Bug 1518939 - RFE: Extend IPA to support unadvertised replicas
Summary: RFE: Extend IPA to support unadvertised replicas
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1647919 1719767
TreeView+ depends on / blocked
 
Reported: 2017-11-29 19:59 UTC by Brian J. Atkisson
Modified: 2019-10-14 20:09 UTC (History)
12 users (show)

Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Technology Preview
Doc Text:
.Setting up IdM as a hidden replica is now available as a Technology Preview This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no `SRV` records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas. Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires to shut down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries. To install a new hidden replica, use the `ipa-replica-install --hidden-replica` command. To change the state of an existing replica, use the `ipa server-state` command.
Clone Of:
: 1719767 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:09:05 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3687541 None None None 2018-11-13 11:15:34 UTC
Red Hat Product Errata RHBA-2019:2241 None None None 2019-08-06 13:09:20 UTC

Description Brian J. Atkisson 2017-11-29 19:59:01 UTC
Description of problem:

For background: http://post-office.corp.redhat.com/archives/idm-tech/2017-November/msg00441.html

As part of our deployment, we have a few IPA replicas that we do not
want users hitting directly for IPA client registration and day to day
queries (hosts designed as backup servers, KRA, etc). There appears to be no way to exclude servers from being returned to clients during auto-discovery.

Even with using DNS Locations, all replicas are returned to the client, just at a higher priority value.  There should be some way to mark an IPA server as 'unadvertised' and not included in any SRV records.

This would be useful for replicas dedicated to backups, CRL, KRA or other admin activities.

Thanks!

Comment 3 Florence Blanc-Renaud 2017-12-06 13:34:49 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7307

Comment 6 Florence Blanc-Renaud 2019-03-29 09:11:29 UTC
Fixed upstream:
ipa-4-6:

    cb85342 Add hidden replica feature
    016c47f ipatests: Exercise hidden replica feature
    7691162 Simplify and improve tests
    da9f62d Implement server-state --state=enabled/hidden
    d12cca4 Consider hidden servers as role provider
    ed00466 Improve config-show to show hidden servers
    131c1ab More test fixes
    bcf70c5 Don't allow to hide last server for a role
    d8d6799 Synchronize hidden state from IPA master role
    e40d92f Test replica installation from hidden replica
    d1eb4c7 Add design draft
    a0f00e6 Don't fail if config-show does not return servers
    aa3f60b Unify and simplify LDAP service discovery
    aba0fce Use api.env.container_masters
    ec94a68 Consolidate container_masters queries

ipa-4-7:
    ddf8e16 Add hidden replica feature
    f96f4a1 ipatests: Exercise hidden replica feature
    585bc52 Simplify and improve tests
    f3daa45 Implement server-state --state=enabled/hidden
    0bf26c5 Consider hidden servers as role provider
    de1a075 Improve config-show to show hidden servers
    3e2fb21 More test fixes
    dc2a5ec Don't allow to hide last server for a role
    87f9119 Synchronize hidden state from IPA master role
    467ceaf Test replica installation from hidden replica
    66c961d Add design draft
    c76620e Don't fail if config-show does not return servers


master:
    025facb Add hidden replica feature
    0770d8a ipatests: Exercise hidden replica feature
    99133eb Simplify and improve tests
    94b8635 Implement server-state --state=enabled/hidden
    d810e1f Consider hidden servers as role provider
    56d97f9 Improve config-show to show hidden servers
    f839d3c More test fixes
    e7e0f19 Don't allow to hide last server for a role
    8b1bb21 Synchronize hidden state from IPA master role
    e04dc9a Test replica installation from hidden replica
    d727321 Add design draft
    713c9b0 Don't fail if config-show does not return servers

Comment 7 Florence Blanc-Renaud 2019-03-29 09:49:59 UTC
ipa-4-7:
    b4bade0 Unify and simplify LDAP service discovery
    885cb17 Use api.env.container_masters
    99eb7e0 Consolidate container_masters queries

Comment 9 Nikhil Dehadrai 2019-05-07 11:52:44 UTC
ipa-server version: ipa-server-4.6.5-7.el7.x86_64

Tested the bug with following scenarios:
1.Verify that Hidden replica can be setup as a direct replica installation
2.Verify that Hidden replica can be setup using replica promotion
3.Verify that Replica can be setup from another Replica already configured as Hidden Replica
4.Verify that Error message is displayed when state of all master is changed to 'hidden'.
5.Verify that replica can be demoted to be a hidden replica.
6.Verify that hidden replica can be promoted.
7.Verify that KRA installation works on replica setup as hidden Replica

Comment 16 Nikhil Dehadrai 2019-05-17 09:25:44 UTC
IPA-Version: ipa-server-4.6.5-8.el7.x86_64


All the Tier1 Tests PASSED successfully related to following scenarios:

Tested the bug with following scenarios:
1.Verify that Hidden replica can be setup as a direct replica installation
2.Verify that Hidden replica can be setup using replica promotion
3.Verify that Replica can be setup from another Replica already configured as Hidden Replica
4.Verify that Error message is displayed when state of all master is changed to 'hidden'.
5.Verify that replica can be demoted to be a hidden replica.
6.Verify that hidden replica can be promoted.
7.Verify that KRA installation works on replica setup as hidden Replica
8.Verify that Backup / Restore feature runs successfully against hidden replica


Thus on the basis of above observations and comments#9, Comment#13, Comment#14, Comment#15, marking status of this bug to 'VERIFIED'

Comment 19 errata-xmlrpc 2019-08-06 13:09:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Comment 20 Florence Blanc-Renaud 2019-09-13 12:48:24 UTC
Upstream test added in
master:
https://pagure.io/freeipa/c/6064365aa09c9fcee01cb9be2bbe994adc361263

Comment 21 Florence Blanc-Renaud 2019-09-13 16:16:01 UTC
Upstream test added
ipa-4-7:
https://pagure.io/freeipa/c/90c22dbc46910739b1ed43c5a1e94afdc464fe75

ipa-4-8:
https://pagure.io/freeipa/c/f2fb2208c13a21dfe24f4944691af09159cde8f2

ipa-4-6:
https://pagure.io/freeipa/c/ad3ddbb80d9f1dd3556afdc9cf506f3bae7f6783

The test is in ipatests/test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_automatic_crl


Note You need to log in before you can comment on or make changes to this bug.