Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/10/2015 07:23 PM, Petr Vobornik wrote:
> On 06/10/2015 04:39 PM, Petr Vobornik wrote:
>> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>>> hi,
>>>> is there a real replacement for del, it is not in the scope of the
>>>> topology commands, the removal of the agreement is rejected and later
>>>> done by the plugin, but what about removal of the host, services,
>>>> cleanruv ?
>>>> Ludwig
>>>>
>>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>>>> commands that alter the replica topology is deprecated.
>>>>>
>>>>> Following commands are prohibited:
>>>>>   * connect
>>>>>   * disconnect
>>>>>   * del
>>>>>
>>>>> Upon executing any of these commands, users are pointed out to the
>>>>> ipa topologysegment-* replacements.
>>>>>
>>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>
>>> Tomas is on vacation. I've removed 'del' from his patch and will
>>> create a new one for handling of 'del'. If that's OK, we can push
>>> this one.
>>
>> NACK
>>
>> 'connect' and 'disconnect' serve also for setting up/removing of
>> winsync replication agreements. This patch forbids it.
>
> attaching patch which addresses this issue and replaces Tomas' patch
> (which was used as a basis). Patch for 'del' will follow.
>
>> I've not tested if topology plugin ignores winsync agreements. Does it?

ACK for the patch.

I think that winsync agreements should be ignored because they live in
'cn=replicas,cn=ipa,cn=etc,$SUFFIX', not among cn=masters (but I may be
wrong). I have just now set up winsync agreement and it doesn't show up
in cn=topology at all.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/15/2015 02:59 PM, Martin Babinsky wrote:
> On 06/10/2015 07:23 PM, Petr Vobornik wrote:
>> On 06/10/2015 04:39 PM, Petr Vobornik wrote:
>>> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>>>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>>>> hi,
>>>>> is there a real replacement for del, it is not in the scope of the
>>>>> topology commands, the removal of the agreement is rejected and
>>>>> later done by the plugin, but what about removal of the host,
>>>>> services, cleanruv ?
>>>>> Ludwig
>>>>>
>>>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>>>>> commands that alter the replica topology is deprecated.
>>>>>>
>>>>>> Following commands are prohibited:
>>>>>>   * connect
>>>>>>   * disconnect
>>>>>>   * del
>>>>>>
>>>>>> Upon executing any of these commands, users are pointed out to
>>>>>> the ipa topologysegment-* replacements.
>>>>>>
>>>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>
>>>> Tomas is on vacation. I've removed 'del' from his patch and will
>>>> create a new one for handling of 'del'. If that's OK, we can push
>>>> this one.
>>>
>>> NACK
>>>
>>> 'connect' and 'disconnect' serve also for setting up/removing of
>>> winsync replication agreements. This patch forbids it.
>>
>> attaching patch which addresses this issue and replaces Tomas' patch
>> (which was used as a basis). Patch for 'del' will follow.
>>
>>> I've not tested if topology plugin ignores winsync agreements. Does it?
>
> ACK for the patch.
>
> I think that winsync agreements should be ignored because they live in
> 'cn=replicas,cn=ipa,cn=etc,$SUFFIX', not among cn=masters (but I may be
> wrong). I have just now set up winsync agreement and it doesn't show up
> in cn=topology at all.

Pushed to master: 45dccedd12e6d26e146ad9c30c2c304e6b2eded1

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
> hi,
> is there a real replacement for del, it is not in the scope of the
> topology commands, the removal of the agreement is rejected and later
> done by the plugin, but what about removal of the host, services,
> cleanruv ?
> Ludwig
>
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage
>> commands that alter the replica topology is deprecated.
>>
>> Following commands are prohibited:
>>   * connect
>>   * disconnect
>>   * del
>>
>> Upon executing any of these commands, users are pointed out to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302

Tomas is on vacation. I've removed 'del' from his patch and will create
a new one for handling of 'del'. If that's OK, we can push this one.

--
Petr Vobornik

From 0d49c689c69acffa060934589090f246b2342d2c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 2 Jun 2015 14:06:26 +0200
Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands from DL 1

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated.

Following commands are prohibited:
  * connect
  * disconnect

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Part of: https://fedorahosted.org/freeipa/ticket/4302
---
 install/tools/ipa-replica-manage | 22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e6d73b1591c5e386656b7198c20d71558a..a55ca7a89435aa79733b6edbf72d7c51b219d23c 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -747,12 +747,6 @@ def del_master(realm, hostname, options): try: if bindinstance.dns_container_exists(options.host, thisrepl.suffix, dm_password=options.dirman_passwd): -if options.dirman_passwd: -api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=options.dirman_passwd) -else: -ccache = krbV.default_context().default_ccache() -api.Backend.ldap2.connect(ccache=ccache) bind = bindinstance.BindInstance() bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower()) @@ -1209,6 +1203,22 @@ def main(): options.dirman_passwd = dirman_passwd +# Initialize the LDAP connection +if options.dirman_passwd: +api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=options.dirman_passwd) +else: +ccache = krbV.default_context().default_ccache() +api.Backend.ldap2.connect(ccache=ccache) + +# Check the domain level +if args[0] in (connect, disconnect): +domainlevel = api.Command['domainlevel_get']().get('result', 0) +if domainlevel 0: +sys.exit(The {0} command is deprecated with domain level 1. + Please use ipa topologysegment-* commands to manage + IPA replication topology..format(args[0])) + if args[0] == list: replica = None if len(args) == 2: -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
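Review bot: In the `@@ -1209,6 +1203,22 @@ def main()` hunk the only difference from Tomas' original is that `del` is no longer in the guarded tuple, so at domain level 1 `ipa-replica-manage del` still walks its old path and tries to remove the agreement itself, which, as Ludwig notes earlier in this thread, the topology plugin rejects; until the follow-up patch for `del` lands, the user gets the plugin's rejection instead of a pointer to the replacement, which is worth a comment in the code or the commit message. The exit text for `connect` and `disconnect` also says `deprecated`, but the command is refused outright; wording such as `not supported at domain level 1 or higher, use ipa topologysegment-* instead` describes what actually happens.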
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/10/2015 04:39 PM, Petr Vobornik wrote:
> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>> hi,
>>> is there a real replacement for del, it is not in the scope of the
>>> topology commands, the removal of the agreement is rejected and later
>>> done by the plugin, but what about removal of the host, services,
>>> cleanruv ?
>>> Ludwig
>>>
>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>>> commands that alter the replica topology is deprecated.
>>>>
>>>> Following commands are prohibited:
>>>>   * connect
>>>>   * disconnect
>>>>   * del
>>>>
>>>> Upon executing any of these commands, users are pointed out to the
>>>> ipa topologysegment-* replacements.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>> Tomas is on vacation. I've removed 'del' from his patch and will
>> create a new one for handling of 'del'. If that's OK, we can push
>> this one.
>
> NACK
>
> 'connect' and 'disconnect' serve also for setting up/removing of
> winsync replication agreements. This patch forbids it.
>
> I've not tested if topology plugin ignores winsync agreements. Does it?

yes. it only manages normal agreements
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/10/2015 04:06 PM, Petr Vobornik wrote:
> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>> hi,
>> is there a real replacement for del, it is not in the scope of the
>> topology commands, the removal of the agreement is rejected and later
>> done by the plugin, but what about removal of the host, services,
>> cleanruv ?
>> Ludwig
>>
>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>> commands that alter the replica topology is deprecated.
>>>
>>> Following commands are prohibited:
>>>   * connect
>>>   * disconnect
>>>   * del
>>>
>>> Upon executing any of these commands, users are pointed out to the
>>> ipa topologysegment-* replacements.
>>>
>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>
> Tomas is on vacation. I've removed 'del' from his patch and will create
> a new one for handling of 'del'. If that's OK, we can push this one.

NACK

'connect' and 'disconnect' serve also for setting up/removing of winsync
replication agreements. This patch forbids it.

I've not tested if topology plugin ignores winsync agreements. Does it?

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/10/2015 04:39 PM, Petr Vobornik wrote:
> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>> hi,
>>> is there a real replacement for del, it is not in the scope of the
>>> topology commands, the removal of the agreement is rejected and later
>>> done by the plugin, but what about removal of the host, services,
>>> cleanruv ?
>>> Ludwig
>>>
>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>>> commands that alter the replica topology is deprecated.
>>>>
>>>> Following commands are prohibited:
>>>>   * connect
>>>>   * disconnect
>>>>   * del
>>>>
>>>> Upon executing any of these commands, users are pointed out to the
>>>> ipa topologysegment-* replacements.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>
>> Tomas is on vacation. I've removed 'del' from his patch and will
>> create a new one for handling of 'del'. If that's OK, we can push
>> this one.
>
> NACK
>
> 'connect' and 'disconnect' serve also for setting up/removing of
> winsync replication agreements. This patch forbids it.

attaching patch which addresses this issue and replaces Tomas' patch
(which was used as a basis). Patch for 'del' will follow.

> I've not tested if topology plugin ignores winsync agreements. Does it?

--
Petr Vobornik

From 5a1ff2debb2b529e03a668d15aabc2cb40cd9f8d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 10 Jun 2015 18:23:37 +0200
Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands from DL 1

With Domain Level 1 and above, the usage of ipa-replica-manage commands
that alter the replica topology is deprecated.

Following commands are prohibited:
  * connect
  * disconnect

Upon executing any of these commands, users are pointed out to the
ipa topologysegment-* replacements.

Exception is creation/deletion of winsync agreement.

Part of: https://fedorahosted.org/freeipa/ticket/4302
---
 install/tools/ipa-replica-manage | 53
 1 file changed, 37 insertions(+), 16 deletions(-)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 0d2688e6d73b1591c5e386656b7198c20d71558a..36efda88cf24c5692faf6d948270622350cbd56e 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): repl2 = None +what = Removal of IPA replication agreement +managed_topology = has_managed_topology() try: repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd) - type1 = repl1.get_agreement_type(replica2) - -repl_list = repl1.find_ipa_replication_agreements() -if not force and len(repl_list) = 1 and type1 == replication.IPA_REPLICA: -print Cannot remove the last replication link of '%s' % replica1 -print Please use the 'del' command to remove it from the domain -return False - except errors.NotFound: -print '%s' has no replication agreement for '%s' % (replica1, replica2) +# it's possible that the agreement could not have been found because of +# the new topology plugin naming convention: A-to-B instead of +# meToB. +if managed_topology: +print '%s' has no winsync replication agreement for '%s' % (replica1, replica2) +exit_on_managed_topology(what) +else: +print '%s' has no replication agreement for '%s' % (replica1, replica2) return False except Exception, e: -print Failed to determine agreement type for '%s': %s % (replica1, e) +print Failed to determine agreement type for '%s': %s % (replica2, e) + +if type1 == replication.IPA_REPLICA and managed_topology: +exit_on_managed_topology(what) + +repl_list = repl1.find_ipa_replication_agreements() +if not force and len(repl_list) = 1 and type1 == replication.IPA_REPLICA: +print Cannot remove the last replication link of '%s' % replica1 +print Please use the 'del' command to remove it from the domain return False if type1 == replication.IPA_REPLICA: 
@@ -747,12 +756,6 @@ def del_master(realm, hostname, options): try: if bindinstance.dns_container_exists(options.host, thisrepl.suffix, dm_password=options.dirman_passwd): -if options.dirman_passwd: -api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=options.dirman_passwd) -else: -ccache = krbV.default_context().default_ccache() -api.Backend.ldap2.connect(ccache=ccache) bind = bindinstance.BindInstance() bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower()) @@ -777,6 +780,8 @@ def add_link(realm, replica1,
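Review bot: In the `@@ -241,23 +241,32 @@ def del_link` hunk, `has_managed_topology()` and `exit_on_managed_topology(what)` are called but their definitions are not in the hunks posted here (the mail is cut off at the `@@ -777,6 +780,8 @@ def add_link` header), so a reviewer of this message cannot see what they check or confirm that `exit_on_managed_topology` terminates the process; the `return False` that follows it in the `except errors.NotFound` branch is only correct if it does, and a short docstring on that helper, or a comment at the call site, would make the control flow obvious. The same branch treats every `NotFound` under managed topology as the `A-to-B` versus `meToB` naming mismatch the comment describes; if the helper ever returns normally, the `'%s' has no winsync replication agreement for '%s'` message would be printed for a plain IPA agreement as well. Minor: the `Failed to determine agreement type` message now reports `replica2` while the lookup is done through `repl1` for `replica1`; printing both hosts removes the ambiguity.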
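Review bot: The `@@ -747,12 +756,6 @@ def del_master` hunk removes the `api.Backend.ldap2.connect()` call that ran when the DNS container exists, exactly as Tomas' original patch did, but the corresponding `main()` hunk that is supposed to establish the connection before dispatch is not in the portion of the patch that reached the list, so from this mail alone it cannot be confirmed that `del_master` still has a bound `ldap2` when `bindinstance.BindInstance()` is used to remove the DNS records; please post or reference the complete patch so the removal and its replacement can be reviewed together.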
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/02/2015 02:10 PM, Tomas Babej wrote:
> Hi,
>
> With Domain Level 1 and above, the usage of ipa-replica-manage commands
> that alter the replica topology is deprecated.
>
> Following commands are prohibited:
>   * connect
>   * disconnect
>   * del
>
> Upon executing any of these commands, users are pointed out to the
> ipa topologysegment-* replacements.
>
> Part of: https://fedorahosted.org/freeipa/ticket/4302

Works for me, ACK.

--
Martin^3 Babinsky
[Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
Hi, With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. Following commands are prohibited: * connect * disconnect * del Upon executing any of these commands, users are pointed out to the ipa topologysegment-* replacements. Part of: https://fedorahosted.org/freeipa/ticket/4302 From e96c3b045ced1773def444ffee9a45f813abb954 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 2 Jun 2015 14:06:26 +0200 Subject: [PATCH] ipa-replica-manage: Do not allow topology altering commands from DL 1 With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. Following commands are prohibited: * connect * disconnect * del Upon executing any of these commands, users are pointed out to the ipa topologysegment-* replacements. Part of: https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 22 -- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 0d2688e6d73b1591c5e386656b7198c20d71558a..a27360c002433e5f1b8133b98055cb757468ad0a 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -747,12 +747,6 @@ def del_master(realm, hostname, options): try: if bindinstance.dns_container_exists(options.host, thisrepl.suffix, dm_password=options.dirman_passwd): -if options.dirman_passwd: -api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=options.dirman_passwd) -else: -ccache = krbV.default_context().default_ccache() -api.Backend.ldap2.connect(ccache=ccache) bind = bindinstance.BindInstance() bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower()) 
@@ -1209,6 +1203,22 @@ def main(): options.dirman_passwd = dirman_passwd +# Initialize the LDAP connection +if options.dirman_passwd: +api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=options.dirman_passwd) +else: +ccache = krbV.default_context().default_ccache() +api.Backend.ldap2.connect(ccache=ccache) + +# Check the domain level +if args[0] in (connect, disconnect, del): +domainlevel = api.Command['domainlevel_get']().get('result', 0) +if domainlevel 0: +sys.exit(The {0} command is deprecated with domain level 1. + Please use ipa topologysegment-* commands to manage + IPA replication topology..format(args[0])) + if args[0] == list: replica = None if len(args) == 2: -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
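Review bot: In the `@@ -1209,6 +1203,22 @@ def main()` hunk, `api.Command['domainlevel_get']().get('result', 0)` defaults to domain level 0 whenever the `result` key is absent, so the new guard fails open: an unexpected or malformed reply lets `connect`, `disconnect` and `del` proceed instead of stopping them. Since the purpose of the check is to refuse topology changes, a missing result should abort (for example `sys.exit("Unable to determine domain level")`) rather than fall back to the permissive level. Separately, adding `del` to the refused tuple leaves no replacement for the rest of what `del_master` does (host, service and DNS cleanup, CLEANALLRUV), which is exactly the gap Ludwig and Martin raise in this thread; the exit message points only at `ipa topologysegment-*`, which does not cover that cleanup.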
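Review bot: The `@@ -747,12 +747,6 @@ def del_master` hunk takes a connect that previously ran only when `bindinstance.dns_container_exists()` was true and moves it into `main()`, where `api.Backend.ldap2.connect()` now binds as `cn=Directory Manager` (or with the default ccache) before `args[0]` is even dispatched. Every subcommand, including the read-only `list`, therefore opens a privileged directory connection whether it needs one or not; connecting only for the subcommands that use LDAP keeps the least-privilege behaviour the old placement had. Please also confirm that no other code path in the script still calls `api.Backend.ldap2.connect()`, since with the call now in `main()` any remaining one would connect the same backend twice.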
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
On 06/02/2015 02:19 PM, Martin Babinsky wrote:
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage
>> commands that alter the replica topology is deprecated.
>>
>> Following commands are prohibited:
>>   * connect
>>   * disconnect
>>   * del
>>
>> Upon executing any of these commands, users are pointed out to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>
> Works for me, ACK.

Not that fast... connect and disconnect is clear. However, del does more
actions than just removing the agreement. It may need to
- check domain level
- if 0, continue doing what it always did
- if 1, call the topology API command
- continue with the cleanup (CLEANALLRUV and friends)

Martin
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
hi,
is there a real replacement for del, it is not in the scope of the
topology commands, the removal of the agreement is rejected and later
done by the plugin, but what about removal of the host, services,
cleanruv ?

Ludwig

On 06/02/2015 02:10 PM, Tomas Babej wrote:
> Hi,
>
> With Domain Level 1 and above, the usage of ipa-replica-manage commands
> that alter the replica topology is deprecated.
>
> Following commands are prohibited:
>   * connect
>   * disconnect
>   * del
>
> Upon executing any of these commands, users are pointed out to the
> ipa topologysegment-* replacements.
>
> Part of: https://fedorahosted.org/freeipa/ticket/4302
Re: [Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands
I agree. Maybe we should think about some wrapper that would call
topologysegment-del command before actually cleaning the services etc.,
upon each `ipa-replica-manage del` rather than prohibiting the usage of
the command at all.

My 2 cents (maybe, too late)

On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
> hi,
> is there a real replacement for del, it is not in the scope of the
> topology commands, the removal of the agreement is rejected and later
> done by the plugin, but what about removal of the host, services,
> cleanruv ?
> Ludwig
>
> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> With Domain Level 1 and above, the usage of ipa-replica-manage
>> commands that alter the replica topology is deprecated.
>>
>> Following commands are prohibited:
>>   * connect
>>   * disconnect
>>   * del
>>
>> Upon executing any of these commands, users are pointed out to the
>> ipa topologysegment-* replacements.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/4302

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.