IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't run kra.configure_instance if not necessary

Browse Source 
If kra should not be set up, don't run the code as it would only
prolong the installations.

Previously, krainstance configuration would be performed just to
export the client certificate and private key to authenticate to
certificate server. This is now performed somewhere else therefore
there's no need to run KRAInstance.configure_instance.

The kra.install() method still performs actions on replicas and
we're keeping it in server installer to conform to the installers
design.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-01-04 08:41:26 +01:00 committed by Jan Cholasta
parent 2a1494c9ae
commit 1e89d28aaf
2 changed files with 37 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
ipaserver/install/kra.py
View File

@ -69,6 +69,8 @@ def install_check(api, replica_config, options):
def install(api, replica_config, options): def install(api, replica_config, options):
if replica_config is None: if replica_config is None:
if not options.setup_kra:
return
realm_name = api.env.realm realm_name = api.env.realm
dm_password = options.dm_password dm_password = options.dm_password
host_name = api.env.host host_name = api.env.host
@ -76,9 +78,10 @@ def install(api, replica_config, options):
pkcs12_info = None pkcs12_info = None
master_host = None master_host = None
ra_only = not options.setup_kra
promote = False promote = False
else: else:
if not replica_config.setup_kra:
return
krafile = os.path.join(replica_config.dir, 'kracert.p12') krafile = os.path.join(replica_config.dir, 'kracert.p12')
if options.promote: if options.promote:
custodia = custodiainstance.CustodiaInstance( custodia = custodiainstance.CustodiaInstance(
@ -103,7 +106,6 @@ def install(api, replica_config, options):
pkcs12_info = (krafile,) pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name master_host = replica_config.kra_host_name
ra_only = not replica_config.setup_kra
promote = options.promote promote = options.promote
kra = krainstance.KRAInstance(realm_name) kra = krainstance.KRAInstance(realm_name)
@ -111,18 +113,15 @@ def install(api, replica_config, options):
subject_base=subject_base, subject_base=subject_base,
pkcs12_info=pkcs12_info, pkcs12_info=pkcs12_info,
master_host=master_host, master_host=master_host,
ra_only=ra_only,
promote=promote) promote=promote)
_service.print_msg("Restarting the directory server") _service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance() ds = dsinstance.DsInstance()
ds.restart() ds.restart()
kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
if not ra_only: # Restart apache for new proxy config file
kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) services.knownservices.httpd.restart(capture_output=True)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
def uninstall(standalone): def uninstall(standalone):

61
ipaserver/install/krainstance.py
View File

@ -77,7 +77,7 @@ class KRAInstance(DogtagInstance):
def configure_instance(self, realm_name, host_name, dm_password, def configure_instance(self, realm_name, host_name, dm_password,
admin_password, pkcs12_info=None, master_host=None, admin_password, pkcs12_info=None, master_host=None,
subject_base=None, subject=None, subject_base=None, subject=None,
ra_only=False, promote=False): promote=False):
"""Create a KRA instance. """Create a KRA instance.
To create a clone, pass in pkcs12_info. To create a clone, pass in pkcs12_info.
@ -99,38 +99,37 @@ class KRAInstance(DogtagInstance):
self.realm = realm_name self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name) self.suffix = ipautil.realm_to_suffix(realm_name)
if not ra_only: # Confirm that a KRA does not already exist
# Confirm that a KRA does not already exist if self.is_installed():
if self.is_installed(): raise RuntimeError(
raise RuntimeError( "KRA already installed.")
"KRA already installed.") # Confirm that a Dogtag 10 CA instance already exists
# Confirm that a Dogtag 10 CA instance already exists ca = cainstance.CAInstance(self.realm)
ca = cainstance.CAInstance(self.realm) if not ca.is_installed():
if not ca.is_installed(): raise RuntimeError(
raise RuntimeError( "KRA configuration failed. "
"KRA configuration failed. " "A Dogtag CA must be installed first")
"A Dogtag CA must be installed first")
if promote: if promote:
self.step("creating installation admin user", self.setup_admin) self.step("creating installation admin user", self.setup_admin)
self.step("configuring KRA instance", self.__spawn_instance) self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone: if not self.clone:
self.step("create KRA agent", self.step("create KRA agent",
self.__create_kra_agent) self.__create_kra_agent)
if not ra_only: if promote:
if promote: self.step("destroying installation admin user",
self.step("destroying installation admin user", self.teardown_admin) self.teardown_admin)
self.step("restarting KRA", self.restart_instance) self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals", self.step("configure certmonger for renewals",
self.configure_certmonger_renewal) self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal) self.step("configure certificate renewals", self.configure_renewal)
self.step("configure HTTP to proxy connections", self.step("configure HTTP to proxy connections",
self.http_proxy) self.http_proxy)
if not self.clone: if not self.clone:
self.step("add vault container", self.__add_vault_container) self.step("add vault container", self.__add_vault_container)
self.step("apply LDAP updates", self.__apply_updates) self.step("apply LDAP updates", self.__apply_updates)
self.step("enabling KRA instance", self.__enable_instance) self.step("enabling KRA instance", self.__enable_instance)
try: try:
self.start_creation(runtime=126) self.start_creation(runtime=126)