[Freeipa-devel] [PATCH 0329] ipa-replica-manage: Do not allow topology altering commands

[Petr Vobornik]

On 06/15/2015 02:59 PM, Martin Babinsky wrote:
> On 06/10/2015 07:23 PM, Petr Vobornik wrote:
>> On 06/10/2015 04:39 PM, Petr Vobornik wrote:
>>> On 06/10/2015 04:06 PM, Petr Vobornik wrote:
>>>> On 06/02/2015 02:24 PM, Ludwig Krispenz wrote:
>>>>> hi,
>>>>>
>>>>> is there a real replacement for "del", it is not in the scope of the
>>>>> topology commands, the removal of teh agreement is rejected and later
>>>>> done by the plugin, but what about removal of the host, services,
>>>>> cleanruv ?
>>>>>
>>>>> Ludwig
>>>>> On 06/02/2015 02:10 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> With Domain Level 1 and above, the usage of ipa-replica-manage
>>>>>> commands
>>>>>> that alter the replica topology is deprecated. Following commands
>>>>>> are prohibited:
>>>>>>
>>>>>> * connect
>>>>>> * disconnect
>>>>>> * del
>>>>>>
>>>>>> Upon executing any of these commands, users are pointed out to the
>>>>>> ipa topologysegment-* replacements.
>>>>>>
>>>>>> Part of: https://fedorahosted.org/freeipa/ticket/4302
>>>>>>
>>>>
>>>>
>>>> Tomas is on vacation. I've removed 'del' from his patch and will create
>>>> a new one for handling of 'del'.
>>>>
>>>> If that's OK, we can push this one.
>>>>
>>>>
>>>
>>> NACK
>>>
>>> 'connect' and 'disconnect' serve also for setting up/removing of winsync
>>> replication agreements. This patch forbids it.
>>
>> attaching patch which addresses this issue and replaces Tomas'
>> patch(which was used as a basis). Patch for 'del' will follow.
>>
>>>
>>> I've not tested if topology plugin ignores winsync agreements. Does it?
>>
>>
>>
> ACK for the patch.
>
> I think that winsync agreements should be ignored because they live in
> 'cn=replicas,cn=ipa,cn=etc,$SUFFIX', not among cn=masters (but I may be
> wrong).
>
> I have just now setup winsync agreement and it doesn't show up in
> cn=topology at all.
>

Pushed to master: 45dccedd12e6d26e146ad9c30c2c304e6b2eded1

-- 
Petr Vobornik