|
 |
a54f03 |
From ad3022b24462cc7bc33f810c2d20b4b00006a14c Mon Sep 17 00:00:00 2001
|
|
|
a54f03 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
a54f03 |
Date: Mon, 29 Apr 2019 11:12:30 +0200
|
|
|
a54f03 |
Subject: [PATCH] Consider configured servers as valid
|
|
|
a54f03 |
|
|
|
a54f03 |
Under some conditions, ipa config-show and several other commands were
|
|
|
a54f03 |
failing with error message:
|
|
|
a54f03 |
|
|
|
a54f03 |
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
|
|
|
a54f03 |
|
|
|
a54f03 |
Amongst others the issue can be caused by a broken installation, when
|
|
|
a54f03 |
some services are left in state 'configuredServices'. The problem even
|
|
|
a54f03 |
block uninstallation or removal of replicas. Now configured servers are
|
|
|
a54f03 |
also consider valid providers for associated roles.
|
|
|
a54f03 |
|
|
|
a54f03 |
A new test verifies that config-show works with hidden and configured HTTP
|
|
|
a54f03 |
service.
|
|
|
a54f03 |
|
|
|
a54f03 |
Remark: The original intent of the sanity check is no longer clear to me. I
|
|
|
a54f03 |
think it was used to very that all services can be started by ipactl.
|
|
|
a54f03 |
Since ipactl starts hidden, configured, and enabled services, the new
|
|
|
a54f03 |
logic reflect the fact, too.
|
|
|
a54f03 |
|
|
|
a54f03 |
Fixes: https://pagure.io/freeipa/issue/7929
|
|
|
a54f03 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
a54f03 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
a54f03 |
---
|
|
|
a54f03 |
ipaserver/servroles.py | 12 +++++---
|
|
|
a54f03 |
ipatests/test_integration/test_commands.py | 33 ++++++++++++++++++++++
|
|
|
a54f03 |
2 files changed, 41 insertions(+), 4 deletions(-)
|
|
|
a54f03 |
|
|
|
a54f03 |
diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
|
|
|
a54f03 |
index bf33923ded4ca6559fba504e1b447086e87d2083..756ce91a8164144978363f04f6abd8de18b93524 100644
|
|
|
a54f03 |
--- a/ipaserver/servroles.py
|
|
|
a54f03 |
+++ b/ipaserver/servroles.py
|
|
|
a54f03 |
@@ -338,12 +338,16 @@ class ServerAttribute(LDAPBasedProperty):
|
|
|
a54f03 |
ldap.update_entry(service_entry)
|
|
|
a54f03 |
|
|
|
a54f03 |
def _get_assoc_role_providers(self, api_instance):
|
|
|
a54f03 |
- """
|
|
|
a54f03 |
- get list of all servers on which the associated role is enabled
|
|
|
a54f03 |
+ """get list of all servers on which the associated role is enabled
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+ Consider a configured server as a valid provider for a
|
|
|
a54f03 |
+ role, as all services are started.
|
|
|
a54f03 |
"""
|
|
|
a54f03 |
return [
|
|
|
a54f03 |
- r[u'server_server'] for r in self.associated_role.status(
|
|
|
a54f03 |
- api_instance) if r[u'status'] == ENABLED]
|
|
|
a54f03 |
+ r[u'server_server']
|
|
|
a54f03 |
+ for r in self.associated_role.status(api_instance)
|
|
|
a54f03 |
+ if r[u'status'] in {ENABLED,CONFIGURED}
|
|
|
a54f03 |
+ ]
|
|
|
a54f03 |
|
|
|
a54f03 |
def _remove(self, api_instance, masters):
|
|
|
a54f03 |
"""
|
|
|
a54f03 |
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
|
a54f03 |
index b2c0d5c710c9810cfd74216983f793808f4cf3c4..4237de4eea2981c52ecb664d132e6607cb2ac25d 100644
|
|
|
a54f03 |
--- a/ipatests/test_integration/test_commands.py
|
|
|
a54f03 |
+++ b/ipatests/test_integration/test_commands.py
|
|
|
a54f03 |
@@ -6,6 +6,11 @@
|
|
|
a54f03 |
from __future__ import absolute_import
|
|
|
a54f03 |
|
|
|
a54f03 |
from ipatests.test_integration.base import IntegrationTest
|
|
|
a54f03 |
+from ipapython.dn import DN
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+from ipaserver.masters import (
|
|
|
a54f03 |
+ CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE
|
|
|
a54f03 |
+)
|
|
|
a54f03 |
|
|
|
a54f03 |
|
|
|
a54f03 |
class TestIPACommand(IntegrationTest):
|
|
|
a54f03 |
@@ -46,3 +51,31 @@ class TestIPACommand(IntegrationTest):
|
|
|
a54f03 |
assert result.returncode == 0
|
|
|
a54f03 |
assert "SELinux user map order: {}".format(
|
|
|
a54f03 |
maporder) in result.stdout_text
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+ def test_config_show_configured_services(self):
|
|
|
a54f03 |
+ # https://pagure.io/freeipa/issue/7929
|
|
|
a54f03 |
+ states = {CONFIGURED_SERVICE, ENABLED_SERVICE}
|
|
|
a54f03 |
+ dn = DN(
|
|
|
a54f03 |
+ ('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),
|
|
|
a54f03 |
+ ('cn', 'ipa'), ('cn', 'etc'),
|
|
|
a54f03 |
+ self.master.domain.basedn # pylint: disable=no-member
|
|
|
a54f03 |
+ )
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+ conn = self.master.ldap_connect()
|
|
|
a54f03 |
+ entry = conn.get_entry(dn) # pylint: disable=no-member
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+ # original setting and all settings without state
|
|
|
a54f03 |
+ orig_cfg = list(entry['ipaConfigString'])
|
|
|
a54f03 |
+ other_cfg = [item for item in orig_cfg if item not in states]
|
|
|
a54f03 |
+
|
|
|
a54f03 |
+ try:
|
|
|
a54f03 |
+ # test with configured
|
|
|
a54f03 |
+ cfg = [CONFIGURED_SERVICE]
|
|
|
a54f03 |
+ cfg.extend(other_cfg)
|
|
|
a54f03 |
+ entry['ipaConfigString'] = cfg
|
|
|
a54f03 |
+ conn.update_entry(entry) # pylint: disable=no-member
|
|
|
a54f03 |
+ self.master.run_command(['ipa', 'config-show'])
|
|
|
a54f03 |
+ finally:
|
|
|
a54f03 |
+ # reset
|
|
|
a54f03 |
+ entry['ipaConfigString'] = orig_cfg
|
|
|
a54f03 |
+ conn.update_entry(entry) # pylint: disable=no-member
|
|
|
a54f03 |
--
|
|
|
a54f03 |
2.20.1
|
|
|
a54f03 |
|