URL: https://github.com/freeipa/freeipa/pull/556 Author: stlaz Title: #556: Don't allow standalone KRA uninstalls Action: opened
PR body: """ KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/556/head:pr556 git checkout pr556
From b6e514f2e04629d350c8545bc31c5efa7a0c26bf Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 8 Mar 2017 16:38:12 +0100 Subject: [PATCH] Don't allow standalone KRA uninstalls KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 --- install/tools/man/ipa-kra-install.1 | 5 +---- ipaserver/install/ipa_kra_install.py | 30 +++++------------------------- ipaserver/install/kra.py | 17 +++-------------- ipaserver/install/server/install.py | 2 +- 4 files changed, 10 insertions(+), 44 deletions(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 index e3133ee..0aa9073 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 @@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins The replica_file is created using the ipa\-replica\-prepare utility. A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates. -The uninstall option can be used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected. The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall. +KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall. .SH "OPTIONS" \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password @@ -39,9 +39,6 @@ Directory Manager (existing master) password \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP -\fB\-\-uninstall\fR -Uninstall the KRA from the local IPA server. -.TP \fB\-v\fR, \fB\-\-verbose\fR Enable debug output when more verbose output is needed .TP diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index 99ff4a6..a6cdb1e 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -21,6 +21,7 @@ from __future__ import print_function import tempfile +from optparse import SUPPRESS_HELP from textwrap import dedent from ipalib import api @@ -69,8 +70,7 @@ def add_options(cls, parser, debug_option=True): parser.add_option( "--uninstall", dest="uninstall", action="store_true", default=False, - help="uninstall an existing installation. The uninstall can " - "be run with --unattended option") + help=SUPPRESS_HELP) def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) @@ -83,33 +83,13 @@ def validate_options(self, needs_root=True): @classmethod def get_command_class(cls, options, args): if options.uninstall: - return KRAUninstaller + raise RuntimeError( + 'Standalone KRA uninstalling was removed in FreeIPA 4.5 as it ' + 'had never worker properly and only caused issues.') else: return KRAInstaller -class KRAUninstaller(KRAInstall): - log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG - - def validate_options(self, needs_root=True): - super(KRAUninstaller, self).validate_options(needs_root=True) - - if self.args: - self.option_parser.error("Too many parameters provided.") - - _kra = krainstance.KRAInstance(api) - if not _kra.is_installed(): - self.option_parser.error( - "Cannot uninstall. There is no KRA installed on this system." - ) - - def run(self): - super(KRAUninstaller, self).run() - api.Backend.ldap2.connect() - kra.uninstall(True) - api.Backend.ldap2.disconnect() - - class KRAInstaller(KRAInstall): log_file_name = paths.IPASERVER_KRA_INSTALL_LOG diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 5a7a6ef..c39472a 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -9,12 +9,11 @@ import os import shutil -from ipalib import api, errors +from ipalib import api from ipaplatform import services from ipaplatform.paths import paths from ipapython import certdb from ipapython import ipautil -from ipapython.dn import DN from ipaserver.install import custodiainstance from ipaserver.install import cainstance from ipaserver.install import krainstance @@ -124,19 +123,9 @@ def install(api, replica_config, options): services.knownservices.httpd.restart(capture_output=True) -def uninstall(standalone): +def uninstall(): kra = krainstance.KRAInstance(api.env.realm) - - if standalone: - try: - api.Backend.ldap2.delete_entry( - DN(('cn', 'KRA'), ('cn', api.env.host), - ('cn', 'masters'), ('cn', 'ipa'), - ('cn', 'etc'), api.env.basedn)) - except errors.NotFound: - pass - - kra.stop_tracking_certificates(stop_certmonger=not standalone) + kra.stop_tracking_certificates() if kra.is_installed(): kra.uninstall() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 1e6aad9..7a8767b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -1045,7 +1045,7 @@ def uninstall(installer): ntpinstance.NTPInstance(fstore).uninstall() - kra.uninstall(False) + kra.uninstall() ca.uninstall()
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
