[Freeipa-devel] [PATCH] 968 don't allow reconnection to deleted master

Martin Kosek mkosek at redhat.com
Wed Feb 29 15:24:05 UTC 2012


On Wed, 2012-02-29 at 09:13 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2012-02-28 at 16:36 -0500, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Sat, 2012-02-25 at 17:43 -0500, Rob Crittenden wrote:
> >>>> This patch does two things:
> >>>>
> >>>> 1. Prompts when deleting a master to make clear that this is irreversible
> >>>> 2. Does not allow a deleted master to be reconnected.
> >>>>
> >>>> Reconnecting to a deleted master causes all heck to break loose because
> >>>> we delete principals as part of the deletion process. If you reconnect to a
> >>>> deleted master then we replicate those deletes and the connected master
> >>>> is now unusable (no principals).
> >>>>
> >>>> A simple test is:
> >>>>
> >>>> Install master
> >>>> Install replica
> >>>> ipa-replica-manage del replica
> >>>> ipa-replica-manage connect replica
> >>>> ipa-server-uninstall -U on replica
> >>>> re-install replica
> >>>>
> >>>> The re-install should be successful.
> >>>>
> >>>> rob
> >>>
> >>> Generally, it looks and works well. I just miss some unattended way to
> >>> delete a replica, from another script for example.
> >>>
> >>> I think we may either re-use --force flag for this purpose or introduce
> >>> an --unattended flag.
> >>>
> >>> I also found an issue with S4U2Proxy memberPrincipal added for each
> >>> replica. Since the memberPrincipal values for a deleted replica are not
> >>> removed when a replica is being deleted, ipa-replica-install reports a
> >>> (benign) error when it tries to add a duplicate value afterwards. I
> >>> filed a ticket for this one:
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/2451
> >>>
> >>> Martin
> >>>
> >>
> >> OK, went with --force.
> >>
> >> rob
> >
> > The approach should be OK, but the patch you included is wrong.
> >
> > Martin
> >
> 
> OK, this should be right.
> 
> rob

Yup, that's better.

ACK. Pushed to master, ipa-2-2.

I raised the Affects Tests flag in Trac; the --force flag needs to be added to
"ipa-replica-manage del $REPLICA" tests.

Martin
