[Freeipa-devel] Changing CA replication agreements after raising domain level

Ludwig Krispenz lkrispen at redhat.com
Fri Jul 31 12:04:37 UTC 2015


On 07/31/2015 01:53 PM, Simo Sorce wrote:
> On Fri, 2015-07-31 at 13:33 +0200, Petr Vobornik wrote:
>> Discussed with Ludwig, but it might be interesting to the rest of the
>> team (and mainly Simo)
>>
>> In FreeIPA 4.3 - management of CA agmts by a replication plugin, there
>> is a scenario as follows:
>>
>> - existing couple of replicas of version 4.2 and earlier (no topology
>> management)
>> - upgrade all to future 4.3
>> - raise domain level to 1
>> - optionally add a replica
>>
>> All agmts are now managed by a topology plugin but there is an issue
>> with the old CA agreements because they were created with bind method:
>> simple. Atm. no code in IPA framework is executed after raising a domain
>> level. Therefore the old CA agreements are not converted to use GSSAPI.
>>
>> If the segments related to the old agreements are removed and then
>> re-added, topology plugin creates agreements which use GSSAPI.
>>
>> The old agreements are not converted automatically by a topology plugin
>> because simple auth is still required for ipa-replica-install (for both
>> realm and o=ipaca suffix).
> My replica-promotion code creates bind agreements directly using GSSAPI,
> so going forward we will be covered. What is missing is to prevent
> non-promotion installs. We should make it impossible to run
> ipa-replica-prepare on level 1 servers I guess.
>
>> Nor can they be converted in IPA upgrade because domain level is
>> raised after the upgrade.
>>
>> Question is who should convert the old agmts after raising a domain
>> level. IPA or topology plugin?
>>
>> Some of possible solutions are:
>>
>> 1. Convert the CA agmts in domainlevel-set method
> Nope, the domainlevel-set method can be called on any server, there is
> no guarantee this server can reach all servers. There may be network
> issues preventing it as well as a server may be temporarily
> down/unreachable for whatever reason.
>
>> 2. Change replica installer to setup Kerberos earlier so that new
>> agreements could use GSSAPI and therefore topology plugin can convert
>> all managed agreements which don't use GSSAPI automatically.
> This is already done in my replica promotion work, but has no bearing on
> *existing* agreements.
only as a side effect. At the moment the topology plugin cannot just
convert a "simple" agreement if it finds one, because in the initial
phase gssapi is not yet operational. But if it is ensured that all new
agreements will be gssapi, it can blindly convert all other agreements if
they are encountered after domain level raise.

>
>> 3. Automatically convert all agmts by topo plugin. Introduce an attr in
>> repl agmnt which would be set during replica installation to tell the
>> topo plugin to not convert the agmnt while the attr is set. Then convert
>> in installer or when the attr is removed.
> This is the only viable method.
>
>> #1 is an easy workaround but it creates yet another "sort of upgrade
>> path" in domain level set.
>> #2 is more or less a replica promotion.
>> #3 another workaround
>>
>>   From long term perspective, I like #2 but I don't know what's the state
>> of replica promotion. Simo?
> See above, but I do not see how this has any influence on existing
> replicas that are using the simple method.
>
>> Attaching IPA patches which I use now (doesn't contain required topo
>> plugin patches).
> Please look at the code in my tree, I think your work conflicts with mine
> on the installer part.
> I do not handle yet the CA replica stuff in my promotion code, but we
> should base any work in that direction on the replica-promotion method
> and not the old replica install method.
>
> Simo.
>
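The conversion the thread is arguing about, in the shape an administrator or plugin would have to perform it: find the CA replication agreements under the o=ipaca replica entry that still bind with "simple", and replace their bind settings with GSSAPI ones, skipping any agreement that is marked as still in the install phase (option #3 above). This is an added example written for this page, not code from FreeIPA, the topology plugin or any of the posters. The agreement entries are constructed samples, the install-in-progress marker attribute name is hypothetical, and the o=ipaca mapping-tree base DN is an assumption; the 389-ds attribute names (nsDS5ReplicaBindMethod, nsDS5ReplicaTransportInfo, nsDS5ReplicaBindDN, nsDS5ReplicaCredentials) and the python-ldap modlist format are real.

```python
"""Plan (and optionally apply) the simple-bind -> GSSAPI conversion of CA
replication agreements left behind after a domain level raise.

Added example for the thread above; not FreeIPA or topology plugin code.
Sample entries are constructed, the marker attribute is hypothetical and the
base DN is an assumption.
"""
from typing import Dict, List, Optional, Tuple

# python-ldap modlist operation codes (same values as ldap.MOD_DELETE/MOD_REPLACE)
MOD_DELETE = 1
MOD_REPLACE = 2

# Hypothetical marker in the spirit of option #3: while it is present the
# installer still depends on simple bind and the agreement must be left alone.
INSTALL_MARKER_ATTR = "ipareplagreementinstallinprogress"

# Assumed location of the o=ipaca suffix replica configuration in cn=config.
CA_REPLICA_BASE = "cn=o\\3Dipaca,cn=mapping tree,cn=config"

Entry = Dict[str, List[bytes]]
Modlist = List[Tuple[int, str, Optional[List[bytes]]]]


def _norm(entry: Entry) -> Entry:
    """LDAP attribute names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in entry.items()}


def uses_simple_bind(entry: Entry) -> bool:
    values = _norm(entry).get("nsds5replicabindmethod", [])
    return any(v.lower() == b"simple" for v in values)


def gssapi_modlist(entry: Entry) -> Optional[Modlist]:
    """Modifications that switch one agreement from simple bind to GSSAPI.

    Returns None when the agreement must not be converted: it already uses
    another bind method or still carries the install-in-progress marker.
    """
    attrs = _norm(entry)
    if not uses_simple_bind(entry) or INSTALL_MARKER_ATTR in attrs:
        return None
    mods: Modlist = [
        (MOD_REPLACE, "nsds5replicabindmethod", [b"SASL/GSSAPI"]),
        # Kerberos supplies the SASL security layer, so plain LDAP transport
        # replaces the TLS transport that the simple bind relied on.
        (MOD_REPLACE, "nsds5replicatransportinfo", [b"LDAP"]),
    ]
    # The bind DN and stored password mean nothing under GSSAPI; remove them
    # so the replication manager credential no longer sits in cn=config.
    for attr in ("nsds5replicabinddn", "nsds5replicacredentials"):
        if attr in attrs:
            mods.append((MOD_DELETE, attr, None))
    return mods


def plan_conversion(agreements: Dict[str, Entry]) -> Dict[str, Modlist]:
    """Map every convertible agreement DN to the modlist that converts it."""
    plan: Dict[str, Modlist] = {}
    for dn, entry in agreements.items():
        mods = gssapi_modlist(entry)
        if mods:
            plan[dn] = mods
    return plan


def convert_on_server(conn, base: str = CA_REPLICA_BASE) -> List[str]:
    """Apply the plan through an already-bound python-ldap LDAPObject.

    Kept apart from the planning code so the logic above runs offline.
    Returns the DNs that were modified.
    """
    import ldap  # python-ldap; only needed for the live path
    found = conn.search_s(base, ldap.SCOPE_SUBTREE,
                          "(objectclass=nsds5replicationagreement)")
    plan = plan_conversion({dn: entry for dn, entry in found})
    for dn, mods in plan.items():
        conn.modify_s(dn, mods)
    return sorted(plan)


# Constructed sample: three CA agreements as they might look after the upgrade.
SAMPLE_AGREEMENTS: Dict[str, Entry] = {
    "cn=masterAgreement1-replica2.example.test-pki-tomcat,cn=replica," + CA_REPLICA_BASE: {
        "nsDS5ReplicaBindMethod": [b"SIMPLE"],
        "nsDS5ReplicaTransportInfo": [b"TLS"],
        "nsDS5ReplicaBindDN": [b"cn=Replication Manager masterAgreement1-replica2.example.test-pki-tomcat,ou=csusers,cn=config"],
        "nsDS5ReplicaCredentials": [b"constructed-placeholder"],
    },
    # Already GSSAPI (created by the topology plugin at level 1): untouched.
    "cn=masterAgreement1-replica3.example.test-pki-tomcat,cn=replica," + CA_REPLICA_BASE: {
        "nsDS5ReplicaBindMethod": [b"SASL/GSSAPI"],
        "nsDS5ReplicaTransportInfo": [b"LDAP"],
    },
    # Simple bind, but the replica install is still running: must be skipped.
    "cn=masterAgreement1-replica4.example.test-pki-tomcat,cn=replica," + CA_REPLICA_BASE: {
        "nsDS5ReplicaBindMethod": [b"SIMPLE"],
        "nsDS5ReplicaTransportInfo": [b"TLS"],
        "nsDS5ReplicaBindDN": [b"cn=Replication Manager,ou=csusers,cn=config"],
        "nsDS5ReplicaCredentials": [b"constructed-placeholder"],
        INSTALL_MARKER_ATTR: [b"TRUE"],
    },
}

if __name__ == "__main__":
    for dn, mods in plan_conversion(SAMPLE_AGREEMENTS).items():
        print(dn)
        for op, attr, vals in mods:
            print("  ", "replace" if op == MOD_REPLACE else "delete", attr, vals)
```

Running it on the sample prints only the first agreement with its four modifications; the GSSAPI agreement and the marked one are left alone, which is exactly the "do not convert while the attribute is set" behaviour option #3 asks for. Note that with `convert_on_server` the modification is made on whichever server the connection is bound to, so, as Simo points out for domainlevel-set, it would have to be run against every master rather than once.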