authorJan Cholasta <jcholast@redhat.com>2015-11-18 09:00:34 +0100
committerJan Cholasta <jcholast@redhat.com>2015-12-07 08:14:13 +0100
commit42544484dc1fe6797adb72b4177a0de8dc79a032 (patch)
tree13dce6e97adef3324b87721d2307f518e438d1c8
parentc2af4095177d5c884a58917b7ad5b13dc782cc51 (diff)
replica promotion: automatically add the local host to ipaservers
If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r--ipaserver/install/server/replicainstall.py48
1 files changed, 46 insertions, 2 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aed97263f..8a9120a34 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -969,9 +969,35 @@ def promote_check(installer):
cn=u'ipaservers',
host=[unicode(api.env.host)]
)['result']
+ add_to_ipaservers = not result
- if not result:
- raise errors.ACIError(info="Not authorized")
+ if add_to_ipaservers:
+ if installer._ccache is None:
+ del os.environ['KRB5CCNAME']
+ else:
+ os.environ['KRB5CCNAME'] = installer._ccache
+
+ try:
+ installutils.check_creds(options, config.realm_name)
+ installer._ccache = os.environ.get('KRB5CCNAME')
+ finally:
+ os.environ['KRB5CCNAME'] = ccache
+
+ conn.disconnect()
+ conn.connect(ccache=installer._ccache)
+
+ try:
+ result = remote_api.Command['hostgroup_show'](
+ u'ipaservers',
+ all=True,
+ rights=True
+ )['result']
+
+ if 'w' not in result['attributelevelrights']['member']:
+ raise errors.ACIError(info="Not authorized")
+ finally:
+ conn.disconnect()
+ conn.connect(ccache=ccache)
# Check that we don't already have a replication agreement
try:
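Review bot: The rights test `if 'w' not in result['attributelevelrights']['member']` indexes both keys directly, so a reply that carries no effective rights for `member` would end in a KeyError traceback instead of the intended `ACIError`. Reading it as `rights = result.get('attributelevelrights', {}).get('member', '')` and then testing `if 'w' not in rights:` keeps the denial path explicit. This check is also only a preflight, because the membership change itself happens later in `promote()`; a comment such as `# preflight only; the server enforces the ACI when the member is actually added` would make that clear to the next reader. `ccache`, `conn` and `options` come from the part of `promote_check` that lies outside this hunk.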
@@ -1136,6 +1162,8 @@ def promote_check(installer):
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
+ installer._remote_api = remote_api
+ installer._add_to_ipaservers = add_to_ipaservers
installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file
installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info
installer._http_pkcs12_file = http_pkcs12_file
@@ -1157,6 +1185,22 @@ def promote(installer):
pkinit_pkcs12_file = installer._pkinit_pkcs12_file
pkinit_pkcs12_info = installer._pkinit_pkcs12_info
+ if installer._add_to_ipaservers:
+ ccache = os.environ['KRB5CCNAME']
+ remote_api = installer._remote_api
+ conn = remote_api.Backend.ldap2
+ try:
+ conn.connect(ccache=installer._ccache)
+
+ remote_api.Command['hostgroup_add_member'](
+ u'ipaservers',
+ host=[unicode(api.env.host)],
+ )
+ finally:
+ if conn.isconnected():
+ conn.disconnect()
+ os.environ['KRB5CCNAME'] = ccache
+
# Save client file and merge in server directives
target_fname = paths.IPA_DEFAULT_CONF
fstore.backup_file(target_fname)
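Review bot: The return value of `remote_api.Command['hostgroup_add_member'](...)` is discarded. As far as I know, IPA's add-member commands report per-member problems in the result's `failed` and `completed` fields rather than raising, so a rejected add could pass silently and the promotion would continue with the host outside ipaservers. Capturing the result and stopping when `result['failed']` names the host (or `result['completed']` is 0) would surface the problem at the point it occurs. The block runs with the credentials cached in `installer._ccache` during `promote_check`; a one-line comment saying so, and saying where that cache is cleaned up, would help, since neither is visible here. `promote()` starts and ends outside this hunk.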