18.03.2016, 12:30, Timo Aaltonen kirjoitti:
> 
> Fix some hardcoded user/group name strings to help with porting to other platforms.

rebased and simplified against current master.


-- 
t
From 424d3cf28f92a624b9970701a341dfa26370f616 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Fri, 18 Mar 2016 12:22:33 +0200
Subject: [PATCH] ipaplatform: Move remaining user/group constants to
 ipaplatform.constants.

Use ipaplatform.constants everywhere instead of importing other modules or calling
platform-specific service methods, and remove most of the remaining hardcoded user/group names.
---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  3 ++-
 ipaplatform/base/constants.py                     |  5 +++++
 ipaplatform/base/services.py                      | 12 -----------
 ipaplatform/redhat/services.py                    | 26 -----------------------
 ipaserver/install/bindinstance.py                 |  2 +-
 ipaserver/install/dns.py                          |  4 ++--
 ipaserver/install/dnskeysyncinstance.py           |  9 ++++----
 ipaserver/install/dogtaginstance.py               |  1 -
 ipaserver/install/httpinstance.py                 |  2 +-
 ipaserver/install/odsexporterinstance.py          |  5 +++--
 ipaserver/install/opendnssecinstance.py           | 15 +++++++------
 11 files changed, 27 insertions(+), 57 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 6e8bfc6..7c70c41 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipapython.ipautil import kinit_keytab
+from ipaplatform.constants import constants
 import sys
 import os
 import pwd
@@ -31,7 +32,7 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                 raiseonerr=False)
     # Make sure SSSD is able to read the keytab
     try:
-        sssd = pwd.getpwnam('sssd')
+        sssd = pwd.getpwnam(constants.SSSD_USER)
         os.chown(oneway_keytab_name, sssd[2], sssd[3])
     except KeyError as e:
         # If user 'sssd' does not exist, we don't need to chown from root to sssd
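Review bot: The comment on the `except KeyError` branch still hardcodes the name `'sssd'` that the line above just replaced with `constants.SSSD_USER`, so it will drift on any platform that overrides the constant. Suggest `# If the SSSD user (constants.SSSD_USER) does not exist, skip the chown; the keytab stays root-owned`. retrieve_keytab continues past the end of this hunk.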
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 52af124..3e1c4c6 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -12,12 +12,17 @@ class BaseConstantsNamespace(object):
     DS_GROUP = 'dirsrv'
     HTTPD_USER = "apache"
     IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
+    KDCPROXY_USER = "kdcproxy"
     NAMED_USER = "named"
+    NAMED_GROUP = "named"
     PKI_USER = 'pkiuser'
     PKI_GROUP = 'pkiuser'
     # ntpd init variable used for daemon options
     NTPD_OPTS_VAR = "OPTIONS"
     # quote used for daemon options
     NTPD_OPTS_QUOTE = "\""
+    ODS_USER = "ods"
+    ODS_GROUP = "ods"
     # nfsd init variable used to enable kerberized NFS
     SECURE_NFS_VAR = "SECURE_NFS"
+    SSSD_USER = "sssd"
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 11d0c2a..641a654 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -181,18 +181,6 @@ class PlatformService(object):
     def get_config_dir(self, instance_name=""):
         return
 
-    def get_user_name(self, instance_name=""):
-        return
-
-    def get_group_name(self, instance_name=""):
-        return
-
-    def get_binary_path(self):
-        return
-
-    def get_package_name(self):
-        return
-
 
 class SystemdService(PlatformService):
     SYSTEMD_SRV_TARGET = "%s.target.wants"
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 3c18dbc..92dae45 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -223,28 +223,6 @@ class RedHatCAService(RedHatService):
             self.wait_until_running()
 
 
-class RedHatNamedService(RedHatService):
-    def get_user_name(self):
-        return u'named'
-
-    def get_group_name(self):
-        return u'named'
-
-    def get_binary_path(self):
-        return paths.NAMED_PKCS11
-
-    def get_package_name(self):
-        return u"bind-pkcs11"
-
-
-class RedHatODSEnforcerdService(RedHatService):
-    def get_user_name(self):
-        return u'ods'
-
-    def get_group_name(self):
-        return u'ods'
-
-
 # Function that constructs proper Red Hat OS family-specific server classes for
 # services of specified name
 
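Review bot: Removing RedHatNamedService drops `get_binary_path()` (paths.NAMED_PKCS11) and `get_package_name()` ("bind-pkcs11") together with the user/group accessors, and nothing in the diffstat adds a replacement for those two values. Since the base-class stubs are deleted in the same commit, any caller that still asks the named service object for its binary or package name will now raise AttributeError; please grep for `get_binary_path`/`get_package_name` before merging, or move those two into paths/constants as well. The `paths` import in this module may also become unused once the class is gone.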
@@ -257,10 +235,6 @@ def redhat_service_class_factory(name):
         return RedHatSSHService(name)
     if name in ('pki-tomcatd', 'pki_tomcatd'):
         return RedHatCAService(name)
-    if name == 'named':
-        return RedHatNamedService(name)
-    if name in ('ods-enforcerd', 'ods_enforcerd'):
-        return RedHatODSEnforcerdService(name)
     return RedHatService(name)
 
 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index f7d5be4..0b451e5 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1260,4 +1260,4 @@ class BindInstance(service.Service):
             self.named_regular.start()
 
         installutils.remove_keytab(paths.NAMED_KEYTAB)
-        installutils.remove_ccache(run_as='named')
+        installutils.remove_ccache(run_as=constants.NAMED_USER)
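Review bot: `constants` is used here but this file's diffstat (2 +-) shows no import added, unlike dnskeysyncinstance.py and odsexporterinstance.py in the same series; unless bindinstance.py already has `from ipaplatform.constants import constants`, this line raises NameError on the uninstall path, which is rarely exercised in testing and would leave named's credential cache behind after the keytab has already been removed. Please confirm the import is in scope. The enclosing uninstall method starts outside the hunk.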
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 9a2fde2..dbeacae 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -231,8 +231,8 @@ def install_check(standalone, api, replica, options, hostname):
             dnskeysyncd.stop()
             try:
                 ipautil.run(cmd, env=environment,
-                            runas=ods_enforcerd.get_user_name(),
-                            suplementary_groups=[named.get_group_name()])
+                            runas=constants.ODS_USER,
+                            suplementary_groups=[constants.NAMED_GROUP])
             except CalledProcessError as e:
                 root_logger.debug("%s", e)
                 raise RuntimeError("This IPA server cannot be promoted to "
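Review bot: The `named` and `ods_enforcerd` service objects are no longer referenced by these two lines; if they were looked up only for `get_user_name()`/`get_group_name()`, the assignments above the hunk are now dead locals and should be dropped. As with bindinstance.py, the diffstat shows no import added to dns.py, so `constants` must already be in scope here — worth confirming rather than assuming. install_check starts outside the hunk.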
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 4fe566c..4888d83 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -22,6 +22,7 @@ from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import sysrestore, ipautil
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipalib.constants import CACERT
@@ -142,14 +143,14 @@ class DNSKeySyncInstance(service.Service):
     def __get_named_uid(self):
         named = services.knownservices.named
         try:
-            return pwd.getpwnam(named.get_user_name()).pw_uid
+            return pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
     def __get_named_gid(self):
         named = services.knownservices.named
         try:
-            return grp.getgrnam(named.get_group_name()).gr_gid
+            return grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
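Review bot: `named = services.knownservices.named` in both `__get_named_uid` and `__get_named_gid` is now dead — nothing after it uses `named` once the lookup goes through `constants.NAMED_USER`/`constants.NAMED_GROUP`. Drop the two assignments so each helper is just the `try`/`except`. Leave the `services` import alone, since it is likely still used elsewhere in the file.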
@@ -160,12 +161,12 @@ class DNSKeySyncInstance(service.Service):
         self.named_gid = self.__get_named_gid()
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
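Review bot: `ods_enforcerd`, assigned above this hunk, is no longer used by the two lookups here; if the method has no other reference to it, remove the assignment as well as the `named` lookup it sits next to. The method starts outside the hunk, so I can only infer this from the visible lines.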
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index d906d05..9f094d8 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -45,7 +45,6 @@ from ipaserver.install import replication
 from ipaserver.install.installutils import stopped_service
 from ipapython.ipa_log_manager import log_mgr
 
-PKI_USER = constants.PKI_USER
 HTTPD_USER = constants.HTTPD_USER
 
 
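Review bot: Deleting the module-level `PKI_USER` alias removes a public name from dogtaginstance; only one line changes in this file, so in-file uses must already be gone, but any external `from ipaserver.install.dogtaginstance import PKI_USER` or `dogtaginstance.PKI_USER` would now fail at import or attribute access. Worth a grep across ipaserver before merging; if callers exist, either keep the alias or repoint them at `constants.PKI_USER`.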
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 54aeb8a..b0fbe69 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -54,8 +54,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_run_ipa='on',
 )
 
-KDCPROXY_USER = 'kdcproxy'
 HTTPD_USER = constants.HTTPD_USER
+KDCPROXY_USER = constants.KDCPROXY_USER
 
 # See contrib/nsscipersuite/nssciphersuite.py
 NSS_CIPHER_SUITE = [
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index e761ebc..e9f7bf8 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -13,6 +13,7 @@ from ipaserver.install import installutils
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform import services
 from ipalib import errors, api
@@ -68,12 +69,12 @@ class ODSExporterInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
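Review bot: `ods_enforcerd = services.knownservices.ods_enforcerd` on the first line of this hunk is no longer used by the two lookups below it; unless it is referenced later in the method (outside the hunk) it is a dead local and should be removed. The same leftover appears in opendnssecinstance.py in this series.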
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 05b2013..cfb41be 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -15,6 +15,7 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap, p11helper
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipaserver.install import dnskeysyncinstance
@@ -125,22 +126,22 @@ class OpenDNSSECInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+            self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
         try:
-            self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+            self.named_gid = grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
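Review bot: `ods_enforcerd` (and, presumably, `named` just above the hunk) are now only looked up and never used by these four `getpwnam`/`getgrnam` calls; drop both assignments if nothing further down the method still uses them. These four blocks are also identical to the ones in dnskeysyncinstance.py and odsexporterinstance.py, so a small shared helper in installutils that resolves a (user, group) pair and raises the same RuntimeError messages would remove the triplication. The method starts outside the hunk.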
@@ -287,7 +288,7 @@ class OpenDNSSECInstance(service.Service):
             ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
             result = ipautil.run(cmd,
-                                 runas=ods_enforcerd.get_user_name(),
+                                 runas=constants.ODS_USER,
                                  capture_output=True)
             with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
                 zonelistf.write(result.output)
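Review bot: `ods_enforcerd = services.knownservices.ods_enforcerd` at the top of this hunk is dead once `runas=constants.ODS_USER` is used, unless something past the end of the hunk still references it. Removing it also avoids keeping a `services` lookup whose only purpose was the user name.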
@@ -303,7 +304,7 @@ class OpenDNSSECInstance(service.Service):
             ]
 
             ods_enforcerd = services.knownservices.ods_enforcerd
-            ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
+            ipautil.run(command, stdin="y", runas=constants.ODS_USER)
 
     def __setup_dnskeysyncd(self):
         # set up dnskeysyncd this is DNSSEC master
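Review bot: `ods_enforcerd` on the line before the `ipautil.run(command, stdin="y", ...)` call is assigned and never used within the hunk now that `runas=constants.ODS_USER` is passed; drop the assignment. The enclosing method starts outside the hunk.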
@@ -352,7 +353,7 @@ class OpenDNSSECInstance(service.Service):
             cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
             try:
                 self.print_msg("Exporting DNSSEC data before uninstallation")
-                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
+                ipautil.run(cmd, runas=constants.ODS_USER)
             except CalledProcessError:
                 root_logger.error("DNSSEC data export failed")
 
-- 
2.7.3

From 4bb77573b36be3d84eb49384c5e240565744cd4c Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Fri, 18 Mar 2016 12:25:20 +0200
Subject: [PATCH] Use ODS_USER/ODS_GROUP in opendnssec_conf.template

---
 install/share/opendnssec_conf.template  | 4 ++--
 ipaserver/install/opendnssecinstance.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
index c407326..3d01fb4 100644
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -28,8 +28,8 @@
 
 	<Enforcer>
 		<Privileges>
-			<User>ods</User>
-			<Group>ods</Group>
+			<User>$ODS_USER</User>
+			<Group>$ODS_GROUP</Group>
 		</Privileges>
 
 		<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 3cfd8a6..d7d6c11 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -78,6 +78,8 @@ class OpenDNSSECInstance(service.Service):
             'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
             'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
             'KASP_DB': paths.OPENDNSSEC_KASP_DB,
+            'ODS_USER': ODS_USER,
+            'ODS_GROUP': ODS_GROUP,
         }
         self.kasp_file_dict = {}
         self.extra_config = [KEYMASTER]
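Review bot: `ODS_USER` and `ODS_GROUP` are used as bare module-level names here, but the preceding patch imports the namespace as `constants` and uses `constants.ODS_USER`; this patch adds only these two lines to opendnssecinstance.py, so unless a module alias is defined somewhere not shown (the different base index, 3cfd8a6 vs cfb41be, hints at an intervening change), building this dict raises NameError. Use `'ODS_USER': constants.ODS_USER,` and `'ODS_GROUP': constants.ODS_GROUP,`. These values land in `<Enforcer><Privileges>` of conf.xml, i.e. the account the enforcer drops privileges to, so they should come from the same single source of truth the installer uses for its chown calls.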
-- 
2.7.3
