odsexporterinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use a common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
    svc.uninstall()

Thus, the service class constructor must not do UID/GID resolution.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Alexander Bokovoy 2020-12-22 09:25:01 +02:00
parent b6a645338c
commit 4c4f16fc9c


@ -31,8 +31,6 @@ class ODSExporterInstance(service.Service):
keytab=paths.IPA_ODS_EXPORTER_KEYTAB,
service_prefix=u'ipa-ods-exporter'
)
self.ods_uid = constants.ODS_USER.uid
self.ods_gid = constants.ODS_GROUP.gid
self.enable_if_exists = False
suffix = ipautil.dn_attribute_property('_suffix')
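Review bot: with `self.ods_uid` and `self.ods_gid` dropped from the constructor, any remaining reader of those attributes now fails with AttributeError instead of getting a value. The later hunks convert the two uses visible here; grep the rest of the class and its callers for `ods_uid` and `ods_gid` before merging. A one-line comment in the constructor saying that the UID/GID lookup is deliberately deferred, because the constructor also runs on hosts where the 'ods' account does not exist (the uninstall pattern in the commit message), would keep the lookup from being moved back later.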
@ -71,7 +69,7 @@ class ODSExporterInstance(service.Service):
quotes=False, separator='=')
def __setup_principal(self):
assert self.ods_uid is not None
assert constants.ODS_GROUP.gid is not None
for f in [paths.IPA_ODS_EXPORTER_CCACHE, self.keytab]:
try:
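Review bot: the assert in `__setup_principal` used to check the user id (`self.ods_uid`) and now checks the group id (`constants.ODS_GROUP.gid`), so the uid is no longer checked anywhere in the visible lines; please state in the commit message whether that is intended. The check is also weak as a guard: `assert` is stripped under `python -O`, and since the commit message describes the lookup failing in the constructor when the account is missing, the property appears to raise rather than return None, in which case this condition can never be false. An explicit lookup that reports a clear error when the 'ods' group is absent would serve better.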
@ -95,7 +93,7 @@ class ODSExporterInstance(service.Service):
# Make sure access is strictly reserved to the ods user
os.chmod(self.keytab, 0o440)
os.chown(self.keytab, 0, self.ods_gid)
os.chown(self.keytab, 0, constants.ODS_GROUP.gid)
dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
('cn', 'pbac'), self.suffix)
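Review bot: the comment above the `os.chmod` call says access is reserved to the ods user, but the changed `os.chown` line sets owner 0 and the ods group, and mode `0o440` grants read to that group; the comment should say group. If this code sits in the same method as the assert in the previous hunk, the gid is now looked up twice; resolving it once into a local and using that for both the check and `os.chown` keeps the two in agreement.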