Commit Graph

38 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
68c72e344a Privilege: add a helper checking if a principal has a given privilege
server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py

Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Christian Heimes
713c9b0ce8 Don't fail if config-show does not return servers
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
e7e0f190bb Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
94b86354b5 Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
7c2ca14118 Query for server role IPA master
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Rob Crittenden
8ea227451f
Drop attr defaultServerList if removing the last server
This otherwise returns a syntax error if trying to set
an empty value.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 08:38:03 +02:00
Petr Vobornik
7c5ee4e8fc server-del do not return early if CA renewal master cannot be changed
Early return prevented adding last warning message in the method:
   "Ignoring these warnings and proceeding with removal"

And thus `check_master_removal` in `test_server_del` did not work.

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-15 14:15:34 -04:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Alexander Koksharov
1235f5958d preventing ldap principal to be deleted
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.

https://pagure.io/freeipa/issue/7371

This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-31 12:35:03 +01:00
Christian Heimes
f60b2c5906 LGTM: raise handle_not_found()
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.

It's OK to raise here because handle_not_found() always raises an
exception.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Stanislav Laznicka
6ca8787cc7 Uninstall: fix BytesWarning exception
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:42:51 +02:00
Stanislav Laznicka
d147948fcc server plugin: pass bytes to ldap.modify_s
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-03 13:50:10 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Florence Blanc-Renaud
a02a0a95f2 server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 18:45:52 +02:00
Stanislav Laznicka
670f8fb1db Add check to prevent removal of last KRA
https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-13 16:10:28 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Martin Babinsky
7a183bad66 server-del: fix incorrect check for one IPA master
https://fedorahosted.org/freeipa/ticket/6417

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-07 12:42:12 +01:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Stanislav Laznicka
f0487946cd Don't ignore --ignore-last-of-role for last CA
Use a handler created for the purpose of deciding whether
to raise exception or not.

https://fedorahosted.org/freeipa/ticket/6259

Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2016-08-29 13:46:47 +02:00
Christian Heimes
c346a2d1d1 Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:26:57 +02:00
Martin Babinsky
9392b21271 Fix incorrect construction of service principal during replica cleanup
https://fedorahosted.org/freeipa/ticket/5985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-27 12:59:48 +02:00
Martin Basti
c6f7d94d5b DNS Locations: server-mod: fix if statement
Statement used for detection if objeclass change is needed was logically
wrong, this fixes it.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-27 10:22:39 +02:00
Martin Basti
926462d335 Server-del: fix system records removal
Services on replica to be removed  must be deleted first, otherwise
update of system records will not take this change into account

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-23 12:33:43 +02:00
Martin Babinsky
be3ad1ed7a server-del: harden check for last roles
The current implementation of check for last CA/DNS server and DNSSec key
master in `server-del` is quite fragile and wroks with quite a few assumptions
which may not be always true (CA and DNS is always configured etc.).

This patch hardens the check so that it does not break when the above
assuptions do not hold.

https://fedorahosted.org/freeipa/ticket/5960

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-22 17:26:56 +02:00
Martin Babinsky
a540c909a7 Fix listing of enabled roles in server-find
The roles can be thought of as membership attributes so we should only
list
them if `--all` is specified and `--no-members` is not.

Also do not show them if `--raw` is passed in.

https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 19:00:14 +02:00
Martin Babinsky
a6eb87bd68 server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.

`server-del` nows performs these actions:
  * check topology connectivity
  * check that at least one CA/DNS server and DNSSec masters are left
    after removal
  * cleanup all LDAP entries/attributes exposing information about the master
  * cleanup master DNS records
  * remove master and service principals
  * remove master entry from LDAP
  * check that all segments pointing to the master were removed

  `server-del` now accepts the following options:
  * `--force`: force master removal even if it doesn't exist
  * `--ignore-topology-disconnect`: ignore errors arising from disconnected
    topology before and after master removal
  * `--ignore-last-of-role`: remove master even if it is last DNS server,
    and DNSSec key master. The last CA will *not* be removed regardless of
    this option.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Basti
4155eb7b13 DNS Locations: Rename ipalocationweight to ipaserviceweight
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
8dde1201ed DNS Locations: show warning if there is no DNS servers in location
DNS servers must be in each location, otherwise DNS location without DNS
server assigned will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
1997733cdf DNS Locations: require to restart named-pkcs11 affter location change
Send a warning message that named-pkcs11 service must be restarted after
changes related to locations or server weight

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
ef12cad30b DNS Locations: set proper substitution variable
DNS Server (bind-dyndb-ldap) needs to have set
'idnsSubstitutionVariable;ipalocation' in ldap to the proper location

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
2157ea0e6d DNS Locations: dnsserver-* commands
New commands for manipulation with DNS server configuration were added:
 * dnsserver-show
 * dnsserver-mod
 * dnsserver-find

https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
4076e8e4e5 DNS Locations: server-mod: add automatic records update
For any location or server weight change is required to update records

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
394b094fc2 DNS Locations: permission: allow to read status of services
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed for detection which records should be created
on which servers.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Babinsky
b9aa31191b Server Roles: make server-{show,find} utilize role information
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).

server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Basti
79544aa51a DNS Location: location-show: return list of servers in location
location-show returns list of servers curently assigned to the location

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Martin Basti
15abfcf0f7 DNS Locations: extend server-* command with locations
Server find, server show, server mod should work with IPA locations.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00