rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0060-Add-workaround-for-slow-host-service-del.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   e50ee6a59dd5f530b41c9822a525d6de7db2dd9d
  2.   SOURCES
  3.   0060-Add-workaround-for-slow-host-service-del.patch
Blob History Raw
760a2f 
From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001
760a2f 
From: Christian Heimes <cheimes@redhat.com>
760a2f 
Date: Fri, 25 Jan 2019 16:12:11 +0100
760a2f 
Subject: [PATCH] Add workaround for slow host/service del
760a2f
760a2f 
host-del and service-del are slow because cert revokation is implemented
760a2f 
inefficiently. The internal cert_find() call retrieves all certificates
760a2f 
from Dogtag.
760a2f
760a2f 
The workaround special cases service and host find without additional RA
760a2f 
search options. A search for service and host certs limits the scope to
760a2f 
certificate with matching subject common name.
760a2f
760a2f 
See: https://pagure.io/freeipa/issue/7835
760a2f 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
760a2f 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
760a2f 
---
760a2f 
 ipaserver/plugins/cert.py | 16 ++++++++++++++++
760a2f 
 1 file changed, 16 insertions(+)
760a2f
760a2f 
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
760a2f 
index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
760a2f 
--- a/ipaserver/plugins/cert.py
760a2f 
+++ b/ipaserver/plugins/cert.py
760a2f 
@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
760a2f 
         result = collections.OrderedDict()
760a2f 
         complete = bool(ra_options)
760a2f
760a2f 
+        # workaround for RHBZ#1669012
760a2f 
+        # Improve performance for service and host case by also searching
760a2f 
+        # for subject. This limits the amount of certificate retrieved from
760a2f 
+        # Dogtag. The special case is only used, when no ra_options are set
760a2f 
+        # and exactly one service or host is supplied.
760a2f 
+        # The complete flag is left to False.
760a2f 
+        if not ra_options:
760a2f 
+            services = options.get('service', ())
760a2f 
+            hosts = options.get('host', ())
760a2f 
+            if len(services) == 1 and not hosts:
760a2f 
+                principal = kerberos.Principal(options['service'][0])
760a2f 
+                if principal.is_service:
760a2f 
+                    ra_options['subject'] = principal.hostname
760a2f 
+            elif len(hosts) == 1 and not services:
760a2f 
+                ra_options['subject'] = options['host'][0]
760a2f 
+
760a2f 
         try:
760a2f 
             ca_enabled_check(self.api)
760a2f 
         except errors.NotFound:
760a2f 
--
760a2f 
2.20.1
760a2f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation