Bug 1075118

Summary: Replica installation fails if replica file generated on migrated replica
Product: Red Hat Enterprise Linux 7 Reporter: Kaleem <ksiddiqu>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.0CC: alee, dpal, edewata, jcholast, ksiddiqu, nkinder, pviktori, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.3.3-24.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:43:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1073810    
Attachments:
Description Flags
ipa replica install log file
none
console output of ipa replica install none

Description Kaleem 2014-03-11 14:24:03 UTC 
Created attachment 873161 [details]
ipa replica install log file

Description of problem:

This i faced when i tried to create a replica from a Replica (RHEL-7.0) which was migrated from a RHEL-6.5 based Master.

Version-Release number of selected component (if applicable):
[root@rhel70-replica ~]# rpm -q ipa-server pki-ca 389-ds-base
ipa-server-3.3.3-21.el7.x86_64
pki-ca-10.0.5-3.el7.noarch
389-ds-base-1.3.1.6-22.el7.x86_64
[root@rhel70-replica ~]# 


How reproducible:
Always

Steps to Reproduce:
1. Install Master on RHEL-6.5 
2. Install Replica on RHEL-7.0 from RHEL-6.5 based Master.
3. Now again install another replica on RHEL-7.0 from replica of step (2).

Actual results:

Replica install fails

Expected results:
Replica install should be successful 

Additional info:
Please find the attached ipareplica-install.log from replica machine where replica installation is failing
Comment 2 Martin Kosek 2014-03-11 15:45:52 UTC 
Thanks for report, I can also reproduce. Adding more data

7.0 replica httpd access_log:
...
10.16.78.57 - - [11/Mar/2014:11:34:08 -0400] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 236
10.16.78.57 - - [11/Mar/2014:11:34:09 -0400] "GET /ca/rest/account/login HTTP/1.1" 403 272


7.0 replica /var/log/pki/pki-tomcat/ca/system:
...
28495.ajp-bio-127.0.0.1-8009-exec-2 - [11/Mar/2014:11:34:09 EDT] [13] [6] checkPermission(): permission denied for the resource certServer.ca.account on operation login
28495.ajp-bio-127.0.0.1-8009-exec-2 - [11/Mar/2014:11:34:09 EDT] [13] [3] Authorization Failed

Nathan, Ade or Rob - any idea what could cause this one? I am also CCing Jan to help with this case.
Comment 4 Nathan Kinder 2014-03-11 16:41:08 UTC 
Is this the same as the other issue you reported with AVC messages when creating a replica?

    https://bugzilla.redhat.com/show_bug.cgi?id=1075153

If it's not the same, do you see any AVC messages for this issue?
Comment 5 Namita Soman 2014-03-11 17:05:11 UTC 
when installing rhel7 replica - the AVCs mentioned in bz1075153 were seen. 

Then this SAME rhel7 ipa server was used to generate replica pkg and install a new rhel7 replica
Comment 6 Martin Kosek 2014-03-11 19:44:22 UTC 
I can reproduce this issue even with SELinux to permissive, I do not think this is solely caused by SELinux (though I agree that potential SELinux issues should be fixed).
Comment 7 Dmitri Pal 2014-03-11 20:07:38 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4243
Comment 8 Martin Kosek 2014-03-11 21:26:08 UTC 
I was now working Endi on investigating the issue in my VMs and Endi discovered that there some ACLs missing (cn=aclResources,o=ipaca) due to incomplete update of the PKI database to Dogtag 10 level.

This is something I would like have investigated further and decide what we would do for 7.0, I see 2 options:

1) Fix pkispawn so that when Dogtag 10 clone is being created and it detects this is a Dogtag 9 DB, it adds missing ACL items or other entries required for Dogtag 10 function. This precludes that these changes do not destroy PKI on RHEL-6.

2) Do not fix anything in 7.0 and just add a new step to the migration procedure so that admin needs to run ldapmodify to add the missing Dogtag 10 DB himself as a requirement to be able install additional Dogtag 10 clone (not my favorite option).
Comment 9 Endi Sukma Dewata 2014-03-11 22:16:25 UTC 
As Martin mentioned, Dogtag 10 (RHEL 7) requires some additional ACL entries, but currently there is no automatic mechanism to upgrade Dogtag 9 (RHEL 6.5) database, so the entries have to be added manually with this command:

$ ldapmodify -h `hostname` -D "cn=Directory Manager" -w <password> -x
dn: cn=aclResources,o=ipaca
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
-
delete: resourceACLS
resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml
-
add: resourceACLS
resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
-
delete: resourceACLS
resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information
-
add: resourceACLS
resourceACLS: certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information

Note that in order to run this command, the base DN must match the existing tree, and the delete operations must match the current content. Also, since the database is replicated, this command should only be executed once. Additional testing may be needed to verify that the older Dogtag (RHEL 6.5) will continue to run with the upgraded database.
Comment 10 Martin Kosek 2014-03-12 09:48:42 UTC 
I can confirm I was repeatedly able to install IPA replica when these ACLs were fixed. I did basic tests of requesting certificates in both Dogtag 9 and Dogtag 10 based replicas and it worked. I also tried installing IPA client for both D9 and D10 replicas and certmonger correctly retrieved the client certificate.

So now we just need to fix pkispawn to migrate the ACLs when it detects they are not there.
Comment 11 Martin Kosek 2014-03-12 16:00:41 UTC 
Removing needinfo? - we already identified this is not caused by SELinux.
Comment 12 Martin Kosek 2014-03-13 15:57:40 UTC 
After discussion, we chose to do the ACL updates in IPA replica installer. This will fix the issue for the short term.

The long term fix will be used when database migration scripts are added in PKI:

https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
https://fedorahosted.org/pki/ticket/906 (checking database version)
Comment 14 Petr Viktorin (pviktori) 2014-03-14 13:29:05 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b3c2197b7e4ed18a7febe3efa6396c2272ebccca
ipa-3-3:
https://fedorahosted.org/freeipa/changeset/9bc032f9ec0c44e83550d6f87f72e9395c3093d9
Comment 15 Kaleem 2014-03-18 12:50:39 UTC 
Verified. Now replica install is successful with replica file created on migrated replica on RHEL-7.0 from RHEL-6.5 based IPA installation.

IPA Version:
============
[root@rhel70-replica ~]# rpm -q ipa-server pki-ca
ipa-server-3.3.3-25.el7.x86_64
pki-ca-10.0.5-3.el7.noarch
[root@rhel70-replica ~]#

Please find the attached console output.
Comment 16 Kaleem 2014-03-18 12:51:31 UTC 
Created attachment 875921 [details]
console output of ipa replica install
Comment 17 Ludek Smid 2014-06-13 11:43:40 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.