vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
Jan Cholasta 2015-06-10 08:50:42 +00:00
parent cbcd86b500
commit e7ac57e139
11 changed files with 102 additions and 96 deletions


@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
output: Output('commands', <type 'dict'>, None)
output: Output('methods', <type 'dict'>, None)
output: Output('objects', <type 'dict'>, None)
command: kra_is_enabled
args: 0,1,3
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: krbtpolicy_mod
args: 1,9,3
arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)


@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=126
# Last change: edewata - added vault-archive and vault-retrieve
IPA_API_VERSION_MINOR=127
# Last change: jcholast - add kra_is_enabled


@ -33,7 +33,7 @@ from ipalib import output
from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
LDAPSearch, LDAPUpdate, LDAPRetrieve
LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
from ipalib.request import context
from ipalib.plugins.user import split_principal
from ipalib import _, ngettext
@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
**options):
assert isinstance(dn, DN)
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
def pre_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
**options):
assert isinstance(base_dn, DN)
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
assert isinstance(dn, DN)
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
def execute(self, *args, **options):
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
def execute(self, *args, **options):
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
def execute(self, *args, **options):
if not self.api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
kra_account.logout()
return result
@register()
class kra_is_enabled(Command):
NO_CLI = True
has_output = output.standard_value
def execute(self, *args, **options):
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
try:
self.api.Backend.ldap2.find_entries(
base_dn=base_dn, filter=filter, attrs_list=[])
except errors.NotFound:
result = False
else:
result = True
return dict(result=result, value=pkey_to_value(None, options))
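Review bot: In `kra_is_enabled.execute` the local `filter` shadows the builtin; rename it, e.g. `search_filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'` and pass `filter=search_filter`. The new command class carries no docstring; add one such as `"""Return True if a KRA service entry exists under cn=masters,cn=ipa,cn=etc on any master."""`, making explicit that it reports topology-wide state rather than whether this host has a KRA, since the installers now rely on that distinction. Only `errors.NotFound` is translated to False; any other LDAP error raised by `find_entries` propagates unchanged to the vault_* callers, which is presumably intended but deserves a comment on the `try`.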


@ -309,6 +309,8 @@ class BasePathNamespace(object):
IPARESTORE_LOG = "/var/log/iparestore.log"
IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
KADMIND_LOG = "/var/log/kadmind.log"
@ -316,8 +318,6 @@ class BasePathNamespace(object):
PKI_CA_LOG_DIR = "/var/log/pki-ca"
PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
VAR_LOG_PKI_DIR = "/var/log/pki/"
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"


@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
return dogtag_master_ds_port
def read_replica_info_kra_enabled(config_dir):
"""
Check the replica info to determine if a KRA has been installed
on the master
"""
default_file = config_dir + "/default.conf"
if not ipautil.file_exists(default_file):
return False
else:
with open(default_file) as fd:
config = SafeConfigParser()
config.readfp(fd)
enable_kra = config.getboolean("global", "enable_kra")
return enable_kra
def create_replica_config(dirman_password, filename, options):
top_dir = None


@ -23,7 +23,10 @@ from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import admintool
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import krainstance
from ipaserver.install import installutils
from ipaserver.install.installutils import create_replica_config
from ipaserver.install import dogtaginstance
@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
class KRAUninstaller(KRAInstall):
log_file_name = paths.PKI_KRA_UNINSTALL_LOG
log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
def validate_options(self, needs_root=True):
super(KRAUninstaller, self).validate_options(needs_root=True)
@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
if self.args:
self.option_parser.error("Too many parameters provided.")
if not api.env.enable_kra:
dogtag_constants = dogtag.configured_constants(api)
_kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
if not _kra.is_installed():
self.option_parser.error(
"Cannot uninstall. There is no KRA installed on this system."
)
def run(self):
super(KRAUninstaller, self).run()
kra.uninstall()
kra.uninstall(True)
class KRAInstaller(KRAInstall):
log_file_name = paths.PKI_KRA_INSTALL_LOG
log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
INSTALLER_START_MESSAGE = '''
===================================================================
@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
self.replica_file,
self.options)
self.options.dm_password = self.options.password
self.options.setup_ca = False
api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
bind_pw=self.options.dm_password)
try:
kra.install_check(replica_config, self.options, api.env.enable_kra,
int(api.env.dogtag_version))
kra.install_check(api, replica_config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
kra.install(replica_config, self.options, self.options.password)
kra.install(api, replica_config, self.options)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
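Review bot: `KRAUninstaller.validate_options` constructs `krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)`, while the two new call sites in the kra install module in this same commit pass `api.env.realm` as the first argument; one of the two forms is presumably wrong and the realm form is the majority, so this line should likely read `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`. In the replica path of `KRAInstaller.run`, `api.Backend.ldap2.connect` binds as Directory Manager with the supplied password and no matching disconnect appears in the hunk; the method continues outside it, so confirm the connection is closed on both the success and the `ScriptError` paths. Consider a comment on the connect line noting that `kra.install_check` needs the bound connection for `kra_is_enabled`.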


@ -2,25 +2,25 @@
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
import os
from ConfigParser import RawConfigParser
from ipalib import api
from ipaplatform.paths import paths
from ipalib import api, errors
from ipapython import dogtag
from ipapython.dn import DN
from ipaserver.install import cainstance
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
from ipaserver.install import service
from ipaserver.install.installutils import read_replica_info_kra_enabled
def install_check(replica_config, options, enable_kra, dogtag_version):
if enable_kra:
def install_check(api, replica_config, options):
dogtag_constants = dogtag.configured_constants(api=api)
kra = krainstance.KRAInstance(api.env.realm,
dogtag_constants=dogtag_constants)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if dogtag_version >= 10:
if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not read_replica_info_kra_enabled(replica_config.dir):
raise RuntimeError(
"Either KRA is not installed on the master system or "
"your replica file is out of date"
)
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError("KRA is not installed on the master system")
def install(replica_config, options, dm_password):
def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
if replica_config is None:
kra = krainstance.KRAInstance(
@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
ds = dsinstance.DsInstance()
ds.restart()
kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
# Update config file
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_kra', 'True')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
def uninstall(standalone):
dogtag_constants = dogtag.configured_constants(api)
kra = krainstance.KRAInstance(api.env.realm,
dogtag_constants=dogtag_constants)
if standalone:
kra.ldap_connect()
try:
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
('cn', 'masters'), ('cn', 'ipa'),
('cn', 'etc'), api.env.basedn))
except errors.NotFound:
pass
def uninstall():
dogtag_constants = dogtag.configured_constants(api=api)
kra_instance = krainstance.KRAInstance(
api.env.realm, dogtag_constants=dogtag_constants)
kra_instance.stop_tracking_certificates()
if kra_instance.is_installed():
kra_instance.uninstall()
# Check if config file exists, then update it
if os.path.exists(paths.IPA_DEFAULT_CONF):
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_kra', 'False')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
kra.stop_tracking_certificates()
if kra.is_installed():
kra.uninstall()
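Review bot: The new `api` parameter of `install_check` and `install` shadows the module-level `from ipalib import api`, which `uninstall` still uses; the replica installer passes `remote_api`, so inside `install_check` both `api.env.dogtag_version` and `api.Command.kra_is_enabled()` are evaluated against whatever object the caller supplied, not the local server. That is the point of the change but it is invisible from the signature; add a docstring to `install_check` such as `"""api may be a remote API bound to the master; the KRA check runs wherever it points."""` and state the same on `install`. In `uninstall`, `kra.ldap_connect()` is called in the standalone branch to delete the host's KRA service entry, but no disconnect follows in the hunk, and `stop_tracking_certificates()` now runs unconditionally before `is_installed()` is consulted, which is presumably harmless when nothing is tracked but worth a comment.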


@ -602,8 +602,7 @@ def install_check(installer):
if setup_kra:
try:
kra.install_check(None, options, False,
dogtag.install_constants.DOGTAG_VERSION)
kra.install_check(api, None, options)
except RuntimeError as e:
print str(e)
sys.exit(1)
@ -865,7 +864,7 @@ def install(installer):
http.restart()
if setup_kra:
kra.install(None, options, dm_password)
kra.install(api, None, options)
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
@ -1060,7 +1059,7 @@ def uninstall(installer):
ntpinstance.NTPInstance(fstore).uninstall()
kra.uninstall()
kra.uninstall(False)
ca.uninstall(dogtag_constants)


@ -379,8 +379,6 @@ def install_check(installer):
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("enable_kra=%s\n" % config.setup_kra)
fd.write("mode=production\n")
fd.close()
finally:
@ -480,6 +478,18 @@ def install_check(installer):
root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check')
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
ca.install_check(False, config, options)
if config.setup_kra:
try:
kra.install_check(remote_api, config, options)
except RuntimeError as e:
print str(e)
sys.exit(1)
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server "
"%s" % config.master_host_name)
@ -492,20 +502,6 @@ def install_check(installer):
if conn.isconnected():
conn.disconnect()
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
ca.install_check(False, config, options)
if config.setup_kra:
try:
kra.install_check(config, options, False,
dogtag.install_constants.DOGTAG_VERSION)
except RuntimeError as e:
print str(e)
sys.exit(1)
if options.setup_dns:
dns.install_check(False, True, options, config.host_name)
else:
@ -567,10 +563,11 @@ def install(installer):
if conn.isconnected():
conn.disconnect()
options.dm_password = config.dirman_password
if config.setup_ca:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
ca.install(False, config, options)
@ -591,7 +588,7 @@ def install(installer):
ds.apply_updates()
if options.setup_kra:
kra.install(config, options, config.dirman_password)
kra.install(api, config, options)
else:
service.print_msg("Restarting the directory server")
ds.restart()


@ -41,6 +41,7 @@ SERVICE_LIST = {
'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
'ADTRUST': ('smb', 60),
'EXTID': ('winbind', 70),
'OTPD': ('ipa-otpd', 80),
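Review bot: The new `'KRA'` entry resolves to the same daemon name as `'CA'` (`'%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME`), so two SERVICE_LIST keys now map to one unit; how the consumers of SERVICE_LIST treat that cannot be seen here, but if they iterate and start or stop each entry the shared instance would be acted on twice. A short comment on the line, e.g. `# KRA runs inside the same Tomcat instance as the CA; same unit, separate ordering slot`, would make the duplication deliberate rather than suspicious. `dogtag.configured_constants()` is also called a second time at import, which is cheap only if it is cached — confirm.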


@ -1909,7 +1909,7 @@ class kra(Backend):
Raises a generic exception if KRA is not enabled.
"""
if not api.env.enable_kra:
if not self.api.Command.kra_is_enabled()['result']:
# TODO: replace this with a more specific exception
raise RuntimeError('KRA service is not enabled')