V4/Replica Promotion/Test Plan

Name: V4/Replica Promotion/Test Plan
Target version: 4.3
Design: V4/Replica_Promotion
Reviewer: missing
Last updated: 2016-08-18 by Ofayans

Overview

New replica creation workflow: enroll a client, then promote it to a replica. Replica gpg files are no longer created on the master and distributed to potential replicas.

Test Plan

Test case: Make sure the feature is unavailable under domain level 0

Autotest

Setup

  1. install ipa master with domainlevel 0:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip> --domain-level 0
  2. on a client machine set the ipa master as the first dns server in resolv.conf

Actions

  1. Enroll a client machine
    ipa-client-install
  2. On the client, run ipa-replica-install without specifying a gpg file

Expected results

  1. The operation succeeds
  2. The operation fails and an error message informs you that you need a pre-generated replica file

Test case: Make sure the old workflow is disabled at domain level 1

Autotest

Setup

  1. install ipa master with domainlevel 1:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip>
  2. on a client machine set the ipa master as the first dns server in resolv.conf

Actions

  1. issue an ipa-replica-prepare command on master

Expected results

  1. The operation fails and the error message contains
    The current IPA domain level is 1 and thus the replica must be created by promoting an existing IPA client.

Test case: Unprivileged users are not allowed to enroll and promote clients

Autotest

Setup

  1. install ipa master with domainlevel 1:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip> --domain-level 1
  2. create a non-privileged user
    ipa user-add testuser --first Vasya --last Pupkin --password
  3. on a client machine set the ipa master as the first dns server in resolv.conf

Actions

  1. Enroll a client machine using non-privileged account
    ipa-client-install -p testuser -w <testuserpass>
  2. Enroll a client machine using admin account
    ipa-client-install -p admin -w <adminpass>
  3. Promote the client to replica using unprivileged account
    ipa-replica-install -P testuser
  4. Add the unprivileged user to admins group
    ipa group-add-member --user=testuser admins
  5. Repeat step 3

Expected results

  1. The operation fails and the following error message is displayed
    Joining realm failed: No permission to join this host to the IPA domain
  2. The operation succeeds
  3. The operation fails and the error message should inform that this user is not authorized to promote the client
  4. The operation succeeds
  5. The operation succeeds

Test case: Replica created using old workflow is functional after domain upgrade

Autotest

Setup

  1. install ipa master with domainlevel 0:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip> --domain-level 0
  2. prepare a replica using ipa-replica-prepare and install it
  3. add a user named testuser to master, wait till the change gets pushed to replica

Actions

  1. raise domain level on master
    ipa domainlevel-set 1
  2. issue the following command on the master
    ipa topologysegment-find realm
  3. issue the same command on replica
  4. run the command on replica
    ipa user-show testuser
  5. create another user on replica, make sure it replicates to master

Expected results

  1. The operation succeeds
  2. It should show one segment, master<->replica
  3. the same segment is shown
  4. the command succeeds
  5. The step should succeed

Test case: ipa-kra-install with replica file works only on domain level 0

Autotest

Setup

  1. You need 1 master and 2 replicas
  2. install ipa master with domainlevel 0:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip> --setup-ca --domain-level 0
  3. setup kra on master
  4. prepare a replica file using ipa-replica-prepare and install it on replica1
  5. prepare a replica file using ipa-replica-prepare and install it on replica2

Actions

  1. run
    ipa-kra-install -U -p %dirman_password%
    on replica1 machine
  2. run ipa-kra-install on replica1 with the replica file generated at step 4 of setup section:
    ipa-kra-install -U -p %dirman_password% %replica_file%
  3. raise domain level to 1 on master:
    ipa domainlevel-set 1
  4. run ipa-kra-install on replica2 with the replica file generated at step 5 of setup section:
    ipa-kra-install -U -p %dirman_password% %replica_file%
  5. Run
    ipa-kra-install -U -p %dirman_password%
    on replica2

Expected results

  1. The step should fail
  2. The step should succeed
  3. The step should succeed
  4. The step should fail and the error message should contain "No replica file is required"
  5. The step should succeed

Test case: ipa-ca-install with replica file works only on domain level 0

Autotest

Setup

  1. You need 1 master and 2 replicas
  2. install ipa master with domainlevel 0:
    ipa-server-install --setup-dns --forwarder=<forwarder_ip> --domain-level 0 --setup-ca
  3. setup ca on master
  4. prepare a replica file using ipa-replica-prepare and install it on replica1 without setting up ca
    ipa-replica-install --setup-dns --forwarder=%forwarder_ip% %replica_file%
  5. prepare a replica file using ipa-replica-prepare and install it on replica2 without setting up ca

Actions

  1. run
    ipa-ca-install -U -p %dirman_password%
    on replica1 machine
  2. run ipa-ca-install on replica1 with the replica file generated at step 4 of setup section:
    ipa-ca-install -U -p %dirman_password% %replica_file%
  3. raise domain level to 1 on master:
    ipa domainlevel-set 1
  4. run ipa-ca-install on replica2 with the replica file generated at step 4 of setup section:
    ipa-ca-install -U -p %dirman_password% %replica_file%
  5. run ipa-ca-install on replica2 without the replica file:
    ipa-ca-install -U -p %dirman_password%

Expected results

  1. The step should fail
  2. The step should succeed
  3. The step should succeed
  4. The step should fail and the error message should contain "No replica file is required"
  5. The step should succeed

Test case: ipa-replica-manage connect is deprecated in domain level 1

Autotest

Setup

  1. Setup a master and 2 replicas with domain level 0

Actions

  1. issue
    ipa-replica-manage connect %replica1_hostname% %replica2_hostname%
  2. issue
    ipa-replica-manage disconnect %replica1_hostname% %replica2_hostname%
  3. raise domain level to 1
  4. repeat step 1
  5. create a topology segment between the two replicas using
    ipa topologysegment-add realm --leftnode=%replica1_hostname% --rightnode=%replica2_hostname% --name=newsegment
  6. repeat step 2

Expected results

  1. The step succeeds
  2. The step succeeds
  3. The step succeeds
  4. The step fails and the error message is
    Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.
  5. The step succeeds
  6. The step fails and the error message is
    Removal of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.

Test case: ipa-csreplica-manage connect is deprecated in domain level 1

Autotest

Setup

  1. Setup a master and 2 replicas with domain level 0

Actions

  1. issue
    ipa-csreplica-manage connect %replica1_hostname% %replica2_hostname%
  2. issue
    ipa-csreplica-manage disconnect %replica1_hostname% %replica2_hostname%
  3. raise domain level to 1
  4. repeat step 1
  5. create a topology segment between the two replicas using
    ipa topologysegment-add ipaca --leftnode=%replica1_hostname% --rightnode=%replica2_hostname% --name=newsegment
  6. repeat step 2

Expected results

  1. The step succeeds
  2. The step succeeds
  3. The step succeeds
  4. The step fails and the error message is
    Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.
  5. The step succeeds
  6. The step fails and the error message is
    Removal of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology.
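
The two deprecation test cases above (ipa-replica-manage and ipa-csreplica-manage) as one scripted run that checks both the exit status and the error text of every step. This is an added example, not part of the original test plan or of FreeIPA's own test suite; the helper names expect_step and manage_case are hypothetical, and it assumes the commands run on the master with a valid admin Kerberos ticket and without prompting.

```shell
#!/bin/sh
# Added example, not FreeIPA's own test code.
# expect_step <ok|fail> <message-or-empty> <command> [args...]
# Returns 0 only if the exit status AND the message match the plan.
expect_step() {
    want=$1; msg=$2; shift 2
    # Error text may arrive on either stream, so capture both.
    out=$("$@" 2>&1) && rc=0 || rc=$?
    case $want in
        ok)   [ "$rc" -eq 0 ] || { echo "FAIL rc=$rc: $*" >&2; return 1; } ;;
        fail) [ "$rc" -ne 0 ] || { echo "FAIL unexpected success: $*" >&2; return 1; } ;;
        *)    echo "usage: expect_step ok|fail MSG CMD..." >&2; return 2 ;;
    esac
    # A step that fails for an unrelated reason (no ticket, DNS) must not
    # count as a pass, so the expected message has to be present as well.
    case $out in
        *"$msg"*) return 0 ;;
        *) echo "FAIL message not found: $*" >&2; return 1 ;;
    esac
}

# Common part of both error messages quoted in the expected results.
DEPRECATED="IPA replication agreement is deprecated with managed IPA replication topology"

# manage_case <tool> <suffix> <replica1> <replica2>
# Runs steps 1-6 of either test case; returns the number of the first
# step whose result differs from the plan, or 0 when all six match.
manage_case() {
    tool=$1; suffix=$2; r1=$3; r2=$4
    expect_step ok "" "$tool" connect "$r1" "$r2" || return 1
    expect_step ok "" "$tool" disconnect "$r1" "$r2" || return 2
    expect_step ok "" ipa domainlevel-set 1 || return 3
    expect_step fail "Creation of $DEPRECATED" "$tool" connect "$r1" "$r2" || return 4
    expect_step ok "" ipa topologysegment-add "$suffix" \
        --leftnode="$r1" --rightnode="$r2" --name=newsegment || return 5
    expect_step fail "Removal of $DEPRECATED" "$tool" disconnect "$r1" "$r2" || return 6
}

# In the lab (placeholders as used in the test plan):
#   manage_case ipa-replica-manage   realm %replica1_hostname% %replica2_hostname%
#   manage_case ipa-csreplica-manage ipaca %replica1_hostname% %replica2_hostname%
```

Raising the domain level is not reversible by this script, so each of the two invocations needs its own fresh domain level 0 deployment, as the Setup sections state.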

Test case: ipa-restore after domainlevel raise restores original domain level

Autotest

Setup

  1. Setup a master with domain-level=0 and one replica

Actions

  1. run
    ipa-backup
  2. run
    ipa domainlevel-set 1
  3. run
    ipa-restore
  4. run
    ipa topologysegment-find realm
  5. run
    ipa domainlevel-get

Expected results

  1. command succeeds
  2. command succeeds
  3. command succeeds
  4. should return 0 segments
  5. should show domain-level 0

Test case: Replica can be installed using one command

Autotest

Setup

  1. Install ipa master with domain-level 1

Actions

  1. setup a replica on a spare host with a single command
    ipa-replica-install
  2. run
    ipa topologysegment-find realm
    on master

Expected results

  1. 1 segment should be displayed
  2. The command should succeed

Test case: Prohibit ipa server uninstallation from disconnecting topology segment

Autotest

Setup

  1. install an ipa master with domain level 1
  2. install one replica

Actions

  1. run
    ipa-server-install --uninstall -U
    on replica
  2. run
    ipa-server-install --uninstall -U --ignore-topology-disconnect
    on replica

Expected results

  1. The step should fail and the message should be displayed
    Uninstallation leads to disconnected topology
    Use '--ignore-topology-disconnect' to skip this check
    Aborting uninstallation
  2. The step should succeed

Test case: KRA installation works on master on both domain levels

Autotest

Setup

  1. install master with domain level 0 and another one with domain level 1

Actions

  1. install kra on the first master
    ipa-kra-install -U -p <dirman_password>
  2. kinit admin
  3. Verify that "vault-find" ipa command is available and working
    ipa vault-find
  4. Repeat the above steps on the second master

Expected results

  1. Success
  2. Success
  3. The result must contain "0 vaults found"
  4. The results of all steps should be the same as on master 1

Test case: Replica installation using one-time password

Autotest

Setup

  1. Install master with domain level 1

Actions

  1. Add a replica host on master with '--random' option:
    ipa host-add %replica_hostname% --force --random
  2. Copy the temporary password from the command output to the clipboard
  3. On master add the replica hostname to the 'ipaservers' hostgroup:
    ipa hostgroup-add-member ipaservers --hosts %replica_hostname%
  4. On replica host run
    ipa-replica-install -p %temporary_password_from_clipboard% -n %domain_name% -r %realm% --server %master_hostname% -U

Expected results

  1. The command succeeds and the output contains random one-time password
  2. Well, the password should be copied to your clipboard ;)
  3. The host should be added to the ipaservers group successfully
  4. The replica should be installed successfully