authorPavel Březina <pbrezina@redhat.com>2017-07-11 12:41:57 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2017-08-18 08:52:25 +0200
commita5f300adf19ec9c3087c62bd93a5175db799687a (patch)
treeafb844609d6610e7dd4de048c264247f8f0ba3a4 /src/responder
parentdc5da74112bde32b0bd33d9304f7e94eb8ed2885 (diff)
sudo: add a threshold option to reduce size of rules refresh filter
If a large number of rules is expired at one time the ldap filter may become too large to be processed by the server. This commit adds a new option "sudo_threshold" to the sudo responder. If the threshold is exceeded a full refresh is done instead of a rules refresh.
Resolves: https://pagure.io/SSSD/sssd/issue/3478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/sudo/sudosrv.c11
-rw-r--r--src/responder/sudo/sudosrv_get_sudorules.c25
-rw-r--r--src/responder/sudo/sudosrv_private.h1
3 files changed, 32 insertions, 5 deletions
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index b427878d4..dca70ea4a 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -148,6 +148,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ /* Get sudo_inverse_order option */
+ ret = confdb_get_int(sudo_ctx->rctx->cdb,
+ CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD,
+ CONFDB_DEFAULT_SUDO_THRESHOLD,
+ &sudo_ctx->threshold);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
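Review bot: The comment introduced above the new confdb_get_int call reads `/* Get sudo_inverse_order option */`, but the call fetches CONFDB_SUDO_THRESHOLD, so it appears to have been copied from the preceding option block; it should say `/* Get sudo_threshold option */`. The fetched value is also stored without any range check, so a negative threshold written in the configuration is accepted silently and only shows up later as an odd choice between per-rule and full refresh; rejecting it here with `if (sudo_ctx->threshold < 0) { DEBUG(SSSDBG_FATAL_FAILURE, "Invalid sudo_threshold [%d]\n", sudo_ctx->threshold); goto fail; }` makes the misconfiguration visible at startup. sudo_process_init begins and ends outside the hunk.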
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index cfdbfc9c9..3272e634d 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -479,6 +479,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
struct sss_domain_info *domain,
+ int threshold,
uid_t uid,
const char *username,
char **groups)
@@ -520,9 +521,20 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n",
num_rules, username, domain->name);
- subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
- SSS_DP_SUDO_REFRESH_RULES,
- username, num_rules, rules);
+ if (num_rules > threshold) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Rules threshold [%d] is reached, performing full refresh "
+ "instead.\n", threshold);
+
+ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
+ SSS_DP_SUDO_FULL_REFRESH,
+ username, 0, NULL);
+ } else {
+ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
+ SSS_DP_SUDO_REFRESH_RULES,
+ username, num_rules, rules);
+ }
+
if (subreq == NULL) {
ret = ENOMEM;
goto immediately;
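Review bot: `if (num_rules > threshold)` compares the int threshold against a rule count whose declared type is not visible in this hunk; the state field of the same name shown later in the diff is uint32_t while the DEBUG two lines above prints it with %d, so the signedness is unclear. If num_rules is unsigned, a negative threshold is converted to a large unsigned value and the full-refresh branch is never taken; if it is signed, a negative threshold forces a full refresh on every call — either outcome is an accident of the operand types rather than a decision, so both operands should be brought to one signedness (or the threshold validated as non-negative before use) and the intended handling of a negative value stated in a comment. Separately, the condition is strict-greater but the message says the threshold "is reached"; `"Rules threshold [%d] exceeded, performing full refresh "` matches the code. sudosrv_refresh_rules_send starts in the previous hunk and continues past this one.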
@@ -609,6 +621,7 @@ struct sudosrv_get_rules_state {
struct sss_domain_info *domain;
char **groups;
bool inverse_order;
+ int threshold;
struct sysdb_attrs **rules;
uint32_t num_rules;
@@ -640,6 +653,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
state->type = type;
state->uid = uid;
state->inverse_order = sudo_ctx->inverse_order;
+ state->threshold = sudo_ctx->threshold;
DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username);
@@ -696,8 +710,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
}
subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
- state->domain, state->uid,
- state->username, state->groups);
+ state->domain, state->threshold,
+ state->uid, state->username,
+ state->groups);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
index 94f3c4458..c76bdd395 100644
--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
@@ -48,6 +48,7 @@ struct sudo_ctx {
*/
bool timed;
bool inverse_order;
+ int threshold;
};
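Review bot: The new `int threshold;` member of struct sudo_ctx has no comment, although the closing `*/` at the top of the hunk shows that at least one neighbouring field is documented; a reader of the header cannot tell from the name what unit or comparison it governs. Suggest `/* sudo_threshold: number of expired rules above which a full refresh is requested instead of a per-rule refresh */` on the line above the field, since that is the only place the option's meaning is recorded outside the responder code.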
struct sudo_cmd_ctx {