[Freeipa-devel] Changing CA replication agreements after raising domain level
Simo Sorce
simo at redhat.com
Fri Jul 31 11:53:25 UTC 2015
On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
> Discussed with Ludwig, but it might be interesting to the rest of the
> team (and mainly Simo)
>
> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
> is a scenario as follows:
>
> - existing couple of replicas of version 4.2 and earlier (no topology
> management)
> - upgrade all to future 4.3
> - raise domain level to 1
> - optionally add a replica
>
> All agmts are now managed by a topology plugin but there is an issue
> with the old CA agreements because they were created with bind method:
> simple. Atm. no code in IPA framework is executed after raising a domain
> level. Therefore the old CA agreements are not converted to use GSSAPI.
>
> If the segments related to the old agreements are removed and then
> re-added, topology plugin creates agreements which use GSSAPI.
>
> The old agreements are not converted automatically by a topology plugin
> because simple auth is still required for ipa-replica-install (for both
> realm and o=ipaca suffix).
My replica-promotion code creates bind agreements directly using GSSAPI,
so going forward we will be covered. What is missing is to prevent
non-promotion installs. We should make it impossible to run
ipa-replica-prepare on level 1 servers I guess.
> Nor can they be converted in the IPA upgrade because the domain level is
> raised after the upgrade.
>
> The question is who should convert the old agmts after raising a domain
> level: IPA or the topology plugin?
>
> Some possible solutions are:
>
> 1. Convert the CA agmts in the domainlevel-set method
Nope, the domainlevel-set method can be called on any server, there is
no guarantee this server can reach all servers. There may be network
issues preventing it as well as a server may be temporarily
down/unreachable for whatever reason.
> 2. Change the replica installer to set up Kerberos earlier so that new
> agreements could use GSSAPI and therefore topology plugin can convert
> all managed agreements which don't use GSSAPI automatically.
This is already done in my replica promotion work, but has no bearing on
*existing* agreements.
> 3. Automatically convert all agmts by the topo plugin. Introduce an attr in
> the repl agmt which would be set during replica installation to tell the
> topo plugin not to convert the agmt while the attr is set. Then convert
> in the installer or when the attr is removed.
This is the only viable method.
> #1 is an easy workaround but it creates yet another "sort of upgrade
> path" in domain level set.
> #2 is more or less a replica promotion.
> #3 another workaround
>
> From a long-term perspective, I like #2 but I don't know what the state
> of replica promotion is. Simo?
See above, but I do not see how this has any influence on existing
replicas that are using the simple method.
> Attaching the IPA patches which I use now (they don't contain the required
> topo plugin patches).
Please look at the code in my tree, I think your work conflicts with mine
on the installer part.
I do not yet handle the CA replica stuff in my promotion code, but we
should base any work in that direction on the replica-promotion method
and not on the old replica install method.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
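A check an administrator could run after raising the domain level, as an added example that is not code from this thread or from FreeIPA: it reads replication agreement entries (constructed LDIF samples below, in the shape an ldapsearch under cn=config returns them; hostnames and the example.test realm are made up) and flags every agreement whose nsDS5ReplicaBindMethod is still SIMPLE, which is the state the old o=ipaca agreements are left in.

```python
import re
from typing import Dict, List

# Constructed sample: the realm agreement already binds with GSSAPI, while the
# o=ipaca agreement still carries the SIMPLE (password) bind left behind by a
# pre-4.3 ipa-replica-install. Not captured from a real server.
SAMPLE_LDIF = r"""
dn: cn=meToreplica2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicaBindMethod: SASL/GSSAPI

dn: cn=caToreplica2.example.test,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: replica2.example.test
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-replica2.example.test-pki-tomcat,
 ou=csusers,cn=config
nsDS5ReplicaBindMethod: SIMPLE
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines (leading space), lower-case
    attribute names, collect all values per attribute, split entries on blank lines."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def simple_bind_agreements(text: str) -> List[Dict[str, str]]:
    """Return the agreements that still authenticate with a SIMPLE bind."""
    flagged = []
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        if e.get("nsds5replicabindmethod", [""])[0].upper() == "SIMPLE":
            flagged.append({"dn": e["dn"][0],
                            "root": e.get("nsds5replicaroot", [""])[0],
                            "host": e.get("nsds5replicahost", [""])[0]})
    return flagged
```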