Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/31/2011 04:29 PM, Rob Crittenden wrote:
Jakub Hrozek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/05/2011 04:38 PM, Rob Crittenden wrote:
This patch adds a plugin and tools for managing entitlements for host
machines.

Testing is rather complex so I've attached a script to help set up the
Candlepin server. You'll need to ping me out of band for the backend
data. This configures the Candlepin server with an in-memory database so
any time tomcat6 is restarted you'll need to reload the data.

You have to run candlepin.setup as root. This will configure your Fedora
tomcat6 instance.

Once your candlepin server is set up and IPA is installed, do something
like:

$ ipa entitle-register admin
(password is admin)

$ ipa entitle-consume 25

$ ipa entitle-status
(verify that it is 25)

# ipa-compliance
(should be 1 of 50)

Our tools can consume only, not return entitlements.

tickets 28, 79 and 278.

rob



can you rebase the patch so it applies cleanly on the current master?

attached

rob

Functionally, the patch seems to be working fine -- great job!.

I just have a couple of minor comments:
  * I think a recent change to delegation.ldif conflicts with the patch.
I was able to do a 3-way merge, but please check it merges OK.

  * During build, rpm-build complains about /etc/cron.d/ipa-compliance
being listed twice

  * the two commented lines in ipa-compliance that test Bind using DM and
Bind using GSSAPI should be removed

  * I think that the ipa-compliance tool never deletes the directory with
the ccache (tmpdir)

  * in ipa-compliance:
+    if not truncated:
+        hostcount = len(entries)
+    else:
+        # FIXME: raise an error
+        pass
  I'm not opposed to FIXMEs in the code, but maybe there should be a
ticket so we don't forget them. Also, hostcount should be initialized in
the else: branch; later on, the code accesses it and would blow up.

  * In the entitlement plugin, the 'hidden' attributes could have
flags=['no_option', 'no_output'] so they don't show up in the UI

  * If I consume all the entitlements with ipa entitle-consume and ask
for more, I get an internal server error - we should probably catch the
RestlibException from candlepin

  * when I started testing I made a typo in the candlepin instance
hostname. ipa entitle-register then blew up.. The traceback looks like
it comes from rhsm. I don't think we absolutely need to fix it now, but
we should at least track it in a ticket.

Here is a diff of the changes you suggested, I think they cover all the bases.

rob
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1190fff..7e91c42 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -406,7 +406,6 @@ fi
 %dir %{_localstatedir}/cache/ipa
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
 %attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
-%{_sysconfdir}/cron.d/ipa-compliance
 %{_mandir}/man1/ipa-replica-install.1.gz
 %{_mandir}/man1/ipa-replica-manage.1.gz
 %{_mandir}/man1/ipa-replica-prepare.1.gz
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
index 5c21336..6c91ef4 100644
--- a/install/tools/ipa-compliance
+++ b/install/tools/ipa-compliance
@@ -29,6 +29,7 @@ try:
     import tempfile
     import krbV
     import base64
+    import shutil
 
     from rhsm.certificate import EntitlementCertificate
 
@@ -69,7 +70,7 @@ def parse_options():
     options, args = parser.parse_args()
     return options, args
 
-def check_compliance(debug=False):
+def check_compliance(tmpdir, debug=False):
     cfg = dict(
         context='cli',
         in_server=False,
@@ -85,7 +86,6 @@ def check_compliance(debug=False):
     try:
         # Create a new credentials cache for this tool. This executes
         # using the systems host principal.
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
         ccache_file = 'FILE:%s/ccache' % tmpdir
         krbcontext = krbV.default_context()
         principal = str('host/%s@%s' % (api.env.host, api.env.realm))
@@ -109,17 +109,10 @@ def check_compliance(debug=False):
     ldapuri = 'ldap://%s' % api.env.host
     conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
     
-    # Pick one of these bind methods
-    
-    # Bind using DM
-    #conn.connect(bind_dn='cn=directory manager', bind_pw='password')
-    
     # Bind using GSSAPI
-    #conn.connect(ccache='FILE:/tmp/krb5cc_500')
-    
-    # Bind anonymously
-    conn.connect()
+    conn.connect(ccache=ccache_file)
     
+    hostcount = 0
     # Get the hosts first
     try:
         (entries, truncated) = conn.find_entries('(krblastpwdchange=*)', 
['dn'],
@@ -127,13 +120,17 @@ def check_compliance(debug=False):
             conn.SCOPE_ONELEVEL,
             size_limit = -1)
     except errors.NotFound:
-         hostcount = 0
+         # No hosts
+         pass
     
     if not truncated:
         hostcount = len(entries)
     else:
-        # FIXME: raise an error
-        pass
+        # This will not happen unless we bump into a server-side limit.
+        msg = 'The host count result was truncated, they will be underreported'
+        syslog.syslog(syslog.LOG_ERR, msg)
+        if sys.stdin.isatty():
+            print msg
     
     available = 0
     try:
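Review bot: When `find_entries` raises `errors.NotFound`, the handler now only does `pass`, so `entries` and `truncated` are never bound and the following `if not truncated:` fails with a NameError instead of reporting zero hosts. Bind both in the handler, e.g. `entries, truncated = [], False`. In the truncated branch `hostcount` keeps its initial 0 although the message says hosts are underreported, which presumably lets the later compliance comparison pass on an unknown count; assigning `hostcount = len(entries)` before the `if` would report the partial count the message describes. The `try:` this handler belongs to starts in the previous hunk, and the imports of `syslog` and `sys` are not visible in this diff, so confirm both are in scope.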
@@ -178,7 +175,11 @@ def main():
     options, args = parse_options()
 
     try:
-        check_compliance(options.debug)
+        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        try:
+            check_compliance(tmpdir, options.debug)
+        finally:
+            shutil.rmtree(tmpdir)
     except KeyboardInterrupt:
         return 1
     except (StandardError, errors.PublicError), e:
diff --git a/ipalib/plugins/entitle.py b/ipalib/plugins/entitle.py
index c4beb52..88bab4a 100644
--- a/ipalib/plugins/entitle.py
+++ b/ipalib/plugins/entitle.py
@@ -293,14 +293,16 @@ class entitle_consume(LDAPUpdate):
         ),
     )
 
-    takes_options = LDAPUpdate.takes_options + (
+    # We don't want rights or add/setattr
+    takes_options = (
         # LDAPUpdate requires at least one option so autofill one
         # This isn't otherwise used.
         Int('hidden',
             label=_('Quantity'),
             minvalue=1,
             autofill=True,
-            default=1
+            default=1,
+            flags=['no_option', 'no_output']
         ),
     )
 
@@ -338,11 +340,17 @@ class entitle_consume(LDAPUpdate):
         try:
             (pool, uuid) = get_pool(ldap)
 
-            if quantity > pool['quantity']:
-                raise errors.ValidationError(name='quantity', error='There are 
only %d entitlements left' % pool['quantity'])
+            result=api.Command['entitle_status']()['result']
+            available = result['quantity'] - result['consumed']
 
-            cp = UEPConnection(handler='/candlepin', cert_file=certfile, 
key_file=keyfile)
-            cp.bindByEntitlementPool(uuid, pool['id'], quantity=quantity)
+            if quantity > available:
+                raise errors.ValidationError(name='quantity', error='There are 
only %d entitlements left' % available)
+
+            try:
+                cp = UEPConnection(handler='/candlepin', cert_file=certfile, 
key_file=keyfile)
+                cp.bindByEntitlementPool(uuid, pool['id'], quantity=quantity)
+            except RestlibException, e:
+                raise errors.ACIError(info=e.msg)
             results = cp.getCertificates(uuid)
             usercertificate = []
             for cert in results:
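Review bot: The new inner `try` turns every `RestlibException` from `UEPConnection(...)` and `bindByEntitlementPool` into `errors.ACIError`, so an exhausted pool or a server fault reaches the caller and the logs as an access-control failure. The `entitle_register` hunk shows an existing handler that raises `ACIError` on one branch and re-raises otherwise; the same distinction would fit here. `cp.getCertificates(uuid)` sits outside the inner `try`, so a failure there is handled only by whatever the outer `try` catches, which is outside this hunk. The availability figure from `entitle_status` can be stale by the time the bind runs, so a comment such as `# advisory check; Candlepin enforces the limit on bind` would make clear which side is authoritative.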
@@ -551,6 +559,8 @@ class entitle_register(LDAPCreate):
                 raise errors.ACIError(info=e.msg)
             else:
                 raise e
+        except socket.gaierror:
+            raise errors.ACIError(info=e.args[1])
 
         dn = ldap.make_dn(
             entry_attrs, self.obj.uuid_attribute, self.obj.container_dn
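Review bot: The added `except socket.gaierror:` clause does not bind the exception, yet its body reads `e.args[1]`; on this path `e` is either unbound or left over from an earlier handler, so a wrong Candlepin hostname would produce a NameError or a misleading message rather than the resolver error. Bind it in the clause: `except socket.gaierror, e:`. Whether `socket` is imported in `entitle.py` is not visible in this diff and should be confirmed. The enclosing `try` and the preceding `RestlibException` handler begin outside the hunk.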
@@ -667,14 +677,16 @@ class entitle_sync(LDAPUpdate):
 
     msg_summary = _('Entitlement(s) synchronized.')
 
-    takes_options = LDAPUpdate.takes_options + (
+    # We don't want rights or add/setattr
+    takes_options = (
         # LDAPUpdate requires at least one option so autofill one
         # This isn't otherwise used.
         Int('hidden',
             label=_('Quantity'),
             minvalue=1,
             autofill=True,
-            default=1
+            default=1,
+            flags=['no_option', 'no_output']
         ),
     )
 