authorSimo Sorce <simo@redhat.com>2016-12-02 06:48:35 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitb6741d81e187fc84177c12ef8ad900d3b5cda6a4 (patch)
tree32e5c708bb5f5c2d3552d34c881facc890ee4cf8 /ipaserver/install/httpinstance.py
parentb109f5d850ce13585d4392ca48896dc069a746e5 (diff)
Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r--ipaserver/install/httpinstance.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a4e895cb4..d07b32253 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -43,6 +43,7 @@ import ipapython.errors
from ipaserver.install import sysupgrade
from ipalib import api
from ipalib import errors
+from ipalib.constants import ANON_USER
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
from ipaplatform.paths import paths
@@ -167,6 +168,7 @@ class HTTPInstance(service.Service):
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up httpd keytab", self._request_service_keytab)
+ self.step("retrieving anonymous keytab", self.request_anon_keytab)
self.step("setting up ssl", self.__setup_ssl)
if self.ca_is_configured:
self.step("configure certmonger for renewals",
@@ -333,6 +335,17 @@ class HTTPInstance(service.Service):
os.chown(nss_path, 0, pent.pw_gid)
tasks.restore_context(nss_path)
+ def request_anon_keytab(self):
+ parent = os.path.dirname(paths.ANON_KEYTAB)
+ if not os.path.exists(parent):
+ os.makedirs(parent, 0o755)
+ self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
+
+ pent = pwd.getpwnam(self.service_user)
+ os.chmod(parent, 0o700)
+ os.chown(parent, pent.pw_uid, pent.pw_gid)
+ os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid)
+
def __setup_ssl(self):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
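Review bot: The anonymous keytab is fetched while its parent directory is still traversable by other users: `os.makedirs(parent, 0o755)` creates the directory at up to 0o755 (after umask), `run_getkeytab` then writes the keytab into it, and only afterwards is the directory tightened to 0o700, so the file is briefly exposed to anyone who can walk the path, with whatever mode ipa-getkeytab gives it (not visible here). Creating the directory restrictive from the start, `os.makedirs(parent, 0o700)`, and, if nothing but the service user needs to read it, adding `os.chmod(paths.ANON_KEYTAB, 0o600)` next to the final chown closes that window; the later `os.chmod(parent, 0o700)` should stay, since the makedirs mode is subject to umask and the directory may already exist from a previous run. The method also lacks a docstring; something like `"""Fetch a keytab for the anonymous principal into paths.ANON_KEYTAB and restrict it to self.service_user."""` would state the contract. The enclosing class continues outside the hunk, and `self.service_user` and `run_getkeytab` are defined elsewhere, so their exact semantics are assumed here.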