On 2016-01-20 02:54, Fraser Tweedale wrote: > On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >> ipaplatform.constants has platform specific names for a couple of system >> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER >> and DS_GROUP are defined in other modules. Similar to #5587 the patch my >> patch moves the constants into the platform module. >> >> https://fedorahosted.org/freeipa/ticket/5619 > > I see a few remaining cases: > > ipaserver/install/dsinstance.py > 712: pent = pwd.getpwnam("dirsrv") > > ipatests/test_integration/test_backup_and_restore.py > 167: self.master.run_command(['userdel', 'dirsrv']) > 168: self.master.run_command(['userdel', 'pkiuser']) > > ipaplatform/redhat/tasks.py > 441: if name == 'pkiuser': > > When these are included, ACK.
Good catch! My new patch takes care of remaining cases.
From ed52b83274c7cb70271264c01d25d9571ed48510 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Tue, 19 Jan 2016 14:18:30 +0100 Subject: [PATCH] Move user/group constants for PKI and DS into ipaplatform https://fedorahosted.org/freeipa/ticket/5619 --- install/share/copy-schema-to-ca.py | 8 ++++---- ipaplatform/base/constants.py | 4 ++++ ipaplatform/redhat/tasks.py | 5 +++-- ipaserver/install/cainstance.py | 15 +++++++-------- ipaserver/install/dogtaginstance.py | 3 ++- ipaserver/install/dsinstance.py | 7 ++++--- ipaserver/install/ipa_backup.py | 4 ++-- ipaserver/install/ipa_restore.py | 16 +++++++++------- ipaserver/install/krainstance.py | 8 ++++---- ipaserver/install/krbinstance.py | 4 ++-- ipaserver/install/server/upgrade.py | 3 ++- ipatests/test_integration/test_backup_and_restore.py | 5 +++-- 12 files changed, 46 insertions(+), 36 deletions(-) diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 10fd3d740bb60b9506a233a6aea6c6ac98356c18..c2f070aa29b7abf1cb32c46020ae80450cfd5080 100755 --- a/install/share/copy-schema-to-ca.py +++ b/install/share/copy-schema-to-ca.py @@ -19,9 +19,9 @@ from hashlib import sha1 from ipapython import ipautil from ipapython.ipa_log_manager import root_logger, standard_logging_setup -from ipaserver.install.dsinstance import DS_USER, schema_dirname -from ipaserver.install.cainstance import PKI_USER +from ipaserver.install.dsinstance import schema_dirname from ipalib import api +from ipaplatform.constants import constants try: from ipaplatform import services @@ -52,8 +52,8 @@ def _sha1_file(filename): def add_ca_schema(): """Copy IPA schema files into the CA DS instance """ - pki_pent = pwd.getpwnam(PKI_USER) - ds_pent = pwd.getpwnam(DS_USER) + pki_pent = pwd.getpwnam(constants.PKI_USER) + ds_pent = pwd.getpwnam(constants.DS_USER) for schema_fname in SCHEMA_FILENAMES: source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname) target_fname = os.path.join(schema_dirname(SERVERID), schema_fname) diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 50f8a3ed140aca0f6573231f2a7e5b20e2169919..52af12429d090dcc0d7eed14b76e8b651360f283 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -8,9 +8,13 @@ This base platform module exports platform dependant constants. class BaseConstantsNamespace(object): + DS_USER = 'dirsrv' + DS_GROUP = 'dirsrv' HTTPD_USER = "apache" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" NAMED_USER = "named" + PKI_USER = 'pkiuser' + PKI_GROUP = 'pkiuser' # ntpd init variable used for daemon options NTPD_OPTS_VAR = "OPTIONS" # quote used for daemon options diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index a0b4060cb26bab66248c4397c24b4d58bf1bf8d6..55c840de2be0a8c8308d93c2b533ce2df9f76471 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -44,6 +44,7 @@ import ipapython.errors from ipalib import x509 # FIXME: do not import from ipalib +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform.redhat.authconfig import RedHatAuthConfig from ipaplatform.base.tasks import BaseTaskNamespace @@ -458,14 +459,14 @@ class RedHatTaskNamespace(BaseTaskNamespace): This values should be constant and may be hardcoded. Add other values for other users when needed. """ - if name == 'pkiuser': + if name == constants.PKI_USER: if uid is None: uid = 17 if gid is None: gid = 17 if comment is None: comment = 'CA System User' - if name == 'dirsrv': + if name == constants.DS_USER: if comment is None: comment = 'DS System User' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index f3c1bfa361f2627d8e95ad6cb2fa93b4dc41ee38..269d2387db8293b98ef320156690020c540f952f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -66,8 +66,7 @@ from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import service -from ipaserver.install.dogtaginstance import ( - PKI_USER, export_kra_agent_pem, DogtagInstance) +from ipaserver.install.dogtaginstance import export_kra_agent_pem, DogtagInstance from ipaserver.plugins import ldap2 # Python 3 rename. The package is available in "six.moves.http_client", but @@ -279,8 +278,8 @@ def is_ca_installed_locally(): def create_ca_user(): """Create PKI user/group if it doesn't exist yet.""" tasks.create_system_user( - name=PKI_USER, - group=PKI_USER, + name=constants.PKI_USER, + group=constants.PKI_GROUP, homedir=paths.VAR_LIB, shell=paths.NOLOGIN, ) @@ -442,7 +441,7 @@ class CAInstance(DogtagInstance): # Create an empty and secured file (cfg_fd, cfg_file) = tempfile.mkstemp() os.close(cfg_fd) - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(cfg_file, pent.pw_uid, pent.pw_gid) # Create CA configuration @@ -511,7 +510,7 @@ class CAInstance(DogtagInstance): cafile = self.pkcs12_info[0] shutil.copy(cafile, paths.TMP_CA_P12) - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid) # Security domain registration @@ -606,7 +605,7 @@ class CAInstance(DogtagInstance): 'ca.enableNonces=false') if update_result != 0: raise RuntimeError("Disabling nonces failed") - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid) def enable_pkix(self): @@ -941,7 +940,7 @@ class CAInstance(DogtagInstance): os.mkdir(publishdir) os.chmod(publishdir, 0o775) - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(publishdir, 0, pent.pw_gid) tasks.restore_context(publishdir) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 193423d7e09cec17a82d4f5da2ed6c43accf1c0c..55535a3568fb70057c9305ddc0f77ead25cb79df 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -33,6 +33,7 @@ import pki.system from ipalib import errors from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certmonger from ipapython import ipaldap @@ -44,7 +45,7 @@ from ipaserver.install import replication from ipaserver.install.installutils import stopped_service from ipapython.ipa_log_manager import log_mgr -PKI_USER = "pkiuser" +PKI_USER = constants.PKI_USER def get_security_domain(): diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 3d5734efe7ad0ed2ccf03120b8461db9f99aa318..f18d68995332eb90dba084250d9788f481200968 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -44,14 +44,15 @@ from ipalib import api from ipalib import certstore from ipalib import errors from ipalib import constants +from ipaplatform.constants import constants as platformconstants from ipaplatform.tasks import tasks from ipalib.constants import CACERT from ipapython.dn import DN from ipaplatform import services from ipaplatform.paths import paths -DS_USER = 'dirsrv' -DS_GROUP = 'dirsrv' +DS_USER = platformconstants.DS_USER +DS_GROUP = platformconstants.DS_GROUP IPA_SCHEMA_FILES = ("60kerberos.ldif", "60samba.ldif", @@ -708,7 +709,7 @@ class DsInstance(service.Service): self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict) def configure_dirsrv_ccache(self): - pent = pwd.getpwnam("dirsrv") + pent = pwd.getpwnam(platformconstants.DS_USER) ccache = paths.TMP_KRB5CC % pent.pw_uid filepath = paths.SYSCONFIG_DIRSRV if not os.path.exists(filepath): diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index d49576d7d5bf3934882cdfe570dee8635eef28b8..a0e064778ffb781ab10df1c65ced8ff7138928ff 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -32,13 +32,13 @@ from ipapython import version from ipapython.ipautil import run, write_tmp_file from ipapython import admintool from ipapython.dn import DN -from ipaserver.install.dsinstance import DS_USER from ipaserver.install.replication import wait_for_task from ipaserver.install import installutils from ipapython import ipaldap from ipalib.session import ISO8601_DATETIME_FMT from ipalib.constants import CACERT from six.moves.configparser import SafeConfigParser +from ipaplatform.constants import constants from ipaplatform.tasks import tasks """ @@ -262,7 +262,7 @@ class Backup(admintool.AdminTool): self.log.info("Preparing backup on %s", api.env.host) - pent = pwd.getpwnam(DS_USER) + pent = pwd.getpwnam(constants.DS_USER) self.top_dir = tempfile.mkdtemp("ipa") os.chown(self.top_dir, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index b223bd287f633b863315661ca27641425529cc40..b2ee6aaebd44bb82e32e6b1611caaf0d79ba73dc 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -32,14 +32,15 @@ from ipapython import version, ipautil, certdb from ipapython.ipautil import run, user_input from ipapython import admintool from ipapython.dn import DN -from ipaserver.install.dsinstance import create_ds_user, DS_USER -from ipaserver.install.cainstance import PKI_USER, create_ca_user +from ipaserver.install.dsinstance import create_ds_user +from ipaserver.install.cainstance import create_ca_user from ipaserver.install.replication import (wait_for_task, ReplicationManager, get_cs_replication_manager) from ipaserver.install import installutils from ipaserver.install import dsinstance, httpinstance, cainstance from ipapython import ipaldap import ipapython.errors +from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform import services from ipaplatform.paths import paths @@ -293,7 +294,7 @@ class Restore(admintool.AdminTool): raise admintool.ScriptError("Aborted") create_ds_user() - pent = pwd.getpwnam(DS_USER) + pent = pwd.getpwnam(constants.DS_USER) # Temporary directory for decrypting files before restoring self.top_dir = tempfile.mkdtemp("ipa") @@ -530,7 +531,7 @@ class Restore(admintool.AdminTool): srcldiffile = os.path.join(self.dir, ldifname) if not os.path.exists(ldifdir): - pent = pwd.getpwnam(DS_USER) + pent = pwd.getpwnam(constants.DS_USER) os.mkdir(ldifdir) os.chmod(ldifdir, 0o770) os.chown(ldifdir, pent.pw_uid, pent.pw_gid) @@ -755,7 +756,7 @@ class Restore(admintool.AdminTool): ] run(args) - pent = pwd.getpwnam(DS_USER) + pent = pwd.getpwnam(constants.DS_USER) os.chown(self.top_dir, pent.pw_uid, pent.pw_gid) recursive_chown(self.dir, pent.pw_uid, pent.pw_gid) @@ -781,9 +782,10 @@ class Restore(admintool.AdminTool): paths.TOMCAT_SIGNEDAUDIT_DIR] try: - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) except KeyError: - self.log.debug("No %s user exists, skipping CA directory creation" % PKI_USER) + self.log.debug("No %s user exists, skipping CA directory creation", + constants.PKI_USER) return self.log.debug('Creating log directories for dogtag') for dir in dirs: diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 6589bb54eadf9bc5017ef99cdfbf3c46dabc27c6..1343f0fe298dba2b4ad0da435becba885e32a73f 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -28,6 +28,7 @@ from six.moves.configparser import ConfigParser from ipalib import api from ipalib import x509 from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certdb from ipapython import ipautil @@ -37,8 +38,7 @@ from ipaserver.install import cainstance from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import service -from ipaserver.install.dogtaginstance import ( - PKI_USER, export_kra_agent_pem, DogtagInstance) +from ipaserver.install.dogtaginstance import export_kra_agent_pem, DogtagInstance from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import log_mgr @@ -134,7 +134,7 @@ class KRAInstance(DogtagInstance): # Create an empty and secured file (cfg_fd, cfg_file) = tempfile.mkstemp() os.close(cfg_fd) - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(cfg_file, pent.pw_uid, pent.pw_gid) # Create KRA configuration @@ -223,7 +223,7 @@ class KRAInstance(DogtagInstance): if self.clone: krafile = self.pkcs12_info[0] shutil.copy(krafile, p12_tmpfile_name) - pent = pwd.getpwnam(PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) # Security domain registration diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 31149752a1eab62ce142ac9614309a1d0a098754..9f73aab237dfc7555cf2378164c6e911dfd00918 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -36,11 +36,11 @@ from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipaserver.install import replication -from ipaserver.install import dsinstance from ipaserver.install import ldapupdate from ipaserver.install import certs from distutils import version +from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths @@ -327,7 +327,7 @@ class KrbInstance(service.Service): vardict = {"KRB5_KTNAME": paths.DS_KEYTAB} ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV, replacevars=vardict) - pent = pwd.getpwnam(dsinstance.DS_USER) + pent = pwd.getpwnam(constants.DS_USER) os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid) def __create_host_keytab(self): diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index f37a8fea504d828f9bce5a870ad0b48f154b4e88..888b5169b3394361448a733e113fc53097d6f0d3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -25,6 +25,7 @@ from ipapython import ipaldap from ipapython.ipa_log_manager import root_logger from ipapython import certmonger from ipapython.dn import DN +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaserver.install import installutils from ipaserver.install import dsinstance @@ -929,7 +930,7 @@ def copy_crl_file(old_path, new_path=None): os.symlink(realpath, new_path) else: shutil.copy2(old_path, new_path) - pent = pwd.getpwnam(cainstance.PKI_USER) + pent = pwd.getpwnam(constants.PKI_USER) os.chown(new_path, pent.pw_uid, pent.pw_gid) tasks.restore_context(new_path) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index b8abb343b027a9b61c6c2d8660ac2e926c5e70bf..ffd086bae93f95e9f04617b5fe7e656d53d292b7 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py @@ -23,6 +23,7 @@ import os import re import contextlib +from ipaplatform.constants import constants from ipapython.ipa_log_manager import log_mgr from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest @@ -164,8 +165,8 @@ class TestBackupAndRestore(IntegrationTest): '--uninstall', '-U']) - self.master.run_command(['userdel', 'dirsrv']) - self.master.run_command(['userdel', 'pkiuser']) + self.master.run_command(['userdel', constants.DS_USER]) + self.master.run_command(['userdel', constants.PKI_USER]) homedir = os.path.join(self.master.config.test_dir, 'testuser_homedir') -- 2.5.0
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
