>>> SLAPI_PLUGIN_CLOSE_FN/SLAPI_PLUGIN_START_FN callback,
>>> even if they are empty.
>>> * In load_counters, in case we have a target entry that
>>> has not 'objectclass' 'ipatokenHOTP|ipatokenTOTP' and
>>> the mod operation:
>>> dn: <entry>
>>> changetype: modify
>>> replace: ipatokenHOTPcounter
>>> ipatokenHOTPcounter: 200
>>> -
>>> add: objectclass
>>> objectclass: ipatokenHOTP
>>>
>>>
>>> I wonder if the operation will not fail although IMHO
>>> it should succeeds.
>>> Shouldn't let the schema checking reject the operation
>>> if the attribute is not granted by the entry
>>> objectclass
>>> * in load_counters, I am under the impression it may
>>> return ipatokenHOTPcounter or ipatokenTOTPwatermark
>>> (ipatokenHOTPcounter is missing).
>>> But then how the caller knows that the returned value
>>> is a counter or a watermark ?
>>> * in ldapmod_is_attrs you may prefer PL_strcasecmp to
>>> strcasecmp
>>>
>>> About replicated updates, if updates of counters/watermark are
>>> done on several servers. Then a replicated operation may want
>>> to set counters/watermark with a smaller value that the
>>> existing one. In that case, it will return unwilling to
>>> perform. That could break replication.
>>> If the update comes from replication and the value is going
>>> backward, we could make the operation a nop operation (setting
>>> the attribute to its current value).
>>>
>>>
>>> thanks
>>> theirry
>>>
>>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140922/d7d789d5/attachment.htm>
More information about the Freeipa-devel
mailing list