-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add IPA IPA Trust Topology Controller #119
base: master
Are you sure you want to change the base?
Add IPA IPA Trust Topology Controller #119
Conversation
@justin-stephenson, It looks great, but I do think we should rename the topologies to just IPATrust, ADTrust and then SambaTrust. |
That makes sense for the individual KnownTopology objects. What about Topology groups? My thinking was to have the following:
This handles the case of any trust tests which may only run against IPA - AD trusts (AD and SambaAD specific), but in general we should try to write tests which are green for all trust types (using this What do you think? |
How about about,
TrustAD could be generic, but it'd be confusing with ADTrust and just being the inverse. |
50d1412
to
24b3db4
Compare
Okay do we agree on the following? If yes i'll make this change to the PR. KnownTopology:
KnownTopologyGroup:
|
24b3db4
to
f57543c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, it looks good, in general. See comments inside.
About COPR packages, we can leave it as is for now to simplify local testing. But it certainly should not be merged. If we would like to merge it, then proper downgrade of the packages must be done, otherwise we'd run tests against wip ipa.
sssd_test_framework/topology.py
Outdated
@@ -118,6 +119,17 @@ def test_ldap(client: Client, ldap: LDAP): | |||
.. topology-mark:: KnownTopology.IPATrustSamba | |||
""" | |||
|
|||
IPATrustIPA = SSSDTopologyMark( | |||
name="ipa-trust-ipa", | |||
topology=Topology(TopologyDomain("sssd", client=1, ipa=2)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Second IPA should go into different domain.
If you put two ore more identical roles inside single domain, it should mean that the hosts are identical (i.e. ipa replica).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated, along with sssd tests mhc.yaml.
client.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
|
||
ipa.conn.exec(["dnf", "update", "freeipa-server", "sssd-client", "-y"]) | ||
client.conn.exec(["dnf", "update", "sssd-client", "-y"]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both PR CI and IDM CI installs SSSD under test, this is not necessary and will probably break in non-local run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
# Add ipa-ipa trust COPR and update packages | ||
self.logger.info("Adding COPR and updating packages") | ||
ipa.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
client.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
|
||
ipa.conn.exec(["dnf", "update", "freeipa-server", "sssd-client", "-y"]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't be here, if needed as a temporary solution it should be moved before pytest is run. I.e. the CI workflow, or install it manually on local run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My intent was to simplify the steps for QE.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
# F40 sssd-kcm fails to start with 'Invalid option --genconf-section=kcm:' | ||
ipa.conn.exec(["systemctl", "restart", "sssd-kcm"]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this fixed/investigated already?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only relevant with install from COPR.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
Please, also add feature detection. |
Thank you for the review. I should have been more clear about the current state. We are still in mid-development phase of IPA IPA trust feature. I created these PRs to involve QE early on in the development. We have some working functionality in sssd/ipa packages from COPR therefore they can start writing some basic tests. Dan + Jakub wanted to see these PRs to start building out the parts needed for IPA IPA Trust downstream testing. I set the |
f57543c
to
be33278
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the trust do both ipa servers need to be changed or only the one trusting?
If so:
- Would it be possible to switch the code around so ipa2 is trusting ipa1?
- That way we can keep ipa1 on the production version for other tests.
As for copr/packages, the code should be in ansible playbook in sssd-ci-containers
and enabled by a switch that is by default off. We do not want anything messing around with tested artifacts.
Currently it is possible to upgrade just the 1 IPA server but with upcoming changes on FreeIPA side in the near future it will be required to upgrade both IPA masters (
Okay I can move this code to SSSD/sssd-ci-containers#106 but I'm not sure how to handle downgrading SSSD packages from COPR after IPA IPA trust tests are run (initially I thought this would be handled by IPA topology controller teardown). |
be33278
to
132cd8b
Compare
Thank you for explaining your plan. There's no need to handle this if we don't intent to merge it in this state. I think we can do two things here:
|
@jakub-vavra-cz are you okay with either of these options? |
@justin-stephenson: We could use some detection for the ipa2ipa trust capability both on client and on the ipa server. That way we can prepare and merge tests before it is available and run them only where it makes a sense. |
132cd8b
to
f12cece
Compare
Rebased, needed some minor changes due to pytest-mh changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me and tested,
collecting ...
Selected tests will use the following hosts:
client: client.test
ad: dc.ad.test
samba: dc.samba.test
ipa: master.ipa.test
ipa: master2.ipa2.test
collected 586 items / 580 deselected / 6 selected
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-samba)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-samba) PASSED [ 16%]PASSED [ 33%]PASSED [ 50%]PASSED [ 66%]PASSED [ 83%]PASSED [100%]
================ 6 passed, 580 deselected in 574.83s (0:09:34) =================
Add "IPATrustIPA" KnownTopology For topology groups some changes are: - Remove "IPATrust" - Add "IPATrustAD" -- includes IPATrustAD and IPATrustSamba - Add "AnyIPATrust" -- includes IPATrustAD, IPATrustSamba, IPATrustIPA
f12cece
to
e66489c
Compare
Add "IPATrustIPA" KnownTopology
For topology groups some changes are:
Linked PRs:
SSSD/sssd-ci-containers#106
SSSD/sssd#7517