On Fri, Oct 07, 2011 at 02:12:08PM -0400, Stephen Gallagher wrote:
> https://fedorahosted.org/sssd/ticket/1029
>
> The problem here is that we were trying to perform an "optimization" by
> bulk-deleting the contents of the service and host lists in the sysdb
> before dumping into it the new data we received from LDAP.
>
> This was causing a major performance hit on large deployments, because
> this recursive delete was repeatedly hitting a weak point of the
> memberOf plugin. However, upon closer analysis, Sumit pointed out that
> we don't actually need to rely on the local memberOf plugin in this
> situation.
>
> These patches remove the member/memberOf relationship from
> host/hostgroup and service/servicegroup entries in the SSSD. As a
> result, we don't invoke the memberOf plugin during the mass-delete and
> we see a significant performance increase.
>
> The patches [ab]use the fact that we know the DN structure of the hosts,
> service and groups so that we don't need to go and look them up when
> constructing the requests. Instead we take the originalMemberOf object
> and interpret the value directly from it. This is much faster than
> searching the sysdb for the original object to get its fqdn or cn value.

Patch 1/3 - Ack

Patch 2/3 - Nack, In hbac_eval_service_element(), I assume you meant to loop until i < el->num_values, count is always 1 there.

> + for (i = j = 0; i < count; i++) { > + ret = get_ipa_servicegroupname(tmp_ctx, sysdb, > + (const char *)el->values[i].data, > + &name); > + if (ret != EOK && ret != ENOENT) goto done; > > - DEBUG(6, ("Added service group [%s] to the eval request\n", > - svc->groups[i])); > + /* ENOENT means we had a memberOf entry that wasn't a > + * service group. We'll just ignore those (could be > + * HBAC rules) > + */ > + > + if (ret == EOK) { > + svc->groups[j] = talloc_steal(svc->groups, name); > + j++; > + }

Patch 3/3 - Nack, same comment as above. Also please change the comment in get_ipa_hostgroupname() from "It's not a service." to "It's not a hostgroup."
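
Review bot: the loop in the quoted hbac_eval_service_element() hunk indexes `el->values[i]` but is bounded by `i < count`, a variable the visible lines do not tie to `el`; bounding it on `el->num_values` keeps every read inside the element's value array and ensures all memberOf values are considered, so no service group is silently left out of the HBAC evaluation request. Because ENOENT results are skipped, `j` can end up smaller than the number of values, and the lines shown do not terminate `svc->groups` at index `j` after the loop; if that is not done in the part of the function not quoted here, add `svc->groups[j] = NULL;` so consumers do not walk past the last stored name. The removed `DEBUG(6, ...)` line has no replacement in the `ret == EOK` branch; logging `svc->groups[j]` there before `j++` would keep the trace of which groups entered the request.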