diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-02-21 13:58:15 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-12 12:17:08 +0100 |
commit | d3a34591a807f1420042ddbb53b3d5ac846927aa (patch) | |
tree | 699a555689ee571759e028b51175d689ae85934d /ipalib/plugins/permission.py | |
parent | 0be66e9a67e433d36b9e4c00a17b45393d51a888 (diff) | |
download | freeipa-d3a34591a807f1420042ddbb53b3d5ac846927aa.tar.gz freeipa-d3a34591a807f1420042ddbb53b3d5ac846927aa.tar.xz freeipa-d3a34591a807f1420042ddbb53b3d5ac846927aa.zip |
permission_add: Remove permission entry if adding the ACI fails
https://fedorahosted.org/freeipa/ticket/4187
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index d4181a6b4..bd7f5da6a 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -830,7 +830,26 @@ class permission_add(baseldap.LDAPCreate): return dn def post_callback(self, ldap, dn, entry, *keys, **options): - self.obj.add_aci(entry) + try: + self.obj.add_aci(entry) + except Exception: + # Adding the ACI failed. + # We want to be 100% sure the ACI is not there, so try to + # remove it. (This is a no-op if the ACI was not added.) + self.obj.remove_aci(entry) + # Remove the entry. + # The permission entry serves as a "lock" tho prevent + # permission-add commands started at the same time from + # interfering. As long as the entry is there, the other + # permission-add will fail with DuplicateEntry. + # So deleting entry ("releasing the lock") must be the last + # thing we do here. + try: + self.api.Backend['ldap2'].delete_entry(entry) + except errors.NotFound: + pass + # Re-raise original exception + raise self.obj.postprocess_result(entry, options) return dn |