Make service user name a class member of Service

This will aid further refactoring of service installers, since the user will
be defined only once during parent class initialization.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Martin Babinsky 2016-11-03 17:43:33 +01:00 committed by Jan Cholasta
parent 15f282cf2c
commit 81bf72dc35
7 changed files with 27 additions and 22 deletions


@ -619,10 +619,10 @@ class BindInstance(service.Service):
"named", "named",
service_desc="DNS", service_desc="DNS",
fstore=fstore, fstore=fstore,
api=api api=api,
service_user=constants.NAMED_USER
) )
self.dns_backup = DnsBackup(self) self.dns_backup = DnsBackup(self)
self.named_user = None
self.domain = None self.domain = None
self.host = None self.host = None
self.ip_addresses = [] self.ip_addresses = []
@ -637,7 +637,7 @@ class BindInstance(service.Service):
forward_policy, reverse_zones, forward_policy, reverse_zones,
named_user=constants.NAMED_USER, zonemgr=None, named_user=constants.NAMED_USER, zonemgr=None,
no_dnssec_validation=False): no_dnssec_validation=False):
self.named_user = named_user self.service_user = named_user
self.fqdn = fqdn self.fqdn = fqdn
self.ip_addresses = ip_addresses self.ip_addresses = ip_addresses
self.realm = realm_name self.realm = realm_name
@ -890,7 +890,7 @@ class BindInstance(service.Service):
dns_principal = p dns_principal = p
# Make sure access is strictly reserved to the named user # Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.named_user) pent = pwd.getpwnam(self.service_user)
os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid) os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid)
os.chmod(paths.NAMED_KEYTAB, 0o400) os.chmod(paths.NAMED_KEYTAB, 0o400)
@ -1189,4 +1189,4 @@ class BindInstance(service.Service):
self.named_regular.start() self.named_regular.start()
installutils.remove_keytab(paths.NAMED_KEYTAB) installutils.remove_keytab(paths.NAMED_KEYTAB)
installutils.remove_ccache(run_as=constants.NAMED_USER) installutils.remove_ccache(run_as=self.service_user)
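Review bot: `setup()` still accepts `named_user=constants.NAMED_USER` and overwrites the parent-initialised value at `self.service_user = named_user`, so the user "defined only once" in `__init__` can be silently replaced per call, and the later keytab chown and `remove_ccache(run_as=self.service_user)` follow whatever the last caller passed. Consider dropping the parameter once callers are updated, or at least failing loudly when it differs from `self.service_user`, e.g. `if named_user != self.service_user: raise ValueError("named_user differs from service_user")`. Removing `self.named_user = None` also means any remaining reader of `self.named_user` outside this hunk would now raise AttributeError, which is worth a grep. The `__init__`, `setup` and uninstall methods all start or end outside the hunk.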


@ -458,7 +458,7 @@ class CAInstance(DogtagInstance):
# Create an empty and secured file # Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp() (cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd) os.close(cfg_fd)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid) os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
# Create CA configuration # Create CA configuration
@ -534,7 +534,7 @@ class CAInstance(DogtagInstance):
cafile = self.pkcs12_info[0] cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12) shutil.copy(cafile, paths.TMP_CA_P12)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid) os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
# Security domain registration # Security domain registration
@ -633,7 +633,7 @@ class CAInstance(DogtagInstance):
'ca.enableNonces=false') 'ca.enableNonces=false')
if update_result != 0: if update_result != 0:
raise RuntimeError("Disabling nonces failed") raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid) os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
def enable_pkix(self): def enable_pkix(self):
@ -865,7 +865,7 @@ class CAInstance(DogtagInstance):
os.mkdir(publishdir) os.mkdir(publishdir)
os.chmod(publishdir, 0o775) os.chmod(publishdir, 0o775)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(publishdir, 0, pent.pw_gid) os.chown(publishdir, 0, pent.pw_gid)
tasks.restore_context(publishdir) tasks.restore_context(publishdir)
@ -1231,7 +1231,7 @@ class CAInstance(DogtagInstance):
def __setup_lightweight_ca_key_retrieval_kerberos(self): def __setup_lightweight_ca_key_retrieval_kerberos(self):
service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME
principal = '{}/{}@{}'.format(service, api.env.host, self.realm) principal = '{}/{}@{}'.format(service, api.env.host, self.realm)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
root_logger.info('Creating principal') root_logger.info('Creating principal')
installutils.kadmin_addprinc(principal) installutils.kadmin_addprinc(principal)
@ -1246,7 +1246,7 @@ class CAInstance(DogtagInstance):
def __setup_lightweight_ca_key_retrieval_custodia(self): def __setup_lightweight_ca_key_retrieval_custodia(self):
service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
root_logger.info('Creating Custodia keys') root_logger.info('Creating Custodia keys')
custodia_basedn = DN( custodia_basedn = DN(
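Review bot: With every `constants.PKI_USER` lookup in this file replaced by `self.service_user`, the `ipaplatform.constants` import in ca.py may now be unused, as the KRA change in this same commit removes it; the remaining `ipalib.constants.PKI_GSSAPI_SERVICE_NAME` references are a different module, so if nothing else uses `constants` it should be dropped here as well. These lookups also rely on `DogtagInstance.__init__` always passing `service_user=constants.PKI_USER`; with the parent's `None` default, `pwd.getpwnam` would raise TypeError far from the construction site, so a comment on the first `pent = pwd.getpwnam(self.service_user)` such as `# service_user is PKI_USER, set by DogtagInstance.__init__` would help readers. Each of these methods starts or ends outside its hunk.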


@ -114,7 +114,8 @@ class DogtagInstance(service.Service):
super(DogtagInstance, self).__init__( super(DogtagInstance, self).__init__(
'pki-tomcatd', 'pki-tomcatd',
service_desc=service_desc, service_desc=service_desc,
realm_name=realm realm_name=realm,
service_user=constants.PKI_USER
) )
self.admin_password = None self.admin_password = None


@ -227,6 +227,7 @@ class DsInstance(service.Service):
"dirsrv", "dirsrv",
service_desc="directory server", service_desc="directory server",
fstore=fstore, fstore=fstore,
service_user=DS_USER,
realm_name=realm_name realm_name=realm_name
) )
self.nickname = 'Server-Cert' self.nickname = 'Server-Cert'
@ -1242,7 +1243,7 @@ class DsInstance(service.Service):
replacevars=vardict) replacevars=vardict)
# Keytab must be owned by DS itself # Keytab must be owned by DS itself
pent = pwd.getpwnam(DS_USER) pent = pwd.getpwnam(self.service_user)
os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid) os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
def __get_ds_cert(self): def __get_ds_cert(self):
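Review bot: The keytab ownership change at `pent = pwd.getpwnam(self.service_user)` / `os.chown(paths.DS_KEYTAB, ...)` restricts the owner but sets no mode in this hunk, whereas the equivalent BindInstance code in this commit follows its chown with `os.chmod(paths.NAMED_KEYTAB, 0o400)`. If the keytab creation (not visible here) does not already tighten the mode, consider adding `os.chmod(paths.DS_KEYTAB, 0o400)` after the chown so the keytab is not group/other readable. With `service_user=DS_USER` now passed to `Service.__init__`, that is the single definition the lookup depends on. The method containing the chown starts outside the hunk.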


@ -123,7 +123,8 @@ class HTTPInstance(service.Service):
super(HTTPInstance, self).__init__( super(HTTPInstance, self).__init__(
"httpd", "httpd",
service_desc="the web interface", service_desc="the web interface",
fstore=fstore) fstore=fstore,
service_user=HTTPD_USER)
self.cert_nickname = cert_nickname self.cert_nickname = cert_nickname
self.ca_is_configured = True self.ca_is_configured = True
@ -206,7 +207,7 @@ class HTTPInstance(service.Service):
installutils.create_keytab(paths.IPA_KEYTAB, self.principal) installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
self.move_service(self.principal) self.move_service(self.principal)
pent = pwd.getpwnam(HTTPD_USER) pent = pwd.getpwnam(self.service_user)
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid) os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self): def remove_httpd_ccache(self):
@ -214,7 +215,8 @@ class HTTPInstance(service.Service):
# Make sure that empty env is passed to avoid passing KRB5CCNAME from # Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env # current env
ipautil.run( ipautil.run(
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
env={})
def __configure_http(self): def __configure_http(self):
self.update_httpd_service_ipa_conf() self.update_httpd_service_ipa_conf()
@ -326,7 +328,7 @@ class HTTPInstance(service.Service):
self.fix_cert_db_perms() self.fix_cert_db_perms()
def fix_cert_db_perms(self): def fix_cert_db_perms(self):
pent = pwd.getpwnam(constants.HTTPD_USER) pent = pwd.getpwnam(self.service_user)
for filename in NSS_FILES: for filename in NSS_FILES:
nss_path = os.path.join(certs.NSS_DIR, filename) nss_path = os.path.join(certs.NSS_DIR, filename)
@ -527,7 +529,7 @@ class HTTPInstance(service.Service):
installutils.remove_keytab(paths.IPA_KEYTAB) installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
run_as=HTTPD_USER) run_as=self.service_user)
# Remove the configuration files we create # Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
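Review bot: The old code mixed `HTTPD_USER` and `constants.HTTPD_USER` (the latter only in `fix_cert_db_perms`), and after this change `constants.HTTPD_USER` is gone; if that was the only use of the `constants` name in httpinstance.py, the import should be dropped as the KRA change in this commit does, otherwise it is a dangling dependency. The `kdestroy -A` call in `remove_httpd_ccache` now runs as `self.service_user` with `raiseonerr=False`, so a wrong or unset `service_user` would fail silently rather than surface; a short comment such as `# best-effort: failures are ignored, service_user is HTTPD_USER from __init__` would make that explicit. The `__init__`, `remove_httpd_ccache`, `fix_cert_db_perms` and uninstall methods all start or end outside their hunks.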


@ -28,7 +28,6 @@ from six.moves.configparser import ConfigParser
from ipalib import api from ipalib import api
from ipalib import x509 from ipalib import x509
from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import certdb from ipapython import certdb
from ipapython import ipautil from ipapython import ipautil
@ -144,7 +143,7 @@ class KRAInstance(DogtagInstance):
# Create an empty and secured file # Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp() (cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd) os.close(cfg_fd)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid) os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
# Create KRA configuration # Create KRA configuration
@ -235,7 +234,7 @@ class KRAInstance(DogtagInstance):
if self.clone: if self.clone:
krafile = self.pkcs12_info[0] krafile = self.pkcs12_info[0]
shutil.copy(krafile, p12_tmpfile_name) shutil.copy(krafile, p12_tmpfile_name)
pent = pwd.getpwnam(constants.PKI_USER) pent = pwd.getpwnam(self.service_user)
os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
# Security domain registration # Security domain registration


@ -131,7 +131,8 @@ def find_providing_server(svcname, conn, host_name=None, api=api):
class Service(object): class Service(object):
def __init__(self, service_name, service_desc=None, sstore=None, def __init__(self, service_name, service_desc=None, sstore=None,
fstore=None, api=api, realm_name=None): fstore=None, api=api, realm_name=None,
service_user=None):
self.service_name = service_name self.service_name = service_name
self.service_desc = service_desc self.service_desc = service_desc
self.service = services.service(service_name) self.service = services.service(service_name)
@ -155,6 +156,7 @@ class Service(object):
self.principal = None self.principal = None
self.dercert = None self.dercert = None
self.api = api self.api = api
self.service_user = service_user
@property @property
def admin_conn(self): def admin_conn(self):
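Review bot: `service_user` defaults to `None` and is stored unvalidated at `self.service_user = service_user`, yet the subclasses in this commit pass it straight to `pwd.getpwnam`, which raises TypeError far from the construction site. Since every installer now supplies it, either document the contract with a comment like `# OS account the service runs as; owns its keytab/config files and must be set by every installer` or make the parameter required. A small helper on Service, e.g. `def service_user_pwent(self): return pwd.getpwnam(self.service_user)`, would also remove the repeated `pwd.getpwnam(self.service_user)` lookups spread across the subclasses. `__init__` continues past the hunk.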