From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 25 Jan 2019 16:12:11 +0100
Subject: [PATCH] Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.
The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/cert.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
result = collections.OrderedDict()
complete = bool(ra_options)
+ # workaround for RHBZ#1669012
+ # Improve performance for service and host case by also searching
+ # for subject. This limits the amount of certificate retrieved from
+ # Dogtag. The special case is only used, when no ra_options are set
+ # and exactly one service or host is supplied.
+ # The complete flag is left to False.
+ if not ra_options:
+ services = options.get('service', ())
+ hosts = options.get('host', ())
+ if len(services) == 1 and not hosts:
+ principal = kerberos.Principal(options['service'][0])
+ if principal.is_service:
+ ra_options['subject'] = principal.hostname
+ elif len(hosts) == 1 and not services:
+ ra_options['subject'] = options['host'][0]
+
try:
ca_enabled_check(self.api)
except errors.NotFound:
--
2.20.1