From a4dd1eb5087c2f8a3a9133f42efa025221edc1c9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 30 Oct 2019 14:23:12 +0100
Subject: [PATCH] ipa: add failover to access checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While reading the different components of the HBAC rules failover
handling was missing. Since the access control is typically the second
step after authentication SSSD would have already switched to a working
server or into offline mode during authentication. But if e.g. ssh keys
are used for authentication and user data are read from cache the HBAC
rule searches might have to handle failover as well.
Related to https://pagure.io/SSSD/sssd/issue/4114
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 707fdf0406644de08cfb7f59fa4eec393be5c62a)
---
src/providers/ipa/ipa_access.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
|
|
|
ef0222 |
index de9f68170..375b6f885 100644
|
|
|
ef0222 |
--- a/src/providers/ipa/ipa_access.c
|
|
|
ef0222 |
+++ b/src/providers/ipa/ipa_access.c
|
|
|
ef0222 |
@@ -296,6 +296,7 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
|
|
|
ef0222 |
struct ipa_fetch_hbac_state *state = NULL;
|
|
|
ef0222 |
struct tevent_req *req = NULL;
|
|
|
ef0222 |
errno_t ret;
|
|
|
ef0222 |
+ int dp_error;
|
|
|
ef0222 |
|
|
|
ef0222 |
req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
|
ef0222 |
state = tevent_req_data(req, struct ipa_fetch_hbac_state);
|
|
|
ef0222 |
@@ -308,7 +309,22 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
|
|
|
ef0222 |
state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR;
|
|
|
ef0222 |
state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR;
|
|
|
ef0222 |
talloc_zfree(subreq);
|
|
|
ef0222 |
+
|
|
|
ef0222 |
if (ret != EOK) {
|
|
|
ef0222 |
+ /* Only call sdap_id_op_done in case of an error to trigger a
|
|
|
ef0222 |
+ * failover. In general changing the tevent_req layout would be better
|
|
|
ef0222 |
+ * so that all searches are in another sub-request so that we can
|
|
|
ef0222 |
+ * error out at any step and the parent request can call
|
|
|
ef0222 |
+ * sdap_id_op_done just once. */
|
|
|
ef0222 |
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
|
|
|
ef0222 |
+ if (dp_error == DP_ERR_OK && ret != EOK) {
|
|
|
ef0222 |
+ /* retry */
|
|
|
ef0222 |
+ ret = ipa_fetch_hbac_retry(req);
|
|
|
ef0222 |
+ if (ret != EAGAIN) {
|
|
|
ef0222 |
+ goto done;
|
|
|
ef0222 |
+ }
|
|
|
ef0222 |
+ return;
|
|
|
ef0222 |
+ }
|
|
|
ef0222 |
goto done;
|
|
|
ef0222 |
}
|
|
|
ef0222 |
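Review bot: `dp_error` from `sdap_id_op_done()` is consulted only to gate the retry; for any other value (presumably including the server having gone offline) the new block falls through to `goto done` carrying just the errno in `ret`, so the parent request cannot tell an offline/failover-exhausted outcome from a hard search failure, and what `done:` then reports lies outside this hunk. If the caller is meant to fall back to cached HBAC rules when offline, `dp_error` has to reach it (e.g. stored in the request state), otherwise the block comment should state it explicitly, something like `/* dp_error (e.g. offline) is deliberately not propagated; done: reports ret only */`, and a debug message logging `ret` and `dp_error` before the `goto done` would make a failed failover diagnosable in the field. A smaller point: `int dp_error;` (declared in the previous hunk) is never initialized and the `dp_error == DP_ERR_OK` test relies on `sdap_id_op_done()` writing it on every path, which appears to hold but is cheap to make robust with `int dp_error = DP_ERR_FATAL;`, assuming that member exists alongside `DP_ERR_OK`. The diffstat shows this callback is the only one touched, so any later `_done` steps of the same HBAC fetch chain (not visible here) still lack this failover handling, which the in-code comment itself anticipates. `ipa_fetch_hbac_hostinfo_done()` begins before this hunk and its `done:` label is after it.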
|
|
|
ef0222 |
--
|
|
|
ef0222 |
2.21.1
|
|
|
ef0222 |
|