author | Pavel Březina <pbrezina@redhat.com> | 2017-07-11 12:41:57 +0200 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-08-18 08:52:25 +0200 |
commit | a5f300adf19ec9c3087c62bd93a5175db799687a (patch) | |
tree | afb844609d6610e7dd4de048c264247f8f0ba3a4 /src/responder | |
parent | dc5da74112bde32b0bd33d9304f7e94eb8ed2885 (diff) | |
sudo: add a threshold option to reduce size of rules refresh filter
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by the server. This commit adds a new
option "sudo_threshold" to the sudo responder. If the threshold is
exceeded, a full refresh is done instead of a rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/sudo/sudosrv.c | 11 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv_get_sudorules.c | 25 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv_private.h | 1 |
3 files changed, 32 insertions, 5 deletions
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index b427878d4..dca70ea4a 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -148,6 +148,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
+    /* Get sudo_inverse_order option */
+    ret = confdb_get_int(sudo_ctx->rctx->cdb,
+                         CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD,
+                         CONFDB_DEFAULT_SUDO_THRESHOLD,
+                         &sudo_ctx->threshold);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
+              ret, strerror(ret));
+        goto fail;
+    }
+
     ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index cfdbfc9c9..3272e634d 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -479,6 +479,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
                            struct tevent_context *ev,
                            struct resp_ctx *rctx,
                            struct sss_domain_info *domain,
+                           int threshold,
                            uid_t uid,
                            const char *username,
                            char **groups)
@@ -520,9 +521,20 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
     DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n", num_rules, username, domain->name);
-    subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
-                                     SSS_DP_SUDO_REFRESH_RULES,
-                                     username, num_rules, rules);
+    if (num_rules > threshold) {
+        DEBUG(SSSDBG_TRACE_INTERNAL,
+              "Rules threshold [%d] is reached, performing full refresh "
+              "instead.\n", threshold);
+
+        subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
+                                         SSS_DP_SUDO_FULL_REFRESH,
+                                         username, 0, NULL);
+    } else {
+        subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
+                                         SSS_DP_SUDO_REFRESH_RULES,
+                                         username, num_rules, rules);
+    }
+
     if (subreq == NULL) {
         ret = ENOMEM;
         goto immediately;
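Review bot: The comment above the new confdb_get_int() call, `/* Get sudo_inverse_order option */`, was carried over from the preceding option and names the wrong setting; it should read `/* Get sudo_threshold option */`. The value is also stored with no lower-bound check: confdb_get_int() fills a signed int, and a negative rule count has no meaningful interpretation, so rejecting it next to the EOK check with `if (sudo_ctx->threshold < 0) { DEBUG(SSSDBG_FATAL_FAILURE, "sudo_threshold must not be negative.\n"); goto fail; }` would keep the later `num_rules > threshold` comparison well-defined for every accepted configuration. sudo_process_init() starts and ends outside the hunk.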
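Review bot: `num_rules > threshold` compares the new signed `int threshold` against `num_rules`, whose type is not visible in this hunk but which the state struct later in this file declares as `uint32_t num_rules` (the %d in the DEBUG line above hints at int; confirm against the declaration). If it is unsigned, a negative threshold is converted to a large unsigned value by the usual arithmetic conversions and the full-refresh branch can never be taken, so a misconfiguration silently disables the option instead of forcing full refreshes. The cleanest fix is to guarantee threshold >= 0 where it is read in sudo_process_init(); failing that, make the intent explicit here, e.g. `if (threshold >= 0 && num_rules > (uint32_t)threshold)`. Separately, the message "Rules threshold [%d] is reached" describes a strict-greater comparison, so "exceeded" would match both the condition and the commit message. sudosrv_refresh_rules_send() continues beyond the hunk.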
@@ -609,6 +621,7 @@ struct sudosrv_get_rules_state {
     struct sss_domain_info *domain;
     char **groups;
     bool inverse_order;
+    int threshold;
     struct sysdb_attrs **rules;
     uint32_t num_rules;
@@ -640,6 +653,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
     state->type = type;
     state->uid = uid;
     state->inverse_order = sudo_ctx->inverse_order;
+    state->threshold = sudo_ctx->threshold;
     DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username);
@@ -696,8 +710,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
     }
     subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
-                                        state->domain, state->uid,
-                                        state->username, state->groups);
+                                        state->domain, state->threshold,
+                                        state->uid, state->username,
+                                        state->groups);
     if (subreq == NULL) {
         ret = ENOMEM;
         goto done;
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
index 94f3c4458..c76bdd395 100644
--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
@@ -48,6 +48,7 @@ struct sudo_ctx {
      */
     bool timed;
     bool inverse_order;
+    int threshold;
 };
 struct sudo_cmd_ctx {
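Review bot: The new `int threshold;` member of struct sudo_ctx in sudosrv_private.h is added without a comment, although the `*/` context line just above suggests the neighbouring members are documented, so a reader of the header cannot tell what the number means or which way the comparison goes. Suggest placing `/* sudo_threshold: number of expired rules above which a full refresh is run instead of a per-rule refresh */` above the field. The mirrored `int threshold;` added to struct sudosrv_get_rules_state in sudosrv_get_sudorules.c earlier in this diff would benefit from the same one-line comment, or a pointer to the sudo_ctx definition.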