Bug 1719767

Summary: Extend IPA to support unadvertised replicas
Product: Red Hat Enterprise Linux 8 Reporter: Fran├žois Cami <fcami>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 8.0CC: abokovoy, batkisso, fcami, fhanzelk, frenaud, ipa-maint, ipa-qe, ksiddiqu, mkosek, mmuehlfe, ndehadra, pasik, pcech, pvoborni, rcritten, saime, tmihinto, tscherf, twoerner
Target Milestone: rcKeywords: TechPreview
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.8.0-1 Doc Type: Enhancement
Doc Text:
.Setting up IdM as a hidden replica is now fully supported Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden replicas. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no `SRV` records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas. Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires to shut down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries. To install a new hidden replica, use the `ipa-replica-install --hidden-replica` command. To change the state of an existing replica, use the `ipa server-state` command. For further details, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-replica_installing-identity-management#installing-an-idm-hidden-replica_install-replica[Installing an IdM hidden replica].
Story Points: ---
Clone Of: 1518939 Environment:
Last Closed: 2019-11-05 20:53:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1518939    
Bug Blocks: 1647919, 1720120    

Comment 1 Fran├žois Cami 2019-06-12 14:06:42 UTC
Fixed upstream:
ipa-4-6:

    cb85342 Add hidden replica feature
    016c47f ipatests: Exercise hidden replica feature
    7691162 Simplify and improve tests
    da9f62d Implement server-state --state=enabled/hidden
    d12cca4 Consider hidden servers as role provider
    ed00466 Improve config-show to show hidden servers
    131c1ab More test fixes
    bcf70c5 Don't allow to hide last server for a role
    d8d6799 Synchronize hidden state from IPA master role
    e40d92f Test replica installation from hidden replica
    d1eb4c7 Add design draft
    a0f00e6 Don't fail if config-show does not return servers
    aa3f60b Unify and simplify LDAP service discovery
    aba0fce Use api.env.container_masters
    ec94a68 Consolidate container_masters queries

ipa-4-7:
    ddf8e16 Add hidden replica feature
    f96f4a1 ipatests: Exercise hidden replica feature
    585bc52 Simplify and improve tests
    f3daa45 Implement server-state --state=enabled/hidden
    0bf26c5 Consider hidden servers as role provider
    de1a075 Improve config-show to show hidden servers
    3e2fb21 More test fixes
    dc2a5ec Don't allow to hide last server for a role
    87f9119 Synchronize hidden state from IPA master role
    467ceaf Test replica installation from hidden replica
    66c961d Add design draft
    c76620e Don't fail if config-show does not return servers


master:
    025facb Add hidden replica feature
    0770d8a ipatests: Exercise hidden replica feature
    99133eb Simplify and improve tests
    94b8635 Implement server-state --state=enabled/hidden
    d810e1f Consider hidden servers as role provider
    56d97f9 Improve config-show to show hidden servers
    f839d3c More test fixes
    e7e0f19 Don't allow to hide last server for a role
    8b1bb21 Synchronize hidden state from IPA master role
    e04dc9a Test replica installation from hidden replica
    d727321 Add design draft
    713c9b0 Don't fail if config-show does not return servers

Comment 4 Alexander Bokovoy 2019-07-25 11:40:55 UTC
Removing RFE. The introduction of this feature happened in RHEL 7.7.

Comment 8 Nikhil Dehadrai 2019-09-09 07:42:46 UTC
ipa-server-version:ipa-4.8.0-10.module+el8.1.0+4107+4a66eb87

Tested the bug with following scenarios:

1.Verify that Hidden replica can be setup as a direct replica installation: PASS
2.Verify that Hidden replica can be setup using replica promotion: PASS
3.Verify that Replica can be setup from another Replica already configured as Hidden Replica: PASS
4.Verify that Error message is displayed when state of all master is changed to 'hidden'.: PASS
5.Verify that replica can be demoted to be a hidden replica.: PASS
6.Verify that hidden replica can be promoted.: PASS
7.Verify that KRA installation works on replica setup as hidden Replica: PASS

8. Verified that replica state can be changed to hidden after upgrade
[root@kvm-04-guest01 ~]# kdestroy -A
[root@kvm-04-guest01 ~]# kinit admin
Password for admin@TESTRELM.TEST: 
[root@kvm-04-guest01 ~]# klist
Ticket cache: KCM:0
Default principal: admin@TESTRELM.TEST

Valid starting Expires Service principal
09/04/2019 10:52:37 09/05/2019 10:52:34 krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=enabled
ipa: ERROR: no modifications to be performed
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=disabled
ipa: ERROR: invalid 'state': must be one of 'enabled', 'hidden'
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=hidden
-------------------------------------------------------
Changed server state of "kvm-04-guest01.testrelm.test".
-------------------------------------------------------
[root@kvm-04-guest01 ~]#

9. Verify that Automatic CRL configuration works for hidden REPLICA: PASS
[root@vm-idm-025 ~]# ipa config-show | grep "CA renewal master"
IPA CA renewal master: vm-idm-010.testrelm.test

[root@vm-idm-025 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful

[root@vm-idm-025 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-09-05 09:56:33
Last CRL Number: 7
The ipa-crlgen-manage command was successful

[root@vm-idm-025 ~]# ipa config-show | grep Hidden
Hidden IPA masters: vm-idm-025.testrelm.test
Hidden IPA CA servers: vm-idm-025.testrelm.test
Hidden IPA DNS servers: vm-idm-025.testrelm.test

[root@vm-idm-025 ~]# ipa config-show | grep "CA renewal master"
IPA CA renewal master: vm-idm-010.testrelm.test
10. Verified that hidden replica can be installed against upgraded server : PASS
11. Verified that UI is accessible for hidden Replica when state is changed from hidden to enable and vice-versa: PASS

Thus on the basis of above observations, marking status of bug to 'VERIFIED'

Comment 12 errata-xmlrpc 2019-11-05 20:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

Comment 13 Marc Muehlfeld 2019-11-06 08:42:34 UTC
I moved the RN to the Tech Preview section. Unfortunately, our publishing system is currently down. We will republish the RHEL 8.1 RNs as soon as possible.