IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-28 09:06:44 -06:00
Code Issues Packages Projects Releases Wiki Activity

Adapt cert-find performance workaround for users

Browse Source 
ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.

Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
Christian Heimes 2019-04-03 18:07:43 +02:00
parent cb0f24bfe2
commit 8a5dc1b375
1 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
ipaserver/plugins/cert.py
View File

@ -1643,21 +1643,26 @@ class cert_find(Search, CertMethod):
result = collections.OrderedDict() result = collections.OrderedDict()
complete = bool(ra_options) complete = bool(ra_options)
# workaround for RHBZ#1669012 # workaround for RHBZ#1669012 and RHBZ#1695685
# Improve performance for service and host case by also searching # Improve performance for service, host and user case by also
# for subject. This limits the amount of certificate retrieved from # searching for subject. This limits the amount of certificate
# Dogtag. The special case is only used, when no ra_options are set # retrieved from Dogtag. The special case is only used, when
# and exactly one service or host is supplied. # no ra_options are set and exactly one service, host, or user is
# The complete flag is left to False. # supplied.
# IPA enforces that subject CN is either a hostname or a username.
# The complete flag is left to False to catch overrides.
if not ra_options: if not ra_options:
services = options.get('service', ()) services = options.get('service', ())
hosts = options.get('host', ()) hosts = options.get('host', ())
if len(services) == 1 and not hosts: users = options.get('user', ())
principal = kerberos.Principal(options['service'][0]) if len(services) == 1 and not hosts and not users:
principal = kerberos.Principal(services[0])
if principal.is_service: if principal.is_service:
ra_options['subject'] = principal.hostname ra_options['subject'] = principal.hostname
elif len(hosts) == 1 and not services: elif len(hosts) == 1 and not services and not users:
ra_options['subject'] = options['host'][0] ra_options['subject'] = hosts[0]
elif len(users) == 1 and not services and not hosts:
ra_options['subject'] = users[0]
try: try:
ca_enabled_check(self.api) ca_enabled_check(self.api)