[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705
Author: jhrozek
Title: #705: KCM: Add configurable quotas
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/705/head:pr705
git checkout pr705
From e2b8f44bc0418bc531c7e372306f057b275ef9df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 5 Oct 2018 13:17:14 +0200
Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference
Related:
https://pagure.io/SSSD/sssd/issue/3685
There were some stray references to the secrets responder in the
sssd-kcm manual page.
---
src/man/sssd-kcm.8.xml | 8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index fff8b0a16d..90b9ad09c2 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -58,11 +58,9 @@
-the SSSD implementation stores the ccaches in the SSSD
-
-sssd-secrets5
-
-secrets store, allowing the ccaches to survive KCM server restarts or machine reboots.
+the SSSD implementation stores the ccaches in a database,
+typically located at /var/lib/sss/secrets
+allowing the ccaches to survive KCM server restarts or machine reboots.
From 1161664d427f34a2428a8cb86f8494aac9472da3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 30 Nov 2018 13:15:58 +0100
Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart
sssd-kcm.service lately
Related:
https://pagure.io/SSSD/sssd/issue/3862
We forgot to amend the man page after implementing the sssd-kcm service
reload.
---
src/man/sssd-kcm.8.xml | 17 +++--
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 90b9ad09c2..4e4aaa38ea 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service
CONFIGURATION OPTIONS
The KCM service is configured in the kcm
-section of the sssd.conf file. Please note that currently,
-is it not sufficient to restart the sssd-kcm service, because
-the sssd configuration is only parsed and read to an internal
-configuration database by the sssd service. Therefore you
-must restart the sssd service if you change anything in the
-kcm section of sssd.conf.
+section of the sssd.conf file. Please note that because
+the KCM service is typically socket-activated, it is
+enough to just restart the sssd-kcm service
+after changing options in the kcm section
+of sssd.conf:
+
+systemctl restart sssd-kcm.service
+
+
+
+The KCM service is configured in the kcm
For a detailed syntax reference, refer to the FILE FORMAT section of the
sssd.conf
From 7294fd022eb397e22dc345846a6cbb067d3a27bc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM
for quota options
Related:
https://pagure.io/SSSD/sssd/issue/3386
With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.
With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.
For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
---
src/responder/secrets/secsrv.c | 70 ++
src/util/secrets/config.c | 40 +--
src/util/secrets/secrets.h | 21 ++
3 files changed, 88 insertions(+), 43 deletions(-)
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2de93dedc5..e783e231d3 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
static int sec_get_config(struct sec_ctx *sctx)
{
int ret;
+struct sss_sec_quota_opt dfl_sec_nest_level = {
+.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
+};
+
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ rebased """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-458698402 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#737][opened] providers/proxy: fixed issue 3931
URL: https://github.com/SSSD/sssd/pull/737
Author: alexey-tikhonov
Title: #737: providers/proxy: fixed issue 3931
Action: opened
PR body:
"""
Set of patches related with https://pagure.io/SSSD/sssd/issue/3931
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/737/head:pr737
git checkout pr737
From 68e19fa3a0e4f873931954bb8f56a9e3bf9ab4ba Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 28 Jan 2019 17:50:17 +0100
Subject: [PATCH 1/6] providers/proxy: small optimization
Small optimization of for-loops in
proxy_id.c:remove_duplicate_group_members()
---
src/providers/proxy/proxy_id.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index e82e603365..478709f693 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -602,9 +602,9 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
goto done;
}
-for (i=0; orig_grp->gr_mem[i] != NULL; i++) {
-orig_member_count++;
-}
+for (i=0; orig_grp->gr_mem[i] != NULL; ++i) /* no-op: just counting */;
+
+orig_member_count = i;
if (orig_member_count == 0) {
ret = ENOENT;
@@ -618,7 +618,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
goto done;
}
-for (i=0; orig_grp->gr_mem[i] != NULL; i++) {
+for (i=0; i < orig_member_count; ++i) {
key.type = HASH_KEY_STRING;
key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
if (key.str == NULL) {
From d8b8098ac137add9f00f52fe2a0347cf53d7a074 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 28 Jan 2019 18:30:21 +0100
Subject: [PATCH 2/6] providers/proxy: fixed wrong check
Fixed evident "copy-paste" bug with wrong var being checked for NULL
in proxy_id.c:remove_duplicate_group_members()
---
src/providers/proxy/proxy_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 478709f693..db65a984cd 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -629,7 +629,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
value.type = HASH_VALUE_PTR;
value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
-if (key.str == NULL) {
+if (value.ptr == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
ret = ENOMEM;
goto done;
From e0de9be7371c942f2b4ba1398a7790207c0b958b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 28 Jan 2019 18:47:27 +0100
Subject: [PATCH 3/6] providers/proxy: fixed usage of wrong mem ctx
Temporary var `grp` in proxy_id.c:remove_duplicate_group_members()
should be created in `tmp_ctx`.
Call to
```
*_grp = talloc_steal(mem_ctx, grp);
```
as well confirms it was original intent
(before fix this call didn't have any sense).
Having `grp` created in `mem_ctx` may lead to memory leak in case
of failure. While actually this doesn't happen since caller of
remove_duplicate_group_members() cleans mem_ctx, still it is
good to fix it.
---
src/providers/proxy/proxy_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index db65a984cd..52f7a64243 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -649,7 +649,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
goto done;
}
-grp = talloc(mem_ctx, struct group);
+grp = talloc(tmp_ctx, struct group);
if (grp == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
ret = ENOMEM;
From ce7c1184ddb4a0779e35068e840631772d4884fc Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 28 Jan 2019 19:23:46 +0100
Subject: [PATCH 4/6] providers/proxy: got rid of excessive mem copies
There is no need to create copies of strings for temporary storage
in hash_table.
---
src/providers/proxy/proxy_id.c | 17 -
1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 52f7a64243..3e8a43ad7c 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -620,24 +620,15 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
for (i=0; i < orig_member_count; ++i) {
key.type = HASH_KEY_STRING;
-key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
-if (key.str == NULL) {
-DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
-ret = ENOMEM;
-goto done;
-}
+key.str = orig_grp->gr_mem[i]; /* hash_enter() makes copy itself */
value.type = HASH_VALUE_PTR;
-value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
-if
