|
Packit |
fd8b60 |
Some (intentional) changes from Sun's submission are noted in the
|
|
Packit |
fd8b60 |
install guide.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Bugs or issues:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The "full resync" part of the protocol involves the master side firing
|
|
Packit |
fd8b60 |
off a normal kprop (and going back to servicing requests), and the
|
|
Packit |
fd8b60 |
replica side stopping all the incremental propagation stuff and
|
|
Packit |
fd8b60 |
waiting for the kprop. If the connection from the master never comes
|
|
Packit |
fd8b60 |
in for some reason, the replica side just blocks forever, and never
|
|
Packit |
fd8b60 |
resumes incremental propagation.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The protocol does not currently pass policy database changes; this was
|
|
Packit |
fd8b60 |
an intentional decision on Sun's part. The policy database is only
|
|
Packit |
fd8b60 |
relevant to the master KDC, and is usually fairly static (aside from
|
|
Packit |
fd8b60 |
refcount updates), but not propagating it does mean that a replica
|
|
Packit |
fd8b60 |
maintained via iprop can't simply be promoted to a master in disaster
|
|
Packit |
fd8b60 |
recovery or other cases without doing a full propagation or restoring
|
|
Packit |
fd8b60 |
a database from backups.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Shawn had a good suggestion after I started the integration work, and
|
|
Packit |
fd8b60 |
which I haven't had a chance to implement: Make the update-log code
|
|
Packit |
fd8b60 |
fit in as a sort of pseudo-database layer via the DAL, being called
|
|
Packit |
fd8b60 |
through the standard DAL methods, and doing its work around calls
|
|
Packit |
fd8b60 |
through to the real database back end again through the DAL methods.
|
|
Packit |
fd8b60 |
So for example, creating a "iprop+db2" database would create an update
|
|
Packit |
fd8b60 |
log and the real db2 database; storing a principal entry would update
|
|
Packit |
fd8b60 |
the update log as well; etc. At least initially, we wouldn't treat it
|
|
Packit |
fd8b60 |
as a differently-named database; the installation of the hooks would
|
|
Packit |
fd8b60 |
be done by explicitly checking if iprop is enabled, etc.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The "iprop role" is assumed to be either master or replica. The
|
|
Packit |
fd8b60 |
master writes a log, and the replica fetches it. But what about a
|
|
Packit |
fd8b60 |
cascade propagation model where A sends to B which sends to C, perhaps
|
|
Packit |
fd8b60 |
because A's bandwidth is highly limited, or B and C are co-located?
|
|
Packit |
fd8b60 |
In such a case, B would want to operate in both modes. Granted, with
|
|
Packit |
fd8b60 |
iprop the bandwidth issues should be less important, but there may
|
|
Packit |
fd8b60 |
still be reasons one may wish to run in such a configuration.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The propagation of changes does not happen in real time. It's not a
|
|
Packit |
fd8b60 |
"push" protocol; the replicas poll periodically for changes. Perhaps
|
|
Packit |
fd8b60 |
a future revision of the protocol could address that.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
kadmin/cli/kadmin.c call to kadm5_init_iprop - is this needed in
|
|
Packit |
fd8b60 |
client-side program? Should it be done in libkadm5srv instead as part
|
|
Packit |
fd8b60 |
of the existing kadm5_init* so that database-accessing applications
|
|
Packit |
fd8b60 |
that don't get updated at the source level will automatically start
|
|
Packit |
fd8b60 |
changing the update log as needed?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Locking: Currently DAL exports the DB locking interface to the caller;
|
|
Packit |
fd8b60 |
we want to slip the iprop code in between -- run it plus the DB update
|
|
Packit |
fd8b60 |
operation with the DB lock held, whether or not the caller grabbed the
|
|
Packit |
fd8b60 |
lock. (Does the caller always grab the lock before making changes?)
|
|
Packit |
fd8b60 |
Currently we're using a file lock on the update log itself; this will
|
|
Packit |
fd8b60 |
be independent of whether the DB back end implements locking (which
|
|
Packit |
fd8b60 |
may be a good thing or a bad thing, depending).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Various logging calls with odd format strings like "<null>" should be
|
|
Packit |
fd8b60 |
fixed.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Why are different principal names used, when incremental propagation
|
|
Packit |
fd8b60 |
requires that normal kprop (which uses host principals) be possible
|
|
Packit |
fd8b60 |
anyways?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Why is this tied to kadmind, aside from (a) wanting to prevent other
|
|
Packit |
fd8b60 |
db changes, which locking protocols should deal with anyways, (b)
|
|
Packit |
fd8b60 |
existing acl code, (c) existing server process?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The incremental propagation protocol requires an ACL entry on the
|
|
Packit |
fd8b60 |
master, listing the replica. Since the full-resync part uses normal
|
|
Packit |
fd8b60 |
kprop, the replica also has to have an ACL entry for the master. If
|
|
Packit |
fd8b60 |
this is missing, I suspect the behavior will be that every two
|
|
Packit |
fd8b60 |
minutes, the master side will (at the prompting of the replica) dump
|
|
Packit |
fd8b60 |
out the database and attempt a full propagation.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Possible optimizations: If an existing dump file has a recent enough
|
|
Packit |
fd8b60 |
serial number, just send it, without dumping again? Use just one dump
|
|
Packit |
fd8b60 |
file instead of one per replica?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Requiring normal kprop means the replica still can't be behind a NAT
|
|
Packit |
fd8b60 |
or firewall without special configuration. The incremental parts can
|
|
Packit |
fd8b60 |
work in such a configuration, so long as outgoing TCP connections are
|
|
Packit |
fd8b60 |
allowed.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Still limited to IPv4 because of limitations in MIT's version of the
|
|
Packit |
fd8b60 |
RPC code. (This could be fixed for kprop, if IPv6 sites want to do
|
|
Packit |
fd8b60 |
full propagation only. Doing incremental propagation over IPv6 will
|
|
Packit |
fd8b60 |
take work on the RPC library, and probably introduce
|
|
Packit |
fd8b60 |
backwards-incompatible ABI changes.)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Overflow checks for ulogentries times block size?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If file can't be made the size indicated by ulogentries, should we
|
|
Packit |
fd8b60 |
truncate or error out? If we error out, this could blow out when
|
|
Packit |
fd8b60 |
resizing the log because of a too-large log entry.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The kprop invocation doesn't specify a realm name, so it'll only work
|
|
Packit |
fd8b60 |
for the default realm. No clean way to specify a port number, either.
|
|
Packit |
fd8b60 |
Would it be overkill to come up with a way to configure host+port for
|
|
Packit |
fd8b60 |
kpropd on the master? Preferably in a way that'd support cascading
|
|
Packit |
fd8b60 |
propagations.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The kadmind process, when it needs to run kprop, extracts the replica
|
|
Packit |
fd8b60 |
host name from the client principal name. It assumes that the
|
|
Packit |
fd8b60 |
principal name will be of the form foo/hostname@REALM, and looks
|
|
Packit |
fd8b60 |
specifically for the "/" and "@" to chop up the string form of the
|
|
Packit |
fd8b60 |
name. If looking up that name won't give a working IPv4 address for
|
|
Packit |
fd8b60 |
the replica, kprop will fail (and kpropd will keep waiting,
|
|
Packit |
fd8b60 |
incremental updates will stop, etc).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Mapping between file offsets and structure addresses, we should be
|
|
Packit |
fd8b60 |
careful about alignment. We're probably okay on current platforms,
|
|
Packit |
fd8b60 |
but if we break log-format compatibility with Sun at some point, use
|
|
Packit |
fd8b60 |
the chance to make the kdb_ent_header_t offsets be more strictly
|
|
Packit |
fd8b60 |
aligned in the file. (16 or 32 bytes?)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Not thread safe! The kdb5.c code will get a lock on the update log
|
|
Packit |
fd8b60 |
file while making changes, but the lock is per-process. Currently
|
|
Packit |
fd8b60 |
there are no processes I know of that use multiple threads and change
|
|
Packit |
fd8b60 |
the database. (There's the Novell patch to make the KDC
|
|
Packit |
fd8b60 |
multithreaded, but the kdc-kdb-update option doesn't currently
|
|
Packit |
fd8b60 |
compile.)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Logging in kpropd is poor to useless. If there are any problems, run
|
|
Packit |
fd8b60 |
it in debug mode ("-d"). You'll still lose all output from the
|
|
Packit |
fd8b60 |
invocation of kdb5_util dump and kprop run out of kadmind.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Other man page updates needed: Anything with new -x options.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Comments from lha:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Verify both client and server are demanding privacy from RPC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Authorization code in check_iprop_rpcsec_auth is weird. Check realm
|
|
Packit |
fd8b60 |
checking, is it trusting the client realm length?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
What will happen if my realm is named "A" and I can get a cross realm
|
|
Packit |
fd8b60 |
(though multihop) to ATHENA.MIT.EDU's iprop server?
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Why is the ACL not applied before we get to the functions themselves?
|