ipa-csreplica-manage: disable connect/disconnect/del with domain level > 0

* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa topologysegment-*' commands * ipa-csreplica-manage del - a user should use ipa-replica-manage del https://fedorahosted.org/freeipa/ticket/5405 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-10-30 13:06:21 +01:00 · 2015-10-30 13:06:21 +01:00 · 6119dbb9a9
commit 6119dbb9a9
parent 7ef827eeb6
3 changed files with 36 additions and 8 deletions
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@ -30,6 +30,7 @@ from ipaserver.install import (replication, installutils, bindinstance,
    cainstance, certs)
 from ipalib import api, errors
 from ipalib.constants import CACERT
+from ipalib.util import has_managed_topology
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN

@ -392,6 +393,19 @@ def set_renewal_master(realm, replica):

    print("%s is now the renewal master" % replica)

+
+def exit_on_managed_topology(what, hint="topologysegment"):
+    if hint == "topologysegment":
+        hinttext = ("Please use `ipa topologysegment-*` commands to manage "
+                   "the topology.")
+    elif hint == "ipa-replica-manage-del":
+        hinttext = ("Please use the `ipa-replica-manage del` command.")
+    else:
+        assert False, "Unexpected value"
+    sys.exit("{0} is deprecated with managed IPA replication topology. {1}"
+             .format(what, hinttext))
+
+
 def main():
    options, args = parse_options()

@ -427,12 +441,19 @@ def main():

    options.dirman_passwd = dirman_passwd

+    api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                              bind_pw=options.dirman_passwd)
+
    if args[0] == "list":
        replica = None
        if len(args) == 2:
            replica = args[1]
        list_replicas(realm, host, replica, dirman_passwd, options.verbose)
    elif args[0] == "del":
+        if has_managed_topology(api):
+            exit_on_managed_topology(
+                "Removal of IPA CS replication agreement and replication data",
+                hint="ipa-replica-manage-del")
        del_master(realm, args[1], options)
    elif args[0] == "re-initialize":
        re_initialize(realm, options)
@ -441,6 +462,8 @@ def main():
            sys.exit("force-sync requires the option --from <host name>")
        force_sync(realm, host, options.fromhost, options.dirman_passwd)
    elif args[0] == "connect":
+        if has_managed_topology(api):
+            exit_on_managed_topology("Creation of IPA CS replication agreement")
        if len(args) == 3:
            replica1 = args[1]
            replica2 = args[2]
@ -449,6 +472,8 @@ def main():
            replica2 = args[1]
        add_link(realm, replica1, replica2, dirman_passwd, options)
    elif args[0] == "disconnect":
+        if has_managed_topology(api):
+            exit_on_managed_topology("Removal of IPA CS replication agreement")
        if len(args) == 3:
            replica1 = args[1]
            replica2 = args[2]
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -37,8 +37,9 @@ from ipaserver.install import bindinstance, cainstance, certs
 from ipaserver.install import opendnssecinstance, dnskeysyncinstance
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
-from ipalib.util import create_topology_graph, get_topology_connection_errors
+from ipalib.constants import CACERT
+from ipalib.util import (create_topology_graph,
+    get_topology_connection_errors, has_managed_topology)
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
@ -247,7 +248,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):

    repl2 = None
    what = "Removal of IPA replication agreement"
-    managed_topology = has_managed_topology()
+    managed_topology = has_managed_topology(api)

    try:
        repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
@ -698,7 +699,7 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):

 def del_master(realm, hostname, options):

-    if has_managed_topology():
+    if has_managed_topology(api):
        del_master_managed(realm, hostname, options)
    else:
        del_master_direct(realm, hostname, options)
@ -957,7 +958,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
        if os.getegid() != 0:
            root_logger.error("winsync agreements need to be created as root")
            sys.exit(1)
-    elif has_managed_topology():
+    elif has_managed_topology(api):
        exit_on_managed_topology("Creation of IPA replication agreement")

    try:
@ -1349,9 +1350,6 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
        except Exception as e:
            sys.exit("Updating range failed: %s" % e)

-def has_managed_topology():
-    domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
-    return domainlevel > DOMAIN_LEVEL_0

 def exit_on_managed_topology(what):
    sys.exit("{0} is deprecated with managed IPA replication topology. "
--- a/ipalib/util.py
+++ b/ipalib/util.py
@ -39,6 +39,7 @@ from netaddr.core import AddrFormatError
 import six

 from ipalib import errors, messages
+from ipalib.constants import DOMAIN_LEVEL_0
 from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN, RDN
@ -856,3 +857,7 @@ def detect_dns_zone_realm_type(api, domain):

    # If we could not detect type with certainity, return unknown
    return 'unknown'
+
+def has_managed_topology(api):
+    domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
+    return domainlevel > DOMAIN_LEVEL_0