Add workaround for slow host/service del

host-del and service-del are slow because cert revokation is implemented inefficiently. The internal cert_find() call retrieves all certificates from Dogtag. The workaround special cases service and host find without additional RA search options. A search for service and host certs limits the scope to certificate with matching subject common name. See: https://pagure.io/freeipa/issue/7835 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-01-25 16:12:11 +01:00 · 2019-01-25 16:12:11 +01:00 · ae74d348c3
commit ae74d348c3
parent 2ba969da07
1 changed files with 16 additions and 0 deletions
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@ -1466,6 +1466,22 @@ class cert_find(Search, CertMethod):
        result = collections.OrderedDict()
        complete = bool(ra_options)

+        # workaround for RHBZ#1669012
+        # Improve performance for service and host case by also searching
+        # for subject. This limits the amount of certificate retrieved from
+        # Dogtag. The special case is only used, when no ra_options are set
+        # and exactly one service or host is supplied.
+        # The complete flag is left to False.
+        if not ra_options:
+            services = options.get('service', ())
+            hosts = options.get('host', ())
+            if len(services) == 1 and not hosts:
+                principal = kerberos.Principal(options['service'][0])
+                if principal.is_service:
+                    ra_options['subject'] = principal.hostname
+            elif len(hosts) == 1 and not services:
+                ra_options['subject'] = options['host'][0]
+
        try:
            ca_enabled_check(self.api)
        except errors.NotFound: