Hello,
I've started the design page for Invalidating cached sudo rules here:
https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOCachingRulesInvalidate
This task consists of two tickets (see below). So far, I have worked on
the first one. The second one is waiting for the SSSD Status Tool.
For your convenience, I've included the text below as well:
= Invalidate Cached SUDO Rules =
Related ticket(s):
* https://fedorahosted.org/sssd/ticket/2081
* https://fedorahosted.org/sssd/ticket/2884
=== Problem statement ===
Currently sss_cache can't be used to reliably invalidate sudo rules.
=== Use cases ===
Usually, when an admin changes sudo rules, they would like to see the
effect immediately.
=== Overview of the solution ===
Sudo rules are stored in the sss_cache. Periodically a ''smart'' or ''full''
refresh of sudo rules is done, but there is no effective way to
invalidate them on demand (see
https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOCachingRules).
The solution consists of two steps:
1. Invalidate sudo rules by setting their expiration time to 0, which
prevents old rules from being used.
2. Trigger a full refresh (and maybe even a smart refresh) on demand.
=== Implementation details ===
==== Invalidating sudo rules ====
SSSD provides the tool sss_cache for invalidating cached items.
{{{
$ sss_cache --help
Usage: sss_cache [OPTION...]
-E, --everything Invalidate all cached entries except for
sudo rules
-u, --user=STRING Invalidate particular user
-U, --users Invalidate all users
-g, --group=STRING Invalidate particular group
-G, --groups Invalidate all groups
-n, --netgroup=STRING Invalidate particular netgroup
-N, --netgroups Invalidate all netgroups
-s, --service=STRING Invalidate particular service
-S, --services Invalidate all services
-a, --autofs-map=STRING Invalidate particular autofs map
-A, --autofs-maps Invalidate all autofs maps
-h, --ssh-host=STRING Invalidate particular SSH host
-H, --ssh-hosts Invalidate all SSH hosts
-d, --domain=STRING Only invalidate entries from a particular
domain
Help options:
-?, --help Show this help message
--usage Display brief usage message
}}}
We need to:
* add the option `--sudo-rule=STRING` for invalidating only the sudo rule
named STRING,
* add the option `--sudo-rules` for invalidating all sudo rules,
* change the option `--everything` so that it invalidates sudo rules too.
For these changes we will provide a new function
`sysdb_search_sudo_rules()` in `db/sysdb_sudo.{hc}`.
{{{
#!C
/* Search the cached sudo rules of 'domain' matching 'filter' (e.g. by
 * name), returning 'attrs' of each match. The synopsis is inspired by the
 * other sysdb_search_*() functions; the out parameters are named for rules
 * rather than hosts, which the earlier draft had copied from
 * sysdb_search_ssh_hosts(). */
errno_t
sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
                        struct sss_domain_info *domain,
                        const char *filter,
                        const char **attrs,
                        size_t *num_rules,
                        struct ldb_message ***rules);
}}}
This new function will be able to find a sudo rule by a given name (via
the filter). On the other hand, there is already the function
`sudosrv_get_sudorules_query_cache()` in
`responder/sudo/sudosrv_get_sudorules.c` which has very similar
behavior. It may be a candidate for proxying and moving to
`db/sysdb_sudo.{hc}`.
--
Petr^4 Cech
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
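The two-step scheme from the design above (set the expiration time to 0, then refresh on demand), as an added example that is not SSSD code: an in-memory stand-in for the sysdb sudo cache with a constructed rule set. The rule names and domains are invented, and the freshness check assumes the cache reads an expiration time of 0 as "expired", which is worth verifying against the real sysdb filters before implementing.

```c
#include <string.h>
#include <time.h>

/* Constructed in-memory stand-in for sudo rules in the sysdb cache. */
struct sudo_rule {
    const char *name;    /* rule name (cn) */
    const char *domain;  /* SSSD domain the rule belongs to */
    time_t expire;       /* dataExpireTimestamp; 0 marks an invalidated rule */
};
#define NRULES 3
static struct sudo_rule rules[NRULES] = {
    { "allow_reboot", "example.test", 0 },
    { "allow_mount",  "example.test", 0 },
    { "allow_backup", "other.test",   0 },
};
/* Give every rule a fresh one-hour lifetime, as a full refresh would. */
void seed_rules(time_t now)
{
    for (size_t i = 0; i < NRULES; i++) rules[i].expire = now + 3600;
}
/* Step 1: invalidate by setting the expiration time to 0.  name == NULL means
 * all rules (--sudo-rules), else only that rule (--sudo-rule=NAME); domain ==
 * NULL means no --domain restriction.  Returns how many were invalidated. */
int invalidate_sudo_rules(struct sudo_rule *r, size_t n,
                          const char *name, const char *domain)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (name != NULL && strcmp(r[i].name, name) != 0) continue;
        if (domain != NULL && strcmp(r[i].domain, domain) != 0) continue;
        r[i].expire = 0;
        count++;
    }
    return count;
}

/* A rule may be served from the cache only while fresh; 0 must read as
 * "expired", never as "never expires", or invalidation would be a no-op
 * (assumption about the cache's reading of 0, see lead-in). */
int sudo_rule_is_fresh(const struct sudo_rule *r, time_t now)
{
    return r->expire != 0 && now < r->expire;
}
/* Step 2: a refresh should be triggered as soon as any rule is stale. */
int sudo_refresh_needed(const struct sudo_rule *r, size_t n, time_t now)
{
    for (size_t i = 0; i < n; i++)
        if (!sudo_rule_is_fresh(&r[i], now)) return 1;
    return 0;
}
```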