authorPavel Březina <pbrezina@redhat.com>2017-07-11 12:41:57 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2017-08-18 08:52:25 +0200
commita5f300adf19ec9c3087c62bd93a5175db799687a (patch)
treeafb844609d6610e7dd4de048c264247f8f0ba3a4 /src/config
parentdc5da74112bde32b0bd33d9304f7e94eb8ed2885 (diff)
sudo: add a threshold option to reduce size of rules refresh filter
If a large number of rules is expired at one time the ldap filter may become too large to be processed by the server. This commit adds a new option "sudo_threshold" to the sudo responder. If the threshold is exceeded a full refresh is done instead of a rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/cfg_rules.ini1
-rw-r--r--src/config/etc/sssd.api.conf1
3 files changed, 3 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0e0c3be6d..de757521c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -107,6 +107,7 @@ option_strings = {
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
+ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'),
# [autofs]
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
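Review bot: The help string added for `'sudo_threshold'` does not say that the count is of expired rules, nor what the default is or what a value of 0 means, so an administrator cannot tell from this text which setting trades a large LDAP filter for a more expensive full refresh. The commit message already gives the wording; something like `_('Maximum number of expired rules that can be refreshed at once. If this is exceeded, a full refresh is performed instead.')` would match it, with the default added once it is confirmed against the responder code (not part of this diff, which is limited to src/config). The `option_strings` dict starts and ends outside the hunk.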
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 4537d0fe8..cba59d2c3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -145,6 +145,7 @@ option = cache_first
# sudo service
option = sudo_timed
option = sudo_inverse_order
+option = sudo_threshold
[rule/allowed_autofs_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ef910f0df..0d11771ae 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -79,6 +79,7 @@ pam_app_services = str, None, false
# sudo service
sudo_timed = bool, None, false
sudo_inverse_order = bool, None, false
+sudo_threshold = int, None, false
[autofs]
# autofs service
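Review bot: The added `sudo_threshold = int, None, false` declares a bare int with no default in the schema, so zero and negative values pass configuration validation here, and how they are treated depends on the sudo responder, which is outside this diff. This matters because the option gates load on the LDAP server: a very small value would presumably turn every burst of expired rules into a full refresh, and a very large one brings back the oversized filter the commit is meant to avoid. I would confirm that the consumer rejects or clamps non-positive values, and add a line above the entry such as `# max expired rules per rules refresh; above this a full refresh is done`. The `[sudo]` section starts outside the hunk.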