Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/20/2010 11:05 PM, Simo Sorce wrote: > I guess it work properly if you kdestroy and use the DM password ? > > Simo. > Yes is does. ipa-replica-manage del works, plus I inspected the directory contents before adding and after removing a replica - the only difference is nsDS5ReplicaId: attrbute which is expected. I filed a separate ticket about the ACI problem and ACK to this patch. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0QqNwACgkQHsardTLnvCVSBgCeMZsW2m1UnUxiFTfavAuFCxig YJEAn0o4dWqMufHscJFpBtBj+pKShq0Z =90+a -END PGP SIGNATURE- ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Mon, 20 Dec 2010 22:40:50 +0100 Jakub Hrozek wrote: > >> The rest of the code looks OK, but I'm currently not able to test > >> as the deletion fails with "Insufficient access". In my setup, > >> vm-061 is the master and vm-038 is the replica: > >> > >> [r...@vm-061 ~]# ipa-replica-manage list > >> vm-061.idm.lab.bos.redhat.com vm-038.idm.lab.bos.redhat.com > >> [r...@vm-061 ~]# ipa-replica-manage del > >> vm-038.idm.lab.bos.redhat.com Unable to remove agreement on > >> vm-038.idm.lab.bos.redhat.com: Insufficient access: > > > > Do you have a ticket as admin when you try this ? > > > > Simo. > > > > I do. The traceback looks like this (I inserted and extra > traceback.print_exc() call to get it): > > > Traceback (most recent call last): >File "/usr/sbin/ipa-replica-manage", line 269, in del_master > other_replman.delete_agreement(replman.conn.host) >File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 408, in delete_agreement > return self.conn.deleteEntry(dn) >File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 563, in deleteEntry > self.__handle_errors(e, **kw) >File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line > 316, in __handle_errors > raise errors.ACIError(info=info) > ACIError: Insufficient access: > > > So this seems to be an ACI problem. I have your 4 patches applied on > top of the current origin/master and was calling "ipa-replica-manage > del ". > I guess it work properly if you kdestroy and use the DM password ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On 12/20/2010 09:02 PM, Simo Sorce wrote:
On Mon, 20 Dec 2010 18:02:02 +0100
Jakub Hrozek wrote:
On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:
Clean up records related to the master being deleted in the shared
tree.
This also avoid issues later on if you want to rejoin the server as
a master. It is also needed in order to give back valid information
for patch 0035
Simo.
--
Simo Sorce * Red Hat, Inc * New York
def del_master(replman, hostname, force=False):
+has_repl_agreement = True
try:
t = replman.get_agreement_type(hostname)
except ldap.NO_SUCH_OBJECT:
print "No replication agreement found for '%s'" % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return
except errors.NotFound:
print "No replication agreement found for '%s'" % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return
This is just a nitpick but the above except: blocks are exactly the
same. One could remove the redundancy by just using:
except (errors.NotFound, ldap.NO_SUCH_OBJECT):
+
+def replica_cleanup(self, replica, realm, force=False):
+
+err = None
+
+if replica == self.hostname:
+raise RuntimeError("Can't cleanup self")
+
+if not self.suffix or self.suffix == "":
+self.suffix = util.realm_to_suffix(realm)
+self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)
This looks suspicious. Should one of these be in else: perhaps?
No, I just reused the same var to keep a temporary value, instead of
having a long line. not pretty but it is correct.
I can use a temp var if you think it makes for more readable code
though.
Oh, that's OK, I was just too lazy to read the methods before. It makes
sense now, thanks.
The rest of the code looks OK, but I'm currently not able to test as
the deletion fails with "Insufficient access". In my setup, vm-061 is
the master and vm-038 is the replica:
[r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
vm-038.idm.lab.bos.redhat.com
[r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
Insufficient access:
Do you have a ticket as admin when you try this ?
Simo.
I do. The traceback looks like this (I inserted and extra
traceback.print_exc() call to get it):
Traceback (most recent call last):
File "/usr/sbin/ipa-replica-manage", line 269, in del_master
other_replman.delete_agreement(replman.conn.host)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 408, in delete_agreement
return self.conn.deleteEntry(dn)
File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
563, in deleteEntry
self.__handle_errors(e, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
316, in __handle_errors
raise errors.ACIError(info=info)
ACIError: Insufficient access:
So this seems to be an ACI problem. I have your 4 patches applied on top
of the current origin/master and was calling "ipa-replica-manage del
".
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Mon, 20 Dec 2010 18:02:02 +0100
Jakub Hrozek wrote:
> On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:
> >
> > Clean up records related to the master being deleted in the shared
> > tree.
> >
> > This also avoid issues later on if you want to rejoin the server as
> > a master. It is also needed in order to give back valid information
> > for patch 0035
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
>
> > def del_master(replman, hostname, force=False):
> > +has_repl_agreement = True
> > try:
> > t = replman.get_agreement_type(hostname)
> > except ldap.NO_SUCH_OBJECT:
> > print "No replication agreement found for '%s'" % hostname
> > -return
> > +if force:
> > +has_repl_agreement = False
> > +else:
> > +return
> > except errors.NotFound:
> > print "No replication agreement found for '%s'" % hostname
> > -return
> > +if force:
> > +has_repl_agreement = False
> > +else:
> > +return
>
> This is just a nitpick but the above except: blocks are exactly the
> same. One could remove the redundancy by just using:
>
> except (errors.NotFound, ldap.NO_SUCH_OBJECT):
>
> > +
> > +def replica_cleanup(self, replica, realm, force=False):
> > +
> > +err = None
> > +
> > +if replica == self.hostname:
> > +raise RuntimeError("Can't cleanup self")
> > +
> > +if not self.suffix or self.suffix == "":
> > +self.suffix = util.realm_to_suffix(realm)
> > +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)
>
> This looks suspicious. Should one of these be in else: perhaps?
No, I just reused the same var to keep a temporary value, instead of
having a long line. not pretty but it is correct.
I can use a temp var if you think it makes for more readable code
though.
> The rest of the code looks OK, but I'm currently not able to test as
> the deletion fails with "Insufficient access". In my setup, vm-061 is
> the master and vm-038 is the replica:
>
> [r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
> vm-038.idm.lab.bos.redhat.com
> [r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
> Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
> Insufficient access:
Do you have a ticket as admin when you try this ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
On Wed, Dec 15, 2010 at 08:01:10PM -0500, Simo Sorce wrote:
>
> Clean up records related to the master being deleted in the shared tree.
>
> This also avoid issues later on if you want to rejoin the server as a
> master. It is also needed in order to give back valid information for
> patch 0035
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> def del_master(replman, hostname, force=False):
> +has_repl_agreement = True
> try:
> t = replman.get_agreement_type(hostname)
> except ldap.NO_SUCH_OBJECT:
> print "No replication agreement found for '%s'" % hostname
> -return
> +if force:
> +has_repl_agreement = False
> +else:
> +return
> except errors.NotFound:
> print "No replication agreement found for '%s'" % hostname
> -return
> +if force:
> +has_repl_agreement = False
> +else:
> +return
This is just a nitpick but the above except: blocks are exactly the
same. One could remove the redundancy by just using:
except (errors.NotFound, ldap.NO_SUCH_OBJECT):
> +
> +def replica_cleanup(self, replica, realm, force=False):
> +
> +err = None
> +
> +if replica == self.hostname:
> +raise RuntimeError("Can't cleanup self")
> +
> +if not self.suffix or self.suffix == "":
> +self.suffix = util.realm_to_suffix(realm)
> +self.suffix = ipaldap.IPAdmin.normalizeDN(self.suffix)
This looks suspicious. Should one of these be in else: perhaps?
The rest of the code looks OK, but I'm currently not able to test as the
deletion fails with "Insufficient access". In my setup, vm-061 is the
master and vm-038 is the replica:
[r...@vm-061 ~]# ipa-replica-manage list vm-061.idm.lab.bos.redhat.com
vm-038.idm.lab.bos.redhat.com
[r...@vm-061 ~]# ipa-replica-manage del vm-038.idm.lab.bos.redhat.com
Unable to remove agreement on vm-038.idm.lab.bos.redhat.com:
Insufficient access:
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0032 Cleanup when deleting a replica
Clean up records related to the master being deleted in the shared tree.
This also avoid issues later on if you want to rejoin the server as a
master. It is also needed in order to give back valid information for
patch 0035
Simo.
--
Simo Sorce * Red Hat, Inc * New York
>From 270b9335fd6ead2b49c1ec4b93aedb1392f73fff Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 10 Dec 2010 09:48:06 -0500
Subject: [PATCH 1/4] Remove common entries when deleting a master.
Fixes: https://fedorahosted.org/freeipa/ticket/550
---
install/share/default-aci.ldif |5 ++
install/tools/ipa-replica-manage | 78 --
ipaserver/install/replication.py | 73 +++
ipaserver/ipaldap.py | 29 ++
ipaserver/plugins/ldap2.py |7 ++-
5 files changed, 152 insertions(+), 40 deletions(-)
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index d725cd5c13b0ef7b45ee9607a2968c55d156b44c..4b29aa7dd2446b86e9887940072c733fd6a6db60 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -23,6 +23,11 @@ changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
+
dn: cn=accounts,$SUFFIX
changetype: modify
add: aci
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 720fe6777abcee23e1884125f95a826ef03d9a80..9b5aad5ce93bd1ed58c603a1156bd33cb0fb96a2 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -76,16 +76,6 @@ def get_suffix():
suffix = l.normalize_dn(util.realm_to_suffix(get_realm_name()))
return suffix
-def get_host_name():
-hostname = installutils.get_fqdn()
-try:
-installutils.verify_fqdn(hostname)
-except RuntimeError, e:
-logging.error(str(e))
-sys.exit(1)
-
-return hostname
-
def test_connection(host):
"""
Make a GSSAPI connection to the remote LDAP server to test out credentials.
@@ -114,41 +104,55 @@ def list_masters(replman, verbose):
print " last init ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastinitend))
print " last update status: %s" % entry.nsds5replicalastupdatestatus
print " last update ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastupdateend))
-
+
def del_master(replman, hostname, force=False):
+has_repl_agreement = True
try:
t = replman.get_agreement_type(hostname)
except ldap.NO_SUCH_OBJECT:
print "No replication agreement found for '%s'" % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return
except errors.NotFound:
print "No replication agreement found for '%s'" % hostname
-return
+if force:
+has_repl_agreement = False
+else:
+return
-# Delete the remote agreement first
-if t == replication.IPA_REPLICA:
-failed = False
-try:
-other_replman = replication.ReplicationManager(hostname, replman.dirman_passwd)
-other_replman.suffix = get_suffix()
-other_replman.delete_agreement(replman.conn.host)
-except ldap.LDAPError, e:
-desc = e.args[0]['desc'].strip()
-info = e.args[0].get('info', '').strip()
-print "Unable to remove agreement on %s: %s: %s" % (hostname, desc, info)
-failed = True
-except Exception, e:
-print "Unable to remove agreement on %s: %s" % (hostname, str(e))
-failed = True
+if has_repl_agreement:
+# Delete the remote agreement first
+if t == replication.IPA_REPLICA:
+failed = False
+try:
+other_replman = replication.ReplicationManager(hostname, replman.dirman_passwd)
+other_replman.suffix = get_suffix()
+other_replman.delete_agreement(replman.conn.host)
+except ldap.LDAPError, e:
+desc = e.args[0]['desc'].strip()
+info = e.args[0].get('info', '').strip()
+print "Unable to remove agreement on %s: %s: %s" % (hostname, desc, info)
+failed = True
+except Exception, e:
+print "Unable to remove agreement on %s: %s" % (hostname, str(e))
+failed = True
-if failed:
-if force:
-print "Forcing removal on local server"
-else:
-
