d7b02057af
- Use new method in check to prevent removal of last KRA (#1985072) - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952) - Fix index definition for memberOf (#1952028) Resolves: #1985072, #1982952, #1952028
From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 17:51:44 -0400
Subject: [PATCH] Use new method in check to prevent removal of last KRA
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaserver/plugins/server.py | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda8469..5fa7a58bd 100644
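--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
 
 if self.api.Command.ca_is_enabled()['result']:
 try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
 
 ca_servers = ipa_config.get('ca_server_server', [])
 ca_renewal_master = ipa_config.get(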
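Review bot: The added `server_role_find` call passes `server_server=hostname`, so if that argument restricts results to the named server (its definition is not visible here), `roles` can only describe the host being deleted. `len(roles) == 1` would then mean "this host is an enabled KRA" rather than "this host is the only enabled KRA", and the guard would fire for every KRA removal, not just the last one. I would drop the `server_server=hostname,` argument so the query returns all enabled KRA servers; the existing `roles[0]['server_server'] == hostname` comparison then does the real work. A last-of-role guard that triggers routinely teaches operators to pass `ignore_last_of_role` by habit, which weakens the protection against losing the only KRA. The enclosing method starts and ends outside this hunk and the page has lost indentation, so how this block nests under the `ca_is_enabled()` branch should be confirmed against the file.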
--
2.26.3