pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch

9991ea
From 7726ddeb7506b9b68720f55c410d7c53b7098d91 Mon Sep 17 00:00:00 2001
99b6f7
From: Martin Kosek <mkosek@redhat.com>
9991ea
Date: Fri, 29 Nov 2013 13:29:20 +0100
9991ea
Subject: [PATCH 03/10] Allow kernel keyring CCACHE when supported
99b6f7
9991ea
Server and client installer should allow kernel keyring ccache when
9991ea
supported.
99b6f7
99b6f7
https://fedorahosted.org/freeipa/ticket/4013
99b6f7
---
99b6f7
 install/share/krb5.conf.template          |  2 +-
9991ea
 ipa-client/ipa-install/ipa-client-install |  7 +++++++
9991ea
 ipapython/kernel_keyring.py               | 17 +++++++++++++++++
9991ea
 ipaserver/install/krbinstance.py          | 10 ++++++++++
9991ea
 4 files changed, 35 insertions(+), 1 deletion(-)
99b6f7
99b6f7
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
99b6f7
index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
99b6f7
--- a/install/share/krb5.conf.template
99b6f7
+++ b/install/share/krb5.conf.template
99b6f7
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
99b6f7
  rdns = false
99b6f7
  ticket_lifetime = 24h
99b6f7
  forwardable = yes
99b6f7
-
99b6f7
+$OTHER_LIBDEFAULTS
99b6f7
 [realms]
99b6f7
  $REALM = {
99b6f7
   kdc = $FQDN:88
99b6f7
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
9991ea
index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755
99b6f7
--- a/ipa-client/ipa-install/ipa-client-install
99b6f7
+++ b/ipa-client/ipa-install/ipa-client-install
99b6f7
@@ -43,6 +43,7 @@ try:
99b6f7
         run, user_input, CalledProcessError, file_exists, realm_to_suffix)
99b6f7
     import ipapython.services as ipaservices
99b6f7
     from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
99b6f7
+    from ipapython import kernel_keyring
99b6f7
     from ipapython.config import IPAOptionParser
99b6f7
     from ipalib import api, errors
99b6f7
     from ipalib import x509
9991ea
@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
99b6f7
     libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
99b6f7
     libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
99b6f7
 
99b6f7
+    # Configure KEYRING CCACHE if supported
9991ea
+    if kernel_keyring.is_persistent_keyring_supported():
9991ea
+        root_logger.debug("Enabling persistent keyring CCACHE")
99b6f7
+        libopts.append({'name':'default_ccache_name', 'type':'option',
99b6f7
+            'value':'KEYRING:persistent:%{uid}'})
99b6f7
+
99b6f7
     opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
99b6f7
     opts.append({'name':'empty', 'type':'empty'})
99b6f7
 
99b6f7
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
9991ea
index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644
99b6f7
--- a/ipapython/kernel_keyring.py
99b6f7
+++ b/ipapython/kernel_keyring.py
9991ea
@@ -17,6 +17,8 @@
9991ea
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
9991ea
 #
9991ea
 
9991ea
+import os
9991ea
+
9991ea
 from ipapython.ipautil import run
9991ea
 
9991ea
 # NOTE: Absolute path not required for keyctl since we reset the environment
9991ea
@@ -47,6 +49,21 @@ def get_real_key(key):
99b6f7
         raise ValueError('key %s not found' % key)
99b6f7
     return stdout.rstrip()
99b6f7
 
99b6f7
+def get_persistent_key(key):
99b6f7
+    (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
99b6f7
+    if rc:
99b6f7
+        raise ValueError('persistent key %s not found' % key)
99b6f7
+    return stdout.rstrip()
99b6f7
+
9991ea
+def is_persistent_keyring_supported():
9991ea
+    uid = os.geteuid()
9991ea
+    try:
9991ea
+        get_persistent_key(str(uid))
9991ea
+    except ValueError:
9991ea
+        return False
9991ea
+
9991ea
+    return True
9991ea
+
99b6f7
 def has_key(key):
99b6f7
     """
99b6f7
     Returns True/False whether the key exists in the keyring.
99b6f7
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
9991ea
index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644
99b6f7
--- a/ipaserver/install/krbinstance.py
99b6f7
+++ b/ipaserver/install/krbinstance.py
99b6f7
@@ -31,6 +31,7 @@
99b6f7
 from ipapython import sysrestore
99b6f7
 from ipapython import ipautil
99b6f7
 from ipapython import services as ipaservices
99b6f7
+from ipapython import kernel_keyring
99b6f7
 from ipalib import errors
99b6f7
 from ipapython.ipa_log_manager import *
99b6f7
 from ipapython.dn import DN
9991ea
@@ -252,6 +253,15 @@ def __setup_sub_dict(self):
99b6f7
             dr_map = ""
99b6f7
         self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
99b6f7
 
99b6f7
+        # Configure KEYRING CCACHE if supported
9991ea
+        if kernel_keyring.is_persistent_keyring_supported():
9991ea
+            root_logger.debug("Enabling persistent keyring CCACHE")
99b6f7
+            self.sub_dict['OTHER_LIBDEFAULTS'] = \
99b6f7
+                " default_ccache_name = KEYRING:persistent:%{uid}\n"
99b6f7
+        else:
9991ea
+            root_logger.debug("Persistent keyring CCACHE is not enabled")
99b6f7
+            self.sub_dict['OTHER_LIBDEFAULTS'] = ''
99b6f7
+
99b6f7
     def __configure_sasl_mappings(self):
99b6f7
         # we need to remove any existing SASL mappings in the directory as otherwise they
99b6f7
         # they may conflict.
99b6f7
-- 
99b6f7
1.8.3.1
99b6f7