URL: https://github.com/SSSD/sssd/pull/363
Author: fidencio
 Title: #363: Add root (user, group, uid and gid) to the negative cache 
(backport to sssd-1-13)
Action: opened

PR body:
"""
Some patches have been dropped from the original series as those touched 
files/functions that are not present in sssd-1-13.
"""

From dcaa02b39fe5ad94582e14323e473cb13b4efff2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 14 Aug 2017 15:28:41 +0200
Subject: [PATCH 1/6] NEGCACHE: Add some comments about each step of
 sss_ncache_prepopulate()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The comments help to understand which part of the code is dealing with
users or groups of specific or non-specific domain filters.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit b54d79cf3c8017e186b5ea7cdc383746233db39b)
---
 src/responder/common/negcache.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 5b0517ceb..b2c2f7309 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -663,7 +663,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
     TALLOC_CTX *tmpctx = talloc_new(NULL);
     int i;
 
-    /* Populate domain-specific negative cache entries */
+    /* Populate domain-specific negative cache user entries */
     for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
         conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL,
                                     dom->name);
@@ -715,6 +715,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
         }
     }
 
+    /* Populate non domain-specific negative cache user entries */
     ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
                                     CONFDB_NSS_FILTER_USERS, &filter_list);
     if (ret == ENOENT) {
@@ -779,6 +780,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
         }
     }
 
+    /* Populate domain-specific negative cache group entries */
     filter_set = false;
     for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
         conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
@@ -823,6 +825,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
         }
     }
 
+    /* Populate non domain-specific negative cache group entries */
     ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
                                     CONFDB_NSS_FILTER_GROUPS, &filter_list);
     if (ret == ENOENT) {

From 41e0af7f334c3f33bd008062536e5fe3e9f6d344 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 14 Aug 2017 15:46:10 +0200
Subject: [PATCH 2/6] NEGCACHE: Always add "root" to the negative cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The current code only adds "root" to the negative cache in case no other
user or group is set up to be added (see the removed `!filter_set` branches).

As SSSD doesn't handle "root", it should *always* be added to the
negative cache.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit 1e7b7da3aa56060c26f8ba1c08318cdee77753ea)
---
 src/responder/common/negcache.c | 122 +++++++++++++++++++++++++++++-----------
 1 file changed, 88 insertions(+), 34 deletions(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index b2c2f7309..c44646d30 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -653,8 +653,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
                                struct resp_ctx *rctx)
 {
     errno_t ret;
-    bool filter_set = false;
     char **filter_list = NULL;
+    char **default_list = NULL;
     char *name = NULL;
     struct sss_domain_info *dom = NULL;
     struct sss_domain_info *domain_list = rctx->domains;
@@ -678,7 +678,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
                                         &filter_list);
         if (ret == ENOENT) continue;
         if (ret != EOK) goto done;
-        filter_set = true;
 
         for (i = 0; (filter_list && filter_list[i]); i++) {
             ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -718,22 +717,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
     /* Populate non domain-specific negative cache user entries */
     ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
                                     CONFDB_NSS_FILTER_USERS, &filter_list);
-    if (ret == ENOENT) {
-        if (!filter_set) {
-            filter_list = talloc_array(tmpctx, char *, 2);
-            if (!filter_list) {
-                ret = ENOMEM;
-                goto done;
-            }
-            filter_list[0] = talloc_strdup(tmpctx, "root");
-            if (!filter_list[0]) {
-                ret = ENOMEM;
-                goto done;
-            }
-            filter_list[1] = NULL;
-        }
+    if (ret != EOK && ret != ENOENT) {
+        goto done;
     }
-    else if (ret != EOK) goto done;
 
     for (i = 0; (filter_list && filter_list[i]); i++) {
         ret = sss_parse_name_for_domains(tmpctx, domain_list,
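Review bot: After the simplification to `if (ret != EOK && ret != ENOENT)`, an ENOENT from confdb_get_string_as_list leaves filter_list holding whatever the preceding per-domain loop last stored in it, unless that helper writes its out-parameter on ENOENT (not visible here); the loop that follows then re-adds one domain's filter_users list across every domain. The removed branch at least reassigned filter_list in the no-filter case, so the new code is slightly more exposed to this. The robust form is to reset it before the lookup, `filter_list = NULL;` immediately ahead of the confdb_get_string_as_list call, and the same applies to the filter_groups hunk below. sss_ncache_prepopulate starts and ends outside this hunk.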
@@ -781,7 +767,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
     }
 
     /* Populate domain-specific negative cache group entries */
-    filter_set = false;
     for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
         conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
         if (!conf_path) {
@@ -794,7 +779,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
                                         CONFDB_NSS_FILTER_GROUPS, &filter_list);
         if (ret == ENOENT) continue;
         if (ret != EOK) goto done;
-        filter_set = true;
 
         for (i = 0; (filter_list && filter_list[i]); i++) {
             ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
@@ -828,22 +812,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
     /* Populate non domain-specific negative cache group entries */
     ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
                                     CONFDB_NSS_FILTER_GROUPS, &filter_list);
-    if (ret == ENOENT) {
-        if (!filter_set) {
-            filter_list = talloc_array(tmpctx, char *, 2);
-            if (!filter_list) {
-                ret = ENOMEM;
-                goto done;
-            }
-            filter_list[0] = talloc_strdup(tmpctx, "root");
-            if (!filter_list[0]) {
-                ret = ENOMEM;
-                goto done;
-            }
-            filter_list[1] = NULL;
-        }
+    if (ret != EOK && ret != ENOENT) {
+        goto done;
     }
-    else if (ret != EOK) goto done;
 
     for (i = 0; (filter_list && filter_list[i]); i++) {
         ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -890,6 +861,89 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
         }
     }
 
+    /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+     * nonetheless what's already added there. */
+    default_list = talloc_array(tmpctx, char *, 2);
+    if (default_list == NULL) {
+        ret= ENOMEM;
+        goto done;
+    }
+    default_list[0] = talloc_strdup(tmpctx, "root");
+    if (default_list[0] == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+    default_list[1] = NULL;
+
+    /* Populate negative cache users and groups entries for the
+     * "default_list" */
+    for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+        ret = sss_parse_name_for_domains(tmpctx, domain_list,
+                                         rctx->default_domain, default_list[i],
+                                         &domainname, &name);
+        if (ret == EAGAIN) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Cannot add [%s] to negcache because the required or "
+                  "default domain are not known yet\n", default_list[i]);
+        } else if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Invalid name in filterUsers list: [%s] (%d)\n",
+                     default_list[i], ret);
+            continue;
+        }
+        if (domainname) {
+            dom = responder_get_domain(rctx, domainname);
+            if (!dom) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "Invalid domain name [%s]\n", domainname);
+                continue;
+            }
+
+            ret = sss_ncache_set_user(ncache, true, dom, name);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "Failed to store permanent user filter for [%s]"
+                          " (%d [%s])\n", default_list[i],
+                          ret, strerror(ret));
+                continue;
+            }
+
+            ret = sss_ncache_set_group(ncache, true, dom, name);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "Failed to store permanent group filter for [%s]"
+                          " (%d [%s])\n", default_list[i],
+                          ret, strerror(ret));
+                continue;
+            }
+        } else {
+            for (dom = domain_list;
+                 dom != NULL;
+                 dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+                ret = sss_ncache_set_user(ncache, true, dom, name);
+                if (ret != EOK) {
+                   DEBUG(SSSDBG_CRIT_FAILURE,
+                         "Failed to store permanent user filter for"
+                             " [%s:%s] (%d [%s])\n",
+                             dom->name, default_list[i],
+                             ret, strerror(ret));
+                    continue;
+                }
+
+                ret = sss_ncache_set_group(ncache, true, dom, name);
+                if (ret != EOK) {
+                   DEBUG(SSSDBG_CRIT_FAILURE,
+                         "Failed to store permanent group filter for"
+                             " [%s:%s] (%d [%s])\n",
+                             dom->name, default_list[i],
+                             ret, strerror(ret));
+                    continue;
+                }
+
+            }
+        }
+    }
+
     ret = EOK;
 
 done:

From 88a7630ce332b8fb011a9088698d231905500079 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Wed, 16 Aug 2017 10:45:19 +0200
Subject: [PATCH 3/6] TEST_NEGCACHE: Test that "root" is always added to ncache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Simply modify test_sss_ncache_prepopulate() in order to ensure that
"root" user and group are always added to the negative cache, no matter
whether they're set as part of the filter_users or filter_groups
options.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit e54764d62bfcc48770d9b2578132979aa58636e5)
---
 src/tests/cmocka/test_negcache.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 274e1543c..115b05220 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -687,6 +687,12 @@ static void test_sss_ncache_prepopulate(void **state)
 
     ret = sss_ncache_check_group(ncache, 1, dom, "testgroup3@somedomain");
     assert_int_equal(ret, ENOENT);
+
+    ret = sss_ncache_check_user(ncache, 1, dom, "root");
+    assert_int_equal(ret, EEXIST);
+
+    ret = sss_ncache_check_group(ncache, 1, dom, "root");
+    assert_int_equal(ret, EEXIST);
 }
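Review bot: The new assertions check that root is cached in a configuration where, judging by the `testgroup3@somedomain` check just above, filter_users/filter_groups are already set, which is the case that also worked before patch 2. The path the commit changes is the one with no filter configured at all; a second prepopulate against a confdb with neither option set, followed by the same `sss_ncache_check_user(ncache, 1, dom, "root")` / `sss_ncache_check_group(...)` EEXIST checks, would pin that. test_sss_ncache_prepopulate begins outside this hunk, so I cannot see how the confdb is set up.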
 
 static void test_sss_ncache_default_domain_suffix(void **state)

From 3245f7fa0655a898c79a0ff80bfd10f1dd0dd7e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 14 Aug 2017 12:15:42 +0200
Subject: [PATCH 4/6] NEGCACHE: Descend to all subdomains when adding
 user/groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When a user or group is added to the negative cache, we should descend
to all subdomains as well.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit 9908bdc9755e744c3e2c7c746a4edf95f9083ef5)
---
 src/responder/common/negcache.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index c44646d30..ef52d755c 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -752,7 +752,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
                 continue;
             }
         } else {
-            for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
+            for (dom = domain_list;
+                 dom != NULL;
+                 dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
                 ret = sss_ncache_set_user(ncache, true, dom, name);
                 if (ret != EOK) {
                    DEBUG(SSSDBG_CRIT_FAILURE,
@@ -847,7 +849,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
                 continue;
             }
         } else {
-            for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
+            for (dom = domain_list;
+                 dom != NULL;
+                 dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
                 ret = sss_ncache_set_group(ncache, true, dom, name);
                 if (ret != EOK) {
                    DEBUG(SSSDBG_CRIT_FAILURE,
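Review bot: The commit message says "descend to all subdomains", but the flag used is SSS_GND_ALL_DOMAINS, which, if it follows the upstream meaning its name suggests, also walks disabled domains rather than just descending; for permanent negative entries that is probably harmless, but the intent should be stated, e.g. `/* walk subdomains and disabled domains too: these entries are permanent */` above the loop. If only descending is wanted, `SSS_GND_DESCEND` is the narrower flag. The enclosing loops start outside this hunk.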

From b9a09a40402940368d73c27aec5e868c095af0d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 14 Aug 2017 13:31:45 +0200
Subject: [PATCH 5/6] NEGCACHE: Add root's uid/gid to ncache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As "root" is not handled by SSSD, let's add its uid and gid to the
negative cache as well. The reason it's added without specifying a
domain is to follow how the negative cache is used by cache req's code
when searching something by id.

As the negative cache check for uid/gid, in the cache req code, is done
after resolving the name, we can save one LDAP call to the data
provider.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit 3ad33ca77044f9a9d18f7def271b0beb180e567b)
---
 src/responder/common/negcache.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index ef52d755c..c3ed36941 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -948,6 +948,23 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
         }
     }
 
+    /* Also add "root" uid and gid to the negative cache */
+    ret = sss_ncache_set_uid(ncache, true, NULL, 0);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Failed to store permanent uid filter for root (0) "
+              "(%d [%s])\n",
+              ret, strerror(ret));
+    }
+
+    ret = sss_ncache_set_gid(ncache, true, NULL, 0);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Failed to store permanent gid filter for root (0) "
+              "(%d [%s])\n",
+              ret, strerror(ret));
+    }
+
     ret = EOK;
 
 done:
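Review bot: The uid/gid failures here are logged at SSSDBG_MINOR_FAILURE and then swallowed, so sss_ncache_prepopulate still returns EOK; that matches the `continue` handling of the name entries above, but those log at SSSDBG_CRIT_FAILURE, and a permanent filter that silently failed to install is the same severity in both cases, so `DEBUG(SSSDBG_CRIT_FAILURE, ...)` would be consistent. The literal `0` is repeated with no link to the "root" name entries; a comment such as `/* uid/gid 0 are always root and are never served by SSSD, see the default_list block above */` would tie them together. Because the entry is stored with a NULL domain it applies to every by-id lookup, so if any backend could legitimately map id 0 (not something I can verify from here) it would be masked, which is worth saying in that comment. The function's end is outside the hunk.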

From e6fa619ce31bd7134168006d9d18265b89beadc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Wed, 16 Aug 2017 10:51:47 +0200
Subject: [PATCH 6/6] TEST_NEGCACHE: Ensure root's uid and gid are always added
 to ncache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to do so two new functions have been introduced and
test_sss_ncache_prepopulate() has been modified in order to ensure that
root's uid and gid are always added to the negative cache.

Related: https://pagure.io/SSSD/sssd/issue/3460

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit b4b3d0642120ca05f63959fe2f317a6b93031929)
---
 src/tests/cmocka/test_negcache.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 115b05220..a48deea0e 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -693,6 +693,12 @@ static void test_sss_ncache_prepopulate(void **state)
 
     ret = sss_ncache_check_group(ncache, 1, dom, "root");
     assert_int_equal(ret, EEXIST);
+
+    ret = sss_ncache_check_uid(ncache, 1, NULL, 0);
+    assert_int_equal(ret, EEXIST);
+
+    ret = sss_ncache_check_gid(ncache, 1, NULL, 0);
+    assert_int_equal(ret, EEXIST);
 }
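Review bot: The new assertions only show that id 0 is present; nothing here shows the negative cache is selective, so a prepopulate that cached every id would pass too. A companion check, `ret = sss_ncache_check_uid(ncache, 1, NULL, 1); assert_int_equal(ret, ENOENT);` (and the same for gid), makes the test discriminating, unless that is already asserted elsewhere in test_sss_ncache_prepopulate, whose start is outside this hunk.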
 
 static void test_sss_ncache_default_domain_suffix(void **state)