
Fix context.principal #7335

Closed
wants to merge 11 commits into from

Conversation

abbra
Contributor

@abbra abbra commented Apr 26, 2024

No description provided.

@abbra abbra added needs review Pull Request is waiting for a review ipa-4-11 Mark for backport to ipa 4.11 labels Apr 26, 2024
@abbra
Contributor Author

abbra commented Apr 29, 2024

@t-woerner please review.

@t-woerner
Member

There are more places where getattr(context, 'principal') is used in plugins.

Would it be good to fix them too?

@abbra
Contributor Author

abbra commented Apr 30, 2024

Yes, I am in the process of fixing those too. The problem I face is how to handle cases where there is no principal to map to and yet that principal is expected. I can do a hard fail (like in cert plugin) but that would be bad.

@rcritten
Contributor

I would suggest a helper function for the plugin principal retrieval. There is a matching pattern and by my count there are 15 or 16 times we use it.

@abbra
Contributor Author

abbra commented May 2, 2024

> I would suggest a helper function for the plugin principal retrieval. There is a matching pattern and by my count there are 15 or 16 times we use it.

Yep. Moved the check to principal_has_privilege() to allow re-use. If 'None' principal is passed, we'd pull a bound LDAP DN to do the check. For cn=Directory Manager we'd allow every privilege because a) directory manager can write everywhere, and b) we don't add cn=Directory Manager to any privilege.
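To make the fallback described in this comment concrete, here is an added example (not FreeIPA code) of a privilege check that first looks for a Kerberos principal, falls back to the bound LDAP DN when there is none, and grants everything to cn=Directory Manager because that entry is never a privilege member. `ServerContext`, `PRINCIPAL_TO_DN` and `PRIVILEGE_MEMBERS` are assumed stand-ins for ipalib's request context and the LDAP lookups a real implementation would perform; the DNs and principals are constructed sample data.

```python
"""Added example (not FreeIPA code): resolve the acting identity and check a
privilege when a server-context command may have no Kerberos principal.
ServerContext, PRINCIPAL_TO_DN and PRIVILEGE_MEMBERS are assumptions standing
in for ipalib's request context and for LDAP lookups."""

DIRECTORY_MANAGER_DN = "cn=Directory Manager"

# Constructed stand-in for LDAP privilege membership: privilege -> member DNs.
# cn=Directory Manager is deliberately absent: it is never added to a privilege.
PRIVILEGE_MEMBERS = {
    "User Administrators": {"uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"},
    "Certificate Administrators": {"uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"},
}

# Constructed mapping from Kerberos principal to the LDAP entry it binds as.
PRINCIPAL_TO_DN = {
    "admin@IPA.TEST": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test",
    "bob@IPA.TEST": "uid=bob,cn=users,cn=accounts,dc=ipa,dc=test",
}


def normalize_dn(dn):
    """LDAP DNs compare case-insensitively; normalise before set membership."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class ServerContext:
    """Stand-in for the per-request context. On the installer/autobind path the
    `principal` attribute is never set at all, which is why an unguarded
    getattr(context, 'principal') raises AttributeError there."""

    def __init__(self, bound_dn, principal=None):
        self.bound_dn = bound_dn
        if principal is not None:
            self.principal = principal


def current_principal(context):
    """Safe retrieval: None when the request carries no Kerberos principal,
    instead of the AttributeError an unguarded getattr would raise."""
    return getattr(context, "principal", None)


def principal_has_privilege(context, privilege, principal=None):
    """True if the acting identity holds `privilege`.

    Resolution order:
      1. an explicit principal argument, else the context's principal;
      2. with no principal at all, fall back to the bound LDAP DN;
      3. cn=Directory Manager holds every privilege: it can write anywhere
         and is never a privilege member, so a membership lookup would fail.
    """
    if principal is None:
        principal = current_principal(context)

    if principal is None:
        dn = context.bound_dn
        if normalize_dn(dn) == normalize_dn(DIRECTORY_MANAGER_DN):
            return True
    else:
        dn = PRINCIPAL_TO_DN.get(principal)
        if dn is None:
            return False  # unknown principal: deny by default

    members = {normalize_dn(m) for m in PRIVILEGE_MEMBERS.get(privilege, ())}
    return normalize_dn(dn) in members
```

The deny-by-default branches matter as much as the Directory Manager shortcut: a principal with no LDAP entry, or a bound DN that is neither Directory Manager nor a privilege member (for example a host entry on the autobind path), gets `False` rather than an exception or an implicit allow.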

@abbra
Contributor Author

abbra commented May 2, 2024

The remaining place to investigate is a vault plugin. There we have three places where context.principal is used to decide a DN for the vault container. We probably should be able to handle those in a common way by querying LDAP entry of the bound LDAP DN to see if it has a specific attribute. This, however, will not work for cn=Directory Manager because that entry does not exist and there is an ambiguity about what to do in that case -- a directory manager-run operation means basically ipa -e in_server=True vault-add which does not exist in the server context at all (it is client-only operation) and thus cannot be triggered.

@abbra
Contributor Author

abbra commented May 3, 2024

@rcritten so I think we can leave out vault's plugin use of context.principal. I think this PR is ready for review now.

@rcritten
Contributor

rcritten commented May 6, 2024

I tried a batch of user_add in server_context and got an AttributeError but there is no visible traceback so I need to dig into this further to see what is going on.

@abbra
Contributor Author

abbra commented May 8, 2024

@rcritten I added an experimental commit that performs auditing to the journal for every single command run in the server context. This will have a side-effect that all commands used during installation will also be recorded.

Let me know if anything there can be improved.

@abbra
Contributor Author

abbra commented May 8, 2024

FYI, when I say 'all commands', it also means we get auditing of IPA API JSON-RPC endpoint as well:

# kinit admin
Password for [email protected]: 
# ipa ping
----------------------------------------------------------------
IPA server version 4.12.0.dev202403201320+git. API version 2.253
----------------------------------------------------------------
# journalctl -t IPA.API 
May 08 12:00:15 master2.ipa2.test IPA.API[368050]: [/usr/bin/ipa] [autobind]: user_find(None, whoami=False, all=False, raw=False, version='2.253', no_members=True, pkey_only=False, in_group=('admins',))
May 08 12:00:15 master2.ipa2.test IPA.API[368050]: [/usr/bin/ipa] [autobind]: otptoken_find(None, ipatokenowner='foobar', all=False, raw=False, version='2.253', no_members=False, pkey_only=False)
May 08 12:00:15 master2.ipa2.test IPA.API[368050]: [/usr/bin/ipa] [autobind]: subid_find(None, ipaowner='foobar', all=False, raw=False, version='2.253', pkey_only=False)
May 08 12:00:15 master2.ipa2.test IPA.API[368050]: [/usr/bin/ipa] [autobind]: user_del(('foobar',), continue=False, version='2.253')
May 08 12:00:17 master2.ipa2.test IPA.API[368050]: [/usr/bin/ipa] [autobind]: console(None, version='2.253')
May 08 12:14:27 master2.ipa2.test IPA.API[368142]: [/mod_wsgi] [email protected]: ping(version='2.253')

@abbra
Contributor Author

abbra commented May 8, 2024

Here is an example, in TestSimpleReplication::install test:

$ curl -s http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d2453380-0d3b-11ef-8430-fa163e030f13/test_integration-test_simple_replication.py-TestSimpleReplication-install/master.ipa.test/journal.gz |zgrep IPA.API|wc -l
193

Here is the full output, without dates and hostname prefix:

$ curl -s http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d2453380-0d3b-11ef-8430-fa163e030f13/test_integration-test_simple_replication.py-TestSimpleReplication-install/master.ipa.test/journal.gz |zgrep IPA.API|cut -d' ' -f5-
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: caacl_find(None, all=False, raw=False, version='2.253', no_members=True, pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: caacl_add('hosts_services_caIPAserviceCert', hostcategory='all', servicecategory='all', all=False, raw=False, version='2.253', no_members=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: caacl_add_profile('hosts_services_caIPAserviceCert', all=False, raw=False, version='2.253', no_members=False, certprofile=('caIPAserviceCert',))
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: host_show('master.ipa.test', rights=False, all=False, raw=False, version='2.253', no_members=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: service_add(ipapython.kerberos.Principal('HTTP/[email protected]'), force=True, skip_host_check=False, all=False, raw=False, version='2.253', no_members=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: topologysuffix_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: topologysegment_find('domain', None, all=True, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnszone_add(<DNS name ipa.test.>, idnssoamname=<DNS name master.ipa.test.>, idnssoarname=<DNS name hostmaster.ipa.test.>, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy='grant IPA.TEST krb5-self * A; grant IPA.TEST krb5-self * AAAA; grant IPA.TEST krb5-self * SSHFP;', idnsallowdynupdate=True, idnsallowquery='any;', idnsallowtransfer='none;', skip_overlap_check=True, force=True, skip_nameserver_check=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kerberos>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, txtrecord=('IPA.TEST',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name master>, arecord=('192.168.121.94',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnszone_find(None, forward_only=False, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name @>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=('master.ipa.test.',), force=True, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsserver_add('master.ipa.test', idnssoamname=<DNS name master.ipa.test.>, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsserver_mod('master.ipa.test', idnsforwarders=('192.168.121.1',), idnsforwardpolicy='only', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: server_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False, servrole=('IPA master',))
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: location_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: schema(version='2.170')
/mod_wsgi[11592]: [IPA.API] host/[email protected]: ping(version='2.253')
/mod_wsgi[11594]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.107')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: config_show(rights=False, all=False, raw=True, version='2.0')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: host_show('master.ipa.test', rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: host_mod('master.ipa.test', random=False, ipasshpubkey=('ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOdmTRlXa7mo5P5M0g1Z38TTa9FvLWIR9zObNX1dhrIKf43I0/Y1DEmbKagg6qq1KTPscmSVpNgpfYplqBRWTo=', 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5QWyoQGvhF677zliXwusziT6iCJuF6uZkdVvvlvd9y', 'ssh-rsa ...'), rights=False, updatedns=False, all=False, raw=False, version='2.26', no_members=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: server_role_find(None, server_server='master.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: server_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False, servrole=('IPA master',))
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kerberos.ipa.test.>, txtrecord=('"IPA.TEST"',), urirecord=('0 100 "krb5srv:m:tcp:master.ipa.test."', '0 100 "krb5srv:m:udp:master.ipa.test."'), setattr=('idnsTemplateAttribute;cnamerecord=_kerberos.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _ldap._tcp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 389 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _ldap._tcp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_ldap._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kerberos._tcp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 88 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kerberos._tcp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kerberos._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kerberos._udp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 88 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kerberos._udp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kerberos._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kerberos-master._tcp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 88 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kerberos-master._tcp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kerberos-master._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kerberos-master._udp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 88 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kerberos-master._udp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kerberos-master._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kpasswd._tcp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 464 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kpasswd._tcp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kpasswd._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kpasswd._udp.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=('0 100 464 master.ipa.test.',), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kpasswd._udp.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kpasswd._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name _kpasswd.ipa.test.>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, urirecord=('0 100 "krb5srv:m:tcp:master.ipa.test."', '0 100 "krb5srv:m:udp:master.ipa.test."'), force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_mod(<DNS name ipa.test.>, <DNS name _kpasswd.ipa.test.>, setattr=('idnsTemplateAttribute;cnamerecord=_kpasswd.\\{substitutionvariable_ipalocation\\}._locations',), addattr=('objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name ipa-ca.ipa.test.>, arecord=('192.168.121.94',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: location_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-install[6573]: [IPA.API] [autobind]: dns_update_system_records(dry_run=False, all=False, raw=False, version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: dnszone_mod(<DNS name ipa.test.>, dnsttl=1, dnsdefaultttl=1, rights=False, force=False, all=False, raw=False, version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: dnsrecord_show(<DNS name ipa.test.>, <DNS name master.ipa.test.>, rights=False, structured=False, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] [email protected]: dnsrecord_add(<DNS name ipa.test.>, <DNS name replica0.ipa.test.>, arecord=('192.168.121.146',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: domainlevel_get(version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: dnsconfig_mod(idnsallowsyncptr=True, rights=False, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] [email protected]: dnszone_add(<DNS name 121.168.192.in-addr.arpa.>, idnssoarname=<DNS name hostmaster>, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy='grant IPA.TEST krb5-subdomain 121.168.192.in-addr.arpa. PTR;', idnsallowdynupdate=False, idnsallowquery='any;', idnsallowtransfer='none;', skip_overlap_check=True, force=False, skip_nameserver_check=False, all=False, raw=False, version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: dnszone_mod(<DNS name 121.168.192.in-addr.arpa.>, idnsallowdynupdate=True, rights=False, force=False, all=False, raw=False, version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: host_add('replica0.ipa.test', nshardwareplatform='x86_64', nsosversion='6.5.10-300.fc39.x86_64', random=False, force=True, no_reverse=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11594]: [IPA.API] [email protected]: config_show(rights=False, all=False, raw=False, version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: join('replica0.ipa.test', realm='IPA.TEST', nshardwareplatform='x86_64', nsosversion='6.5.10-300.fc39.x86_64', version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: schema(version='2.170')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ping(version='2.253')
/mod_wsgi[11592]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.107')
/mod_wsgi[11594]: [IPA.API] host/[email protected]: config_show(rights=False, all=False, raw=True, version='2.0')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: host_show('replica0.ipa.test', rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: host_mod('replica0.ipa.test', random=False, ipasshpubkey=('ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOdmTRlXa7mo5P5M0g1Z38TTa9FvLWIR9zObNX1dhrIKf43I0/Y1DEmbKagg6qq1KTPscmSVpNgpfYplqBRWTo=', 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5QWyoQGvhF677zliXwusziT6iCJuF6uZkdVvvlvd9y', 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQV4g+EdXK1qx4+w1TYUVkIBgpDVRy+gLeQj3KKH5h78gm8Lt9tGngNllDuKDzX2PMSEgf7XC8dYdsrOcosiIMXf8XCuVLFLHwaoBVdpwCHxkQ2o32jPuM2pUPglQI7bEXeJqgADrk1q/lcBaczSndbivh3klc04eW+vEbVsyMJ2DDlVACaHf69LIkR2ULgQ+YOELhQ0R/Ln6O7SUXl2KXCyBPzfm0Lh/d/1huEjVaKarnSUptH0Ys1mNVLIIX9cSPEWn4Xf6n3G0PzKlDC69YHF6rMAZ4eq6vNc7UMa7RqHrHFZRodraDrchgA7uwF+JN08A+HF5HSqbvq+klv8ZhW32+ZpLRyxY/3PZALWGfPvtlSnrCTYYAqf55hN2tgmdX2BjUj4JjqyFJkyixxUwih2p8xx761G0ILRBFqfXcYZniAE3cqatEq1U3EIH92tpAn5ou66Y8LAoSUTfA5Rw0p4Vf10+8LEG7cCcmowfg/KKx3f8JyH1R2wejwemYgJ8='), rights=False, updatedns=False, all=False, raw=False, version='2.26', no_members=False)
/mod_wsgi[11591]: [IPA.API] [email protected]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/mod_wsgi[11592]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.107')
/mod_wsgi[11594]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11594]: [IPA.API] host/[email protected]: ca_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/mod_wsgi[11595]: [IPA.API] host/[email protected]: env(('version',), server=False, all=True, version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: env(('fips_mode',), server=False, all=True, version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: ping(version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: server_conncheck('master.ipa.test', 'replica0.ipa.test', version='2.162')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: caacl_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False)
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: certprofile_show('caIPAserviceCert', rights=False, all=False, raw=False, version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11595]: [IPA.API] host/[email protected]: service_mod(ipapython.kerberos.Principal('ldap/[email protected]'), addattr=('usercertificate=...',), rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11595]: [IPA.API] host/[email protected]: cert_request(<cryptography.hazmat.bindings._rust.x509.CertificateSigningRequest object at 0x7f802d41a9e0>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/[email protected]'), add=True, chain=False, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: caacl_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False)
/mod_wsgi[11591]: [IPA.API] host/[email protected]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/mod_wsgi[11591]: [IPA.API] host/[email protected]: server_role_find(None, server_server='replica0.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: server_show('replica0.ipa.test', rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: certprofile_show('caIPAserviceCert', rights=False, all=False, raw=False, version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: ca_is_enabled(version='2.253')
/mod_wsgi[11591]: [IPA.API] host/[email protected]: service_mod(ipapython.kerberos.Principal('HTTP/[email protected]'), addattr=('usercertificate=...',), rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11591]: [IPA.API] host/[email protected]: cert_request(<cryptography.hazmat.bindings._rust.x509.CertificateSigningRequest object at 0x7f802d41a9e0>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('HTTP/[email protected]'), add=True, chain=False, all=False, raw=False, version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: ping(version='2.253')
/mod_wsgi[11594]: [IPA.API] [email protected]: command_defaults('user_add/1', params=('cn',), kw={'givenname': 'test', 'sn': 'user'}, version='2.253')
/mod_wsgi[11595]: [IPA.API] [email protected]: user_add('testuser1', givenname='test', sn='user', cn='test user', displayname='test user', initials='tu', gecos='test user', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=False, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11591]: [IPA.API] [email protected]: ping(version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: user_show('testuser2', rights=False, all=False, raw=False, version='2.253', no_members=False)
/mod_wsgi[11594]: [IPA.API] [email protected]: ping(version='2.253')
/mod_wsgi[11595]: [IPA.API] [email protected]: topologysegment_find('domain', None, all=False, raw=False, version='2.253', pkey_only=False)
/mod_wsgi[11591]: [IPA.API] [email protected]: ping(version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: domainlevel_get(version='2.253')
/mod_wsgi[11592]: [IPA.API] [email protected]: topologysegment_mod('domain', 'master.ipa.test-to-replica0.ipa.test', nsds5replicatedattributelist='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: topologysuffix_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: topologysegment_find('ca', None, all=True, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: topologysegment_find('domain', None, all=True, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: domainlevel_get(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: topologysegment_mod('domain', 'master.ipa.test-to-replica0.ipa.test', nsds5replicatedattributelist='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: idrange_show('IPA.TEST_id_range', rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnszone_find(None, forward_only=False, all=True, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: adtrust_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsconfig_show(rights=False, all=True, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsconfig_show(rights=False, all=True, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: location_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: kra_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dns_is_enabled(version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsrecord_find(<DNS name ipa.test.>, 'ipa-ca', structured=False, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: server_role_find(None, server_server='master.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: server_role_find(None, server_server='replica0.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: server_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False, servrole=('IPA master',))
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name ipa-ca.ipa.test.>,), continue=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsrecord_del(<DNS name ipa.test.>, <DNS name ipa-ca.ipa.test.>, del_all=True, structured=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name ipa-ca.ipa.test.>, arecord=('192.168.121.94', '192.168.121.146'), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: location_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: caacl_find(None, all=False, raw=False, version='2.253', no_members=True, pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: trust_find(None, sizelimit=0, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: service_show(ipapython.kerberos.Principal('HTTP/[email protected]'), rights=False, all=True, raw=False, version='2.253', no_members=False)
/usr/sbin/ipa-server-upgrade[13640]: [IPA.API] [autobind]: server_role_find(None, server_server='master.ipa.test', role_servrole='IPA master', status='hidden', include_master=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: domainlevel_get(version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, server_server='master.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, server_server='replica0.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_find(None, sizelimit=0, all=False, raw=False, version='2.253', no_members=False, pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: topologysegment_find('domain', None, sizelimit=0, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: topologysegment_find('ca', None, sizelimit=0, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: config_show(rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dns_is_enabled(version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsconfig_show(rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, role_servrole='KRA server', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: ca_is_enabled(version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dns_is_enabled(version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_find(<DNS name ipa.test.>, 'replica0', structured=False, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_find(<DNS name ipa.test.>, 'replica0', structured=False, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_del(<DNS name ipa.test.>, <DNS name replica0>, arecord=('192.168.121.146',), del_all=False, structured=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnszone_show(<DNS name 121.168.192.in-addr.arpa.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: topologysuffix_find(None, all=True, raw=True, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, server_server='master.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_role_find(None, server_server='replica0.ipa.test', status='enabled', include_master=True, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_find(None, all=False, raw=False, version='2.253', no_members=False, pkey_only=False, servrole=('IPA master',))
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnszone_show(<DNS name ipa.test.>, rights=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name ipa-ca.ipa.test.>,), continue=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_del(<DNS name ipa.test.>, <DNS name ipa-ca.ipa.test.>, del_all=True, structured=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: dnsrecord_add(<DNS name ipa.test.>, <DNS name ipa-ca.ipa.test.>, arecord=('192.168.121.94', '192.168.121.146'), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.253')
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: location_find(None, all=False, raw=False, version='2.253', pkey_only=False)
/usr/sbin/ipa-replica-manage[15414]: [IPA.API] [autobind]: server_del(('replica0.ipa.test',), continue=False, ignore_topology_disconnect=True, ignore_last_of_role=True, force=False, version='2.253')

@abbra
Contributor Author

abbra commented May 8, 2024

I just realized I switched the labels. The idea was to put IPA.API as the program name so that journalctl -t IPA.API would match all IPA API log entries. Alternatively, one would need to use journalctl -g IPA.API instead. Maybe it is better this way?

@rcritten
Contributor

rcritten commented May 8, 2024

I like the journal logger. I've been testing with -g for now. It is working fine.

I was playing with things though and maybe it's just a console error so out-of-band for this change, but try something like showing an unknown user:

api.Command["user_show"]('foo')

It results in a rather gigantic traceback with the raw ldap.NO_SUCH_OBJECT not caught. The journal logged:
abrt-notification[2706723]: Process 2706693 (ipa) of user 1000 encountered an uncaught ldap.NO_SUCH_OBJECT exception

@abbra
Contributor Author

abbra commented May 8, 2024

Thanks. I see the same with Fedora's 4.11.1 on F39, so this is unrelated. I think it would be nice if the console framework would override InteractiveConsole.showtraceback() for IPA exceptions to print the final message and not the whole traceback.

I added an experimental commit -- let me know if that one is OK for you.

@abbra
Contributor Author

abbra commented May 8, 2024

@t-woerner could you please check whether this PR works for ansible-freeipa?

@rcritten
Contributor

rcritten commented May 8, 2024

The override does make it work a lot nicer in console.

@t-woerner
Member

t-woerner commented May 10, 2024

For the enablement of the batch command in the IpaAnsibleModule backend for the client context, we would need to have a way to detect the availability of this PR on the server side.
Due to the issues with error reporting and aborted batch command processing, we have to disable the use of the batch command if the fix is not there.

@abbra
Contributor Author

abbra commented May 15, 2024

I tried to bump batch command's version to 2. However, this has an effect that only batch/2 command becomes available. As a result, batch/1 is no longer available and simple batch command cannot be performed by a client that does not know about batch/2 because it is filtered out from the list of default command versions on the client side then.

This is unfortunate and does not allow us to use the versioning of the commands for anything useful.

Alternatives that might be used:

  • create a new batch-style command and rely on its existence.
  • add an option to existing batch command and check command metadata that this option is present

Both approaches are easy if ansible-freeipa needs to detect newer API. Relying on API version is cumbersome, especially if these calls need to be backported.

@t-woerner
Member

@abbra I think it would be good to add an option to the existing batch command.

Something that might help for ansible-freeipa would be to have some sort of a quiet mode where only errors and some sort of acks are returned. It is important to have the same length of the returned list with and without this option enabled.

@t-woerner
Member

The only field that ansible-freeipa modules are currently using from the batch results is randompassword for the user and host modules. It would be great if we could limit the output to this at least for the user and host modules.
The query mode (WIP) for the modules makes it possible to get the whole list of fields, or only specific fields, back.

In a server-like context we use an LDAPI connection with auto-binding to an LDAP
object based on the UID of the process connecting to the LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

In principal_has_privilege() we can take a None principal object as a sign
that the currently bound LDAP DN has to be checked for the privilege. This
allows matching any type of account to the privilege, with the exception of
cn=Directory Manager, which is never added to privileges explicitly.

cn=Directory Manager will be allowed any privilege because it already
can write to any LDAP entry.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <[email protected]>
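The decision logic the commit message above describes, as an added model that is not FreeIPA's own principal_has_privilege() implementation: the in-memory directory, the DNs and the BoundConnection stand-in are constructed for this illustration, and the real check resolves privilege membership through LDAP.

```python
"""Model of the privilege check under LDAPI autobind (added illustration,
not FreeIPA code). Every DN and entry below is constructed."""

DIRECTORY_MANAGER_DN = "cn=Directory Manager"
PRIVILEGE_BASE = "cn=privileges,cn=pbac,dc=ipa,dc=test"  # constructed

# Constructed entries: DN -> attributes. As on a real server, the Directory
# Manager has no entry of its own and is never a member of a privilege.
DIRECTORY = {
    "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test": {
        "krbprincipalname": ["admin@IPA.TEST"],
        "memberof": ["cn=User Administrators," + PRIVILEGE_BASE],
    },
    "krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,"
    "cn=accounts,dc=ipa,dc=test": {
        "krbprincipalname": ["HTTP/master.ipa.test@IPA.TEST"],
        "memberof": ["cn=Host Enrollment," + PRIVILEGE_BASE],
    },
}


class BoundConnection:
    """Stand-in for the LDAP connection. With LDAPI autobind the bound DN
    is derived from the peer process UID, not from a Kerberos ticket."""

    def __init__(self, bound_dn):
        self.bound_dn = bound_dn

    def whoami(self):
        return self.bound_dn


def find_dn_by_principal(principal):
    """Map a Kerberos principal name to its entry DN (hypothetical helper)."""
    for dn, attrs in DIRECTORY.items():
        if principal in attrs.get("krbprincipalname", []):
            return dn
    raise LookupError("no entry for principal %s" % principal)


def principal_has_privilege(conn, principal, privilege):
    """Return True if the caller holds `privilege`.

    principal=None means there is no Kerberos principal in the context
    (server-like context, LDAPI autobind): fall back to the DN the
    connection is bound as. cn=Directory Manager is granted everything,
    since it can write to any entry anyway and is never added to a
    privilege. When a principal *is* given, the bound DN is not consulted.
    """
    if principal is None:
        dn = conn.whoami()
        if dn.lower() == DIRECTORY_MANAGER_DN.lower():
            return True
    else:
        dn = find_dn_by_principal(principal)
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False  # bound as an account we cannot resolve: deny
    privilege_dn = "cn=%s,%s" % (privilege, PRIVILEGE_BASE)
    members = (m.lower() for m in entry.get("memberof", []))
    return privilege_dn.lower() in members
```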
@abbra
Contributor Author

abbra commented May 17, 2024

@t-woerner I added the keeponly=List of strings option. The following script will add five users and will remove everything but `dn`, `uid`, and `randompassword` from the output:

from ipalib import api, errors
from pprint import pprint as pp

# Server context: the LDAPI connection auto-binds to the LDAP object of the
# calling process UID, so no Kerberos principal is involved.
api.bootstrap_with_global_options(context="server")
api.finalize()
api.Backend.ldap2.connect()

# Build five user_add calls; each entry is {'method': ..., 'params': [args, kw]}
batch_args = []
for i in range(5):
    user_id = "huser%i" % i
    args = [user_id]
    kw = {'givenname': user_id, 'sn': user_id, 'random': True}
    batch_args.append({'method': 'user_add', 'params': [args, kw]})

# Only these keys survive in each result dict of the batch output
keeponly = ('dn', 'uid', 'randompassword')
r = api.Command["batch"](methods=batch_args, keeponly=keeponly)
pp(r)

This is what you'd get:

ipa: DEBUG: raw: batch(user_add('huser0', givenname='huser0', sn='huser0', random=True), user_add('huser1', givenname='huser1', sn='huser1', random=True), user_add('huser2', givenname='huser2', sn='huser2', random=True), user_add('huser3', givenname='huser3', sn='huser3', random=True), user_add('huser4', givenname='huser4', sn='huser4', random=True))
ipa: DEBUG: batch(user_add('huser0', givenname='huser0', sn='huser0', random=True), user_add('huser1', givenname='huser1', sn='huser1', random=True), user_add('huser2', givenname='huser2', sn='huser2', random=True), user_add('huser3', givenname='huser3', sn='huser3', random=True), user_add('huser4', givenname='huser4', sn='huser4', random=True))
ipa: DEBUG: raw: user_add('huser0', givenname='huser0', sn='huser0', random=True, version='2.253')
ipa: DEBUG: user_add('huser0', givenname='huser0', sn='huser0', cn='huser0 huser0', displayname='huser0 huser0', initials='hh', gecos='huser0 huser0', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=True, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-IPA1-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f9d46704050>
ipa: DEBUG: add_entry_to_group: dn=uid=huser0,cn=users,cn=accounts,dc=ipa1,dc=test group_dn=cn=ipausers,cn=groups,cn=accounts,dc=ipa1,dc=test member_attr=member
ipa: INFO: [autobind]: batch: user_add('huser0', givenname='huser0', sn='huser0', random=True): SUCCESS
ipa: DEBUG: raw: user_add('huser1', givenname='huser1', sn='huser1', random=True, version='2.253')
ipa: DEBUG: user_add('huser1', givenname='huser1', sn='huser1', cn='huser1 huser1', displayname='huser1 huser1', initials='hh', gecos='huser1 huser1', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=True, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
ipa: DEBUG: add_entry_to_group: dn=uid=huser1,cn=users,cn=accounts,dc=ipa1,dc=test group_dn=cn=ipausers,cn=groups,cn=accounts,dc=ipa1,dc=test member_attr=member
ipa: INFO: [autobind]: batch: user_add('huser1', givenname='huser1', sn='huser1', random=True): SUCCESS
ipa: DEBUG: raw: user_add('huser2', givenname='huser2', sn='huser2', random=True, version='2.253')
ipa: DEBUG: user_add('huser2', givenname='huser2', sn='huser2', cn='huser2 huser2', displayname='huser2 huser2', initials='hh', gecos='huser2 huser2', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=True, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
ipa: DEBUG: add_entry_to_group: dn=uid=huser2,cn=users,cn=accounts,dc=ipa1,dc=test group_dn=cn=ipausers,cn=groups,cn=accounts,dc=ipa1,dc=test member_attr=member
ipa: INFO: [autobind]: batch: user_add('huser2', givenname='huser2', sn='huser2', random=True): SUCCESS
ipa: DEBUG: raw: user_add('huser3', givenname='huser3', sn='huser3', random=True, version='2.253')
ipa: DEBUG: user_add('huser3', givenname='huser3', sn='huser3', cn='huser3 huser3', displayname='huser3 huser3', initials='hh', gecos='huser3 huser3', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=True, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
ipa: DEBUG: add_entry_to_group: dn=uid=huser3,cn=users,cn=accounts,dc=ipa1,dc=test group_dn=cn=ipausers,cn=groups,cn=accounts,dc=ipa1,dc=test member_attr=member
ipa: INFO: [autobind]: batch: user_add('huser3', givenname='huser3', sn='huser3', random=True): SUCCESS
ipa: DEBUG: raw: user_add('huser4', givenname='huser4', sn='huser4', random=True, version='2.253')
ipa: DEBUG: user_add('huser4', givenname='huser4', sn='huser4', cn='huser4 huser4', displayname='huser4 huser4', initials='hh', gecos='huser4 huser4', krbprincipalname=(ipapython.kerberos.Principal('[email protected]'),), random=True, noprivate=False, all=False, raw=False, version='2.253', no_members=False)
ipa: DEBUG: add_entry_to_group: dn=uid=huser4,cn=users,cn=accounts,dc=ipa1,dc=test group_dn=cn=ipausers,cn=groups,cn=accounts,dc=ipa1,dc=test member_attr=member
ipa: INFO: [autobind]: batch: user_add('huser4', givenname='huser4', sn='huser4', random=True): SUCCESS
{'count': 5,
 'messages': [{'code': 13001,
               'data': {'server_version': '2.253'},
               'message': 'API Version number was not sent, forward '
                          "compatibility not guaranteed. Assuming server's API "
                          'version, 2.253',
               'name': 'VersionMissing',
               'type': 'warning'}],
 'results': [{'error': None,
              'result': {'dn': ipapython.dn.DN('uid=huser0,cn=users,cn=accounts,dc=ipa1,dc=test'),
                         'randompassword': '1Vx%vE-.^|?<B<;go.LUtR',
                         'uid': ['huser0']},
              'summary': 'Added user "huser0"',
              'value': 'huser0'},
             {'error': None,
              'result': {'dn': ipapython.dn.DN('uid=huser1,cn=users,cn=accounts,dc=ipa1,dc=test'),
                         'randompassword': '6Kw<@/NbCe%_D~kzIC}!(?',
                         'uid': ['huser1']},
              'summary': 'Added user "huser1"',
              'value': 'huser1'},
             {'error': None,
              'result': {'dn': ipapython.dn.DN('uid=huser2,cn=users,cn=accounts,dc=ipa1,dc=test'),
                         'randompassword': '4Id}!I>2>~%y.J(b4z]!,D',
                         'uid': ['huser2']},
              'summary': 'Added user "huser2"',
              'value': 'huser2'},
             {'error': None,
              'result': {'dn': ipapython.dn.DN('uid=huser3,cn=users,cn=accounts,dc=ipa1,dc=test'),
                         'randompassword': '4Rd(k0OKFmSP$0!MI%(9(Q',
                         'uid': ['huser3']},
              'summary': 'Added user "huser3"',
              'value': 'huser3'},
             {'error': None,
              'result': {'dn': ipapython.dn.DN('uid=huser4,cn=users,cn=accounts,dc=ipa1,dc=test'),
                         'randompassword': '4Oa>?93/tz_yBWRo8.0KNv',
                         'uid': ['huser4']},
              'summary': 'Added user "huser4"',
              'value': 'huser4'}]}

@abbra abbra force-pushed the fix-context.principal branch 2 times, most recently from 1599946 to f6e5d22 Compare May 17, 2024 12:29
@abbra
Contributor Author

abbra commented May 17, 2024

@abbra
Contributor Author

abbra commented May 17, 2024

Removed the temp commit and added test_integration/test_idm_api.py to the set of nightly_latest tests. Since the whole set of API tests works now, it can be used to detect failures in the API on a regular basis. We also have batch command tests in ipatests/test_xmlrpc/test_batch_plugin.py but I'll leave them as they are. Previously the test_idm_api test suite was not even enabled.

@abbra
Contributor Author

abbra commented May 17, 2024

Moved instead to gating.yaml because otherwise we'd have to add it to all nightly variants and that is not needed, for sure.

@abbra abbra added the re-run Trigger a new run of PR-CI label May 18, 2024
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label May 18, 2024
@abbra abbra force-pushed the fix-context.principal branch 2 times, most recently from 5a41ea7 to 8238dab Compare May 20, 2024 07:41
@abbra
Contributor Author

abbra commented May 20, 2024

I've updated test_idm_api to have some sensible test of the batch command. It now makes sure only the attributes we requested are returned. Care is taken for the ping command because it will have no 'result' returned at all (only 'summary' and 'error'). Note that order is not preserved for dicts so we cannot do a straight comparison, hence using 'set()' here. In addition, we do a generic test that a subset of the keeponly attributes is returned, not an explicit equivalence.

abbra added 2 commits May 20, 2024 14:36
Follow pylint recommendations (turned errors in recent pylint updates)
and use PEP-380 syntax for subgenerators. This is supported by all
Python 3 versions since ~2011.

Signed-off-by: Alexander Bokovoy <[email protected]>
batch(methods=Dict(), keeponly=list) will allow executing a batch of
commands and removing from the output everything but the attributes whose
names were passed in the keeponly list.

This can be useful if you are only interested in getting names and
assigned random passwords, for example.

Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <[email protected]>
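The keeponly semantics from the commit message above, together with the subset check described in the May 20 comment, as an added illustration that is not the batch plugin's or test_idm_api's own code; the sample batch results are constructed to mirror the shape printed earlier in this thread, with a ping entry that carries no 'result' key.

```python
"""Added illustration of batch keeponly filtering and its validation.
Not FreeIPA code; SAMPLE_RESULTS is constructed for this example."""


def apply_keeponly(results, keeponly):
    """Drop every key not listed in `keeponly` from each entry's 'result'
    dict. The list keeps its length and order, so callers can still pair
    results with the methods they submitted; entries without a 'result'
    (ping, or a failed command) pass through untouched. Input is not
    mutated."""
    if not keeponly:
        return results
    keep = set(keeponly)
    filtered = []
    for entry in results:
        result = entry.get("result")
        if isinstance(result, dict):
            entry = dict(entry)
            entry["result"] = {k: v for k, v in result.items() if k in keep}
        filtered.append(entry)
    return filtered


def check_keeponly(results, keeponly):
    """The assertion style of the updated test: every entry that has a
    'result' carries only a subset of keeponly. Compared as sets, since
    dict key order cannot be relied on. Returns (ok, unexpected_keys)."""
    keep = set(keeponly)
    for entry in results:
        if "result" not in entry:  # ping has only 'summary' and 'error'
            continue
        extra = set(entry["result"]) - keep
        if extra:
            return False, sorted(extra)
    return True, []


# Constructed sample: a batch of user_add, ping and a failed user_show,
# as returned before keeponly filtering. The password is a placeholder.
SAMPLE_RESULTS = [
    {"error": None, "summary": 'Added user "huser0"', "value": "huser0",
     "result": {"dn": "uid=huser0,cn=users,cn=accounts,dc=ipa1,dc=test",
                "uid": ["huser0"], "givenname": ["huser0"],
                "sn": ["huser0"], "memberof_group": ["ipausers"],
                "randompassword": "constructed-placeholder"}},
    {"error": None, "summary": "IPA server version (constructed)"},  # ping
    {"error": "missing: user not found", "summary": None,
     "value": "missing"},
]

KEEPONLY = ("dn", "uid", "randompassword")
```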
@abbra
Contributor Author

abbra commented May 20, 2024

Moved API audit commit into a separate PR: #7348

@t-woerner
Member

LGTM

keeponly works like a charm.

@rjeffman rjeffman added the ack Pull Request approved, can be merged label May 21, 2024
@antoniotorresm antoniotorresm added the pushed Pull Request has already been pushed label May 22, 2024
@antoniotorresm
Contributor

master:

  • 295ac63 privilege: use context.principal only when it is defined
  • 3608b2b batch: account for auto-binding in server context
  • 71d886f config: use context.principal only when it is defined
  • ab54656 server: use context.principal only when it is defined
  • 08f1e6f trust: use context.principal only when it is defined
  • b6131b5 trust: handle stray pylint warning
  • e386e22 cert: use context.principal only when it is defined
  • 902c8b0 passwd: handle LDAP auto-bind use case as well
  • c325f9c user: handle LDAP auto-bind for whoami case
  • 6cc0a0b pylint: use yield_from for trivial cases
  • 9e86169 batch: add keeponly option

@antoniotorresm
Contributor

@abbra we need a manual backport of this PR to ipa-4-11.
