[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Author: jhrozek Title: #705: KCM: Add configurable quotas Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/705/head:pr705 git checkout pr705 From e2b8f44bc0418bc531c7e372306f057b275ef9df Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 5 Oct 2018 13:17:14 +0200 Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference Related: https://pagure.io/SSSD/sssd/issue/3685 There were some stray references to the secrets responder in the sssd-kcm manual page. --- src/man/sssd-kcm.8.xml | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index fff8b0a16d..90b9ad09c2 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml @@ -58,11 +58,9 @@ -the SSSD implementation stores the ccaches in the SSSD - -sssd-secrets5 - -secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. +the SSSD implementation stores the ccaches in a database, +typically located at /var/lib/sss/secrets +allowing the ccaches to survive KCM server restarts or machine reboots. From 1161664d427f34a2428a8cb86f8494aac9472da3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 30 Nov 2018 13:15:58 +0100 Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart sssd-kcm.service lately Related: https://pagure.io/SSSD/sssd/issue/3862 We forgot to amend the man page after implementing the sssd-kcm service reload. --- src/man/sssd-kcm.8.xml | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml index 90b9ad09c2..4e4aaa38ea 100644 --- a/src/man/sssd-kcm.8.xml +++ b/src/man/sssd-kcm.8.xml 
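Review bot: a comma is missing in the replacement text of the sssd-kcm.8.xml hunk: the added lines read "typically located at /var/lib/sss/secrets" followed directly by "allowing the ccaches to survive KCM server restarts or machine reboots", so the path runs straight into the participle. Since this paragraph now tells administrators where the ccache database lives on disk, it is also the natural place to say who is expected to be able to read it; a credential cache store is only as safe as its file ownership and mode, so one sentence on the expected permissions would make the man page more useful than the bare path.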
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service CONFIGURATION OPTIONS The KCM service is configured in the kcm -section of the sssd.conf file. Please note that currently, -is it not sufficient to restart the sssd-kcm service, because -the sssd configuration is only parsed and read to an internal -configuration database by the sssd service. Therefore you -must restart the sssd service if you change anything in the -kcm section of sssd.conf. +section of the sssd.conf file. Please note that because +the KCM service is typically socket-activated, it is +enough to just restart the sssd-kcm service +after changing options in the kcm section +of sssd.conf: + +systemctl restart sssd-kcm.service + + + +The KCM service is configured in the kcm For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf From 7294fd022eb397e22dc345846a6cbb067d3a27bc Mon Sep 17 00:00:00 2001 
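Review bot: the last added line of the hunk, "+The KCM service is configured in the kcm", duplicates the opening sentence of the same paragraph and is left dangling immediately before "For a detailed syntax reference"; it looks like a leftover from editing and should be dropped so the section does not restart itself mid-paragraph. The substantive change is right: the old text told users to restart the sssd service, the new text says restarting sssd-kcm.service is enough because the service is socket-activated, and the added "systemctl restart sssd-kcm.service" example matches the command already shown in the hunk header context.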
From: Jakub Hrozek Date: Mon, 26 Nov 2018 13:44:08 +0100 Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM for quota options Related: https://pagure.io/SSSD/sssd/issue/3386 With the separate secrets responder, the quotas for the /secrets and /kcm hives were configurable in a sub-section of the [secrets] sssd.conf section using the same option -- the /secrets vs. /kcm distinction was made using the subsection name. With the standalone KCM responder writing directly to the database, it makes sense to have options with more descriptive names better suitable for the KCM usage. For that we need the options for secrets quotas and kcm quotas to be named differently. For now, the patch only passes the option name to sss_sec_get_quota() and sss_sec_get_hive_config() together with the default value in an instance of a new structure sss_sec_quota_opt. The secrets responder still uses the same option names for backwards compatibility. --- src/responder/secrets/secsrv.c | 70 ++ src/util/secrets/config.c | 40 +-- src/util/secrets/secrets.h | 21 ++ 3 files changed, 88 insertions(+), 43 deletions(-) diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index 2de93dedc5..e783e231d3 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx, static int sec_get_config(struct sec_ctx *sctx) { int ret; +struct sss_sec_quota_opt dfl_sec_nest_level = { +.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL, +.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, +}; +st
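Review bot: the hunk stops after the first sss_sec_quota_opt initializer (dfl_sec_nest_level pairing CONFDB_SEC_CONTAINERS_NEST_LEVEL with DEFAULT_SEC_CONTAINERS_NEST_LEVEL), so only the shape can be reviewed: bundling the option name and its default in one struct passed to sss_sec_get_quota() and sss_sec_get_hive_config() is cleaner than two parallel arguments. The commit message says the KCM side will get new, more descriptive option names while the secrets responder keeps the old ones for compatibility, yet no man page appears in this patch's diffstat; the new names and their defaults should land in sssd-kcm.8.xml in the same series, because these quotas are the limit on how much a client may store and a limit that is not documented is one an administrator can neither tune nor audit.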
[SSSD] [sssd PR#705][comment] KCM: Add configurable quotas
URL: https://github.com/SSSD/sssd/pull/705 Title: #705: KCM: Add configurable quotas jhrozek commented: """ rebased """ See the full comment at https://github.com/SSSD/sssd/pull/705#issuecomment-458698402 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#737][opened] providers/proxy: fixed issue 3931
URL: https://github.com/SSSD/sssd/pull/737 Author: alexey-tikhonov Title: #737: providers/proxy: fixed issue 3931 Action: opened PR body: """ Set of patches related with https://pagure.io/SSSD/sssd/issue/3931 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/737/head:pr737 git checkout pr737 From 68e19fa3a0e4f873931954bb8f56a9e3bf9ab4ba Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 28 Jan 2019 17:50:17 +0100 Subject: [PATCH 1/6] providers/proxy: small optimization Small optimization of for-loops in proxy_id.c:remove_duplicate_group_members() --- src/providers/proxy/proxy_id.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index e82e603365..478709f693 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -602,9 +602,9 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx, goto done; } -for (i=0; orig_grp->gr_mem[i] != NULL; i++) { -orig_member_count++; -} +for (i=0; orig_grp->gr_mem[i] != NULL; ++i) /* no-op: just counting */; + +orig_member_count = i; if (orig_member_count == 0) { ret = ENOENT; @@ -618,7 +618,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx, goto done; } -for (i=0; orig_grp->gr_mem[i] != NULL; i++) { +for (i=0; i < orig_member_count; ++i) { key.type = HASH_KEY_STRING; key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); if (key.str == NULL) { From d8b8098ac137add9f00f52fe2a0347cf53d7a074 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 28 Jan 2019 18:30:21 +0100 Subject: [PATCH 2/6] providers/proxy: fixed wrong check Fixed evident "copy-paste" bug with wrong var being checked for NULL in proxy_id.c:remove_duplicate_group_members() --- src/providers/proxy/proxy_id.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
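Review bot: the first hunk replaces a counting loop with a `for` whose body is a bare `;` ("for (i=0; orig_grp->gr_mem[i] != NULL; ++i) /* no-op: just counting */;") followed by "orig_member_count = i;". The result is correct, and the second hunk's "for (i=0; i < orig_member_count; ++i)" is fine once the count is known, but an empty-statement loop is the exact shape of an accidental-semicolon bug and will be mistaken for one on a later read; writing the body as "{ /* count members */ }" keeps the optimisation and removes the ambiguity. The title calls this a small optimization and the gain is one removed increment per member, so the readability trade-off is worth a sentence in the commit message.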
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index 478709f693..db65a984cd 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -629,7 +629,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx, value.type = HASH_VALUE_PTR; value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); -if (key.str == NULL) { +if (value.ptr == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ret = ENOMEM; goto done; From e0de9be7371c942f2b4ba1398a7790207c0b958b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 28 Jan 2019 18:47:27 +0100 Subject: [PATCH 3/6] providers/proxy: fixed usage of wrong mem ctx Temporary var `grp` in proxy_id.c:remove_duplicate_group_members() should be created in `tmp_ctx`. Call to ``` *_grp = talloc_steal(mem_ctx, grp); ``` as well confirms it was original intent (before fix this call didn't have any sense). Having `grp` created in `mem_ctx` may lead to memory leak in case of failure. While actually this doesn't happen since caller of remove_duplicate_group_members() cleans mem_ctx, still it is good to fix it. --- src/providers/proxy/proxy_id.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index db65a984cd..52f7a64243 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -649,7 +649,7 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx, goto done; } -grp = talloc(mem_ctx, struct group); +grp = talloc(tmp_ctx, struct group); if (grp == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); ret = ENOMEM; From ce7c1184ddb4a0779e35068e840631772d4884fc Mon Sep 17 00:00:00 2001 
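Review bot: on PATCH 2/6, the fix is correct: the NULL check after "value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);" tested key.str, which had already passed its own check a few lines earlier, so an allocation failure for value.ptr went unnoticed and a NULL value would have been entered into the table. For the series as a whole, PATCH 4/6 removes this talloc_strdup entirely, so the one-line fix exists mainly to keep each commit correct on its own; that is fine, but the commit message could say so.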
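Review bot: on PATCH 3/6, allocating grp under tmp_ctx is the right fix and matches the "*_grp = talloc_steal(mem_ctx, grp);" the commit message cites. One thing the hunk does not show and that should be verified: the steal has to run on the success path before tmp_ctx is freed at the done: label, otherwise the caller is handed a pointer into freed memory, which is worse than the leak this patch removes. The commit message already notes the leak was not reachable because the caller cleans mem_ctx, so this is a hygiene fix rather than a bug fix and the message describes it accurately.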
From: Alexey Tikhonov Date: Mon, 28 Jan 2019 19:23:46 +0100 Subject: [PATCH 4/6] providers/proxy: got rid of excessive mem copies There is no need to create copies of strings for temporary storage in hash_table. --- src/providers/proxy/proxy_id.c | 17 - 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index 52f7a64243..3e8a43ad7c 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -620,24 +620,15 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx, for (i=0; i < orig_member_count; ++i) { key.type = HASH_KEY_STRING; -key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); -if (key.str == NULL) { -DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -ret = ENOMEM; -goto done; -} +key.str = orig_grp->gr_mem[i]; /* hash_enter() makes copy itself */ value.type = HASH_VALUE_PTR; -value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]); -if
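Review bot: dropping the talloc_strdup for key.str is safe for the reason the inline comment gives, hash_enter() copies HASH_KEY_STRING keys itself, but the hunk is cut off just as it reaches value.ptr, and the value side is different: a HASH_VALUE_PTR is stored as-is, so if value.ptr now points straight at orig_grp->gr_mem[i] the table holds borrowed pointers and orig_grp must outlive every use of member_tbl. That holds if both are freed together under tmp_ctx, but it should be stated in the commit message rather than left implied by "no need to create copies".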