On 23/03/16 07:17, Timo Aaltonen wrote:
22.03.2016, 21:10, Timo Aaltonen kirjoitti:
18.03.2016, 12:30, Timo Aaltonen kirjoitti:

Fix some hardcoded uid/gid strings to help with porting.

rebased and simplified against current master.

bah, the second patch needs to use constants.{ODS_USER,ODS_GROUP} now.


Hello, thanks for the patches. I've made a few minor changes:
- using constants.ODS_{USER,GROUP} in second patch as you've mentioned
- added ticket URL to commit messages for future reference
- rebased the first patch to ipa-4-3 branch

Now it works for me, ACK.

--
David Kupka

--
David Kupka
From f8d4597106c06bec40c8c232671e2b8e7ba55203 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Fri, 18 Mar 2016 12:22:33 +0200
Subject: [PATCH 1/3] ipaplatform: Move remaining user/group constants to
 ipaplatform.constants.

Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.

https://fedorahosted.org/freeipa/ticket/5343
---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  3 ++-
 ipaplatform/base/constants.py                     |  5 +++++
 ipaplatform/base/services.py                      | 12 -----------
 ipaplatform/redhat/services.py                    | 26 -----------------------
 ipaserver/install/bindinstance.py                 |  2 +-
 ipaserver/install/dns.py                          |  4 ++--
 ipaserver/install/dnskeysyncinstance.py           |  9 ++++----
 ipaserver/install/dogtaginstance.py               |  1 -
 ipaserver/install/httpinstance.py                 |  2 +-
 ipaserver/install/odsexporterinstance.py          |  5 +++--
 ipaserver/install/opendnssecinstance.py           | 15 +++++++------
 11 files changed, 27 insertions(+), 57 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index ea82e086ef5bade9be3b9f30ae50504c4fcd5db7..4c50c43065b365e7997f222d5e72041dfd32e034 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipapython.ipautil import kinit_keytab
+from ipaplatform.constants import constants
 import sys
 import os, pwd
 
@@ -30,7 +31,7 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                 raiseonerr=False)
     # Make sure SSSD is able to read the keytab
     try:
-        sssd = pwd.getpwnam('sssd')
+        sssd = pwd.getpwnam(constants.SSSD_USER)
         os.chown(oneway_keytab_name, sssd[2], sssd[3])
     except KeyError as e:
         # If user 'sssd' does not exist, we don't need to chown from root to sssd
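Review bot: The comment under `except KeyError` still names the account literally ('sssd'), although the lookup on the new line now goes through `constants.SSSD_USER`, so it becomes misleading on any platform that overrides the constant. Reword it along the lines of `# If the SSSD user does not exist, we don't need to chown from root to it`. While touching this block, `sssd[2], sssd[3]` would read better as `sssd.pw_uid, sssd.pw_gid`, matching the `.pw_uid` / `.gr_gid` style used in the installer modules changed by this patch. The except body continues outside the hunk; the ipa-4-3 rebase of this patch carries the same lines.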
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 52af12429d090dcc0d7eed14b76e8b651360f283..3e1c4c6f761444bf1e8d527691aa53282e46f17e 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -12,12 +12,17 @@ class BaseConstantsNamespace(object):
     DS_GROUP = 'dirsrv'
     HTTPD_USER = "apache"
     IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
+    KDCPROXY_USER = "kdcproxy"
     NAMED_USER = "named"
+    NAMED_GROUP = "named"
     PKI_USER = 'pkiuser'
     PKI_GROUP = 'pkiuser'
     # ntpd init variable used for daemon options
     NTPD_OPTS_VAR = "OPTIONS"
     # quote used for daemon options
     NTPD_OPTS_QUOTE = "\""
+    ODS_USER = "ods"
+    ODS_GROUP = "ods"
     # nfsd init variable used to enable kerberized NFS
     SECURE_NFS_VAR = "SECURE_NFS"
+    SSSD_USER = "sssd"
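Review bot: The new account constants (`KDCPROXY_USER`, `NAMED_GROUP`, `ODS_USER`, `ODS_GROUP`, `SSSD_USER`) are added without any comment, although later hunks in this patch pass them to `runas=` and to `pwd.getpwnam` / `grp.getgrnam` to resolve the uid and gid the installers work with. A short comment above them would help porters, e.g. `# service account names; a platform namespace must override these to match the accounts its packages create`. The `named` and `ods` values were previously hard-coded only in ipaplatform/redhat/services.py, so the base namespace presumably now carries the Red Hat defaults; say so if that is intended. The class body starts outside the hunk.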
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 2ec84cdb21607cb51df6ad5fcd2ae515898bee44..9c1b30c0b3c536a58627d6a12f4632dfa4be5c6a 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -181,18 +181,6 @@ class PlatformService(object):
     def get_config_dir(self, instance_name=""):
         return
 
-    def get_user_name(self, instance_name=""):
-        return
-
-    def get_group_name(self, instance_name=""):
-        return
-
-    def get_binary_path(self):
-        return
-
-    def get_package_name(self):
-        return
-
 
 class SystemdService(PlatformService):
     SYSTEMD_SRV_TARGET = "%s.target.wants"
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index ca2a9481ef46b1dc22d898a583ed0fef98e306e1..4774dbf0deb3df50e1a3284353e47b2fb0bebc75 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -247,28 +247,6 @@ class RedHatCAService(RedHatService):
             self.wait_until_running()
 
 
-class RedHatNamedService(RedHatService):
-    def get_user_name(self):
-        return u'named'
-
-    def get_group_name(self):
-        return u'named'
-
-    def get_binary_path(self):
-        return paths.NAMED_PKCS11
-
-    def get_package_name(self):
-        return u"bind-pkcs11"
-
-
-class RedHatODSEnforcerdService(RedHatService):
-    def get_user_name(self):
-        return u'ods'
-
-    def get_group_name(self):
-        return u'ods'
-
-
 # Function that constructs proper Red Hat OS family-specific server classes for
 # services of specified name
 
@@ -281,10 +259,6 @@ def redhat_service_class_factory(name):
         return RedHatSSHService(name)
     if name in ('pki-tomcatd', 'pki_tomcatd'):
         return RedHatCAService(name)
-    if name == 'named':
-        return RedHatNamedService(name)
-    if name in ('ods-enforcerd', 'ods_enforcerd'):
-        return RedHatODSEnforcerdService(name)
     return RedHatService(name)
 
 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 8254aad7db968b9e43984e0c0200f28b5f9ca13a..f8ae9734218f1aacac57583ab7c1a6e9cbbada25 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1262,4 +1262,4 @@ class BindInstance(service.Service):
             self.named_regular.start()
 
         installutils.remove_keytab(paths.NAMED_KEYTAB)
-        installutils.remove_ccache(run_as='named')
+        installutils.remove_ccache(run_as=constants.NAMED_USER)
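Review bot: `constants` is referenced on the new `remove_ccache(run_as=constants.NAMED_USER)` line, but this patch adds no `from ipaplatform.constants import constants` to bindinstance.py, unlike dnskeysyncinstance.py, odsexporterinstance.py and opendnssecinstance.py, which each get an import hunk. If the module does not already import it, this line raises NameError after `remove_keytab` has run, leaving the credential cache for the named account in place. The same applies to the `runas=constants.ODS_USER` and `suplementary_groups=[constants.NAMED_GROUP]` lines in ipaserver/install/dns.py. Please confirm both files already have the import; the ipa-4-3 rebase carries identical hunks.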
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 9a2fde29f613a3ce07b4f85f5ae2a856b806bdc8..dbeacaee804dacd102d47aa28e9600adedead884 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -231,8 +231,8 @@ def install_check(standalone, api, replica, options, hostname):
             dnskeysyncd.stop()
             try:
                 ipautil.run(cmd, env=environment,
-                            runas=ods_enforcerd.get_user_name(),
-                            suplementary_groups=[named.get_group_name()])
+                            runas=constants.ODS_USER,
+                            suplementary_groups=[constants.NAMED_GROUP])
             except CalledProcessError as e:
                 root_logger.debug("%s", e)
                 raise RuntimeError("This IPA server cannot be promoted to "
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 06387b43eaaf51385045346db16817abb207c4dd..9777d787c9720f1b3352ee0cb0f7d043a88f46ce 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -22,6 +22,7 @@ from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import sysrestore, ipautil
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipalib.constants import CACERT
@@ -142,14 +143,14 @@ class DNSKeySyncInstance(service.Service):
     def __get_named_uid(self):
         named = services.knownservices.named
         try:
-            return pwd.getpwnam(named.get_user_name()).pw_uid
+            return pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
     def __get_named_gid(self):
         named = services.knownservices.named
         try:
-            return grp.getgrnam(named.get_group_name()).gr_gid
+            return grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
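Review bot: `named = services.knownservices.named` at the top of `__get_named_uid` and `__get_named_gid` is now a dead local, since both lookups use `constants.NAMED_USER` / `constants.NAMED_GROUP`; drop the two assignments. The same leftover is visible for `ods_enforcerd = services.knownservices.ods_enforcerd` in the odsexporterinstance.py hunk and in three opendnssecinstance.py hunks, directly above the `runas=constants.ODS_USER` calls, unless those functions still use the object outside the hunk, for instance to start or stop the service. Removing them makes it obvious that the account a command runs as comes only from ipaplatform.constants. The ipa-4-3 rebase of this patch has the same lines.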
@@ -160,12 +161,12 @@ class DNSKeySyncInstance(service.Service):
         self.named_gid = self.__get_named_gid()
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index d906d05e5628decdb3cf92668e277c2213973b76..9f094d83404d8d59c871cadca325a8b8a5a0c0bc 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -45,7 +45,6 @@ from ipaserver.install import replication
 from ipaserver.install.installutils import stopped_service
 from ipapython.ipa_log_manager import log_mgr
 
-PKI_USER = constants.PKI_USER
 HTTPD_USER = constants.HTTPD_USER
 
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a2ff1ee605b5be0867a264ca000374b0c8f3a7cb..9c8b722327b214076aeffc6e127b9e00d25d7447 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -54,8 +54,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_run_ipa='on',
 )
 
-KDCPROXY_USER = 'kdcproxy'
 HTTPD_USER = constants.HTTPD_USER
+KDCPROXY_USER = constants.KDCPROXY_USER
 
 # See contrib/nsscipersuite/nssciphersuite.py
 NSS_CIPHER_SUITE = [
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 2d072cc9358266e9c6f549732bf7a56be054e2aa..3c8eb036489f022db88d5afd6b46c7b84bed9cf0 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -13,6 +13,7 @@ from ipaserver.install import installutils
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform import services
 from ipalib import errors, api
@@ -68,12 +69,12 @@ class ODSExporterInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 766799c71577fbc157ed67670503c70bff122324..6284b97e9d6fb6eb714cf2336ca783e32c800d56 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -17,6 +17,7 @@ from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap, p11helper
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipaserver.install import dnskeysyncinstance
@@ -127,22 +128,22 @@ class OpenDNSSECInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+            self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
         try:
-            self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+            self.named_gid = grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
@@ -289,7 +290,7 @@ class OpenDNSSECInstance(service.Service):
             ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
             result = ipautil.run(cmd,
-                                 runas=ods_enforcerd.get_user_name(),
+                                 runas=constants.ODS_USER,
                                  capture_output=True)
             with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
                 zonelistf.write(result.output)
@@ -305,7 +306,7 @@ class OpenDNSSECInstance(service.Service):
             ]
 
             ods_enforcerd = services.knownservices.ods_enforcerd
-            ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
+            ipautil.run(command, stdin="y", runas=constants.ODS_USER)
 
     def __setup_dnskeysyncd(self):
         # set up dnskeysyncd this is DNSSEC master
@@ -354,7 +355,7 @@ class OpenDNSSECInstance(service.Service):
             cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
             try:
                 self.print_msg("Exporting DNSSEC data before uninstallation")
-                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
+                ipautil.run(cmd, runas=constants.ODS_USER)
             except CalledProcessError:
                 root_logger.error("DNSSEC data export failed")
 
-- 
2.5.5

From ac035152c0b64a1cc2175ab2f87c2694b865b532 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Fri, 18 Mar 2016 12:22:33 +0200
Subject: [PATCH 1/3] ipaplatform: Move remaining user/group constants to
 ipaplatform.constants.

Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.

https://fedorahosted.org/freeipa/ticket/5343
---
 install/oddjob/com.redhat.idm.trust-fetch-domains |  3 ++-
 ipaplatform/base/constants.py                     |  5 +++++
 ipaplatform/base/services.py                      | 12 -----------
 ipaplatform/redhat/services.py                    | 26 -----------------------
 ipaserver/install/bindinstance.py                 |  2 +-
 ipaserver/install/dns.py                          |  4 ++--
 ipaserver/install/dnskeysyncinstance.py           |  9 ++++----
 ipaserver/install/dogtaginstance.py               |  1 -
 ipaserver/install/httpinstance.py                 |  2 +-
 ipaserver/install/odsexporterinstance.py          |  5 +++--
 ipaserver/install/opendnssecinstance.py           | 15 +++++++------
 11 files changed, 27 insertions(+), 57 deletions(-)

diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 6e8bfc6c8d589605a942518a48027ac2caa26c9e..7c70c41d57b952cf2526937fbc2a70b7806d158b 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipapython.ipautil import kinit_keytab
+from ipaplatform.constants import constants
 import sys
 import os
 import pwd
@@ -31,7 +32,7 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                 raiseonerr=False)
     # Make sure SSSD is able to read the keytab
     try:
-        sssd = pwd.getpwnam('sssd')
+        sssd = pwd.getpwnam(constants.SSSD_USER)
         os.chown(oneway_keytab_name, sssd[2], sssd[3])
     except KeyError as e:
         # If user 'sssd' does not exist, we don't need to chown from root to sssd
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 52af12429d090dcc0d7eed14b76e8b651360f283..3e1c4c6f761444bf1e8d527691aa53282e46f17e 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -12,12 +12,17 @@ class BaseConstantsNamespace(object):
     DS_GROUP = 'dirsrv'
     HTTPD_USER = "apache"
     IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
+    KDCPROXY_USER = "kdcproxy"
     NAMED_USER = "named"
+    NAMED_GROUP = "named"
     PKI_USER = 'pkiuser'
     PKI_GROUP = 'pkiuser'
     # ntpd init variable used for daemon options
     NTPD_OPTS_VAR = "OPTIONS"
     # quote used for daemon options
     NTPD_OPTS_QUOTE = "\""
+    ODS_USER = "ods"
+    ODS_GROUP = "ods"
     # nfsd init variable used to enable kerberized NFS
     SECURE_NFS_VAR = "SECURE_NFS"
+    SSSD_USER = "sssd"
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 11d0c2a838ee0c7d2fdb397df130cdf6656914f1..641a654183c52c0330cb4ece2a54c6bd0a96394c 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -181,18 +181,6 @@ class PlatformService(object):
     def get_config_dir(self, instance_name=""):
         return
 
-    def get_user_name(self, instance_name=""):
-        return
-
-    def get_group_name(self, instance_name=""):
-        return
-
-    def get_binary_path(self):
-        return
-
-    def get_package_name(self):
-        return
-
 
 class SystemdService(PlatformService):
     SYSTEMD_SRV_TARGET = "%s.target.wants"
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 3c18dbc3c1274ef3852abef5f054b4e37e6b32fa..92dae452a31a0b3680e9c407eccb120881cc9e25 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -223,28 +223,6 @@ class RedHatCAService(RedHatService):
             self.wait_until_running()
 
 
-class RedHatNamedService(RedHatService):
-    def get_user_name(self):
-        return u'named'
-
-    def get_group_name(self):
-        return u'named'
-
-    def get_binary_path(self):
-        return paths.NAMED_PKCS11
-
-    def get_package_name(self):
-        return u"bind-pkcs11"
-
-
-class RedHatODSEnforcerdService(RedHatService):
-    def get_user_name(self):
-        return u'ods'
-
-    def get_group_name(self):
-        return u'ods'
-
-
 # Function that constructs proper Red Hat OS family-specific server classes for
 # services of specified name
 
@@ -257,10 +235,6 @@ def redhat_service_class_factory(name):
         return RedHatSSHService(name)
     if name in ('pki-tomcatd', 'pki_tomcatd'):
         return RedHatCAService(name)
-    if name == 'named':
-        return RedHatNamedService(name)
-    if name in ('ods-enforcerd', 'ods_enforcerd'):
-        return RedHatODSEnforcerdService(name)
     return RedHatService(name)
 
 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index f7d5be41e303d22510e40ab7989a6f9ebdf0bcfb..0b451e5f5041339a6d2ee6b01d0bd90f3e29868d 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1260,4 +1260,4 @@ class BindInstance(service.Service):
             self.named_regular.start()
 
         installutils.remove_keytab(paths.NAMED_KEYTAB)
-        installutils.remove_ccache(run_as='named')
+        installutils.remove_ccache(run_as=constants.NAMED_USER)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 9a2fde29f613a3ce07b4f85f5ae2a856b806bdc8..dbeacaee804dacd102d47aa28e9600adedead884 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -231,8 +231,8 @@ def install_check(standalone, api, replica, options, hostname):
             dnskeysyncd.stop()
             try:
                 ipautil.run(cmd, env=environment,
-                            runas=ods_enforcerd.get_user_name(),
-                            suplementary_groups=[named.get_group_name()])
+                            runas=constants.ODS_USER,
+                            suplementary_groups=[constants.NAMED_GROUP])
             except CalledProcessError as e:
                 root_logger.debug("%s", e)
                 raise RuntimeError("This IPA server cannot be promoted to "
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 4fe566cdd08dc1dda1c93178cb04e92cd2be7d82..4888d83f845bfe611160209d9e829cdfc56956a7 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -22,6 +22,7 @@ from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import sysrestore, ipautil
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipalib.constants import CACERT
@@ -142,14 +143,14 @@ class DNSKeySyncInstance(service.Service):
     def __get_named_uid(self):
         named = services.knownservices.named
         try:
-            return pwd.getpwnam(named.get_user_name()).pw_uid
+            return pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
     def __get_named_gid(self):
         named = services.knownservices.named
         try:
-            return grp.getgrnam(named.get_group_name()).gr_gid
+            return grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
@@ -160,12 +161,12 @@ class DNSKeySyncInstance(service.Service):
         self.named_gid = self.__get_named_gid()
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index d906d05e5628decdb3cf92668e277c2213973b76..9f094d83404d8d59c871cadca325a8b8a5a0c0bc 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -45,7 +45,6 @@ from ipaserver.install import replication
 from ipaserver.install.installutils import stopped_service
 from ipapython.ipa_log_manager import log_mgr
 
-PKI_USER = constants.PKI_USER
 HTTPD_USER = constants.HTTPD_USER
 
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 54aeb8ae79eab0eab2661f52885229c09e0affaa..b0fbe6926a9e89b122ed52178dba02d3d92aacfd 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -54,8 +54,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_run_ipa='on',
 )
 
-KDCPROXY_USER = 'kdcproxy'
 HTTPD_USER = constants.HTTPD_USER
+KDCPROXY_USER = constants.KDCPROXY_USER
 
 # See contrib/nsscipersuite/nssciphersuite.py
 NSS_CIPHER_SUITE = [
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index e761ebcdeda4ffdc445d1db4c8215ca43b69551c..e9f7bf853d98237aa19aace384b8ff7021c3a85a 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -13,6 +13,7 @@ from ipaserver.install import installutils
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform import services
 from ipalib import errors, api
@@ -68,12 +69,12 @@ class ODSExporterInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 05b2013c812109e1ee7c5fb0f580c3ab863a2fc6..cfb41be4c72e2738939cb58385e1569d8df37b4d 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -15,6 +15,7 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import sysrestore, ipautil, ipaldap, p11helper
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipaserver.install import dnskeysyncinstance
@@ -125,22 +126,22 @@ class OpenDNSSECInstance(service.Service):
         ods_enforcerd = services.knownservices.ods_enforcerd
 
         try:
-            self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+            self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
         try:
-            self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+            self.named_gid = grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
         try:
-            self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+            self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
         except KeyError:
             raise RuntimeError("OpenDNSSEC UID not found")
 
         try:
-            self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+            self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("OpenDNSSEC GID not found")
 
@@ -287,7 +288,7 @@ class OpenDNSSECInstance(service.Service):
             ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
             result = ipautil.run(cmd,
-                                 runas=ods_enforcerd.get_user_name(),
+                                 runas=constants.ODS_USER,
                                  capture_output=True)
             with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
                 zonelistf.write(result.output)
@@ -303,7 +304,7 @@ class OpenDNSSECInstance(service.Service):
             ]
 
             ods_enforcerd = services.knownservices.ods_enforcerd
-            ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
+            ipautil.run(command, stdin="y", runas=constants.ODS_USER)
 
     def __setup_dnskeysyncd(self):
         # set up dnskeysyncd this is DNSSEC master
@@ -352,7 +353,7 @@ class OpenDNSSECInstance(service.Service):
             cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
             try:
                 self.print_msg("Exporting DNSSEC data before uninstallation")
-                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
+                ipautil.run(cmd, runas=constants.ODS_USER)
             except CalledProcessError:
                 root_logger.error("DNSSEC data export failed")
 
-- 
2.5.5

From e8b1fb8c7abaa9143eeaae41f43cf500dd0076c4 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Fri, 18 Mar 2016 12:25:20 +0200
Subject: [PATCH 2/3] Use ODS_USER/ODS_GROUP in opendnssec_conf.template

https://fedorahosted.org/freeipa/ticket/5343
---
 install/share/opendnssec_conf.template  | 4 ++--
 ipaserver/install/opendnssecinstance.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
index c407326b0e4a5ad38d5a5078ee34f3f7c659ed34..3d01fb4156e3bf150defac1299120a7f8cb57ad3 100644
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -28,8 +28,8 @@
 
 	<Enforcer>
 		<Privileges>
-			<User>ods</User>
-			<Group>ods</Group>
+			<User>$ODS_USER</User>
+			<Group>$ODS_GROUP</Group>
 		</Privileges>
 
 		<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index cfb41be4c72e2738939cb58385e1569d8df37b4d..f0c512ba04129d08b5874f58c7a25620f7435b2a 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -74,6 +74,8 @@ class OpenDNSSECInstance(service.Service):
             'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
             'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
             'KASP_DB': paths.OPENDNSSEC_KASP_DB,
+            'ODS_USER': constants.ODS_USER,
+            'ODS_GROUP': constants.ODS_GROUP,
         }
         self.kasp_file_dict = {}
         self.extra_config = [KEYMASTER]
-- 
2.5.5
