[Freeipa-devel] [PATCHES] 213-224 Use old entry state in LDAP mods

Petr Viktorin pviktori at redhat.com
Fri Jan 10 13:38:56 UTC 2014


On 01/10/2014 12:43 PM, Jan Cholasta wrote:
> On 20.12.2013 13:06, Petr Viktorin wrote:
>> I now have a failing test in test_permission_rollback. Let's think about
>> this case for a moment:
>>
>> The permission system has "rollback": if an ACI update fails, the entry
>> is rolled back. Currently it works (for ipapermlocation changes) like
>> this:
>>
>> - The old entry is retrieved
>> - A new entry is populated (NB, the framework's mod operation does not
>> retrieve the entry it modifies; rather it builds an entirely new entry
>> with *only* the data that's changed, and relies on generate_modlist
>> doing MOD_REPLACE when orig data is missing).
>> - update is called on the new entry
>> - The ACI is updated, and this fails (e.g. with SyntaxError)
>> - update is called on the *old* entry retrieved in the first step. Up to
>> now this had restored the entry (since existing state was looked up
>> before each mod), but with these patches it raises EmptyModlist since
>> the object has not changed relative to its orig data.
>>
>> Obviously this approach is wrong given how entry is supposed to work
>> now, and I'll be happy to change it. But it's not clear what's the
>> right way to do such rollback.
>
> I have added an optional argument to reset_modlist, which you can use to
> specify on which entry to base the modlist, see patch 214.
>
> Updated patches attached.
>

Thanks!
Looks good, tests pass, upgrade works too. ACK, pushed to master:
7b3d9be388f8e3da3959912061513e40b31926c5

-- 
Petr³
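
The rollback failure and the fix discussed in this thread, as an added example that is not part of the original message and is not FreeIPA's code: a toy model in which `Entry`, `Directory` and `rollback` are hypothetical names, and `reset_modlist(other)` is modelled only on the optional argument described in the reply above.

```python
import copy

class EmptyModlist(Exception):
    """Toy stand-in for the error raised when an update has no changes."""

class Entry:
    def __init__(self, attrs):
        self.attrs = copy.deepcopy(attrs)
        self.reset_modlist()

    def reset_modlist(self, other=None):
        # Diff future updates against `other`'s data (default: our own).
        base = self if other is None else other
        self._orig = copy.deepcopy(base.attrs)

    def generate_modlist(self):
        # Only attributes that differ from the remembered state are sent.
        names = sorted(set(self._orig) | set(self.attrs))
        return [(n, self.attrs.get(n)) for n in names
                if self._orig.get(n) != self.attrs.get(n)]

class Directory:  # constructed in-memory store holding a single entry
    def __init__(self, attrs):
        self.attrs = copy.deepcopy(attrs)
    def get_entry(self):
        return Entry(self.attrs)
    def update(self, entry):
        mods = entry.generate_modlist()
        if not mods:
            raise EmptyModlist("no modifications to be performed")
        for name, value in mods:
            if value is None:
                self.attrs.pop(name, None)
            else:
                self.attrs[name] = copy.deepcopy(value)
        entry.reset_modlist()

def rollback(rebase_on_new):
    ldap = Directory({"cn": ["perm"], "ipapermlocation": ["cn=old"]})
    old = ldap.get_entry()                  # old entry is retrieved
    new = ldap.get_entry()
    new.attrs["ipapermlocation"] = ["cn=new"]
    ldap.update(new)                        # entry changed; the ACI update then fails
    if rebase_on_new:
        old.reset_modlist(new)              # diff old data against what is stored now
    try:
        ldap.update(old)                    # attempt the rollback
    except EmptyModlist:
        return "EmptyModlist", ldap.attrs["ipapermlocation"]
    return "restored", ldap.attrs["ipapermlocation"]
```

Without the rebase, the rollback raises `EmptyModlist` and the stored permission location stays at the new value even though the ACI update failed.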



