ipaserver.install: Consolidate system user creation

Sytem users and their groups are always created together. Also, users & groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-07-15 13:31:01 +02:00 · 2014-07-15 13:31:01 +02:00 · 5dfa1116c2
commit 5dfa1116c2
parent 846123cfc2
6 changed files with 68 additions and 69 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@ -568,9 +568,8 @@ def main():
    api.bootstrap(in_server=True, context='installer')
    api.finalize()

-    # Create DS group if it doesn't exist yet
-    group_exists = dsinstance.create_ds_group()
-    sstore.backup_state("install", "group_exists", group_exists)
+    # Create DS user/group if it doesn't exist yet
+    dsinstance.create_ds_user()

    #Automatically disable pkinit w/ dogtag until that is supported
    options.setup_pkinit = False
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -556,7 +556,8 @@ def uninstall():

    ipaclient.ntpconf.restore_forced_ntpd(sstore)

-    group_exists = sstore.restore_state("install", "group_exists")
+    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
+    sstore.restore_state("install", "group_exists")

    services.knownservices.ipa.disable()

@ -1061,8 +1062,8 @@ def main():
        # configure /etc/sysconfig/network to contain the custom hostname
        tasks.backup_and_replace_hostname(fstore, sstore, host_name)

-    # Create DS group if it doesn't exist yet
-    dsinstance.create_ds_group()
+    # Create DS user/group if it doesn't exist yet
+    dsinstance.create_ds_user()

    # Create a directory server instance
    if external != 2:
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -249,6 +249,16 @@ def is_ca_installed_locally():
    return os.path.exists(path)


+def create_ca_user():
+    """Create PKI user/group if it doesn't exist yet."""
+    installutils.create_system_user(
+        name=PKI_USER,
+        group=PKI_USER,
+        homedir=paths.VAR_LIB,
+        shell=paths.NOLOGIN,
+    )
+
+
 class CADSInstance(service.Service):
    """Certificate Authority DS instance

@ -396,7 +406,7 @@ class CAInstance(DogtagInstance):
            self.cert_chain_file = cert_chain_file
            self.external = 2

-        self.step("creating certificate server user", self.__create_ca_user)
+        self.step("creating certificate server user", create_ca_user)
        if self.dogtag_constants.DOGTAG_VERSION >= 10:
            self.step("configuring certificate server instance", self.__spawn_instance)
        else:
@ -605,22 +615,6 @@ class CAInstance(DogtagInstance):
        self.backup_state('installed', True)
        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})

-    def __create_ca_user(self):
-        try:
-            pwd.getpwnam(PKI_USER)
-            self.log.debug("ca user %s exists", PKI_USER)
-        except KeyError:
-            self.log.debug("adding ca user %s", PKI_USER)
-            args = [paths.USERADD, "-c", "CA System User",
-                                         "-d", paths.VAR_LIB,
-                                         "-s", paths.NOLOGIN,
-                                         "-M", "-r", PKI_USER]
-            try:
-                ipautil.run(args)
-                self.log.debug("done adding user")
-            except ipautil.CalledProcessError, e:
-                self.log.critical("failed to add user %s", e)
-
    def __configure_instance(self):
        # Only used for Dogtag 9
        preop_pin = get_preop_pin(
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -26,7 +26,6 @@ import re
 import time
 import tempfile
 import stat
-import grp

 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, sysrestore, ipaldap
@ -152,50 +151,15 @@ def is_ds_running(server_id=''):


 def create_ds_user():
-    """
-    Create DS user if it doesn't exist yet.
-    """
-    try:
-        pwd.getpwnam(DS_USER)
-        root_logger.debug('DS user %s exists', DS_USER)
-    except KeyError:
-        root_logger.debug('Adding DS user %s', DS_USER)
-        args = [
-            paths.USERADD,
-            '-g', DS_GROUP,
-            '-c', 'DS System User',
-            '-d', paths.VAR_LIB_DIRSRV,
-            '-s', paths.NOLOGIN,
-            '-M', '-r', DS_USER
-        ]
-        try:
-            ipautil.run(args)
-            root_logger.debug('Done adding DS user')
-        except ipautil.CalledProcessError, e:
-            root_logger.critical('Failed to add DS user: %s', e)
+    """Create DS user/group if it doesn't exist yet."""
+    installutils.create_system_user(
+        name=DS_USER,
+        group=DS_USER,
+        homedir=paths.VAR_LIB_DIRSRV,
+        shell=paths.NOLOGIN,
+    )


-def create_ds_group():
-    """
-    Create DS group if it doesn't exist yet.
-    Returns True if the group already exists.
-    """
-    try:
-        grp.getgrnam(DS_GROUP)
-        root_logger.debug('DS group %s exists', DS_GROUP)
-        group_exists = True
-    except KeyError:
-        group_exists = False
-        root_logger.debug('Adding DS group %s', DS_GROUP)
-        args = [paths.GROUPADD, '-r', DS_GROUP]
-        try:
-            ipautil.run(args)
-            root_logger.debug('Done adding DS group')
-        except ipautil.CalledProcessError, e:
-            root_logger.critical('Failed to add DS group: %s', e)
-
-    return group_exists
-
 INF_TEMPLATE = """
 [General]
 FullMachineName=   $FQDN
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -29,6 +29,8 @@ from ConfigParser import SafeConfigParser, NoOptionError
 import traceback
 import textwrap
 from contextlib import contextmanager
+import pwd
+import grp

 from dns import resolver, rdatatype
 from dns.exception import DNSException
@ -37,7 +39,7 @@ from nss.error import NSPRError

 from ipapython import ipautil, sysrestore, admintool, dogtag, version
 from ipapython.admintool import ScriptError
-from ipapython.ipa_log_manager import root_logger
+from ipapython.ipa_log_manager import root_logger, log_mgr
 from ipalib.util import validate_hostname
 from ipapython import config
 from ipalib import errors, x509
@ -82,6 +84,8 @@ class ReplicaConfig:

    subject_base = ipautil.dn_attribute_property('_subject_base')

+log = log_mgr.get_logger(__name__)
+
 def get_fqdn():
    fqdn = ""
    try:
@ -982,3 +986,41 @@ def validate_external_cert(cert_file, ca_file, subject_base):
            raise ValueError(
                "The external CA chain is incomplete (%s is missing from the "
                "chain)." % certsubject)
+
+
+def create_system_user(name, group, homedir, shell):
+    """Create a system user with a corresponding group"""
+    try:
+        grp.getgrnam(group)
+    except KeyError:
+        log.debug('Adding group %s', group)
+        args = [paths.GROUPADD, '-r', group]
+        try:
+            ipautil.run(args)
+            log.debug('Done adding group')
+        except ipautil.CalledProcessError as e:
+            log.critical('Failed to add group: %s', e)
+            raise
+    else:
+        log.debug('group %s exists', group)
+
+    try:
+        pwd.getpwnam(name)
+    except KeyError:
+        log.debug('Adding user %s', name)
+        args = [
+            paths.USERADD,
+            '-g', group,
+            '-c', 'DS System User',
+            '-d', homedir,
+            '-s', shell,
+            '-M', '-r', name,
+        ]
+        try:
+            ipautil.run(args)
+            log.debug('Done adding user')
+        except ipautil.CalledProcessError as e:
+            log.critical('Failed to add user: %s', e)
+            raise
+    else:
+        log.debug('user %s exists', name)
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@ -30,7 +30,7 @@ from ipapython import version
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
-from ipaserver.install.dsinstance import (realm_to_serverid, create_ds_group,
+from ipaserver.install.dsinstance import (realm_to_serverid,
                                          create_ds_user, DS_USER)
 from ipaserver.install.cainstance import PKI_USER
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
@ -188,7 +188,6 @@ class Restore(admintool.AdminTool):
        if options.data_only and not instances:
            raise admintool.ScriptError('No instances to restore to')

-        create_ds_group()
        create_ds_user()
        pent = pwd.getpwnam(DS_USER)