Use novajoin's kerberos realm for instances

This is useful in cases where the Kerberos realm is not the same as
the domain. It retrieves the Kerberos realm that novajoin is using and
has the instance enroll using that realm.

Closes-Bug: #1711312
Change-Id: Ic8a32a0ace69b32e1bb66145ac460175c4508a17
Juan Antonio Osorio Robles 2017-09-06 08:59:45 +03:00
parent 038e17027d
commit 61346df6c8
3 changed files with 20 additions and 3 deletions


@ -1 +1 @@
{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n # Get the instance hostname out of the metadata\n #data=`curl http://169.254.169.254/openstack/latest/meta_data.json 2>/dev/null`\n sleep $[ ( $RANDOM % 10 ) + 1 ]s\n data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata\"\n exit 1\n fi\n \n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"hostname\", \"\")'`\n \n if [ -z \"$fqdn\" ]; then\n echo \"Unable to determine hostname\"\n exit 1\n fi\n \n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"ipaotp\", \"\")'`\n\n hostname=`/bin/hostname -f`\n\n # run ipa-client-install\n OPTS=\"-U -w $otp\"\n if [ $hostname != $fqdn ]; then\n OPTS=\"$OPTS --hostname $fqdn\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"}
{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n # Get the instance hostname out of the metadata\n #data=`curl http://169.254.169.254/openstack/latest/meta_data.json 2>/dev/null`\n sleep $[ ( $RANDOM % 10 ) + 1 ]s\n data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata\"\n exit 1\n fi\n \n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"hostname\", \"\")'`\n \n if [ -z \"$fqdn\" ]; then\n echo \"Unable to determine hostname\"\n exit 1\n fi\n \n realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"krb_realm\", \"\")'`\n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get(\"join\", {}).get(\"ipaotp\", \"\")'`\n\n hostname=`/bin/hostname -f`\n\n # run ipa-client-install\n OPTS=\"-U -w $otp\"\n if [ $hostname != $fqdn ]; then\n OPTS=\"$OPTS --hostname $fqdn\"\n fi\n if [ -n \"$realm\" ]; then\n OPTS=\"$OPTS --realm=$realm\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"}
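Review bot: The new `--realm=$realm` is appended to `OPTS`, which is expanded unquoted on the `ipa-client-install $OPTS` line, so a realm value containing whitespace or glob characters in the vendor-data would be word-split or globbed before it reaches ipa-client-install; the realm appears to come from novajoin's own configuration rather than from the tenant, but the same weakness already applies to `$otp` and `$fqdn` on that line. Building the argument list positionally keeps each value intact as one argument: `set -- -U -w "$otp"` at the top, `set -- "$@" "--realm=$realm"` inside the `-n` test, and `ipa-client-install "$@"` at the end. The new `realm=` extraction also runs a third `python -c` parse of `$data` with a Python 2 `print` statement, copying the existing hostname and otp extractions; one parse that emits all three values would avoid repeating that pattern each time a field is added.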


@ -202,6 +202,8 @@ class JoinController(Controller):
data['ipaotp'] = ipaotp
data['hostname'] = get_fqdn(hostname_short, project_name)
_, realm = self.ipaclient.get_host_and_realm()
data['krb_realm'] = realm
try:
res = self.ipaclient.add_host(data['hostname'], ipaotp,
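Review bot: `self.ipaclient.get_host_and_realm()` on the new line runs outside the `try` that begins immediately below it, so if that lookup fails (it appears to read novajoin's own config, judging by the SafeConfigParser mocks added in the tests) the exception escapes the join handler unhandled, unlike the `add_host` failure that the existing block catches; the enclosing method starts and ends outside the hunk, so whether an outer handler covers it is not visible here. If the realm is a deployment-wide setting rather than per-request, it could be resolved once when the controller is constructed and reused, which would also remove the discarded first element of the tuple. A short why-comment on the assignment would help the next reader: `# Realm comes from novajoin's own config so the client enrolls into the right Kerberos realm even when it differs from the DNS domain`.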


@ -163,15 +163,21 @@ class JoinTest(test.TestCase):
else:
assert(False)
@mock.patch('novajoin.ipa.SafeConfigParser')
@mock.patch('novajoin.join.get_instance')
@mock.patch('novajoin.join.get_default_image_service')
@mock.patch('novajoin.util.get_domain')
def test_valid_request(self, mock_get_domain, mock_get_image,
mock_get_instance):
mock_get_instance, mock_conf_parser):
mock_get_image.return_value = FakeImageService()
mock_get_instance.return_value = fake.fake_instance
mock_get_domain.return_value = "test"
mock_conf_parser_instance = mock.MagicMock()
mock_conf_parser_instance.get = mock.Mock(
side_effect=["novajoin", "REALM"])
mock_conf_parser.return_value = mock_conf_parser_instance
body = {"metadata": {"ipa_enroll": "True"},
"instance-id": fake.INSTANCE_ID,
"project-id": fake.PROJECT_ID,
@ -190,23 +196,31 @@ class JoinTest(test.TestCase):
MatchesRegex('^[a-z0-9]{32}'))
self.assertEqual(len(res_dict.get('ipaotp', 0)), 32)
self.assertEqual(res_dict.get('hostname'), 'test.test')
self.assertEqual(res_dict.get('krb_realm'), 'REALM')
# Note that on failures this will generate to stdout a Krb5Error
# because in all likelihood the keytab cannot be read (and
# probably doesn't exist. This can be ignored.
@mock.patch('novajoin.ipa.SafeConfigParser')
@mock.patch('novajoin.keystone_client.get_project_name')
@mock.patch('novajoin.join.get_instance')
@mock.patch('novajoin.join.get_default_image_service')
@mock.patch('novajoin.util.get_domain')
def test_valid_hostclass_request(self, mock_get_domain, mock_get_image,
mock_get_instance,
mock_get_project_name):
mock_get_project_name,
mock_conf_parser):
mock_get_image.return_value = FakeImageService()
mock_get_instance.return_value = fake.fake_instance
mock_get_domain.return_value = "test"
mock_get_project_name.return_value = "test"
mock_conf_parser_instance = mock.MagicMock()
mock_conf_parser_instance.get = mock.Mock(
side_effect=["novajoin", "REALM"])
mock_conf_parser.return_value = mock_conf_parser_instance
body = {"metadata": {"ipa_enroll": "True"},
"instance-id": fake.INSTANCE_ID,
"project-id": fake.PROJECT_ID,
@ -225,6 +239,7 @@ class JoinTest(test.TestCase):
MatchesRegex('^[a-z0-9]{32}'))
self.assertEqual(len(res_dict.get('ipaotp', 0)), 32)
self.assertEqual(res_dict.get('hostname'), 'test.test')
self.assertEqual(res_dict.get('krb_realm'), 'REALM')
# Note that on failures this will generate to stdout a Krb5Error
# because in all likelihood the keytab cannot be read (and