sssd.git/src/db, branch jhrozek_sysdb_fqdn Unnamed repository; edit this file to name it for gitweb. sudo: solve problems with fully qualified names 2016-07-06T15:40:23+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 98a85bf0b2334c45a60c5bc10042e5abdeff3f98 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: qualify_attr: create new attribute only once 2016-07-06T15:40:22+00:00 Sumit Bose sbose@redhat.com 2016-07-05T13:53:39+00:00 85bb0c2ace68edbf148df6670a86e33f83696f16 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-05T10:44:09+00:00 3612c827757821622daa51ebb9841699b9b07272 Runs a sysdb upgrade that changes objects that represent users, groups, sudo rules and overrides to the new schema, which uses the fully qualified names. 
Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.
SYSDB: Remove the timestamps cache on update 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-29T16:37:02+00:00 fc69c7e376390b62581966dadf73fd6d451f206c When the cache is upgraded, we want to avoid upgrading the timestamps cache, because it was only introduced recently in Beta, so it doesn't make senes to write complex code to change the format. This patch rather removes the cache during upgrade, it will be recreated with later lookups anyway. 
When the cache is upgraded, we want to avoid upgrading the timestamps
cache, because it was only introduced recently in Beta, so it doesn't
make senes to write complex code to change the format.

This patch rather removes the cache during upgrade, it will be recreated
with later lookups anyway.
SYSDB: Fix small issues during db upgrade 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-29T15:03:51+00:00 bcbf6855477af41db9bd6bf4d49a04f6c2a64f27 This patch fixes several issues introduced during the recent sysdb upgrade: 1) The upgrade code often accesses sysdb->ldb, but at this point, the ldb pointer might not be initialized yet. As a kind of an ugly, yet functional workaround, we pass in the ldb pointer that we received from the caller as part of the sysdb structure. 2) the version that sysdb_domain_cache_upgrade() returns is not a talloc pointer, so the upgrade was crashing when we tried to steal it. 3) the ldb pointer sysdb_cache_connect() returns was kept allocated on the tmp_ctx. We need to steal it instead. 
This patch fixes several issues introduced during the recent sysdb
upgrade:
    1) The upgrade code often accesses sysdb->ldb, but at this point,
    the ldb pointer might not be initialized yet. As a kind of an ugly,
    yet functional workaround, we pass in the ldb pointer that we
    received from the caller as part of the sysdb structure.

    2) the version that sysdb_domain_cache_upgrade() returns is not a
    talloc pointer, so the upgrade was crashing when we tried to steal
    it.

    3) the ldb pointer sysdb_cache_connect() returns was kept allocated
    on the tmp_ctx. We need to steal it instead.
SYSDB: Allow passing a context to sysdb upgrade functions 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-29T14:30:39+00:00 190e68d96b287c00be6bd5a4603884e74141bbe7 We decide on whether to upgrade or not based on a pointer value, not a boolean. This pointer points to a structure that the upgrade invoker (typically the monitor) can use to fill auxilary data the sysdb upgrade has no means of instantiating. 
We decide on whether to upgrade or not based on a pointer value, not a
boolean. This pointer points to a structure that the upgrade invoker
(typically the monitor) can use to fill auxilary data the sysdb upgrade
has no means of instantiating.
SYSDB: Remove useless parameter from sysdb_init() 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-29T14:18:12+00:00 dde89d133dfb38351656195bcf024f6df9c76a0d The function sysdb_init() is never used to allow upgrade, so the allow_upgrade parameter was pointless. 
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides 2016-07-06T15:33:00+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-19T06:35:57+00:00 f69b128a26fd4d7f72d64d2e5ae26e57c831e43b Because all users and groups are stored the same way in sysdb, we can avoid parsing and unparsing the name with NSS functions and instead just grab the name from the FQDN in the cache. 
Because all users and groups are stored the same way in sysdb, we can
avoid parsing and unparsing the name with NSS functions and instead just
grab the name from the FQDN in the cache.
SYSDB: Add a utility function to return a list of qualified names 2016-07-06T15:32:59+00:00 Jakub Hrozek jhrozek@redhat.com 2016-04-08T14:29:42+00:00 99990d4e4d929db39a1fc1d0d65406b677095dba Adds a utility function the LDAP provider can use. This is different from sss_create_internal_fqname_list in the sense that the LDAP provider passes in the attribute name that contains the name attribute value. 
Adds a utility function the LDAP provider can use. This is different
from sss_create_internal_fqname_list in the sense that the LDAP provider
passes in the attribute name that contains the name attribute value.
SYSDB: add_name_and_aliases_for_name_override no longer needs to special case subdomain users 2016-07-06T15:32:58+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-19T05:24:08+00:00 3dbe1b9776c6f8182aeb8947e88d2e517658526e All user and group names use the same unified format in the cache, so there's no need to special-case subdomains and create different names for the main domain and a subdomain. 
All user and group names use the same unified format in the cache, so
there's no need to special-case subdomains and create different names
for the main domain and a subdomain.