On Fri, Dec 20, 2013 at 12:54 PM, Hrvoje Ribicic <[email protected]> wrote:
> On Thu, Dec 19, 2013 at 3:49 PM, Helga Velroyen <[email protected]> wrote: > >> This patch makes Ganeti to correctly handle the client >> > s/to correctly/correctly/ > ACK > certificates when nodes get promoted to master candidates >> or demoted to normal nodes. >> >> Signed-off-by: Helga Velroyen <[email protected]>
>> ---
>> lib/cmdlib/common.py | 37 +++++++++++++++++++++++++++++++++++++
>> lib/cmdlib/node.py | 16 ++++++++++++++--
>> 2 files changed, 51 insertions(+), 2 deletions(-)
>>
>> diff --git a/lib/cmdlib/common.py b/lib/cmdlib/common.py
>> index b8faee9..6b739b8 100644
>> --- a/lib/cmdlib/common.py
>> +++ b/lib/cmdlib/common.py
>> @@ -1236,3 +1236,40 @@ def AddNodeCertToCandidateCerts(lu, node_uuid,
>> cluster):
>> assert crypto_type == constants.CRYPTO_TYPE_SSL
>>
>> utils.AddNodeToCandidateCerts(node_uuid, digest,
>> cluster.candidate_certs)
>> +
>> +
>> +def RemoveNodeCertFromCandidateCerts(node_uuid, cluster):
>> + """Removes the node's certificate from the candidate certificates list.
>> +
>> + @type node_uuid: string
>> + @param node_uuid: the node's UUID
>> + @type cluster: C{objects.Cluster}
>> + @param cluster: the cluster's configuration
>> +
>> + """
>> + utils.RemoveNodeFromCandidateCerts(node_uuid, cluster.candidate_certs)
>> +
>> +
>> +def CreateNewClientCert(self, node_uuid, filename=None):
>> + """Creates a new client SSL certificate for the node.
>> +
>> + @type node_uuid: string
>> + @param node_uuid: the node's UUID
>> + @type filename: string
>> + @param filename: the certificate's filename
>> + @rtype: string
>> + @return: the digest of the newly created certificate
>> +
>> + """
>> + options = {}
>> + if filename:
>> + options[constants.CRYPTO_OPTION_CERT_FILE] = filename
>> + result = self.rpc.call_node_crypto_tokens(
>> + node_uuid,
>> + [(constants.CRYPTO_TYPE_SSL, constants.CRYPTO_ACTION_CREATE,
>> + options)])
>> + result.Raise("Could not create the node's (uuid %s) SSL client"
>> + " certificate." % node_uuid)
>> + ((crypto_type, new_digest), ) = result.payload
>> + assert crypto_type == constants.CRYPTO_TYPE_SSL
>> + return new_digest
>> diff --git a/lib/cmdlib/node.py b/lib/cmdlib/node.py
>> index 09cd9c8..f08555a 100644
>> --- a/lib/cmdlib/node.py
>> +++ b/lib/cmdlib/node.py
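Review bot: `CreateNewClientCert` is a module-level function in common.py but names its first parameter `self`, which reads like a method and hides that it is the calling logical unit whose `rpc` runner is used; the neighbouring `AddNodeCertToCandidateCerts(lu, node_uuid, cluster)` in the same file calls that parameter `lu`. I would rename it `def CreateNewClientCert(lu, node_uuid, filename=None):` with `result = lu.rpc.call_node_crypto_tokens(`, and document it in the epydoc block as `@type lu: L{LogicalUnit}` / `@param lu: the logical unit issuing the RPC`, since the docstring currently documents every parameter except this one. The call site in `LUNodeAdd` passes it positionally, so no caller changes. The `assert` on `crypto_type` validates a value returned by the remote node and is dropped under `-O`, but the existing `AddNodeCertToCandidateCerts` context uses the same pattern, so that is a file-wide convention rather than something this patch introduces.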
>> @@ -42,7 +42,8 @@ from ganeti.cmdlib.common import CheckParamsNotGlobal, \
>> CheckInstanceState, INSTANCE_DOWN, GetUpdatedParams, \
>> AdjustCandidatePool, CheckIAllocatorOrNode, LoadNodeEvacResult, \
>> GetWantedNodes, MapInstanceLvsToNodes, RunPostHook, \
>> - FindFaultyInstanceDisks, CheckStorageTypeEnabled,
>> AddNodeCertToCandidateCerts
>> + FindFaultyInstanceDisks, CheckStorageTypeEnabled, CreateNewClientCert,
>> \
>> + AddNodeCertToCandidateCerts, RemoveNodeCertFromCandidateCerts
>>
>>
>> def _DecideSelfPromotion(lu, exceptions=None):
>> @@ -416,7 +417,10 @@ class LUNodeAdd(LogicalUnit):
>>
>> cluster = self.cfg.GetClusterInfo()
>> if self.new_node.master_candidate:
>> - AddNodeCertToCandidateCerts(self, self.new_node.uuid, cluster)
>> + # We create a new certificate even if the node is readded
>> + digest = CreateNewClientCert(self, self.new_node.uuid)
>> + utils.AddNodeToCandidateCerts(self.new_node.uuid, digest,
>> + cluster.candidate_certs)
>> self.cfg.Update(cluster, feedback_fn)
>> else:
>> if self.new_node.uuid in cluster.candidate_certs:
>> @@ -780,6 +784,14 @@ class LUNodeSetParams(LogicalUnit):
>> if self.lock_all:
>> AdjustCandidatePool(self, [node.uuid])
>>
>> + cluster = self.cfg.GetClusterInfo()
>> + # if node gets promoted, grant RPC priviledges
>> + if self.new_role == self._ROLE_CANDIDATE:
>> + AddNodeCertToCandidateCerts(self, node.uuid, cluster)
>> + # if node is demoted, revoke RPC priviledges
>> + if self.old_role == self._ROLE_CANDIDATE:
>> + RemoveNodeCertFromCandidateCerts(node.uuid, cluster)
>> +
>> if self.op.secondary_ip:
>> node.secondary_ip = self.op.secondary_ip
>> result.append(("secondary_ip", self.op.secondary_ip))
>> --
>> 1.8.5.1
>>
>>
> LGTM, thanks! > Thx -- -- Helga Velroyen | Software Engineer | [email protected] | Google Germany GmbH Dienerstr. 12 80331 München Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores
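Review bot: In the `LUNodeSetParams` hunk the promotion and demotion branches mutate `cluster.candidate_certs` on the object returned by `self.cfg.GetClusterInfo()`, but unlike the `LUNodeAdd` hunk above there is no `self.cfg.Update(cluster, feedback_fn)` after them inside the hunk; if the remainder of the method (which continues outside the hunk) only updates `node`, a demoted node's certificate would stay in the persisted candidate list and keep its RPC access until something else happens to write the cluster object. I would add `self.cfg.Update(cluster, feedback_fn)` directly after the demotion `if` (assuming `feedback_fn` is in scope as in `LUNodeAdd`), or confirm that a later write of the cluster object covers it. If `old_role` and `new_role` can both equal `_ROLE_CANDIDATE` in one call, the two checks would add and then immediately remove the certificate, so guarding both with `self.old_role != self.new_role` is worth considering unless `CheckPrereq` already rejects an unchanged role. Also `priviledges` in both new comments should read `privileges`.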
