Make service user name a class member of Service

This will aid further refactoring of service installers, since the user will
be defined only once during parent class initialization.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Martin Babinsky 2016-11-03 17:43:33 +01:00 committed by Jan Cholasta
parent 15f282cf2c
commit 81bf72dc35
7 changed files with 27 additions and 22 deletions


@ -619,10 +619,10 @@ class BindInstance(service.Service):
"named",
service_desc="DNS",
fstore=fstore,
api=api
api=api,
service_user=constants.NAMED_USER
)
self.dns_backup = DnsBackup(self)
self.named_user = None
self.domain = None
self.host = None
self.ip_addresses = []
@ -637,7 +637,7 @@ class BindInstance(service.Service):
forward_policy, reverse_zones,
named_user=constants.NAMED_USER, zonemgr=None,
no_dnssec_validation=False):
self.named_user = named_user
self.service_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
@ -890,7 +890,7 @@ class BindInstance(service.Service):
dns_principal = p
# Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.named_user)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid)
os.chmod(paths.NAMED_KEYTAB, 0o400)
@ -1189,4 +1189,4 @@ class BindInstance(service.Service):
self.named_regular.start()
installutils.remove_keytab(paths.NAMED_KEYTAB)
installutils.remove_ccache(run_as=constants.NAMED_USER)
installutils.remove_ccache(run_as=self.service_user)
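Review bot: `self.service_user = named_user` in setup() (the line right after the `no_dnssec_validation=False):` signature) silently overwrites the `constants.NAMED_USER` the constructor just set, so the account that ends up owning `paths.NAMED_KEYTAB` (the chown/chmod 0o400 further down) and whose ccache is removed on uninstall is whatever the last setup() caller passed, which undercuts the "defined only once" goal stated in the commit message. If the `named_user` parameter must stay for compatibility, I would drop the reassignment and reject a mismatch instead, e.g. `if named_user != self.service_user: raise ValueError("named_user must match service_user")`; otherwise the parameter can simply go, since its default is the same constant. The body of setup() continues outside the hunk, so I cannot see whether anything else still reads `named_user`.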


@ -458,7 +458,7 @@ class CAInstance(DogtagInstance):
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
# Create CA configuration
@ -534,7 +534,7 @@ class CAInstance(DogtagInstance):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
# Security domain registration
@ -633,7 +633,7 @@ class CAInstance(DogtagInstance):
'ca.enableNonces=false')
if update_result != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
def enable_pkix(self):
@ -865,7 +865,7 @@ class CAInstance(DogtagInstance):
os.mkdir(publishdir)
os.chmod(publishdir, 0o775)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(publishdir, 0, pent.pw_gid)
tasks.restore_context(publishdir)
@ -1231,7 +1231,7 @@ class CAInstance(DogtagInstance):
def __setup_lightweight_ca_key_retrieval_kerberos(self):
service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME
principal = '{}/{}@{}'.format(service, api.env.host, self.realm)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
root_logger.info('Creating principal')
installutils.kadmin_addprinc(principal)
@ -1246,7 +1246,7 @@ class CAInstance(DogtagInstance):
def __setup_lightweight_ca_key_retrieval_custodia(self):
service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
root_logger.info('Creating Custodia keys')
custodia_basedn = DN(
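Review bot: In the first hunk the `tempfile.mkstemp()` file is created before `pwd.getpwnam(self.service_user)` runs, so if the PKI account is missing the KeyError leaves a root-owned temp file behind; since the lookup no longer depends on anything created in the method, moving `pent = pwd.getpwnam(self.service_user)` above the `mkstemp()` call avoids that. The same lookup is now repeated in six CAInstance methods for a value fixed at construction; resolving it once (a small cached property on the instance) would keep the failure in one place and make the error easier to attribute than a bare `KeyError: 'pkiuser'` mid-install. Each of these methods continues outside its hunk.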


@ -114,7 +114,8 @@ class DogtagInstance(service.Service):
super(DogtagInstance, self).__init__(
'pki-tomcatd',
service_desc=service_desc,
realm_name=realm
realm_name=realm,
service_user=constants.PKI_USER
)
self.admin_password = None


@ -227,6 +227,7 @@ class DsInstance(service.Service):
"dirsrv",
service_desc="directory server",
fstore=fstore,
service_user=DS_USER,
realm_name=realm_name
)
self.nickname = 'Server-Cert'
@ -1242,7 +1243,7 @@ class DsInstance(service.Service):
replacevars=vardict)
# Keytab must be owned by DS itself
pent = pwd.getpwnam(DS_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
def __get_ds_cert(self):
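Review bot: After `os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)` the keytab keeps whatever mode it was created with, whereas BindInstance follows the equivalent chown of the named keytab with `os.chmod(..., 0o400)`. Unless the keytab creation step (outside this hunk) already restricts the mode, adding `os.chmod(paths.DS_KEYTAB, 0o600)` after the chown would make the two installers consistent and keep the key material unreadable to other local users. The enclosing method starts outside the hunk.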


@ -123,7 +123,8 @@ class HTTPInstance(service.Service):
super(HTTPInstance, self).__init__(
"httpd",
service_desc="the web interface",
fstore=fstore)
fstore=fstore,
service_user=HTTPD_USER)
self.cert_nickname = cert_nickname
self.ca_is_configured = True
@ -206,7 +207,7 @@ class HTTPInstance(service.Service):
installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
self.move_service(self.principal)
pent = pwd.getpwnam(HTTPD_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self):
@ -214,7 +215,8 @@ class HTTPInstance(service.Service):
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
ipautil.run(
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
[paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
env={})
def __configure_http(self):
self.update_httpd_service_ipa_conf()
@ -326,7 +328,7 @@ class HTTPInstance(service.Service):
self.fix_cert_db_perms()
def fix_cert_db_perms(self):
pent = pwd.getpwnam(constants.HTTPD_USER)
pent = pwd.getpwnam(self.service_user)
for filename in NSS_FILES:
nss_path = os.path.join(certs.NSS_DIR, filename)
@ -527,7 +529,7 @@ class HTTPInstance(service.Service):
installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
run_as=HTTPD_USER)
run_as=self.service_user)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)


@ -28,7 +28,6 @@ from six.moves.configparser import ConfigParser
from ipalib import api
from ipalib import x509
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import ipautil
@ -144,7 +143,7 @@ class KRAInstance(DogtagInstance):
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
# Create KRA configuration
@ -235,7 +234,7 @@ class KRAInstance(DogtagInstance):
if self.clone:
krafile = self.pkcs12_info[0]
shutil.copy(krafile, p12_tmpfile_name)
pent = pwd.getpwnam(constants.PKI_USER)
pent = pwd.getpwnam(self.service_user)
os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
# Security domain registration


@ -131,7 +131,8 @@ def find_providing_server(svcname, conn, host_name=None, api=api):
class Service(object):
def __init__(self, service_name, service_desc=None, sstore=None,
fstore=None, api=api, realm_name=None):
fstore=None, api=api, realm_name=None,
service_user=None):
self.service_name = service_name
self.service_desc = service_desc
self.service = services.service(service_name)
@ -155,6 +156,7 @@ class Service(object):
self.principal = None
self.dercert = None
self.api = api
self.service_user = service_user
@property
def admin_conn(self):
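Review bot: The new `service_user` parameter is undocumented and defaults to `None`, yet every caller in this commit feeds it straight into `pwd.getpwnam()`, which raises TypeError on `None`; a subclass that forgets to pass it will fail only when it first touches file ownership, mid-install. A short comment on the assignment would make the contract explicit, e.g. `# OS account that owns this service's keytabs, config and cert DB; subclasses that chown files must set it (pwd.getpwnam(None) raises TypeError)`. If a stricter contract is wanted, Service.__init__ could reject an unknown account up front with `pwd.getpwnam(service_user)` guarded by `if service_user is not None`, but that is a behaviour choice for the maintainers.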