On Thu, Dec 19, 2013 at 3:49 PM, Helga Velroyen <[email protected]> wrote:
> This patch makes Ganeti to correctly handle the client
>
s/to correctly/correctly/
> certificates when nodes get promoted to master candidates
> or demoted to normal nodes.
>
> Signed-off-by: Helga Velroyen <[email protected]>
> ---
> lib/cmdlib/common.py | 37 +++++++++++++++++++++++++++++++++++++
> lib/cmdlib/node.py | 16 ++++++++++++++--
> 2 files changed, 51 insertions(+), 2 deletions(-)
>
> diff --git a/lib/cmdlib/common.py b/lib/cmdlib/common.py
> index b8faee9..6b739b8 100644
> --- a/lib/cmdlib/common.py
> +++ b/lib/cmdlib/common.py
> @@ -1236,3 +1236,40 @@ def AddNodeCertToCandidateCerts(lu, node_uuid,
> cluster):
> assert crypto_type == constants.CRYPTO_TYPE_SSL
>
> utils.AddNodeToCandidateCerts(node_uuid, digest,
> cluster.candidate_certs)
> +
> +
> +def RemoveNodeCertFromCandidateCerts(node_uuid, cluster):
> + """Removes the node's certificate from the candidate certificates list.
> +
> + @type node_uuid: string
> + @param node_uuid: the node's UUID
> + @type cluster: C{objects.Cluster}
> + @param cluster: the cluster's configuration
> +
> + """
> + utils.RemoveNodeFromCandidateCerts(node_uuid, cluster.candidate_certs)
> +
> +
> +def CreateNewClientCert(self, node_uuid, filename=None):
> + """Creates a new client SSL certificate for the node.
> +
> + @type node_uuid: string
> + @param node_uuid: the node's UUID
> + @type filename: string
> + @param filename: the certificate's filename
> + @rtype: string
> + @return: the digest of the newly created certificate
> +
> + """
> + options = {}
> + if filename:
> + options[constants.CRYPTO_OPTION_CERT_FILE] = filename
> + result = self.rpc.call_node_crypto_tokens(
> + node_uuid,
> + [(constants.CRYPTO_TYPE_SSL, constants.CRYPTO_ACTION_CREATE,
> + options)])
> + result.Raise("Could not create the node's (uuid %s) SSL client"
> + " certificate." % node_uuid)
> + ((crypto_type, new_digest), ) = result.payload
> + assert crypto_type == constants.CRYPTO_TYPE_SSL
> + return new_digest
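Review bot: `CreateNewClientCert` is a module-level helper whose first parameter is named `self`, while the neighbouring `AddNodeCertToCandidateCerts(lu, node_uuid, cluster)` calls the same object `lu`, and the new docstring documents `node_uuid` and `filename` but says nothing about that first parameter. Renaming it keeps the two helpers consistent and stops the function from reading like a method: `def CreateNewClientCert(lu, node_uuid, filename=None):` together with `result = lu.rpc.call_node_crypto_tokens(`, plus an epydoc entry along the lines of `@param lu: the logical unit whose RPC runner issues the request`. The `assert crypto_type == constants.CRYPTO_TYPE_SSL` on the node-supplied payload mirrors the existing assert in `AddNodeCertToCandidateCerts`, so it is consistent with the file, but as an assert it disappears under `python -O`; if a wrong token type must never be recorded as a client certificate digest, raising an explicit error instead keeps the check in production builds.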
> diff --git a/lib/cmdlib/node.py b/lib/cmdlib/node.py
> index 09cd9c8..f08555a 100644
> --- a/lib/cmdlib/node.py
> +++ b/lib/cmdlib/node.py
> @@ -42,7 +42,8 @@ from ganeti.cmdlib.common import CheckParamsNotGlobal, \
> CheckInstanceState, INSTANCE_DOWN, GetUpdatedParams, \
> AdjustCandidatePool, CheckIAllocatorOrNode, LoadNodeEvacResult, \
> GetWantedNodes, MapInstanceLvsToNodes, RunPostHook, \
> - FindFaultyInstanceDisks, CheckStorageTypeEnabled,
> AddNodeCertToCandidateCerts
> + FindFaultyInstanceDisks, CheckStorageTypeEnabled, CreateNewClientCert, \
> + AddNodeCertToCandidateCerts, RemoveNodeCertFromCandidateCerts
>
>
> def _DecideSelfPromotion(lu, exceptions=None):
> @@ -416,7 +417,10 @@ class LUNodeAdd(LogicalUnit):
>
> cluster = self.cfg.GetClusterInfo()
> if self.new_node.master_candidate:
> - AddNodeCertToCandidateCerts(self, self.new_node.uuid, cluster)
> + # We create a new certificate even if the node is readded
> + digest = CreateNewClientCert(self, self.new_node.uuid)
> + utils.AddNodeToCandidateCerts(self.new_node.uuid, digest,
> + cluster.candidate_certs)
> self.cfg.Update(cluster, feedback_fn)
> else:
> if self.new_node.uuid in cluster.candidate_certs:
> @@ -780,6 +784,14 @@ class LUNodeSetParams(LogicalUnit):
> if self.lock_all:
> AdjustCandidatePool(self, [node.uuid])
>
> + cluster = self.cfg.GetClusterInfo()
> + # if node gets promoted, grant RPC priviledges
> + if self.new_role == self._ROLE_CANDIDATE:
> + AddNodeCertToCandidateCerts(self, node.uuid, cluster)
> + # if node is demoted, revoke RPC priviledges
> + if self.old_role == self._ROLE_CANDIDATE:
> + RemoveNodeCertFromCandidateCerts(node.uuid, cluster)
> +
> if self.op.secondary_ip:
> node.secondary_ip = self.op.secondary_ip
> result.append(("secondary_ip", self.op.secondary_ip))
> --
> 1.8.5.1
>
>
LGTM, thanks!
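Review bot: In the `LUNodeSetParams` hunk the `cluster` object obtained from `self.cfg.GetClusterInfo()` is mutated through `AddNodeCertToCandidateCerts` and `RemoveNodeCertFromCandidateCerts` but is never written back within the hunk, whereas the `LUNodeAdd` hunk follows the same kind of mutation with `self.cfg.Update(cluster, feedback_fn)`. Unless the rest of `Exec` (outside the hunk) updates the cluster object, the demoted node's certificate remains in `candidate_certs` and the revocation of its RPC access that the comment announces never reaches the stored configuration; adding `self.cfg.Update(cluster, feedback_fn)` after the two `if` blocks would make this path match `LUNodeAdd`. The two conditions are also not mutually exclusive, so if `Exec` can be reached with `old_role` and `new_role` both equal to `_ROLE_CANDIDATE` the certificate is added and then immediately removed; an `elif`, or guarding the whole block on a role change, would make the intended transitions explicit. Both new comments spell `priviledges`; it should be `privileges`.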
