author | Pavel Březina <pbrezina@redhat.com> | 2017-07-11 12:41:57 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-08-18 08:52:25 +0200 |
commit | a5f300adf19ec9c3087c62bd93a5175db799687a (patch) | |
tree | afb844609d6610e7dd4de048c264247f8f0ba3a4 /src/config | |
parent | dc5da74112bde32b0bd33d9304f7e94eb8ed2885 (diff) | |
sudo: add a threshold option to reduce size of rules refresh filter
If a large number of rules expire at one time, the LDAP filter may
become too large to be processed by the server. This commit adds a new
option "sudo_threshold" to the sudo responder. If the threshold is
exceeded, a full refresh is done instead of a rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rw-r--r-- | src/config/cfg_rules.ini | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 |
3 files changed, 3 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0e0c3be6d..de757521c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -107,6 +107,7 @@ option_strings = {
 # [sudo]
 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
+ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'),
 # [autofs]
 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 4537d0fe8..cba59d2c3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -145,6 +145,7 @@ option = cache_first
 # sudo service
 option = sudo_timed
 option = sudo_inverse_order
+option = sudo_threshold
 [rule/allowed_autofs_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ef910f0df..0d11771ae 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -79,6 +79,7 @@ pam_app_services = str, None, false
 # sudo service
 sudo_timed = bool, None, false
 sudo_inverse_order = bool, None, false
+sudo_threshold = int, None, false
 [autofs]
 # autofs service |
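Review bot: The help string added for `sudo_threshold` in option_strings gives neither the default nor the meaning of zero or a negative value, and the src/config/etc/sssd.api.conf hunk declares the option as a bare `int, None, false`, so nothing visible in these files bounds it. Since the value decides when the sudo responder gives up a targeted rules refresh in favour of a full refresh, a non-positive or very small setting would presumably force a full refresh on every expiry and load the LDAP server, while a very large one brings back the oversized filter the commit is meant to avoid. The responder code that reads the option is outside this view (the diffstat is limited to src/config), so it is worth confirming there that out-of-range values are rejected or clamped. If that matches the responder's handling, I would state the range in the string, e.g. `_('Maximum number of expired rules that can be refreshed at once; must be greater than zero. If this is exceeded, a full refresh is performed.')`. The option_strings dictionary starts and ends outside the hunk.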