URL: https://github.com/SSSD/sssd/pull/390 Author: mzidek-rh Title: #390: NSS: Add option to disable memcache Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/390/head:pr390 git checkout pr390
From 4c9925d07cd1383a0805339f0cfee7be2fd2829e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Wed, 13 Sep 2017 12:53:08 +0200 Subject: [PATCH] NSS: Add option to disable memcache Added option use_memcache to centrally disable memcache for all clients without the need to specify SSS_NSS_USE_MEMCACHE=NO environment variable. Resolves: https://pagure.io/SSSD/sssd/issue/3496 --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/man/sssd.conf.5.xml | 20 ++++++++++++++ src/responder/nss/nsssrv.c | 51 ++++++++++++++++++++++------------ src/tests/intg/test_memory_cache.py | 53 ++++++++++++++++++++++++++++++++++++ 6 files changed, 110 insertions(+), 17 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index bcea99ae4..da7fdaed2 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -108,6 +108,7 @@ #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback" #define CONFDB_NSS_DEFAULT_SHELL "default_shell" #define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout" +#define CONFDB_NSS_USE_MEMCACHE "use_memcache" #define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring" #define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 227f76180..76c5abe8b 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -85,6 +85,7 @@ option_strings = { 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), 'default_shell': _('Shell to use if the provider does not list one'), 'memcache_timeout': _('How long will be in-memory cache records valid'), + 'use_memcache': _('Whether to use fast in-memory cache'), 'user_attributes': _('List of user attributes the NSS responder is allowed to publish'), # [pam] diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index f3d30b9b3..b02002b75 100644 
--- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -90,6 +90,7 @@ option = shell_fallback option = default_shell option = get_domains_timeout option = memcache_timeout +option = use_memcache [rule/allowed_pam_options] validator = ini_allowed_options diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 11496341d..f992622d3 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -988,6 +988,26 @@ fallback_homedir = /home/%u </listitem> </varlistentry> <varlistentry> + <term>use_memcache (bool)</term> + <listitem> + <para> + Whether to use in-memory cache to improve + performance. If this option is set to False, + the environment variable SSS_NSS_USE_MEMCACHE + is ignored. + </para> + <para> + Default: True + </para> + <para> + NOTE: If the environment variable + SSS_NSS_USE_MEMCACHE is set to "NO", client + applications will not use the fast in-memory + cache. + </para> + </listitem> + </varlistentry> + <varlistentry> <term>user_attributes (string)</term> <listitem> <para> diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index d67b9fac8..b3449685a 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -264,6 +264,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx, int ret, max_retries; enum idmap_error_code err; int fd_limit; + bool use_memcache; nss_cmds = get_nss_cmds(); 
@@ -351,26 +352,42 @@ int nss_process_init(TALLOC_CTX *mem_ctx, goto fail; } - /* TODO: read cache sizes from configuration */ - ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD, - SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, - &nctx->pwd_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); - } - ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP, - SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, - &nctx->grp_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); + ret = confdb_get_bool(nctx->rctx->cdb, + CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_USE_MEMCACHE, + true, &use_memcache); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get 'use_memcache' option from confdb.\n"); + goto fail; } - ret = sss_mmap_cache_init(nctx, "initgroups", SSS_MC_INITGROUPS, - SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, - &nctx->initgr_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); + if (use_memcache) { + /* TODO: read cache sizes from configuration */ + ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD, + SSS_MC_CACHE_ELEMENTS, + (time_t)memcache_timeout, + &nctx->pwd_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); + } + + ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP, + SSS_MC_CACHE_ELEMENTS, + (time_t)memcache_timeout, + &nctx->grp_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); + } + + ret = sss_mmap_cache_init(nctx, "initgroups", SSS_MC_INITGROUPS, + SSS_MC_CACHE_ELEMENTS, + (time_t)memcache_timeout, + &nctx->initgr_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); + } } /* Set up file descriptor limits */ diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py index c7ba72490..b8eedde30 100644 --- a/src/tests/intg/test_memory_cache.py +++ b/src/tests/intg/test_memory_cache.py 
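Review bot: When `use_memcache` is false the new block only skips the three `sss_mmap_cache_init()` calls, so nothing in this hunk removes or invalidates passwd/group/initgroups cache files left by an earlier run that had the memory cache enabled. Whether `sss_mmap_cache_init()` is what normally replaces those files is not visible here, but if it is, clients that map the files directly could keep answering from stale identity records (an outdated group membership, for example) after the administrator has disabled the cache centrally. I would add an `else` branch that removes or invalidates the existing cache files, with a comment such as `/* use_memcache = false: mc contexts stay NULL, stale cache files must not remain readable */`. It is also worth confirming that every later user of `nctx->pwd_mc_ctx`, `grp_mc_ctx` and `initgr_mc_ctx` tolerates NULL; `nss_process_init` starts and ends outside the hunk.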
@@ -130,6 +130,32 @@ def load_data_to_ldap(request, ldap_conn): @pytest.fixture +def disable_memcache_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + use_memcache = false + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture def sanity_rfc2307(request, ldap_conn): load_data_to_ldap(request, ldap_conn) @@ -778,3 +804,30 @@ def test_removed_mc(ldap_conn, sanity_rfc2307): grp.getgrnam('group1') with pytest.raises(KeyError): grp.getgrgid(2001) + + +def test_disabled_mc(ldap_conn, disable_memcache_rfc2307): + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) + ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) + stop_sssd() + + # sssd is stopped and the memory cache is disabled; + # so pytest should not be able to find anything + with pytest.raises(KeyError): + pwd.getpwnam('user1') + with pytest.raises(KeyError): + pwd.getpwuid(1001) + + with pytest.raises(KeyError): + grp.getgrnam('group1') + with pytest.raises(KeyError): + grp.getgrgid(2001)
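Review bot: The new fixture `disable_memcache_rfc2307` has no docstring and ends with a redundant `return None`; a one-line docstring such as `"""Start SSSD on the rfc2307 test data with use_memcache = false in [nss]."""` would tell readers how it differs from `sanity_rfc2307`. The template is filled with `.format(**locals())`, which hands every local name to the formatter; `.format(ldap_conn=ldap_conn)` names the one value the template actually uses.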
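Review bot: As far as the hunk shows, `test_disabled_mc` only covers a start from a fresh configuration, so its `KeyError` assertions after `stop_sssd()` say nothing about a host where cache files from an earlier run with the memory cache enabled still exist. A second case would pin the behaviour administrators rely on when they turn the option off: run SSSD once with the cache enabled, resolve `user1` and `group1`, restart with `use_memcache = false`, stop it and then expect `KeyError`. The comment before the assertions could also state what is being checked, e.g. `# sssd is stopped and no memory cache was created, so NSS lookups must fail`.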