Patch attached
-- 
Martin^2 Basti
>From f7e6c6d17562d4d5bcdbddaefbaf279fd1b901db Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 3 Jul 2014 15:50:27 +0200
Subject: [PATCH] Restore privileges after forward zones  update

Ticket: https://fedorahosted.org/freeipa/ticket/3210
---
 ipaserver/install/plugins/dns.py | 43 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index d2a9500c5bb58a81950bc2077fa611fcfd0c973a..07c0325d7a7c6062c1827d08f211d317bdc63db4 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -210,6 +210,10 @@ class update_master_to_dnsforwardzones(PostUpdate):
             # add time to filename
             self.backup_path = time.strftime(self.backup_path)
 
+            # DNs of privileges which contain dns managed permissions
+            privileges_to_ldif = set()  # store priviledges only once
+            zone_to_privileges = {}  # zone: [privileges cn]
+
             self.log.info('Zones with specified forwarders with policy different'
                           ' than none will be transformed to forward zones.')
             self.log.info('Original zones will be saved in LDIF format in '
@@ -228,8 +232,14 @@ class update_master_to_dnsforwardzones(PostUpdate):
 
                             if 'managedBy' in zone:
                                 entry = ldap.get_entry(DN(zone['managedBy'][0]))
+                                for privilege_member_dn in entry.get('member', []):
+                                    privileges_to_ldif.add(privilege_member_dn)
                                 writer.unparse(str(entry.dn), dict(entry.raw))
 
+                                # privileges where permission is used
+                                if entry.get('member'):
+                                    zone_to_privileges[zone['idnsname'][0]] = entry['member']
+
                             # raw values are required to store into ldif
                             records = api.Command['dnsrecord_find'](
                                         zone['idnsname'][0],
@@ -249,6 +259,17 @@ class update_master_to_dnsforwardzones(PostUpdate):
                                            zone['idnsname'][0])
                             self.log.error(traceback.format_exc())
                             return (False, False, [])
+
+                    for privilege_dn in privileges_to_ldif:
+                        try:
+                            entry = ldap.get_entry(privilege_dn)
+                            writer.unparse(str(entry.dn), dict(entry.raw))
+                        except Exception, e:
+                            self.log.error('Unable to backup privilege %s' %
+                                           privilege_dn)
+                            self.log.error(traceback.format_exc())
+                            return (False, False, [])
+
                     f.close()
             except Exception:
                 self.log.error('Unable to create backup file')
@@ -285,7 +306,8 @@ class update_master_to_dnsforwardzones(PostUpdate):
                 # create permission if original zone has one
                 if 'managedBy' in zone:
                     try:
-                        api.Command['dnsforwardzone_add_permission'](zone['idnsname'][0])
+                        perm_name = api.Command['dnsforwardzone_add_permission'](
+                                        zone['idnsname'][0])['value']
                     except Exception, e:
                         self.log.error('Transform to forwardzone terminated: '
                                        'Adding managed by permission to forward zone'
@@ -296,9 +318,28 @@ class update_master_to_dnsforwardzones(PostUpdate):
                                       zone['idnsname'][0])
                         continue
 
+                    else:
+                        if zone['idnsname'][0] in zone_to_privileges:
+                            privileges = [
+                                dn[0].value for dn in zone_to_privileges[zone['idnsname'][0]]
+                            ]
+                            try:
+                                api.Command['permission_add_member'](perm_name,
+                                                    privilege=privileges)
+                            except Exception, e:
+                                self.log.error('Unable to restore privileges for '
+                                       'permission %s, for zone %s'
+                                        % (perm_name, zone['idnsname']))
+                                self.log.error(traceback.format_exc())
+                                self.log.info('Zone %s was transformed to forward zone'
+                                              ' without restored privileges',
+                                              zone['idnsname'][0])
+                                continue
+
                 self.log.info('Zone %s was sucessfully transformed to forward zone',
                               zone['idnsname'][0])
 
+
         sysupgrade.set_upgrade_state('dns', 'update_to_forward_zones', False)
 
         return (False, False, [])
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to