From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 25 Jan 2019 16:12:11 +0100 Subject: [PATCH] Add workaround for slow host/service del host-del and service-del are slow because cert revokation is implemented inefficiently. The internal cert_find() call retrieves all certificates from Dogtag. The workaround special cases service and host find without additional RA search options. A search for service and host certs limits the scope to certificate with matching subject common name. See: https://pagure.io/freeipa/issue/7835 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy
---
ipaserver/plugins/cert.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
 result = collections.OrderedDict()
 complete = bool(ra_options)
+ # workaround for RHBZ#1669012
+ # Improve performance for service and host case by also searching
+ # for subject. This limits the amount of certificate retrieved from
+ # Dogtag. The special case is only used, when no ra_options are set
+ # and exactly one service or host is supplied.
+ # The complete flag is left to False.
+ if not ra_options:
+ services = options.get('service', ())
+ hosts = options.get('host', ())
+ if len(services) == 1 and not hosts:
+ principal = kerberos.Principal(options['service'][0])
+ if principal.is_service:
+ ra_options['subject'] = principal.hostname
+ elif len(hosts) == 1 and not services:
+ ra_options['subject'] = options['host'][0]
+
 try:
 ca_enabled_check(self.api)
 except errors.NotFound:
-- 2.20.1
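Review bot: The new `ra_options['subject']` filter assumes every certificate issued to the host or service carries the host name in its subject common name, and nothing in the hunk documents or checks that assumption. The commit message says host-del and service-del reach this search in order to revoke certificates, so a certificate that names the host only in a subject alternative name, or whose profile builds a different subject, would presumably be skipped by the Dogtag query and could stay valid after the entry is deleted, unless an LDAP-side search outside this hunk still finds it. I would state the assumption next to the assignments, e.g. `# NOTE: narrows the CA search by subject CN; certs naming the host only in a SAN are not matched here`, and cover the SAN-only case with a test on the deletion path. The "complete flag is left to False" behaviour also depends on `complete = bool(ra_options)` running before the workaround mutates `ra_options`, so a short comment on that line would keep a later reorder from silently changing it. The enclosing method starts and ends outside the hunk.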