Use novajoin's kerberos realm for instances
This is useful in cases where the Kerberos realm isn't the same as the domain. It retrieves the Kerberos realm that novajoin is using and has the instance register using that realm. Closes-Bug: #1711312 Change-Id: Ic8a32a0ace69b32e1bb66145ac460175c4508a17
This commit is contained in:
parent
038e17027d
commit
61346df6c8
|
@ -1 +1 @@
|
|||
{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n # Get the instance hostname out of the metadata\n #data=`curl http://169.254.169.254/openstack/latest/meta_data.json 2>/dev/null`\n sleep $[ ( $RANDOM % 10 ) + 1 ]s\n data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata\"\n exit 1\n fi\n \n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"hostname\", \"\")'`\n \n if [ -z \"$fqdn\" ]; then\n echo \"Unable to determine hostname\"\n exit 1\n fi\n \n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"ipaotp\", \"\")'`\n\n hostname=`/bin/hostname -f`\n\n # run ipa-client-install\n OPTS=\"-U -w $otp\"\n if [ $hostname != $fqdn ]; then\n OPTS=\"$OPTS --hostname $fqdn\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"}
|
||||
{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n # Get the instance hostname out of the metadata\n #data=`curl http://169.254.169.254/openstack/latest/meta_data.json 2>/dev/null`\n sleep $[ ( $RANDOM % 10 ) + 1 ]s\n data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata\"\n exit 1\n fi\n \n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"hostname\", \"\")'`\n \n if [ -z \"$fqdn\" ]; then\n echo \"Unable to determine hostname\"\n exit 1\n fi\n \n realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"krb_realm\", \"\")'`\n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"ipaotp\", \"\")'`\n\n hostname=`/bin/hostname -f`\n\n # run ipa-client-install\n OPTS=\"-U -w $otp\"\n if [ $hostname != $fqdn ]; then\n OPTS=\"$OPTS --hostname $fqdn\"\n fi\n if [ -n \"$realm\" ]; then\n OPTS=\"$OPTS --realm=$realm\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"}
|
||||
|
|
|
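Review bot: The realm read from vendor_data2 is appended to the command line unquoted and unvalidated at `OPTS="$OPTS --realm=$realm"`, so a value containing whitespace or shell-significant characters would be word-split into extra arguments by the unquoted `ipa-client-install $OPTS` expansion. Since a realm name in this deployment is presumably domain-style, the script could reject anything outside that character set before use, e.g. `case "$realm" in *[!A-Za-z0-9.-]*) echo "Invalid realm"; exit 1;; esac` placed right after the `realm=` assignment. The same unquoted-expansion pattern already applies to `$otp` and `$fqdn` in the pre-existing lines and is not changed by this commit; if the new guard is adopted it would be consistent to apply it to `$fqdn` as well.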
@ -202,6 +202,8 @@ class JoinController(Controller):
|
|||
|
||||
data['ipaotp'] = ipaotp
|
||||
data['hostname'] = get_fqdn(hostname_short, project_name)
|
||||
_, realm = self.ipaclient.get_host_and_realm()
|
||||
data['krb_realm'] = realm
|
||||
|
||||
try:
|
||||
res = self.ipaclient.add_host(data['hostname'], ipaotp,
|
||||
|
|
|
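Review bot: The realm lookup at `_, realm = self.ipaclient.get_host_and_realm()` is placed before the `try:` that wraps `add_host`, so any failure inside it (the tests patch `novajoin.ipa.SafeConfigParser`, which suggests it reads the IPA client configuration) would escape whatever error handling that `try` block provides. Since the realm does not vary per request, consider resolving it once when the controller or IPA client is constructed and reusing the cached value here, or at least moving the call inside the `try`. The enclosing method of `JoinController` starts and ends outside this hunk, so it is not visible whether an exception here is caught further up.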
@ -163,15 +163,21 @@ class JoinTest(test.TestCase):
|
|||
else:
|
||||
assert(False)
|
||||
|
||||
@mock.patch('novajoin.ipa.SafeConfigParser')
|
||||
@mock.patch('novajoin.join.get_instance')
|
||||
@mock.patch('novajoin.join.get_default_image_service')
|
||||
@mock.patch('novajoin.util.get_domain')
|
||||
def test_valid_request(self, mock_get_domain, mock_get_image,
|
||||
mock_get_instance):
|
||||
mock_get_instance, mock_conf_parser):
|
||||
mock_get_image.return_value = FakeImageService()
|
||||
mock_get_instance.return_value = fake.fake_instance
|
||||
mock_get_domain.return_value = "test"
|
||||
|
||||
mock_conf_parser_instance = mock.MagicMock()
|
||||
mock_conf_parser_instance.get = mock.Mock(
|
||||
side_effect=["novajoin", "REALM"])
|
||||
mock_conf_parser.return_value = mock_conf_parser_instance
|
||||
|
||||
body = {"metadata": {"ipa_enroll": "True"},
|
||||
"instance-id": fake.INSTANCE_ID,
|
||||
"project-id": fake.PROJECT_ID,
|
||||
|
@ -190,23 +196,31 @@ class JoinTest(test.TestCase):
|
|||
MatchesRegex('^[a-z0-9]{32}'))
|
||||
self.assertEqual(len(res_dict.get('ipaotp', 0)), 32)
|
||||
self.assertEqual(res_dict.get('hostname'), 'test.test')
|
||||
self.assertEqual(res_dict.get('krb_realm'), 'REALM')
|
||||
|
||||
# Note that on failures this will generate to stdout a Krb5Error
|
||||
# because in all likelihood the keytab cannot be read (and
|
||||
# probably doesn't exist. This can be ignored.
|
||||
|
||||
@mock.patch('novajoin.ipa.SafeConfigParser')
|
||||
@mock.patch('novajoin.keystone_client.get_project_name')
|
||||
@mock.patch('novajoin.join.get_instance')
|
||||
@mock.patch('novajoin.join.get_default_image_service')
|
||||
@mock.patch('novajoin.util.get_domain')
|
||||
def test_valid_hostclass_request(self, mock_get_domain, mock_get_image,
|
||||
mock_get_instance,
|
||||
mock_get_project_name):
|
||||
mock_get_project_name,
|
||||
mock_conf_parser):
|
||||
mock_get_image.return_value = FakeImageService()
|
||||
mock_get_instance.return_value = fake.fake_instance
|
||||
mock_get_domain.return_value = "test"
|
||||
mock_get_project_name.return_value = "test"
|
||||
|
||||
mock_conf_parser_instance = mock.MagicMock()
|
||||
mock_conf_parser_instance.get = mock.Mock(
|
||||
side_effect=["novajoin", "REALM"])
|
||||
mock_conf_parser.return_value = mock_conf_parser_instance
|
||||
|
||||
body = {"metadata": {"ipa_enroll": "True"},
|
||||
"instance-id": fake.INSTANCE_ID,
|
||||
"project-id": fake.PROJECT_ID,
|
||||
|
@ -225,6 +239,7 @@ class JoinTest(test.TestCase):
|
|||
MatchesRegex('^[a-z0-9]{32}'))
|
||||
self.assertEqual(len(res_dict.get('ipaotp', 0)), 32)
|
||||
self.assertEqual(res_dict.get('hostname'), 'test.test')
|
||||
self.assertEqual(res_dict.get('krb_realm'), 'REALM')
|
||||
|
||||
# Note that on failures this will generate to stdout a Krb5Error
|
||||
# because in all likelihood the keytab cannot be read (and
|
||||
|
|
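Review bot: The config-parser mock in both tests is set up with `side_effect=["novajoin", "REALM"]`, which couples the tests to the number and order of `get` calls inside `get_host_and_realm` rather than to which option is requested; a reordering or an extra lookup in the production code would make the test return the wrong value silently rather than fail with a clear message. A `side_effect` callable keyed on the option name, or patching `get_host_and_realm` on the IPA client object the controller uses, would pin the intent instead. The identical five-line `mock_conf_parser` setup in `test_valid_request` and `test_valid_hostclass_request` could also be moved into a small helper in `JoinTest` to avoid the duplication. The same point applies to the later hunk at `@ -190,23 +196,31 @@`.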