Couple changes in response to PR

- add skipInit option to skip authority initialization
- check admin API status when removing provisioners - no need to check
  admins when not using Admin API

authority/authority.go

@@ -78,8 +78,12 @@ type Authority struct {
 	authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
 
 	adminMutex sync.RWMutex
+
+	// Do Not initialize the authority
+	skipInit bool
 }
 
+// Info contains information about the authority.
 type Info struct {
 	StartTime          time.Time
 	RootX509Certs      []*x509.Certificate
@@ -107,25 +111,13 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 		}
 	}
 
-	// Initialize authority from options or configuration.
+	if !a.skipInit {
-	if err := a.init(); err != nil {
+		// Initialize authority from options or configuration.
-		return nil, err
+		if err := a.init(); err != nil {
-	}
-
-	return a, nil
-}
-
-// FromOptions creates an Authority exclusively using the passed in options
-// and does not initialize the Authority.
-func FromOptions(opts ...Option) (*Authority, error) {
-	var a = new(Authority)
-
-	// Apply options.
-	for _, fn := range opts {
-		if err := fn(a); err != nil {
 			return nil, err
 		}
 	}
+
 	return a, nil
 }
 
@@ -159,9 +151,11 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	// Initialize config required fields.
 	a.config.Init()
 
-	// Initialize authority from options or configuration.
+	if !a.skipInit {
-	if err := a.init(); err != nil {
+		// Initialize authority from options or configuration.
-		return nil, err
+		if err := a.init(); err != nil {
+			return nil, err
+		}
 	}
 
 	return a, nil

authority/options.go

@@ -284,6 +284,15 @@ func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option {
 	}
 }
 
+// WithSkipInit is an option that allows the constructor to skip initializtion
+// of the authority.
+func WithSkipInit() Option {
+	return func(a *Authority) error {
+		a.skipInit = true
+		return nil
+	}
+}
+
 func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
 	var block *pem.Block
 	var certs []*x509.Certificate

authority/provisioners.go

@@ -243,27 +243,29 @@ func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error {
 	}
 
 	provName, provID := p.GetName(), p.GetID()
-	// Validate
+	if a.IsAdminAPIEnabled() {
-	//  - Check that there will be SUPER_ADMINs that remain after we
+		// Validate
-	//    remove this provisioner.
+		//  - Check that there will be SUPER_ADMINs that remain after we
-	if a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
+		//    remove this provisioner.
-		return admin.NewError(admin.ErrorBadRequestType,
+		if a.IsAdminAPIEnabled() && a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
-			"cannot remove provisioner %s because no super admins will remain", provName)
+			return admin.NewError(admin.ErrorBadRequestType,
-	}
+				"cannot remove provisioner %s because no super admins will remain", provName)
+		}
 
-	// Delete all admins associated with the provisioner.
+		// Delete all admins associated with the provisioner.
-	admins, ok := a.admins.LoadByProvisioner(provName)
+		admins, ok := a.admins.LoadByProvisioner(provName)
-	if ok {
+		if ok {
-		for _, adm := range admins {
+			for _, adm := range admins {
-			if err := a.removeAdmin(ctx, adm.Id); err != nil {
+				if err := a.removeAdmin(ctx, adm.Id); err != nil {
-				return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
+					return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
+				}
 			}
 		}
 	}
 
 	// Remove provisioner from authority caches.
 	if err := a.provisioners.Remove(provID); err != nil {
-		return admin.WrapErrorISE(err, "error removing admin from authority cache")
+		return admin.WrapErrorISE(err, "error removing provisioner from authority cache")
 	}
 	// Remove provisioner from database.
 	if err := a.adminDB.DeleteProvisioner(ctx, provID); err != nil {