[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code stlaz commented: """ I would put broken KRA cert migration to lowest priority since https://github.com/freeipa/freeipa/pull/367 moves the original KRA cert anyway. """ See the full

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code tiran commented: """ Cookie parsing bug with FreeIPA 4.4 client: https://fedorahosted.org/freeipa/ticket/6676 """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-15 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code tiran commented: """ FYI, KRA and vault are broken because KRA cert is not migrated: https://fedorahosted.org/freeipa/ticket/6675 """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Thank you. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390 -- Manage your subscription for the

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Done """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272 -- Manage your subscription for the Freeipa-devel mailing

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ I would personally go with: * Change session handling: 5959 * Generate tmpfiles config at install time: 5959 * Drop use of kinit_as_http from trust code:

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, is there an umbrella ticket? 5959 perhaps? """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045 --

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ For some commits I was sure what ticket to use, for some I was not, so I elected not to put a specific ticket in there. If you have a good idea of what ticket

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, most of the commits do not have a ticket link, is this intentional? """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Ok split the last stuff in 3 commits. I remove the use of private ccache for a few reasons: 1. touches environment variables. 2. will unconditionally remove a

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for the changes in `ipatests/util.py`, but that doesn't mean they should be in

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ We actually record the principal, change the patch to destroy session_cookie in create_connection if the principal is different. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, it makes no sense to keep them separate as in eahc patch I add respecively to

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I don't think this is the correct approach. Rather than deleting `context.session_cookie` in `RPCClient.destroy_connection()` when requested, it

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-13 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @HonzaCholasta push it before we break it again! :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680 -- Manage

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-10 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ So I am not sure what is going on here, after fiddling with the failing tests to print out what was going on, they suddenly started working (and a 3 other

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Mi last push fixes the deadlock and another problem in ipalib/krb_utils.py I haven't figured out exactly what happens in change_password, I see from logs sent

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I think I know what is going on here, can you add an actual test to the testsuite that checks this ? I will fix my PR to not cause this deadlock, I've reproduce

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ While investigating the CI test failures, I stumbled upon another issue - two simultaneous login requests will deadlock httpd until it is restarted. This

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429 --

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-07 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code martbab commented: """ I have figured out that the previous Travis failures were caused by missing version in mod_auth_gssapi Requires. If I downgrade the package to

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code martbab commented: """ I have disabled updates-testing in the CI because of multitude of unrelated breakages (recent openldap-client vs. nss breakage comes to mind), but we may take

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-31 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ The correct packages are now in updates-testing in Fedora 25, pick from there. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread pvoborni
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code pvoborni commented: """ Could we rather add the mod_auth_gssapi and gssproxy packages into @freeipa/freeipa-master copr repo? Without the rpms in master copr repo, other people's

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread martbab
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code martbab commented: """ @simo5 the simplest way to fix CI is to add WIP commit that enables your COPR repos during 'builddep' step like this (untested): ```diff diff --git

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-30 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Both replica install and CA-less install now work, but: * `ipa-replica-install` creates `/var/lib/ipa/radb` owned by `root` rather than `ipaapi`. *

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ With this last rebase I can install again both ca and ca-less without issues. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Ok reproduced, it is not clar how to me yet, but at some point ca.crt get zeroed out and that's why the ldap command fails, investigating """ See the full

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, it turns out the request fails not on the replica, but on the initial master, so it's actually `ipa-server-install` which is broken - if you

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Ok, with this latest push I can install servers and replicas both with CA and CA-less. I cannot reproduce the failure @HonzaCholasta sees, so from my side I am

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, replica install still fails for me in the same way as before. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-23 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ The latest rebase installs a replica correctly here, haven't got to fix ca-less yet, but everything else should be ready to go. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Here's what I did ``` # certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I cannot get a replica install to fail like your did, can you post some logs ? """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I can confirm that the ldapi error occurs every other install. I can also confirm that it does not occur during the initial server install on a

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Thanks @HonzaCholasta I already fixed the service thing but didn't push as I started getting another error on install, buit before I fix that I am working on

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ Not sure if it's this PR or not, but `ipa-server-install` *sometimes* fails with: ``` [11/22]: setting up ssl [error] NetworkError: cannot connect to

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I can't reproduce the bug anymore with the latest update. Pylint found one trivial issue: ``` ipaserver/install/server/upgrade.py:83:

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-05 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I switched all endpoints to use GSSAPI (and transparently use a session cookie once one transation is successful), so there may be some parts of the code a bit

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-05 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I might have fixed the certmonger issue, see HonzaCholasta@907ef3cff2045edd4625d4c422d1d0ae473fe51c, however I'm hitting the "No valid Negotiate

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-04 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Rebased on master and fixed a couple minor lint issues """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270394337 -- Manage

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-03 Thread rcritten
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code rcritten commented: """ You can specify the nickname using -n/--nickname. You'll probably also want to set --cafile=/etc/ipa/ca.crt, --dbdir=/etc/httpd/alias and

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-03 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Why is dogtag-ipa-renew-agent-submit part of the certmonger package ? And how do we fix it now ? """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-02 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ * Dogtag certificates and RA certificate renewal is broken: ``` ca-error: Server at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-19 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I think this code is ready to be included. I am still playing with a minor change in mod_auth_gssapi, but that can also go in later. """ See the full comment at

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @pspacek I added workflows to the Design page, please verify """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321 --

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Note: this PR also depends on and includes commits from #206 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380 --

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread pspacek
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code pspacek commented: """ @simo5 Please extend the design page with image description which explains each of the steps. There are numbers and letters in the image which are not

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Updated branch, hopefully lint will be happy. While there I discovered dcerpc.py ws using the HTTP keytab, after discussing with @abbra we decided to just remove

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-06 Thread simo5
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Yeah going through those right now """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514 -- Manage your subscription

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-06 Thread tiran
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code tiran commented: """ @simo5 TravisCI's pep8 checker is complaining about some PEP8 violations: ``` ./ipalib/install/kinit.py:64:1: E302 expected 2 blank lines, found 1