[Freeipa-devel] [PATCH] 0089 Clarify trust-add help regarding multiple runs against the same domain

Alexander Bokovoy abokovoy at redhat.com
Fri Nov 2 12:19:40 UTC 2012


On Wed, 17 Oct 2012, Martin Kosek wrote:
>On 10/17/2012 12:52 PM, Sumit Bose wrote:
>> On Wed, Oct 10, 2012 at 06:05:02PM +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> this patch originated from off-list discussion regarding multiple runs
>>> of ipa trust-add against the same domain.
>>>
>>> Since trust-add re-establishes the trust every time it is run and all
>>> the other information fetched from the remote domain controller stays
>>> the same, it can be run multiple times. The only change that would occur is an
>>> update of trust relationship credentials -- they are supposed to be
>>> updated periodically by underlying infrastructure anyway.
>>>
>>> So the patch adds some clarity to the help and changes summary message
>>> when trust was re-established instead of created.
>>> --
>>> / Alexander Bokovoy
>>
>> ACK
>>
>> Btw, another useful feature of allowing to run trust-add multiple times
>> is to re-establish the trust if it was deleted only on one side, AD or
>> IPA. Having a separate command for this would make no sense because it
>> would basically be an alias to trust-add.
>>
>> bye,
>> Sumit
>>
>
>I am still a bit worried about our consistency with IPA command help
>indentation. You have it indented with trust-add command:
>
># ipa help trust-add
>Purpose: Add new trust to use.
>
>    This command establishes trust relationship to another domain
>    which becomes 'trusted'. As result, users of the trusted domain
>    may access resources of this domain.
>...
A fix is attached.


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 44550cf83aac289363e3ca2acc789bc81cef351d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 10 Oct 2012 15:33:50 +0300
Subject: [PATCH 5/5] Clarify trust-add help regarding multiple runs against
 the same domain

Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change that would occur is an update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
---
 ipalib/plugins/trust.py | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 845f96e1fdd09d1e85f6f900d3f1c241445b9c6b..8632d42df578d81b6fdbcd9e5be8979994699206 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -179,7 +179,19 @@ def make_trust_dn(env, trust_type, dn):
     return dn
 
 class trust_add(LDAPCreate):
-    __doc__ = _('Add new trust to use')
+    __doc__ = _('''
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+    ''')
 
     takes_options = LDAPCreate.takes_options + (
         StrEnum('trust_type',
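
Review bot: The last paragraph of the new __doc__ says a re-run changes the trust relationship credentials "on both sides", but the trust_secret branch later in this method only does the IPA half (join_ad_ipa_half) and leaves the remote side to the administrator, so the statement holds only for the realm_admin path. Suggest saying that the trust credentials are replaced and that, when trust_secret is used, the remote side has to be updated separately. The sentence "…against the same domain, this will cause change…" is also a comma splice and reads better as two sentences, and the closing `    ''')` puts trailing whitespace inside the translatable string, which matters given the help-indentation concern raised in this thread.
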
@@ -309,6 +321,11 @@ class trust_add(LDAPCreate):
                   reason=_('''Cannot perform join operation without own domain configured.
                               Make sure you have run ipa-adtrust-install on the IPA server first'''))
 
+        try:
+            existing_trust = api.Command['trust_show'](keys[-1])
+            summary = _('Re-established trust to domain "%(value)s"')
+        except errors.NotFound:
+            summary = self.msg_summary
         # 1. Full access to the remote domain. Use admin credentials and
         # generate random trustdom password to do work on both sides
         if 'realm_admin' in options:
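
Review bot: existing_trust is assigned in the new try block but never read in the lines shown; the trust_show call is used only to choose the summary. Either drop the assignment and call api.Command['trust_show'](keys[-1]) for its exception alone, or move the lookup into a small helper that returns the summary string. Only errors.NotFound is handled, so any other error raised by trust_show aborts trust-add before the join is attempted; the commit message should say whether that is intended. A blank line between the except block and the "# 1." comment would keep the new code separate from the existing branch.
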
@@ -360,14 +377,19 @@ class trust_add(LDAPCreate):
                 raise errors.ValidationError(name=_('AD Trust setup'),
                                              error=_('Unable to verify write permissions to the AD'))
 
-            return dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified'])
+            ret = dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified'])
+            ret['summary'] = summary % ret
+            return ret
+
 
         # 2. We don't have access to the remote domain and trustdom password
         # is provided. Do the work on our side and inform what to do on remote
         # side.
         if 'trust_secret' in options:
             result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, options['trust_secret'])
-            return dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified'])
+            ret = dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified'])
+            ret['summary'] = summary % ret
+            return ret
         raise errors.ValidationError(name=_('AD Trust setup'),
                                      error=_('Not enough arguments specified to perform trust setup'))
 
-- 
1.7.12


