author | Sumit Bose <sbose@redhat.com> | 2015-07-22 15:34:32 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-27 19:01:26 +0200 |
commit | da0eef19ac7b06ef84e29d0ee1506981eafda68e (patch) | |
tree | 63abe2a2c3e2aac3e181b25aea1f47766e345874 | |
parent | 2bffccf990b08fb8ce1c72a0a5092053c8a06e12 (diff) | |
nss: use negative cache for sid-by-id requestsreview-negcache
Since requests by ID are not assigned to a specific domain SSSD might
check the ID in domains where the ID does not exist even if the ID is
already in the sysdb cache of the right domain. For requests where
a memory cache is already available, e.g. getpwuid() and getgrgid(),
this has no negative impact because the requests are answered directly
from the cache most of the time without hitting SSSD. As long as there
is no use-case which does not use the memory cache those requests do not
need an update.
But for requests like sid-by-id where currently no memory cache is
available there are quite some additional costs especially for trusted
domains.
Resolves https://fedorahosted.org/sssd/ticket/2731
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 93c9bb81d..4505f2a99 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -1087,6 +1087,7 @@ static void nss_cmd_getby_dp_callback(uint16_t err_maj, uint32_t err_min, struct cli_ctx *cctx = cmdctx->cctx; int ret; bool check_subdomains; + struct nss_ctx *nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); if (err_maj) { DEBUG(SSSDBG_OP_FAILURE, @@ -1135,8 +1136,40 @@ static void nss_cmd_getby_dp_callback(uint16_t err_maj, uint32_t err_min, * here. */ switch (dctx->cmdctx->cmd) { case SSS_NSS_GETPWUID: + ret = sss_ncache_set_uid(nctx->ncache, false, dctx->domain, + cmdctx->id); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set negative cache for UID %"PRIu32"\n", + cmdctx->id); + } + check_subdomains = true; + break; case SSS_NSS_GETGRGID: + ret = sss_ncache_set_gid(nctx->ncache, false, dctx->domain, + cmdctx->id); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set negative cache for GID %"PRIu32"\n", + cmdctx->id); + } + check_subdomains = true; + break; case SSS_NSS_GETSIDBYID: + ret = sss_ncache_set_uid(nctx->ncache, false, dctx->domain, + cmdctx->id); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set negative cache for UID %"PRIu32"\n", + cmdctx->id); + } + ret = sss_ncache_set_gid(nctx->ncache, false, dctx->domain, + cmdctx->id); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set negative cache for GID %"PRIu32"\n", + cmdctx->id); + } check_subdomains = true; break; default: 
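Review bot: The new `sss_ncache_set_uid()`/`sss_ncache_set_gid()` calls in `switch (dctx->cmdctx->cmd)` appear to sit on the path that begins at `if (err_maj)` in the previous hunk, although the lines between the two hunks are not shown, so this needs confirming. If that is the case, a transient Data Provider failure (backend offline, timeout) would record the ID as non-existent in `dctx->domain`, and the sid-by-id search changed later in this commit would skip that domain until `neg_timeout` expires even though the ID is valid. Negative entries should be written only when the provider has actually answered that the ID does not exist, so the calls belong on the no-result path of a successful lookup rather than on the error path. `nctx` comes from `talloc_get_type()`, which returns NULL on a type mismatch, and it is dereferenced here without a check. The body of `nss_cmd_getby_dp_callback` starts and ends outside the hunk.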
@@ -4358,6 +4391,28 @@ static errno_t nss_cmd_getsidby_search(struct nss_dom_ctx *dctx) if (cmdctx->cmd == SSS_NSS_GETSIDBYID) { DEBUG(SSSDBG_TRACE_FUNC, "Requesting info for [%"PRIu32"@%s]\n", cmdctx->id, dom->name); + + ret = sss_ncache_check_uid(nctx->ncache, nctx->neg_timeout, dom, + cmdctx->id); + if (ret == EEXIST) { + ret = sss_ncache_check_gid(nctx->ncache, nctx->neg_timeout, dom, + cmdctx->id); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, + "ID [%"PRIu32"] does not exist in [%s]! (negative cache)\n", + cmdctx->id, dom->name); + /* if a multidomain search, try with next, including + * sub-domains */ + if (cmdctx->check_next) { + dom = get_next_domain(dom, true); + continue; + } + /* There are no further domains. */ + ret = ENOENT; + goto done; + } + } + } else { talloc_free(name); talloc_zfree(sysdb_name); |
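Review bot: The results of `sss_ncache_check_uid()` and `sss_ncache_check_gid()` are compared only with `EEXIST`, so when execution falls out of the added block `ret` still holds whatever the last check returned, presumably a non-EOK value on a cache miss. Whether `ret` is reassigned before it is next read is not visible in this hunk and is worth confirming. It is also not obvious from the code why both checks must hit, so a comment above the first check would help, for example `/* an ID may be a UID or a GID; skip the domain only if both are negatively cached */`. `nctx` is not declared in the hunk, and the enclosing loop of `nss_cmd_getsidby_search` starts and ends outside it.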