author | Jakub Hrozek <jhrozek@redhat.com> | 2017-05-30 12:51:19 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-09-01 20:26:04 +0200 |
commit | 4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9 (patch) | |
tree | 2301c7fa1a6d16428a46a1833ddbabde140076ba /src/responder | |
parent | 7a162ca3ea0bf8ef6b13795a00baa28d17f6131d (diff) | |
SECRETS: Read the quotas for cn=secrets from [secrets/secrets] configuration subsection
This patch obsoletes the old way of configuring quotas for the
secrets responder. Instead, it adds a way of configuring each hive
separately in a configuration subsection, e.g.
[secrets/secrets]
max_secrets = 123
The old way is still supported as a backwards-compatible method.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/secrets/secsrv.c | 133 |
1 files changed, 110 insertions, 23 deletions
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index e3a8c1476..db12cbbc3 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -33,54 +33,141 @@ #define DEFAULT_SEC_MAX_SECRETS 1024 #define DEFAULT_SEC_MAX_PAYLOAD_SIZE 16 -static int sec_get_config(struct sec_ctx *sctx) +static int sec_get_quota(struct sec_ctx *sctx, + const char *section_config_path, + int default_max_containers_nest_level, + int default_max_num_secrets, + int default_max_payload, + struct sec_quota *quota) { int ret; ret = confdb_get_int(sctx->rctx->cdb, - sctx->rctx->confdb_service_path, - CONFDB_SERVICE_FD_LIMIT, - DEFAULT_SEC_FD_LIMIT, - &sctx->fd_limit); + section_config_path, + CONFDB_SEC_CONTAINERS_NEST_LEVEL, + default_max_containers_nest_level, + "a->containers_nest_level); + if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get file descriptors limit\n"); - goto fail; + "Failed to get container nesting level for %s\n", + section_config_path); + return ret; } ret = confdb_get_int(sctx->rctx->cdb, - sctx->rctx->confdb_service_path, - CONFDB_SEC_CONTAINERS_NEST_LEVEL, - DEFAULT_SEC_CONTAINERS_NEST_LEVEL, - &sctx->sec_config.quota.containers_nest_level); + section_config_path, + CONFDB_SEC_MAX_SECRETS, + default_max_num_secrets, + "a->max_secrets); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get containers' maximum depth\n"); - goto fail; + "Failed to get maximum number of entries for %s\n", + section_config_path); + return ret; } ret = confdb_get_int(sctx->rctx->cdb, - sctx->rctx->confdb_service_path, - CONFDB_SEC_MAX_SECRETS, - DEFAULT_SEC_MAX_SECRETS, - &sctx->sec_config.quota.max_secrets); + section_config_path, + CONFDB_SEC_MAX_PAYLOAD_SIZE, + default_max_payload, + "a->max_payload_size); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get maximum number of entries\n"); - goto fail; + "Failed to get payload's maximum size for an entry in %s\n", + section_config_path); + return ret; + } + + return EOK; +} + +static int sec_get_hive_config(struct sec_ctx *sctx, + const char *hive_name, + struct sec_hive_config *hive_config, + int default_max_containers_nest_level, + int 
default_max_num_secrets, + int default_max_payload) +{ + int ret; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(sctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + hive_config->confdb_section = talloc_asprintf(sctx, + "config/secrets/%s", + hive_name); + if (hive_config->confdb_section == NULL) { + ret = ENOMEM; + goto done; } + ret = sec_get_quota(sctx, + hive_config->confdb_section, + default_max_containers_nest_level, + default_max_num_secrets, + default_max_payload, + &hive_config->quota); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read quota settings for %s [%d]: %s\n", + hive_name, ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int sec_get_config(struct sec_ctx *sctx) +{ + int ret; + ret = confdb_get_int(sctx->rctx->cdb, sctx->rctx->confdb_service_path, - CONFDB_SEC_MAX_PAYLOAD_SIZE, - DEFAULT_SEC_MAX_PAYLOAD_SIZE, - &sctx->sec_config.quota.max_payload_size); + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_SEC_FD_LIMIT, + &sctx->fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get file descriptors limit\n"); + goto fail; + } + + /* Read the global quota first -- this should be removed in a future release */ + /* Note that this sets the defaults for the sec_config quota to be used + * in sec_get_hive_config() + */ + ret = sec_get_quota(sctx, + sctx->rctx->confdb_service_path, + DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + DEFAULT_SEC_MAX_SECRETS, + DEFAULT_SEC_MAX_PAYLOAD_SIZE, + &sctx->sec_config.quota); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get legacy global quotas\n"); + goto fail; + } + /* Read the per-hive configuration */ + ret = sec_get_hive_config(sctx, + "secrets", + &sctx->sec_config, + sctx->sec_config.quota.containers_nest_level, + sctx->sec_config.quota.max_secrets, + sctx->sec_config.quota.max_payload_size); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get payload's maximum size for an entry\n"); + "Failed to get 
configuration of the secrets hive\n"); goto fail; } |
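Review bot: The quota values that sec_get_quota() stores are never range-checked, so a negative `max_secrets`, `max_payload_size` or `containers_nest_level` in either the legacy `[secrets]` section or the new `[secrets/secrets]` section is accepted silently; these are the limits that protect the responder from resource exhaustion, and the fields are plain `int`s (they are the targets of confdb_get_int()), so what a negative value does depends on how the enforcement code compares them, which is outside this hunk. I would reject negative values at the end of sec_get_quota() before it returns EOK, as below, so a misconfiguration fails loudly at startup rather than weakening a limit. Separately, `tmp_ctx` in sec_get_hive_config() is allocated and freed but never used — `confdb_section` is (correctly) allocated on `sctx`, since it must outlive the call — so the talloc_new()/talloc_free() pair can be dropped. The tail of sec_get_config() (its `fail:` label and return) lies outside the hunk.
```c
    /* … unchanged: the three confdb_get_int() reads into *quota … */

    /* Quotas are resource limits; a negative value is a misconfiguration,
     * not a request for "unlimited", so refuse it here rather than letting
     * the enforcement code compare against it. */
    if (quota->containers_nest_level < 0
            || quota->max_secrets < 0
            || quota->max_payload_size < 0) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Negative quota value in %s\n", section_config_path);
        return EINVAL;
    }

    return EOK;
}
```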