URL: https://github.com/freeipa/freeipa/pull/553 Author: stlaz Title: #553: Add check for removing last KRA server Action: synchronized
From 27b50f5d77382459f7495dd07ecaeea4852fb0a9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 8 Mar 2017 09:58:38 +0100 Subject: [PATCH 1/2] Add check to prevent removal of last KRA https://pagure.io/freeipa/issue/6538 --- install/tools/man/ipa-kra-install.1 | 5 +---- ipaserver/install/ipa_kra_install.py | 28 ++++------------------------ ipaserver/install/kra.py | 17 +++-------------- ipaserver/install/server/install.py | 2 +- ipaserver/plugins/server.py | 13 +++++++++++++ 5 files changed, 22 insertions(+), 43 deletions(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 index e3133ee..0aa9073 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 @@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins The replica_file is created using the ipa\-replica\-prepare utility. A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates. -The uninstall option can be used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected. The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall. +KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall. .SH "OPTIONS" \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password @@ -39,9 +39,6 @@ Directory Manager (existing master) password \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP -\fB\-\-uninstall\fR -Uninstall the KRA from the local IPA server. -.TP \fB\-v\fR, \fB\-\-verbose\fR Enable debug output when more verbose output is needed .TP 
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index 99ff4a6..7d7ece4 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -70,7 +70,7 @@ def add_options(cls, parser, debug_option=True): "--uninstall", dest="uninstall", action="store_true", default=False, help="uninstall an existing installation. The uninstall can " - "be run with --unattended option") + "be run with --unattended option", deprecated=True) def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) @@ -83,33 +83,13 @@ def validate_options(self, needs_root=True): @classmethod def get_command_class(cls, options, args): if options.uninstall: - return KRAUninstaller + raise RuntimeError( + 'Standalone KRA uninstalling was removed in FreeIPA 4.5 as it ' + 'had never worker properly and only caused issues.') else: return KRAInstaller -class KRAUninstaller(KRAInstall): - log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG - - def validate_options(self, needs_root=True): - super(KRAUninstaller, self).validate_options(needs_root=True) - - if self.args: - self.option_parser.error("Too many parameters provided.") - - _kra = krainstance.KRAInstance(api) - if not _kra.is_installed(): - self.option_parser.error( - "Cannot uninstall. There is no KRA installed on this system." - ) - - def run(self): - super(KRAUninstaller, self).run() - api.Backend.ldap2.connect() - kra.uninstall(True) - api.Backend.ldap2.disconnect() - - class KRAInstaller(KRAInstall): log_file_name = paths.IPASERVER_KRA_INSTALL_LOG diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 5a7a6ef..c39472a 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py 
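Review bot: The new RuntimeError text in get_command_class has a typo in a user-facing message; `'had never worker properly and only caused issues.')` should read `'had never worked properly and only caused issues.')`. Raising RuntimeError from a classmethod that runs before the tool's normal error reporting will most likely reach the user as a traceback rather than a clean usage error; the removed KRAUninstaller.validate_options used `self.option_parser.error(...)` for the same purpose, and if the parser is reachable from get_command_class (I cannot see that from the hunk) the same style would be friendlier. The `deprecated=True` keyword relies on the option class accepting that attribute, which is worth confirming since the option definition is cut at the hunk edge. With KRAUninstaller gone, check that the `krainstance` and `kra` imports in this module are still used elsewhere in the file, otherwise they are now dead.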
@@ -9,12 +9,11 @@ import os import shutil -from ipalib import api, errors +from ipalib import api from ipaplatform import services from ipaplatform.paths import paths from ipapython import certdb from ipapython import ipautil -from ipapython.dn import DN from ipaserver.install import custodiainstance from ipaserver.install import cainstance from ipaserver.install import krainstance @@ -124,19 +123,9 @@ def install(api, replica_config, options): services.knownservices.httpd.restart(capture_output=True) -def uninstall(standalone): +def uninstall(): kra = krainstance.KRAInstance(api.env.realm) - - if standalone: - try: - api.Backend.ldap2.delete_entry( - DN(('cn', 'KRA'), ('cn', api.env.host), - ('cn', 'masters'), ('cn', 'ipa'), - ('cn', 'etc'), api.env.basedn)) - except errors.NotFound: - pass - - kra.stop_tracking_certificates(stop_certmonger=not standalone) + kra.stop_tracking_certificates() if kra.is_installed(): kra.uninstall() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 1e6aad9..7a8767b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -1045,7 +1045,7 @@ def uninstall(installer): ntpinstance.NTPInstance(fstore).uninstall() - kra.uninstall(False) + kra.uninstall() ca.uninstall() diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index 08caa1c..b1ee472 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py 
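Review bot: `kra.stop_tracking_certificates()` in the rewritten uninstall() now relies on that method's default for stop_certmonger, where the old code passed `stop_certmonger=not standalone`, which for the only surviving caller (install.py's `kra.uninstall(False)`, also on this page) evaluated to True. The default is not visible here; if it is anything but True, the full-server uninstall now leaves certmonger running where it previously stopped it, so pass it explicitly: `kra.stop_tracking_certificates(stop_certmonger=True)`. Since the contract changed, a docstring would help the next reader: `"""Uninstall the KRA; only called from the full server uninstall."""`. The uninstall() body may continue past the end of the hunk.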
@@ -494,6 +494,19 @@ def handler(msg, ignore_last_of_role): "without a DNS."), ignore_last_of_role) if self.api.Command.ca_is_enabled()['result']: + try: + vault_config = self.api.Command.vaultconfig_show()['result'] + kra_servers = vault_config.get('kra_server_server', []) + except errors.InvocationError: + # KRA is not configured + pass + else: + if kra_servers == [hostname]: + handler( + _("Deleting this server is not allowed as it would " + "leave your installation without a KRA."), + ignore_last_of_role) + ca_servers = ipa_config.get('ca_server_server', []) ca_renewal_master = ipa_config.get( 'ca_renewal_master_server', []) From 8f1a084d9329436ff9cb3cda548e46ef27499183 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 8 Mar 2017 13:07:12 +0100 Subject: [PATCH 2/2] Add message about last KRA to WebUI Topology view https://pagure.io/freeipa/issue/6538 --- install/ui/src/freeipa/topology.js | 37 ++++++++++++++++++++++++------------- install/ui/test/data/ipa_init.json | 3 ++- ipaserver/plugins/internal.py | 3 ++- 3 files changed, 28 insertions(+), 15 deletions(-) diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js index c33adba..c4f3f65 100644 --- a/install/ui/src/freeipa/topology.js +++ b/install/ui/src/freeipa/topology.js 
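Review bot: The new last-KRA guard only catches errors.InvocationError around vaultconfig_show, so any other failure there (for example if vaultconfig_show contacts the KRA to fetch the transport certificate, as it does in current vault.py outside this hunk, and that KRA is already down on the host being decommissioned) escapes the guard and lets the last KRA server be deleted, leaving archived vault keys unrecoverable. The context line right below already reads server roles from `ipa_config`, and config_show's server-role attributes include kra_server_server as far as I recall, so the check can be made without a KRA round-trip: `kra_servers = ipa_config.get('kra_server_server', [])` followed by the same `if kra_servers == [hostname]:` handler call, dropping the try/except entirely. If vaultconfig_show must stay, the check should fail closed (refuse the deletion) on unexpected errors rather than silently skipping. `hostname` and `ipa_config` come from the enclosing method, which starts and ends outside the hunk.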
@@ -497,23 +497,40 @@ topology.servers_search_facet = function(spec, no_init) { on_success(data, text_status, xhr); var result = data.result.results; - var counter = 0; + var ca_counter = 0; + var kra_counter = 0; for (var i=0, l=result.length; i<l; i++) { var current = result[i]; var roles = current.result.enabled_role_servrole; for (var k=0, m=roles.length; k<m; k++) { - if (roles[k] === 'CA server') counter++; + if (roles[k] === 'CA server') ca_counter++; + if (roles[k] === 'KRA server') kra_counter++; } } // Create dialog and show it only when there is only one CA server - if (counter != 1) return; + if (ca_counter != 1 && kra_counter != 1) return; + + var messages = []; + if (ca_counter == 1) + messages.push( + { + field: false, + $type: 'html', + html: text.get('@i18n:objects.servers.ca_warning_message') + }); + if (kra_counter == 1) + messages.push( + { + field: false, + $type: 'html', + html: text.get('@i18n:objects.servers.kra_warning_message') + }); - var message = text.get('@i18n:objects.servers.ca_warning_message'); var dialog = IPA.dialog({ - name: 'ca_warning', - title: '@i18n:objects.servers.ca_warning_title', + name: 'dogtag_warning', + title: '@i18n:objects.servers.dogtag_warning_title', sections: [ { show_header: false, @@ -523,13 +540,7 @@ topology.servers_search_facet = function(spec, no_init) { widget_cls: "col-sm-12 controls", label_cls: "hide" }, - fields: [ - { - field: false, - $type: 'html', - html: message - } - ] + fields: messages } ] }); diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 2fe0ef4..f3c5b7d 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json 
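Review bot: The comment `// Create dialog and show it only when there is only one CA server` is now stale, since the early return under it also considers kra_counter; change it to `// Show the dialog only when there is exactly one CA server or exactly one KRA server`. Style: the two new `if (ca_counter == 1)` / `if (kra_counter == 1)` bodies are multi-line object literals under brace-less ifs, which is fragile when a line is added later, and they differ only in the i18n key, so braces plus a loop over the two role/message pairs would remove the duplication. Renaming the dialog from 'ca_warning' to 'dogtag_warning' may affect anything that selected the dialog by name (tests, styling); I cannot verify that from this page. The servers_search_facet callback continues outside the hunk.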
@@ -552,8 +552,9 @@ "label_singular": "Server Role", }, "servers": { + "dogtag_warning_title": "Warning: Only One CA/KRA Server Detected", "ca_warning_message": "It is strongly recommended to keep the CA services installed on more than one server.", - "ca_warning_title": "Warning: Only One CA Server Detected", + "kra_warning_message": "It is strongly recommended to keep the KRA services installed on more than one server.", "remove_server": "Delete Server", "remove_server_msg": "Deleting a server removes it permanently from the topology. Note that this is a non-reversible action." }, diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index e82e5fc..617aea3 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py @@ -704,8 +704,9 @@ class i18n_messages(Command): "label_singular": _("Server Role"), }, "servers": { + "dogtag_warning_title": _("Warning: Only One CA/KRA Server Detected"), "ca_warning_message": _("It is strongly recommended to keep the CA services installed on more than one server."), - "ca_warning_title": _("Warning: Only One CA Server Detected"), + "kra_warning_message": _("It is strongly recommended to keep the KRA services installed on more than one server."), "remove_server": _("Delete Server"), "remove_server_msg": _("Deleting a server removes it permanently from the topology. Note that this is a non-reversible action.") },