
Adding host should allow use of 'force' checkbox without IP address added #624

Open
abbra opened this issue Jan 20, 2025 · 3 comments · May be fixed by #627

Comments

@abbra

abbra commented Jan 20, 2025

The code in the web ui is wrong in assuming that we cannot force creation of the entry without IP address.

The whole idea behind ipa host-add --force is to allow adding host objects that don't have DNS entries associated with them. It means there should be no prevention of adding a host entry if it has no IP address.

In the IPA API these options are separate and have separate meanings:

```
ipa help host-add|egrep -- '--force|--ip-address'
  --force               force host name even if not in DNS
  --ip-address=STR      Add the host to DNS with this IP address
```

We have plenty of tests in IPA upstream that only add a host object and never add anything to the DNS. This is typically used for Kerberos services or certificate management: a host is added to manage Kerberos services or to allow a host principal to issue certificates for managed hosts while not having the host itself in DNS.

carma12 added a commit to carma12/freeipa-webui that referenced this issue Jan 29, 2025
Adding host should allow use of 'force'
checkbox without IP address added, as the
idea is to allow adding host objects that
don't have DNS entries associated with them.

Fixes: freeipa#624
Signed-off-by: Carla Martinez <carlmart@redhat.com>
@carma12
Collaborator

carma12 commented Jan 29, 2025

@abbra - I created a PR to fix that.

Based on what's mentioned in the issue's description, is it possible to create a new host without the Force option? I checked this in the current WebUI and it seems to show an error when that happens. I wonder if we should also replicate that in the modern WebUI (as it allows it from now).

This is the current request payload that is sent to the API when a new host is created without the Force option set (modern WebUI), and the result is that it creates a new host entry. If we want to replicate what I mentioned above, some parameters will probably need to be removed from the payload itself:

[Image: request payload sent to the API]

@abbra
Author

abbra commented Jan 30, 2025

The logic in host plugin on the server side:

  • for host_add command:
    • if ip_address is present and DNS role is enabled somewhere in the IPA topology: validate records and prepare them for adding to forward/reverse entries
    • if neither force nor ip_address are present: verify the host is resolvable through the DNS

So force without ip_address just skips DNS resolution of the host.
If force is missing, we attempt to do host resolution and then it depends on the result of that resolution. E.g. if example2.dom-server.ipa.demo exists somewhere we can reach, it would be resolved and thus will permit the host creation.

I think there is a bug in the modern web UI code though if it is sending empty values for ip_address and other fields. It is not supposed to send them:

```
# ipa console
(Custom IPA interactive Python console)
    api: IPA API object
    pp: pretty printer
>>> api.Command.host_add('example2.ipa.test', description='', ip_address='')
{'result': {'objectclass': ('ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice', 'krbprincipalaux', 'krbprincipal', 'ieee802device', 'ipasshhost', 'top', 'ipaSshGroupOfPubKeys'), 'krbcanonicalname': ('host/example2.ipa.test@IPA1DEMO.TEST',), 'krbprincipalname': ('host/example2.ipa.test@IPA1DEMO.TEST',), 'ipauniqueid': ('9639ef56-deec-11ef-b7bc-6e0dc8acc30a',), 'fqdn': ('example2.ipa.test',), 'has_password': False, 'has_keytab': False, 'managedby_host': ('example2.ipa.test',), 'dn': 'fqdn=example2.ipa.test,cn=computers,cn=accounts,dc=ipa1demo,dc=test'}, 'value': 'example2.ipa.test', 'summary': 'Added host "example2.ipa.test"'}
>>> api.Command.host_add('example3.ipa.test')
IPA public error exception: DNSNotARecordError: Host 'example3.ipa.test' does not have corresponding DNS A/AAAA record
>>> exit
# journalctl -g IPA.API --full | tail -2
Jan 30 09:28:38 m1.ipa1demo.test /mod_wsgi[7003]: [IPA.API] admin@IPA1DEMO.TEST: host_add: SUCCESS [ldap2_139660931883632] {"fqdn": "example2.ipa.test", "description": null, "random": false, "force": false, "no_reverse": false, "ip_address": null, "all": false, "raw": false, "version": "2.254", "no_members": false}
Jan 30 09:28:55 m1.ipa1demo.test /mod_wsgi[7002]: [IPA.API] admin@IPA1DEMO.TEST: host_add: DNSNotARecordError [ldap2_139660931899680] {"fqdn": "example3.ipa.test", "random": false, "force": false, "no_reverse": false, "all": false, "raw": false, "version": "2.254", "no_members": false}
```

We would need to validate ip_address being non-empty if it is specified but the UI must not send empty values for these attributes.
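The following is an added example, not freeipa-webui or FreeIPA code, illustrating the two points made in the comment above: the UI should build a `host_add` payload that omits options the user did not set (no empty `ip_address`, no `force: false`), and the server-side decision is driven by which of `force` / `ip_address` are actually present. The form field names, the `AddHostForm` shape and the JSON-RPC envelope layout are assumptions; the API version string is the one visible in the log above.

```typescript
// Added example (not project code): build a host_add payload that sends only
// options the user set, and model the server-side DNS decision described above.
interface AddHostForm {
  fqdn: string;
  description?: string; // free-text field, may be ""
  ipAddress?: string;   // "IP address" text field, may be ""
  force: boolean;       // "Force" checkbox
  noReverse?: boolean;  // "No reverse" checkbox
}

type HostAddOptions = Record<string, string | boolean>;
interface HostAddRequest { method: string; params: [string[], HostAddOptions]; }

// Drop empty strings and unchecked flags instead of sending "" / false.
function buildHostAddPayload(form: AddHostForm): HostAddRequest {
  const options: HostAddOptions = { version: "2.254" }; // version seen in the IPA.API log
  const desc = form.description?.trim() ?? "";
  const ip = form.ipAddress?.trim() ?? "";
  if (desc !== "") options.description = desc;
  if (ip !== "") options.ip_address = ip;
  if (form.force) options.force = true;
  if (form.noReverse) options.no_reverse = true;
  return { method: "host_add", params: [[form.fqdn], options] };
}

// Server-side guard suggested above: ip_address, if specified, must be non-empty.
function validateHostAddOptions(options: HostAddOptions): string | null {
  if ("ip_address" in options && options.ip_address === "") {
    return "ip_address must not be empty when specified";
  }
  return null;
}

type DnsAction = "add_dns_records" | "skip_dns_check" | "require_resolution";

// Model of the host plugin logic as described in the comment:
//  - ip_address present: validate records and add forward/reverse entries
//  - neither force nor ip_address: the host must resolve in DNS
//  - force without ip_address: DNS resolution is skipped
function serverDnsAction(options: HostAddOptions): DnsAction {
  if (typeof options.ip_address === "string" && options.ip_address !== "") {
    return "add_dns_records";
  }
  if (options.force === true) return "skip_dns_check";
  return "require_resolution";
}
```

With this builder, the `example2.ipa.test` case from the console session above no longer sends `description` or `ip_address` at all, and `force` appears only when the checkbox is ticked.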

carma12 added a commit to carma12/freeipa-webui that referenced this issue Jan 30, 2025
Adding host should allow use of 'force'
checkbox without IP address added, as the
idea is to allow adding host objects that
don't have DNS entries associated with them.

Fixes: freeipa#624
Signed-off-by: Carla Martinez <carlmart@redhat.com>
@carma12
Collaborator

carma12 commented Jan 30, 2025

@abbra - I corrected the code based on your last comment.
