Yedidyah Bar David has uploaded a new change for review.

Change subject: packaging: setup: split pki
......................................................................

packaging: setup: split pki

Change-Id: I64dd9f4eb2969f8cf1169684cfad82a3b1474f74
Signed-off-by: Yedidyah Bar David <d...@redhat.com>
---
M ovirt-engine.spec.in
M packaging/setup/ovirt_engine_setup/engine_common/constants.py
M packaging/setup/plugins/ovirt-engine-common/base/dialog/titles.py
M packaging/setup/plugins/ovirt-engine-remove/ovirt-engine/config/misc.py
A packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/__init__.py
R packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/ca.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/appmode.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/domain_type.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/options.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
A packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/engine.py
M 
packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/provisioning/postgres.py
M packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/pki.py
13 files changed, 451 insertions(+), 301 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/70/29070/1

diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in
index f99dcbd..0a1ceed 100644
--- a/ovirt-engine.spec.in
+++ b/ovirt-engine.spec.in
@@ -298,6 +298,7 @@
 Requires:      python-cheetah
 Requires:      spice-html5
 Requires:      vdsm-jsonrpc-java
+Requires:      %{name}-pki-tools >= %{version}-%{release}
 
 %if %{ovirt_install_systemd}
 Requires(post):                systemd
@@ -335,6 +336,14 @@
 
 %description backend
 The backend engine of %{ovirt_product_name_short}
+
+%package pki-tools
+Summary:       Tools for managing the %{ovirt_product_name_short} PKI
+Group:         %{ovirt_product_group}
+Requires:      openssl
+
+%description pki-tools
+Tools for managing the %{ovirt_product_name_short} PKI
 
 %package restapi
 Summary:       RESTful API for %{ovirt_product_name_short}
@@ -904,24 +913,6 @@
 
 #
 # PKI
-#
-# Most directories are owned by the engine user because
-# it needs to create files inside
-#
-%config(noreplace) %{engine_pki}/cacert.template.in
-%config(noreplace) %{engine_pki}/cert.template.in
-%config(noreplace) %{engine_pki}/openssl.conf
-%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}
-%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/certs
-%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/private
-%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/requests
-%dir %{engine_pki}/keys
-%{engine_data}/bin/pki-common.sh
-%{engine_data}/bin/pki-create-ca.sh
-%{engine_data}/bin/pki-enroll-pkcs12.sh
-%{engine_data}/bin/pki-enroll-request.sh
-%{engine_data}/bin/pki-pkcs12-extract.sh
-
 # backward compatibly (pre-3.3.0)
 # force rpm not to remove pki files
 # as these used to be %config
@@ -929,6 +920,16 @@
 %ghost %config(noreplace) %{engine_pki}/cert.template
 %ghost %config(noreplace) %{engine_pki}/database.txt
 %ghost %config(noreplace) %{engine_pki}/serial.txt
+
+%files pki-tools
+
+%dir %{engine_data}/bin
+
+%{engine_data}/bin/pki-common.sh
+%{engine_data}/bin/pki-create-ca.sh
+%{engine_data}/bin/pki-enroll-pkcs12.sh
+%{engine_data}/bin/pki-enroll-request.sh
+%{engine_data}/bin/pki-pkcs12-extract.sh
 
 %files setup-base
 
@@ -982,6 +983,21 @@
 %{engine_data}/setup/plugins/*/ovirt-engine-common/
 %{engine_data}/firewalld/ovirt-common/
 
+#
+# PKI
+#
+# Most directories are owned by the engine user because
+# it needs to create files inside
+#
+%config(noreplace) %{engine_pki}/cacert.template.in
+%config(noreplace) %{engine_pki}/cert.template.in
+%config(noreplace) %{engine_pki}/openssl.conf
+%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}
+%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/certs
+%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/private
+%dir %attr(-, %{engine_user}, %{engine_group}) %{engine_pki}/requests
+%dir %{engine_pki}/keys
+
 %files setup-plugin-websocket-proxy
 
 %{engine_data}/firewalld/websocket-proxy/
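Review bot: The `%attr(-, %{engine_user}, %{engine_group})` directories, `%{engine_pki}/private` among them, now install with `setup-base` rather than the backend package, and rpm silently falls back to root ownership (with a warning) when the named user does not exist at install time; if `setup-base` can be installed before whatever `%pre` creates `%{engine_user}` (not visible here), these directories end up root-owned and the engine user cannot create files in them, which the comment above says it must. Confirm `setup-base` depends on the package that creates the user, or state the ordering in a comment next to this block. The preceding `%files pki-tools` hunk has the mirror-image gap: the new subpackage ships only the `pki-*.sh` scripts and requires just `openssl`, while `openssl.conf`, the two `*.template.in` files and the `%{engine_pki}` tree move to `setup-base` with no dependency in either direction, so if the scripts read those files a standalone `pki-tools` install is unusable; `Requires: %{name}-setup-base >= %{version}-%{release}` on pki-tools, or packaging the config alongside the scripts, would close that. `%dir %{engine_data}/bin` is also newly claimed by pki-tools; check that its attributes match those of the other package owning that directory.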
diff --git a/packaging/setup/ovirt_engine_setup/engine_common/constants.py 
b/packaging/setup/ovirt_engine_setup/engine_common/constants.py
index a0af707..27dec74 100644
--- a/packaging/setup/ovirt_engine_setup/engine_common/constants.py
+++ b/packaging/setup/ovirt_engine_setup/engine_common/constants.py
@@ -173,6 +173,7 @@
     JBOSS_DIRECT_HTTPS_PORT = 'OVESETUP_CONFIG/jbossDirectHttpsPort'
     JBOSS_DEBUG_ADDRESS = 'OVESETUP_CONFIG/jbossDebugAddress'
     JBOSS_NEEDED = 'OVESETUP_CONFIG/jbossNeeded'
+    PKI_CA_NEEDED = 'OVESETUP_CONFIG/pkiCANeeded'
 
 
 @util.export
diff --git a/packaging/setup/plugins/ovirt-engine-common/base/dialog/titles.py 
b/packaging/setup/plugins/ovirt-engine-common/base/dialog/titles.py
index 61ba655..2b69d79 100644
--- a/packaging/setup/plugins/ovirt-engine-common/base/dialog/titles.py
+++ b/packaging/setup/plugins/ovirt-engine-common/base/dialog/titles.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git 
a/packaging/setup/plugins/ovirt-engine-remove/ovirt-engine/config/misc.py 
b/packaging/setup/plugins/ovirt-engine-remove/ovirt-engine/config/misc.py
index e04c56b..35d3483 100644
--- a/packaging/setup/plugins/ovirt-engine-remove/ovirt-engine/config/misc.py
+++ b/packaging/setup/plugins/ovirt-engine-remove/ovirt-engine/config/misc.py
@@ -101,7 +101,6 @@
                         'ca_pki',
                         'exportfs',
                         'nfs_config',
-                        'ca_pki',
                         'iso_domain',
                         'ca_config',
                         'ssl',
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/__init__.py
 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/__init__.py
new file mode 100644
index 0000000..1f68588
--- /dev/null
+++ 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/__init__.py
@@ -0,0 +1,33 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+# Copyright (C) 2013-2014 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+"""ovirt-host-setup pki plugin."""
+
+
+from otopi import util
+
+
+from . import ca
+
+
+@util.export
+def createPlugins(context):
+    ca.Plugin(context=context)
+
+
+# vim: expandtab tabstop=4 shiftwidth=4
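Review bot: The module docstring reads `ovirt-host-setup pki plugin`, but this file is the common PKI plugin of ovirt-engine-setup (the license header a few lines above names the project); `"""ovirt-engine-setup common pki plugin."""` would describe the package. Everything else in the file is the standard plugin-loader boilerplate and reads fine.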
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/ca.py
similarity index 63%
rename from packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
rename to 
packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/ca.py
index c85d71f..e80c014 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/pki/ca.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -105,15 +105,10 @@
             oenginecons.PKIEnv.ORG,
             None
         )
-
-    @plugin.event(
-        stage=plugin.Stages.STAGE_SETUP,
-        condition=lambda self: not os.path.exists(
-            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
+        self.environment.setdefault(
+            oengcommcons.ConfigEnv.PKI_CA_NEEDED,
+            False
         )
-    )
-    def _setup(self):
-        self._enabled = True
 
     @plugin.event(
         stage=plugin.Stages.STAGE_CUSTOMIZATION,
@@ -124,25 +119,19 @@
             osetupcons.Stages.CONFIG_PROTOCOLS_CUSTOMIZATION,
             oengcommcons.Stages.DIALOG_TITLES_S_PKI,
         ),
-        priority=plugin.Stages.PRIORITY_HIGH
-    )
-    def _customization_enable(self):
-        if not self.environment[oenginecons.CoreEnv.ENABLE]:
-            self._enabled = False
-
-    @plugin.event(
-        stage=plugin.Stages.STAGE_CUSTOMIZATION,
-        before=(
-            oengcommcons.Stages.DIALOG_TITLES_E_PKI,
-        ),
-        after=(
-            osetupcons.Stages.CONFIG_PROTOCOLS_CUSTOMIZATION,
-            oengcommcons.Stages.DIALOG_TITLES_S_PKI,
-        ),
-        condition=lambda self: self._enabled,
+        condition=lambda self: self.environment[
+            oengcommcons.ConfigEnv.PKI_CA_NEEDED
+        ],
     )
     def _customization(self):
-        if self._enabled:
+        if os.path.exists(
+            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
+        ):
+            self.dialog.note(
+                text=_('PKI is already configured'),
+            )
+        else:
+            self._enabled = True
             if self.environment[oenginecons.PKIEnv.ORG] is None:
                 org = 'Test'
                 if '.' in self.environment[osetupcons.ConfigEnv.FQDN]:
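Review bot: `_customization` is now gated on `self.environment[oengcommcons.ConfigEnv.PKI_CA_NEEDED]`, but that flag is set to `True` by the engine plugin's own `_customization` (engine.py in this same patch) in the same STAGE_CUSTOMIZATION window, with identical `before=`/`after=` constraints and nothing ordering the two events relative to each other. otopi evaluates `condition` at dispatch time — the removed `condition=lambda self: self._enabled` relied on exactly that, with `_customization_enable` forced ahead by `PRIORITY_HIGH` — so if this event is dispatched first the flag still holds the `False` default from `setdefault`, the CA is never requested, `_enabled` stays unset, and engine.py's `_misc` goes on to enroll against a CA that was never created. Either give the flag setters a named stage that this event lists in `after=`, or decide `PKI_CA_NEEDED` earlier (in STAGE_SETUP from file existence, as the removed `_setup` did) so customization only reads it. The method body continues past the end of the hunk.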
@@ -160,10 +149,6 @@
                     prompt=True,
                     default=org,
                 )
-        else:
-            self.dialog.note(
-                text=_('PKI is already configured'),
-            )
 
     @plugin.event(
         stage=plugin.Stages.STAGE_MISC,
@@ -172,7 +157,7 @@
     )
     def _misc(self):
         # TODO
-        # this implementaiton is not transactional
+        # this implementation is not transactional
         # too many issues with legacy ca implementation
         # need to work this out to allow transactional
         # for now just delete files if we fail
@@ -259,134 +244,13 @@
             },
         )
 
-        for name in (
-            'engine',
-            'apache',
-            'jboss',
-            'websocket-proxy',
-            'reports'
-        ):
-            self.execute(
-                (
-                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
-                    '--name=%s' % name,
-                    '--password=%s' % (
-                        self.environment[oenginecons.PKIEnv.STORE_PASS],
-                    ),
-                    '--subject=/C=%s/O=%s/CN=%s' % (
-                        self._subjectComponentEscape(
-                            self.environment[oenginecons.PKIEnv.COUNTRY],
-                        ),
-                        self._subjectComponentEscape(
-                            self.environment[oenginecons.PKIEnv.ORG],
-                        ),
-                        self._subjectComponentEscape(
-                            self.environment[osetupcons.ConfigEnv.FQDN],
-                        ),
-                    ),
-                ),
-            )
-
         uninstall_files.extend(
             (
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
                 oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                 oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
                 oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
-                (
-                    oenginecons.FileLocations.
-                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_CERT
-                ),
-                (
-                    oenginecons.FileLocations.
-                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE
-                ),
             )
         )
-
-        self.execute(
-            args=(
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
-                '--name=websocket-proxy',
-                '--passin=%s' % (
-                    self.environment[oenginecons.PKIEnv.STORE_PASS],
-                ),
-                '--key=%s' % (
-                    oenginecons.FileLocations.
-                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY,
-                ),
-            ),
-            logStreams=False,
-        )
-        uninstall_files.append(
-            oenginecons.FileLocations.
-            OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY
-        )
-
-        self.execute(
-            args=(
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
-                '--name=reports',
-                '--passin=%s' % (
-                    self.environment[oenginecons.PKIEnv.STORE_PASS],
-                ),
-                '--key=%s' % (
-                    oenginecons.FileLocations.
-                    OVIRT_ENGINE_PKI_REPORTS_KEY,
-                ),
-            ),
-            logStreams=False,
-        )
-        uninstall_files.append(
-            oenginecons.FileLocations.
-            OVIRT_ENGINE_PKI_REPORTS_KEY
-        )
-
-        self.execute(
-            args=(
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
-                '--name=apache',
-                '--passin=%s' % (
-                    self.environment[oenginecons.PKIEnv.STORE_PASS],
-                ),
-                '--key=%s' % (
-                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
-                ),
-            ),
-            logStreams=False,
-        )
-        uninstall_files.append(
-            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
-        )
-
-        if not os.path.exists(
-            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
-        ):
-            os.symlink(
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
-            )
-            uninstall_files.append(
-                oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
-            )
-
-        for f in (
-            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
-            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
-        ):
-            os.chown(
-                f,
-                osetuputil.getUid(
-                    self.environment[osetupcons.SystemEnv.USER_ENGINE]
-                ),
-                -1,
-            )
 
     @plugin.event(
         stage=plugin.Stages.STAGE_MISC,
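Review bot: The removed block enrolled `apache`, `reports` and `websocket-proxy`, extracted `OVIRT_ENGINE_PKI_APACHE_KEY`, and created the `OVIRT_ENGINE_PKI_APACHE_CA_CERT` symlink, but the new engine.py enrolls only `engine` and `jboss`, and no other file in this change re-creates the apache certificate, key or CA symlink, nor the `reports` enrollment (the websocket proxy plugin is reworked separately in this patch). Unless a separate change covers them — the commit message references none — a setup run with this patch registers the CA but leaves the httpd TLS material unprovisioned. Either carry those steps into a plugin here or name the follow-up change in the description so reviewers can check the split is complete.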
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/appmode.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/appmode.py
index 3921295..ecab4fe 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/appmode.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/appmode.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/domain_type.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/domain_type.py
index 1e9bbd7..a2207a6 100644
--- 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/domain_type.py
+++ 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/domain_type.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/options.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/options.py
index 9912d65..a631269 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/options.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/options.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
index f51d0a7..e9fffca 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,13 +22,13 @@
 from otopi import util
 
 
-from . import ca
+from . import engine
 from . import ssh
 
 
 @util.export
 def createPlugins(context):
-    ca.Plugin(context=context)
+    engine.Plugin(context=context)
     ssh.Plugin(context=context)
 
 
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/engine.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/engine.py
new file mode 100644
index 0000000..9f372d9
--- /dev/null
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/engine.py
@@ -0,0 +1,169 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+# Copyright (C) 2013-2014 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+"""CA plugin."""
+
+
+import os
+import re
+import random
+import gettext
+_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup')
+
+
+from M2Crypto import X509
+
+
+from otopi import util
+from otopi import plugin
+
+
+from ovirt_engine import util as outil
+
+
+from ovirt_engine_setup import constants as osetupcons
+from ovirt_engine_setup.engine import constants as oenginecons
+from ovirt_engine_setup.engine_common \
+    import constants as oengcommcons
+from ovirt_engine_setup.engine import vdcoption
+from ovirt_engine_setup import util as osetuputil
+
+
+@util.export
+class Plugin(plugin.PluginBase):
+    """CA plugin."""
+
+    def _subjectComponentEscape(self, s):
+        return outil.escape(s, '/\\')
+
+    def __init__(self, context):
+        super(Plugin, self).__init__(context=context)
+        self._enabled = False
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_CUSTOMIZATION,
+        before=(
+            oengcommcons.Stages.DIALOG_TITLES_E_PKI,
+        ),
+        after=(
+            osetupcons.Stages.CONFIG_PROTOCOLS_CUSTOMIZATION,
+            oengcommcons.Stages.DIALOG_TITLES_S_PKI,
+        ),
+        condition=lambda self: (
+            self.environment[oenginecons.CoreEnv.ENABLE] and
+            not os.path.exists(
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE
+            )
+        ),
+    )
+    def _customization(self):
+        self._enabled = True
+        self.environment[oengcommcons.ConfigEnv.PKI_CA_NEEDED] = True
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
+        after=(
+            oenginecons.Stages.CA_AVAILABLE,
+        ),
+        condition=lambda self: self._enabled,
+    )
+    def _misc(self):
+        # TODO
+        # this implementation is not transactional
+        # too many issues with legacy ca implementation
+        # need to work this out to allow transactional
+        # for now just delete files if we fail
+        uninstall_files = []
+        self.environment[
+            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
+        ].createGroup(
+            group='ca_pki_engine',
+            description='Engine PKI keys',
+            optional=True,
+        ).addFiles(
+            group='ca_pki_engine',
+            fileList=uninstall_files,
+        )
+
+        for name in ('engine', 'jboss'):
+            self.execute(
+                (
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
+                    '--name=%s' % name,
+                    '--password=%s' % (
+                        self.environment[oenginecons.PKIEnv.STORE_PASS],
+                    ),
+                    '--subject=/C=%s/O=%s/CN=%s' % (
+                        self._subjectComponentEscape(
+                            self.environment[oenginecons.PKIEnv.COUNTRY],
+                        ),
+                        self._subjectComponentEscape(
+                            self.environment[oenginecons.PKIEnv.ORG],
+                        ),
+                        self._subjectComponentEscape(
+                            self.environment[osetupcons.ConfigEnv.FQDN],
+                        ),
+                    ),
+                ),
+            )
+
+        uninstall_files.extend(
+            (
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
+            )
+        )
+
+        for f in (
+            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
+            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
+        ):
+            os.chown(
+                f,
+                osetuputil.getUid(
+                    self.environment[osetupcons.SystemEnv.USER_ENGINE]
+                ),
+                -1,
+            )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
+        after=(
+            oengcommcons.Stages.DB_CONNECTION_AVAILABLE,
+        ),
+        condition=lambda self: self._enabled,
+    )
+    def miscOptions(self):
+        vdcoption.VdcOption(
+            statement=self.environment[oenginecons.EngineDBEnv.STATEMENT]
+        ).updateVdcOptions(
+            options=(
+                {
+                    'name': 'OrganizationName',
+                    'value': self.environment[
+                        oenginecons.PKIEnv.ORG
+                    ],
+                },
+            ),
+        )
+
+
+# vim: expandtab tabstop=4 shiftwidth=4
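Review bot: The enrollment loop in `_misc` hands the keystore password to `OVIRT_ENGINE_PKI_CA_ENROLL` as `'--password=%s'` on the command line, where it is readable by other local users via the process list for the duration of the call and is recorded wherever `execute` logs its arguments; this is inherited from ca.py rather than introduced here, but since the code is being moved it is the natural point to switch to passing it over stdin or an environment variable, if the script can accept one. `re`, `random`, `X509` and the `_` translation lambda are imported but never used in this file — leftovers from the copy; drop them. The module and class docstrings still read `"""CA plugin."""` although the CA logic stays in ca.py; `"""Engine PKI plugin."""` would describe what this file does (enroll the engine and jboss keystores and record the organization name).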
diff --git 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/provisioning/postgres.py
 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/provisioning/postgres.py
index 274ccc0..25b6d86 100644
--- 
a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/provisioning/postgres.py
+++ 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/provisioning/postgres.py
@@ -1,6 +1,6 @@
 #
 # ovirt-engine-setup -- ovirt engine setup
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013-2014 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/pki.py 
b/packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/pki.py
index e3b3af8..5b374cd 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/pki.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/websocket_proxy/pki.py
@@ -39,6 +39,9 @@
 from otopi import plugin
 
 
+from ovirt_engine import util as outil
+
+
 from ovirt_engine_setup import constants as osetupcons
 from ovirt_engine_setup.websocket_proxy import constants as owspcons
 
@@ -61,6 +64,9 @@
         req.set_pubkey(evp)
         req.sign(evp, 'sha1')
         return rsapem, req.as_pem()
+
+    def _subjectComponentEscape(self, s):
+        return outil.escape(s, '/\\')
 
     def __init__(self, context):
         super(Plugin, self).__init__(context=context)
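Review bot: `_subjectComponentEscape` is a one-line wrapper around `outil.escape(s, '/\\')` that this patch also adds verbatim to engine.py's Plugin, so two identical copies now have to be kept in step; a single shared helper in the setup util module, or calling `outil.escape` directly at the use site, would avoid that. If the escaping rule is meant to be the contract for every subject component built by setup plugins, a one-line comment on the shared version saying which characters it escapes and why (`/` and `\` are separators in the openssl subject string) would help the next caller.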
@@ -104,6 +110,17 @@
         ),
     )
     def _misc_pki(self):
+        uninstall_files = []
+        self.environment[
+            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
+        ].createGroup(
+            group='ca_pki_wsp',
+            description='WebSocket Proxy PKI keys',
+            optional=True,
+        ).addFiles(
+            group='ca_pki_wsp',
+            fileList=uninstall_files,
+        )
 
         self._need_cert = not os.path.exists(
             owspcons.FileLocations.
@@ -120,139 +137,190 @@
             OVIRT_ENGINE_PKI_ENGINE_CERT
         )
 
-        if self._need_key:
-            wspkey, req = self._genReq()
-
-            self.dialog.displayMultiString(
-                name=owspcons.Displays.CERTIFICATE_REQUEST,
-                value=req.splitlines(),
-                note=_(
-                    '\n\nPlease issue WebSocket Proxy certificate based '
-                    'on this certificate request\n\n'
-                ),
-            )
-            self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
-                filetransaction.FileTransaction(
-                    name=owspcons.FileLocations.
-                    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_KEY,
-                    mode=0o600,
-                    owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
-                    enforcePermissions=True,
-                    content=wspkey,
-                    modifiedList=self.environment[
-                        otopicons.CoreEnv.MODIFIED_FILES
-                    ],
-                )
-            )
-
-        if self._need_cert:
-            self.dialog.note(
-                text=_(
-                    "Enroll SSL certificate for the websocket proxy service.\n"
-                    "It can be done using engine internal CA, if no 3rd "
-                    "party CA is available, with this sequence:\n"
-
-                    "1. Copy and save certificate request at\n"
-                    "    /etc/pki/ovirt-engine/requests/{name}.req\n"
-                    "on the engine server\n\n"
-                    "2. execute, on the engine host, this command "
-                    "to enroll the cert:\n"
-                    " /usr/share/ovirt-engine/bin/pki-enroll-request.sh \\\n"
-                    "     --name={name} \\\n"
-                    "     --subject=\"/C=<country>/O=<organization>/"
-                    "CN={fqdn}\"\n"
-                    "Substitute <country>, <organization> to suite your "
-                    "environment\n"
-                    "(i.e. the values must match values in the "
-                    "certificate authority of your engine)\n\n"
-
-                    "3. Certificate will be available at\n"
-                    "    /etc/pki/ovirt-engine/certs/{name}.cer\n"
-                    "on the engine host, please copy that content here "
-                    "when required\n"
-                ).format(
-                    fqdn=self.environment[osetupcons.ConfigEnv.FQDN],
-                    name=owspcons.Const.WEBSOCKET_PROXY_CERT_NAME,
+        if (
+            (self._need_cert or self._need_key) and
+            not self._on_separate_h
+        ):
+            self.execute(
+                (
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
+                    '--name=%s' % owspcons.Const.WEBSOCKET_PROXY_CERT_NAME,
+                    '--password=%s' % (
+                        self.environment[oenginecons.PKIEnv.STORE_PASS],
+                    ),
+                    '--subject=/C=%s/O=%s/CN=%s' % (
+                        self._subjectComponentEscape(
+                            self.environment[oenginecons.PKIEnv.COUNTRY],
+                        ),
+                        self._subjectComponentEscape(
+                            self.environment[oenginecons.PKIEnv.ORG],
+                        ),
+                        self._subjectComponentEscape(
+                            self.environment[osetupcons.ConfigEnv.FQDN],
+                        ),
+                    ),
                 ),
             )
 
-            if self.environment[
-                owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
-            ] is None:
-                self.environment[
-                    owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
-                ] = self.dialog.queryMultiString(
-                    name=owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN,
-                    note=_(
-                        '\n\nPlease input WSP certificate chain that '
-                        'matches certificate request, (issuer is not '
-                        'mandatory, from intermediate and upper)\n\n'
+            uninstall_files.extend(
+                (
+                    (
+                        oenginecons.FileLocations.
+                        OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_CERT
                     ),
-                )
-            self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
-                filetransaction.FileTransaction(
-                    name=owspcons.FileLocations.
-                    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_CERT,
-                    mode=0o600,
-                    owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
-                    enforcePermissions=True,
-                    content=self.environment[
-                        owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
-                    ],
-                    modifiedList=self.environment[
-                        otopicons.CoreEnv.MODIFIED_FILES
-                    ],
+                    (
+                        oenginecons.FileLocations.
+                        OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE
+                    ),
                 )
             )
 
-        if self._on_separate_h:
-            self.logger.debug('Acquiring engine.crt from the engine')
-            while not self.environment[
-                owspcons.ConfigEnv.REMOTE_ENGINE_CER
-            ]:
-                remote_engine_host = self.dialog.queryString(
-                    name='REMOTE_ENGINE_HOST',
-                    note=_(
-                        'Please provide the FQDN or IP '
-                        'of the remote engine host: '
+            self.execute(
+                args=(
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
+                    '--name=websocket-proxy',
+                    '--passin=%s' % (
+                        self.environment[oenginecons.PKIEnv.STORE_PASS],
                     ),
-                    prompt=True,
-                )
+                    '--key=%s' % (
+                        oenginecons.FileLocations.
+                        OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY,
+                    ),
+                ),
+                logStreams=False,
+            )
+            uninstall_files.append(
+                oenginecons.FileLocations.
+                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY
+            )
+        else:
+            if self._need_key:
+                wspkey, req = self._genReq()
 
-                with contextlib.closing(
-                    urllib2.urlopen(
-                        'http://{engine_fqdn}/ovirt-engine/services/'
-                        'pki-resource?resource=engine-certificate&'
-                        'format=X509-PEM'.format(
-                            engine_fqdn=remote_engine_host
-                        )
+                self.dialog.displayMultiString(
+                    name=owspcons.Displays.CERTIFICATE_REQUEST,
+                    value=req.splitlines(),
+                    note=_(
+                        '\n\nPlease issue WebSocket Proxy certificate based '
+                        'on this certificate request\n\n'
+                    ),
+                )
+                self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
+                    filetransaction.FileTransaction(
+                        name=owspcons.FileLocations.
+                        OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_KEY,
+                        mode=0o600,
+                        
owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
+                        enforcePermissions=True,
+                        content=wspkey,
+                        modifiedList=uninstall_files,
                     )
-                ) as urlObj:
-                    engine_cer = urlObj.read()
-                    if engine_cer:
-                        self.environment[
-                            owspcons.ConfigEnv.REMOTE_ENGINE_CER
-                        ] = engine_cer
-
-            self.environment[
-                otopicons.CoreEnv.MAIN_TRANSACTION
-            ].append(
-                filetransaction.FileTransaction(
-                    name=owspcons.FileLocations.
-                    OVIRT_ENGINE_PKI_ENGINE_CERT,
-                    mode=0o600,
-                    owner=self.environment[
-                        osetupcons.SystemEnv.USER_ENGINE
-                    ],
-                    enforcePermissions=True,
-                    content=self.environment[
-                        owspcons.ConfigEnv.REMOTE_ENGINE_CER
-                    ],
-                    modifiedList=self.environment[
-                        otopicons.CoreEnv.MODIFIED_FILES
-                    ],
                 )
-            )
+
+            if self._need_cert:
+                self.dialog.note(
+                    text=_(
+                        "Enroll SSL certificate for the websocket proxy 
service.\n"
+                        "It can be done using engine internal CA, if no 3rd "
+                        "party CA is available, with this sequence:\n"
+
+                        "1. Copy and save certificate request at\n"
+                        "    /etc/pki/ovirt-engine/requests/{name}.req\n"
+                        "on the engine server\n\n"
+                        "2. execute, on the engine host, this command "
+                        "to enroll the cert:\n"
+                        " /usr/share/ovirt-engine/bin/pki-enroll-request.sh 
\\\n"
+                        "     --name={name} \\\n"
+                        "     --subject=\"/C=<country>/O=<organization>/"
+                        "CN={fqdn}\"\n"
+                        "Substitute <country>, <organization> to suite your "
+                        "environment\n"
+                        "(i.e. the values must match values in the "
+                        "certificate authority of your engine)\n\n"
+
+                        "3. Certificate will be available at\n"
+                        "    /etc/pki/ovirt-engine/certs/{name}.cer\n"
+                        "on the engine host, please copy that content here "
+                        "when required\n"
+                    ).format(
+                        fqdn=self.environment[osetupcons.ConfigEnv.FQDN],
+                        name=owspcons.Const.WEBSOCKET_PROXY_CERT_NAME,
+                    ),
+                )
+
+                if self.environment[
+                    owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
+                ] is None:
+                    self.environment[
+                        owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
+                    ] = self.dialog.queryMultiString(
+                        name=owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN,
+                        note=_(
+                            '\n\nPlease input WSP certificate chain that '
+                            'matches certificate request, (issuer is not '
+                            'mandatory, from intermediate and upper)\n\n'
+                        ),
+                    )
+                self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
+                    filetransaction.FileTransaction(
+                        name=owspcons.FileLocations.
+                        OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_CERT,
+                        mode=0o600,
+                        
owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
+                        enforcePermissions=True,
+                        content=self.environment[
+                            owspcons.ConfigEnv.WSP_CERTIFICATE_CHAIN
+                        ],
+                        modifiedList=uninstall_files,
+                    )
+                )
+
+            if self._on_separate_h:
+                self.logger.debug('Acquiring engine.crt from the engine')
+                while not self.environment[
+                    owspcons.ConfigEnv.REMOTE_ENGINE_CER
+                ]:
+                    remote_engine_host = self.dialog.queryString(
+                        name='REMOTE_ENGINE_HOST',
+                        note=_(
+                            'Please provide the FQDN or IP '
+                            'of the remote engine host: '
+                        ),
+                        prompt=True,
+                    )
+
+                    with contextlib.closing(
+                        urllib2.urlopen(
+                            'http://{engine_fqdn}/ovirt-engine/services/'
+                            'pki-resource?resource=engine-certificate&'
+                            'format=X509-PEM'.format(
+                                engine_fqdn=remote_engine_host
+                            )
+                        )
+                    ) as urlObj:
+                        engine_cer = urlObj.read()
+                        if engine_cer:
+                            self.environment[
+                                owspcons.ConfigEnv.REMOTE_ENGINE_CER
+                            ] = engine_cer
+
+                self.environment[
+                    otopicons.CoreEnv.MAIN_TRANSACTION
+                ].append(
+                    filetransaction.FileTransaction(
+                        name=owspcons.FileLocations.
+                        OVIRT_ENGINE_PKI_ENGINE_CERT,
+                        mode=0o600,
+                        owner=self.environment[
+                            osetupcons.SystemEnv.USER_ENGINE
+                        ],
+                        enforcePermissions=True,
+                        content=self.environment[
+                            owspcons.ConfigEnv.REMOTE_ENGINE_CER
+                        ],
+                        modifiedList=uninstall_files,
+                    )
+                )
 
 
 # vim: expandtab tabstop=4 shiftwidth=4
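Review bot: The enroll call at the top of the non-separate-host branch puts the PKI store password on the command line (`'--password=%s' % (self.environment[oenginecons.PKIEnv.STORE_PASS],)`), where it is readable by every local user through `ps` or `/proc/<pid>/cmdline` for the duration of the call and, if otopi's `execute` records its arguments at debug level, also lands in the setup log; the pkcs12-extract call a few lines below passes the same secret the same way but at least sets `logStreams=False`, which the enroll call does not. Prefer feeding the password through stdin or the environment where the script supports it, and set `logStreams=False` on both calls so the two are handled consistently. The extract call also hard-codes `'--name=websocket-proxy'` while the enroll call uses `owspcons.Const.WEBSOCKET_PROXY_CERT_NAME`; using the constant in both keeps the enrolled name and the extracted name from drifting apart. The private key the extract tool writes to `OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY` gets none of the `mode=0o600`/`owner=USER_ENGINE` handling the `FileTransaction` path applies in the `else` branch, so either the tool guarantees restrictive permissions or a chmod/chown is missing here — worth confirming. `_misc_pki` starts in the previous hunk.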


-- 
To view, visit http://gerrit.ovirt.org/29070
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I64dd9f4eb2969f8cf1169684cfad82a3b1474f74
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yedidyah Bar David <d...@redhat.com>