[Freeipa-devel] Changing CA replication agreements after raising domain level

Simo Sorce simo at redhat.com
Fri Jul 31 11:53:25 UTC 2015


On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
> Discussed with Ludwig, but it might be interesting to the rest of the 
> team (and mainly Simo)
> 
> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there 
> is a scenario as follows:
> 
> - existing couple of replicas of version 4.2 and earlier (no topology 
> management)
> - upgrade all to future 4.3
> - raise domain level to 1
> - optionally add a replica
> 
> All agmts are now managed by a topology plugin but there is an issue 
> with the old CA agreements because they were created with bind method: 
> simple. Atm. no code in IPA framework is executed after raising a domain 
> level. Therefore the old CA agreements are not converted to use GSSAPI.
> 
> If the segments related to the old agreements are removed and then 
> re-added, topology plugin creates agreements which use GSSAPI.
> 
> The old agreements are not converted automatically by a topology plugin 
> because simple auth is still required for ipa-replica-install (for both 
> realm and o=ipaca suffix).

My replica-promotion code creates bind agreements directly using GSSAPI,
so going forward we will be covered. What is missing is to prevent
non-promotion installs. We should make it impossible to run
ipa-replica-prepare on level 1 servers I guess.

> Nor can they be converted in IPA upgrade because domain level is 
> raised after the upgrade.
> 
> Question is who should convert the old agmts after raising a domain 
> level. IPA or topology plugin?
> 
> Some of possible solutions are:
> 
> 1. Convert the CA agmts in domainlevel-set method

Nope: the domainlevel-set method can be called on any server, and there
is no guarantee this server can reach all servers. There may be network
issues preventing it, and a server may be temporarily down/unreachable
for whatever reason.

> 2. Change replica installer to setup Kerberos earlier so that new 
> agreements could use GSSAPI and therefore topology plugin can convert 
> all managed agreements which don't use GSSAPI automatically.

This is already done in my replica promotion work, but has no bearing on
*existing* agreements.

> 3. Automatically convert all agmts by topo plugin. Introduce an attr in 
> repl agmt which would be set during replica installation to tell the 
> topo plugin to not convert the agmt while the attr is set. Then convert 
> in installer or when the attr is removed.

This is the only viable method.

> #1 is an easy workaround but it creates yet another "sort of upgrade 
> path" in domain level set.
> #2 is more or less a replica promotion.
> #3 another workaround
> 
> From a long-term perspective, I like #2 but I don't know what the state 
> of replica promotion is. Simo?

See above, but I do not see how this has any influence on existing
replicas that are using the simple method.

> Attaching IPA patches which I use now (they don't contain the required 
> topo plugin patches).

Please look at the code in my tree, I think your work conflicts with mine
on the installer part.
I do not handle yet the CA replica stuff in my promotion code, but we
should base any work in that direction on the replica-promotion method
and not the old replica install method.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
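
The conversion the thread argues about (option #3: leave an agreement on simple bind while a marker attribute set by the installer is present, otherwise switch it to GSSAPI) can be sketched as a small audit-and-plan routine. The following is an added example, not FreeIPA or topology-plugin code. The four `nsDS5Replica*` attribute names are real 389-ds replication-agreement attributes; the marker attribute `ipaReplicaConversionHold`, the sample agreement entries and the DNs are constructed for the example, and setting `nsDS5ReplicaTransportInfo` to `LDAP` for GSSAPI agreements is an assumption about how IPA writes them. The function returns python-ldap-style `(op, attr, values)` tuples rather than applying them, so it runs offline.

```python
"""Audit 389-ds replication agreements still using simple bind and plan
their conversion to SASL/GSSAPI (added example, not FreeIPA code)."""

# Real 389-ds replication-agreement attribute names.
BIND_METHOD = "nsDS5ReplicaBindMethod"
BIND_DN = "nsDS5ReplicaBindDN"
CREDENTIALS = "nsDS5ReplicaCredentials"
TRANSPORT = "nsDS5ReplicaTransportInfo"

# Hypothetical marker from option #3: while the installer still needs
# simple bind it sets this attribute and the agreement must not be touched.
# The name is an assumption for this example, not an IPA attribute.
CONVERSION_HOLD = "ipaReplicaConversionHold"

# Constructed sample entries, shaped like python-ldap results
# (attribute -> list of values); DNs are illustrative only.
AGREEMENTS = [
    {   # realm suffix agreement, already on GSSAPI
        "dn": "cn=meToreplica2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,"
              "cn=mapping tree,cn=config",
        BIND_METHOD: ["SASL/GSSAPI"], TRANSPORT: ["LDAP"],
    },
    {   # old o=ipaca agreement created by a 4.2 installer: simple bind
        "dn": "cn=meToreplica2,cn=replica,cn=o\\3Dipaca,"
              "cn=mapping tree,cn=config",
        BIND_METHOD: ["SIMPLE"], TRANSPORT: ["SSL"],
        BIND_DN: ["cn=Replication Manager masterAgreement1,ou=csusers,cn=config"],
        CREDENTIALS: ["{AES}constructed-placeholder"],
    },
    {   # agreement a replica install is still using: hold marker is set
        "dn": "cn=meToreplica3,cn=replica,cn=o\\3Dipaca,"
              "cn=mapping tree,cn=config",
        BIND_METHOD: ["SIMPLE"], TRANSPORT: ["SSL"],
        BIND_DN: ["cn=Replication Manager masterAgreement2,ou=csusers,cn=config"],
        CREDENTIALS: ["{AES}constructed-placeholder"],
        CONVERSION_HOLD: ["TRUE"],
    },
]


def needs_conversion(entry):
    """True when the agreement binds with SIMPLE and no hold marker is set."""
    method = entry.get(BIND_METHOD, [""])[0].upper()
    if method == "SASL/GSSAPI":
        return False
    if entry.get(CONVERSION_HOLD):
        return False          # installer still relies on simple bind
    return method == "SIMPLE"


def conversion_modlist(entry):
    """Plan the LDAP modifications that turn a SIMPLE agreement into a
    GSSAPI one: switch the bind method and transport (transport value is
    an assumption), and drop the stored bind DN and password.  Returns an
    empty list when nothing should change."""
    if not needs_conversion(entry):
        return []
    mods = [
        ("replace", BIND_METHOD, ["SASL/GSSAPI"]),
        ("replace", TRANSPORT, ["LDAP"]),
    ]
    # A leftover simple-bind DN/password pair is dead credential material
    # once GSSAPI is in use, so the plan removes both if present.
    for attr in (BIND_DN, CREDENTIALS):
        if attr in entry:
            mods.append(("delete", attr, None))
    return mods


def audit(entries):
    """DNs of agreements that still need converting: what a post-upgrade
    check would report on each server after the domain level is raised."""
    return [e["dn"] for e in entries if needs_conversion(e)]


if __name__ == "__main__":
    for dn in audit(AGREEMENTS):
        print("needs conversion:", dn)
        for op, attr, vals in conversion_modlist(next(e for e in AGREEMENTS
                                                      if e["dn"] == dn)):
            print("   ", op, attr, vals)
```

Because the plan is computed per server from that server's own `cn=config`, running it on every server independently sidesteps the objection to option #1: no single server has to reach all the others.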