From fa200f3c30362b70196ad8f9b04bf352eb6bccf4 Mon Sep 17 00:00:00 2001
From: Isaac Yang
Date: Wed, 3 Apr 2024 16:18:54 -0700
Subject: [PATCH] Add warning when the same admin in project.yml has different role
---
 nvflare/lighter/impl/cert.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/nvflare/lighter/impl/cert.py b/nvflare/lighter/impl/cert.py
index ec86e2abbc..994c94eec3 100644
--- a/nvflare/lighter/impl/cert.py
+++ b/nvflare/lighter/impl/cert.py
@@ -87,6 +87,17 @@ def _build_write_cert_pair(self, participant, base_name, ctx):
 pri_key = serialization.load_pem_private_key(
 self.persistent_state[subject]["pri_key"].encode("ascii"), password=None, backend=default_backend()
 )
+ if participant.type == "admin":
+ cn_list = cert.subject.get_attributes_for_oid(NameOID.UNSTRUCTURED_NAME)
+ for cn in cn_list:
+ role = cn.value
+ new_role = participant.props.get("role")
+ if role != new_role:
+ err_msg = (
+ f"{participant.name}'s previous role is {role} but is now {new_role}.\n"
+ + "Please delete existing workspace and provision from scratch."
+ )
+ raise RuntimeError(err_msg)
 else:
 pri_key, cert = self.get_pri_key_cert(participant)
 self.persistent_state[subject] = dict(
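Review bot: The role comparison in the `participant.type == "admin"` branch only runs inside `for cn in cn_list:`, so a persisted certificate with no `NameOID.UNSTRUCTURED_NAME` attribute skips the check and is reused without any role validation. Since that attribute appears to be where the admin's role is recorded, the reused certificate could then disagree with project.yml unnoticed; consider comparing the whole list, e.g. `if [a.value for a in cn_list] != [new_role]:`, or failing explicitly when `cn_list` is empty (confirm first how workspaces provisioned by older versions should be treated). `participant.props.get("role")` can also return `None`, which would produce the message "is now None", and `cn_list`/`cn` are misleading names for role attributes (`role_attrs` would read better). The subject calls this a warning while the code raises `RuntimeError`, so a short comment such as `# a role change invalidates the persisted cert: stop instead of reusing it` would help; `_build_write_cert_pair` starts and ends outside the hunk.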