Remove DL0 specific code from kra in ipaserver/install
The code to add missing KRA certificates has been removed from install_check as it was only reached if replica_config is not None and promote was False for DL0 replica installations. Also the other places. Promote is now hard set to True if replica_config is not None in install for later use in krainstance.

See: https://pagure.io/freeipa/issue/7689

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
parent
eaae9935f4
commit
71e19f11b4
@ -9,13 +9,11 @@ KRA installer module
|
|||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import shutil
|
|
||||||
|
|
||||||
from ipalib import api
|
from ipalib import api
|
||||||
from ipalib.install.kinit import kinit_keytab
|
from ipalib.install.kinit import kinit_keytab
|
||||||
from ipaplatform import services
|
from ipaplatform import services
|
||||||
from ipaplatform.paths import paths
|
from ipaplatform.paths import paths
|
||||||
from ipapython import certdb
|
|
||||||
from ipapython import ipautil
|
from ipapython import ipautil
|
||||||
from ipapython.install.core import group
|
from ipapython.install.core import group
|
||||||
from ipaserver.install import cainstance
|
from ipaserver.install import cainstance
|
||||||
@ -52,22 +50,6 @@ def install_check(api, replica_config, options):
|
|||||||
"KRA is not installed on the master system. Please use "
|
"KRA is not installed on the master system. Please use "
|
||||||
"'ipa-kra-install' command to install the first instance.")
|
"'ipa-kra-install' command to install the first instance.")
|
||||||
|
|
||||||
if options.promote:
|
|
||||||
return
|
|
||||||
|
|
||||||
with certdb.NSSDatabase() as tmpdb:
|
|
||||||
tmpdb.create_db()
|
|
||||||
tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
|
|
||||||
replica_config.dirman_password)
|
|
||||||
kra_cert_nicknames = [
|
|
||||||
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
|
|
||||||
"auditSigningCert cert-pki-kra"
|
|
||||||
]
|
|
||||||
if not all(tmpdb.has_nickname(nickname)
|
|
||||||
for nickname in kra_cert_nicknames):
|
|
||||||
raise RuntimeError("Missing KRA certificates, please create a "
|
|
||||||
"new replica file.")
|
|
||||||
|
|
||||||
|
|
||||||
def install(api, replica_config, options, custodia):
|
def install(api, replica_config, options, custodia):
|
||||||
if replica_config is None:
|
if replica_config is None:
|
||||||
@ -85,23 +67,15 @@ def install(api, replica_config, options, custodia):
|
|||||||
if not replica_config.setup_kra:
|
if not replica_config.setup_kra:
|
||||||
return
|
return
|
||||||
krafile = os.path.join(replica_config.dir, 'kracert.p12')
|
krafile = os.path.join(replica_config.dir, 'kracert.p12')
|
||||||
if options.promote:
|
with ipautil.private_ccache():
|
||||||
with ipautil.private_ccache():
|
ccache = os.environ['KRB5CCNAME']
|
||||||
ccache = os.environ['KRB5CCNAME']
|
kinit_keytab(
|
||||||
kinit_keytab(
|
'host/{env.host}@{env.realm}'.format(env=api.env),
|
||||||
'host/{env.host}@{env.realm}'.format(env=api.env),
|
paths.KRB5_KEYTAB,
|
||||||
paths.KRB5_KEYTAB,
|
ccache)
|
||||||
ccache)
|
custodia.get_kra_keys(
|
||||||
custodia.get_kra_keys(
|
krafile,
|
||||||
krafile,
|
replica_config.dirman_password)
|
||||||
replica_config.dirman_password)
|
|
||||||
else:
|
|
||||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
|
||||||
if not os.path.isfile(cafile):
|
|
||||||
raise RuntimeError(
|
|
||||||
"Unable to clone KRA."
|
|
||||||
" cacert.p12 file not found in replica file")
|
|
||||||
shutil.copy(cafile, krafile)
|
|
||||||
|
|
||||||
realm_name = replica_config.realm_name
|
realm_name = replica_config.realm_name
|
||||||
dm_password = replica_config.dirman_password
|
dm_password = replica_config.dirman_password
|
||||||
@ -110,7 +84,7 @@ def install(api, replica_config, options, custodia):
|
|||||||
|
|
||||||
pkcs12_info = (krafile,)
|
pkcs12_info = (krafile,)
|
||||||
master_host = replica_config.kra_host_name
|
master_host = replica_config.kra_host_name
|
||||||
promote = options.promote
|
promote = True
|
||||||
|
|
||||||
kra = krainstance.KRAInstance(realm_name)
|
kra = krainstance.KRAInstance(realm_name)
|
||||||
kra.configure_instance(realm_name, host_name, dm_password, dm_password,
|
kra.configure_instance(realm_name, host_name, dm_password, dm_password,
|
||||||
|
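Review bot: With the DL0 branch gone, every replica KRA install now writes `kracert.p12` through `custodia.get_kra_keys(krafile, replica_config.dirman_password)`, and nothing in the third hunk of `install` documents that this file carries KRA private key material or shows where it is removed. The function continues outside the visible hunks, so cleanup may well happen later. If it does not, the PKCS#12 stays in `replica_config.dir`, presumably protected only by the Directory Manager password and that directory's permissions. I would add a comment above `with ipautil.private_ccache():` such as `# Fetch KRA keys from the master via Custodia with the host keytab; krafile holds private keys and must not outlive the install`, and confirm the file is deleted once `kra.configure_instance(...)` has run. Separately, the hard-coded `promote = True` in the last hunk would read better with `# DL0 is gone: a replica install is always a promotion`.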