211 lines
8.8 KiB
Diff
211 lines
8.8 KiB
Diff
From a5f300adf19ec9c3087c62bd93a5175db799687a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
Date: Tue, 11 Jul 2017 12:41:57 +0200
|
|
Subject: [PATCH 33/93] sudo: add a threshold option to reduce size of rules
|
|
refresh filter
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If a large number of rules is expired at one time the ldap filter may
|
|
become too large to be processed by server. This commits adds a new
|
|
option "sudo_threshold" to sudo responder. If the threshold is
|
|
exceeded a full refreshed is done instead of rules refresh.
|
|
|
|
Resolves:
|
|
https://pagure.io/SSSD/sssd/issue/3478
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/confdb/confdb.h | 2 ++
|
|
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
src/config/cfg_rules.ini | 1 +
|
|
src/config/etc/sssd.api.conf | 1 +
|
|
src/man/sssd.conf.5.xml | 19 +++++++++++++++++++
|
|
src/responder/sudo/sudosrv.c | 11 +++++++++++
|
|
src/responder/sudo/sudosrv_get_sudorules.c | 25 ++++++++++++++++++++-----
|
|
src/responder/sudo/sudosrv_private.h | 1 +
|
|
8 files changed, 56 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
index 3773358374064c68b2ae254fd18f43ca4c43d834..66ecc041398fda973c0f30a47a3f5944c88d19c2 100644
|
|
--- a/src/confdb/confdb.h
|
|
+++ b/src/confdb/confdb.h
|
|
@@ -139,6 +139,8 @@
|
|
#define CONFDB_DEFAULT_SUDO_TIMED false
|
|
#define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"
|
|
#define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false
|
|
+#define CONFDB_SUDO_THRESHOLD "sudo_threshold"
|
|
+#define CONFDB_DEFAULT_SUDO_THRESHOLD 50
|
|
|
|
/* autofs */
|
|
#define CONFDB_AUTOFS_CONF_ENTRY "config/autofs"
|
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
index 0e0c3be6d0c6531daddd3927c53156d28a657d2b..de757521cff58460049bb8c4873efaf6bf0b8d95 100644
|
|
--- a/src/config/SSSDConfig/__init__.py.in
|
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
@@ -107,6 +107,7 @@ option_strings = {
|
|
# [sudo]
|
|
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
|
|
+ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'),
|
|
|
|
# [autofs]
|
|
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
|
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
index 4537d0fe87d7084cdff5e591451298393b7f632f..cba59d2c3813f44b8ab85b4c246108232f9d8fd4 100644
|
|
--- a/src/config/cfg_rules.ini
|
|
+++ b/src/config/cfg_rules.ini
|
|
@@ -145,6 +145,7 @@ option = cache_first
|
|
# sudo service
|
|
option = sudo_timed
|
|
option = sudo_inverse_order
|
|
+option = sudo_threshold
|
|
|
|
[rule/allowed_autofs_options]
|
|
validator = ini_allowed_options
|
|
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
index ef910f0dfc96241feca6db241219783d774891ef..0d11771ae3df50ba9f380e44747a5385a224544d 100644
|
|
--- a/src/config/etc/sssd.api.conf
|
|
+++ b/src/config/etc/sssd.api.conf
|
|
@@ -79,6 +79,7 @@ pam_app_services = str, None, false
|
|
# sudo service
|
|
sudo_timed = bool, None, false
|
|
sudo_inverse_order = bool, None, false
|
|
+sudo_threshold = int, None, false
|
|
|
|
[autofs]
|
|
# autofs service
|
|
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
index 7cd6ffd7a632449e23672da14586560500b9d185..7b5abebbf68a832c3b0af9bcff9c535eca77778a 100644
|
|
--- a/src/man/sssd.conf.5.xml
|
|
+++ b/src/man/sssd.conf.5.xml
|
|
@@ -1378,6 +1378,25 @@ pam_account_locked_message = Account locked, please contact help desk.
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
+ <variablelist>
|
|
+ <varlistentry>
|
|
+ <term>sudo_threshold (integer)</term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Maximum number of expired rules that can be
|
|
+ refreshed at once. If number of expired rules
|
|
+ is below threshold, those rules are refreshed
|
|
+ with <quote>rules refresh</quote> mechanism. If
|
|
+ the threshold is exceeded a
|
|
+ <quote>full refresh</quote> of sudo rules is
|
|
+ triggered instead.
|
|
+ </para>
|
|
+ <para>
|
|
+ Default: 50
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+ </variablelist>
|
|
</refsect2>
|
|
|
|
<refsect2 id='AUTOFS' condition="with_autofs">
|
|
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
|
index b427878d4dbe9090824a01386a7475be88b699c0..dca70ea4afc0e6df6d1b1864338c7b1091a98fee 100644
|
|
--- a/src/responder/sudo/sudosrv.c
|
|
+++ b/src/responder/sudo/sudosrv.c
|
|
@@ -148,6 +148,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
|
|
goto fail;
|
|
}
|
|
|
|
+ /* Get sudo_inverse_order option */
|
|
+ ret = confdb_get_int(sudo_ctx->rctx->cdb,
|
|
+ CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD,
|
|
+ CONFDB_DEFAULT_SUDO_THRESHOLD,
|
|
+ &sudo_ctx->threshold);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
|
|
+ ret, strerror(ret));
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
index cfdbfc9c9c66d96f774822d6a4d4aaaf1327abe3..3272e634d895acf4854309371779a00cf1525126 100644
|
|
--- a/src/responder/sudo/sudosrv_get_sudorules.c
|
|
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
@@ -479,6 +479,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
|
|
struct tevent_context *ev,
|
|
struct resp_ctx *rctx,
|
|
struct sss_domain_info *domain,
|
|
+ int threshold,
|
|
uid_t uid,
|
|
const char *username,
|
|
char **groups)
|
|
@@ -520,9 +521,20 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
|
|
DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n",
|
|
num_rules, username, domain->name);
|
|
|
|
- subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
|
|
- SSS_DP_SUDO_REFRESH_RULES,
|
|
- username, num_rules, rules);
|
|
+ if (num_rules > threshold) {
|
|
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
+ "Rules threshold [%d] is reached, performing full refresh "
|
|
+ "instead.\n", threshold);
|
|
+
|
|
+ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
|
|
+ SSS_DP_SUDO_FULL_REFRESH,
|
|
+ username, 0, NULL);
|
|
+ } else {
|
|
+ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
|
|
+ SSS_DP_SUDO_REFRESH_RULES,
|
|
+ username, num_rules, rules);
|
|
+ }
|
|
+
|
|
if (subreq == NULL) {
|
|
ret = ENOMEM;
|
|
goto immediately;
|
|
@@ -609,6 +621,7 @@ struct sudosrv_get_rules_state {
|
|
struct sss_domain_info *domain;
|
|
char **groups;
|
|
bool inverse_order;
|
|
+ int threshold;
|
|
|
|
struct sysdb_attrs **rules;
|
|
uint32_t num_rules;
|
|
@@ -640,6 +653,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
|
|
state->type = type;
|
|
state->uid = uid;
|
|
state->inverse_order = sudo_ctx->inverse_order;
|
|
+ state->threshold = sudo_ctx->threshold;
|
|
|
|
DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username);
|
|
|
|
@@ -696,8 +710,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
|
|
}
|
|
|
|
subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
|
|
- state->domain, state->uid,
|
|
- state->username, state->groups);
|
|
+ state->domain, state->threshold,
|
|
+ state->uid, state->username,
|
|
+ state->groups);
|
|
if (subreq == NULL) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
|
|
index 94f3c4458ab20e64db3e0bfce726d5d30a70a202..c76bdd3955bc29b7ba2cda58c503a4c616d7e63a 100644
|
|
--- a/src/responder/sudo/sudosrv_private.h
|
|
+++ b/src/responder/sudo/sudosrv_private.h
|
|
@@ -48,6 +48,7 @@ struct sudo_ctx {
|
|
*/
|
|
bool timed;
|
|
bool inverse_order;
|
|
+ int threshold;
|
|
};
|
|
|
|
struct sudo_cmd_ctx {
|
|
--
|
|
2.14.1
|
|
|