Hello,

attached are patches fixing the logic mentioned in https://fedorahosted.org/freeipa/ticket/5967.
From 7d833bf0018f4b3e85bae88cbe383568f6d9c3f4 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Jun 2016 16:04:04 +0200
Subject: [PATCH 1/2] Raise exception on incorrect segment addition

This patch removes the ability to add a CA segment between two hosts when
either of them is not yet managed by the CA suffix.

https://fedorahosted.org/freeipa/ticket/5967
---
 ipaserver/plugins/topology.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index c1848f0cc699f84b40be3623e956780d65de8619..1c54d187342bfdc830fd650f24bf5720a5135ea1 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -89,6 +89,37 @@ def validate_domain_level(api):
         )
 
 
+def validate_ca_connectivity(api, left_node, right_node):
+    """
+    Validate whether two nodes may create a CA replication agreement
+    """
+    ca_hosts = api.Command.topologysegment_find(u'ca', sizelimit=0)['result']
+    left_found = False
+    right_found = False
+    for ca_host in ca_hosts:
+        if (not left_found and left_node in
+            (ca_host['iparepltoposegmentleftnode'][0],
+             ca_host['iparepltoposegmentrightnode'][0])):
+            left_found = True
+        if (not right_found and right_node in
+            (ca_host['iparepltoposegmentleftnode'][0],
+             ca_host['iparepltoposegmentrightnode'][0])):
+            right_found = True
+
+        if left_found and right_found:
+            return
+
+    invalid_nodes = {}
+    if not left_found:
+        invalid_nodes['leftnode'] = left_node
+    if not right_found:
+        invalid_nodes['rightnode'] = right_node
+    raise errors.ValidationError(
+        name=', '.join(invalid_nodes.keys()),
+        error=_("The following nodes are not yet in the 'ca' suffix: {hosts}"
+                .format(hosts=', '.join(invalid_nodes.values()))))
+
+
 @register()
 class topologysegment(LDAPObject):
     """
@@ -266,6 +297,12 @@ class topologysegment_add(LDAPCreate):
         assert isinstance(dn, DN)
         validate_domain_level(self.api)
         self.obj.validate_nodes(ldap, dn, entry_attrs)
+        if keys[0] == 'ca':
+            validate_ca_connectivity(
+                self.api,
+                entry_attrs['iparepltoposegmentleftnode'],
+                entry_attrs['iparepltoposegmentrightnode']
+            )
         return dn
 
 
-- 
2.5.5

From b146c6bec3e99b06ce86d931a22ce038b1807a02 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Jun 2016 16:07:18 +0200
Subject: [PATCH 2/2] Fix topologysuffix-verify failing connections

topologysuffix-verify would have checked connectivity even between hosts that
are not managed by the given suffix.

https://fedorahosted.org/freeipa/ticket/5967
---
 ipaserver/plugins/topology.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index 1c54d187342bfdc830fd650f24bf5720a5135ea1..5cf2927c6da36dbb93b241450c05a0bb87d759aa 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -14,7 +14,8 @@ from ipalib import _, ngettext
 from ipalib import output
 from ipalib.constants import DOMAIN_LEVEL_1
 from ipaserver.topology import (
-    create_topology_graph, get_topology_connection_errors)
+    create_topology_graph, get_topology_connection_errors,
+    _map_masters_to_suffixes)
 from ipapython.dn import DN
 
 if six.PY3:
@@ -513,6 +514,7 @@ Checks done:
 
         masters = self.api.Command.server_find(
             '', sizelimit=0, no_members=False)['result']
+        masters = _map_masters_to_suffixes(masters).get(keys[0], [])
         segments = self.api.Command.topologysegment_find(
             keys[0], sizelimit=0)['result']
         graph = create_topology_graph(masters, segments)
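Review bot: The new line falls back to an empty list when `keys[0]` is not a key of the mapping, so `create_topology_graph([], segments)` is then built from segments alone and the verify command can report a clean result for a suffix that no server manages; the hunk does not show whether the suffix name was validated before this point, so if it was not, an explicit guard such as `if not masters: raise errors.NotFound(reason=<message for unknown suffix>)` would make that failure visible. Reusing the name masters for the filtered list also hides that the first assignment held every server; `suffix_masters = _map_masters_to_suffixes(masters).get(keys[0], [])` reads more clearly and keeps the original list available. The first hunk of this patch imports `_map_masters_to_suffixes`, whose leading underscore marks it as private to ipaserver.topology; if it is now part of the plugin's contract it should be given a public name there. The enclosing method begins before this hunk.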
-- 
2.5.5
