URL: https://github.com/SSSD/sssd/pull/806
Author: pbrezina
Title: #806: sudo: always use server highest usn for smart refresh
Action: opened

PR body:
"""
The sudo attributes may not be indexed on the server, therefore if smart refresh filter is run on the server it may first search using the indexed entryusn attribute and run the rest of the filter on non-sudo objects. The number of objects that are filtered may increase dramatically if sudo rules are not changed for a long time (and thus keeping smaller and smaller last sudo usn number).

This patch makes sure that highest sudo usn number is always set to the highest server usn number after each refresh.

Resolves: https://pagure.io/SSSD/sssd/issue/3997
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/806/head:pr806
git checkout pr806
From 2b0c93ae699113dbc7f8517b6788ecb13d7c871b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 23 Apr 2019 13:37:01 +0200 Subject: [PATCH] sudo: always use server highest usn for smart refresh The sudo attributes may not be indexed on the server, therefore if smart refresh filter is run on the server it may first search using the indexed entryusn attribute and run the rest of the filter on non-sudo objects. The number of objects that are filtered may increase dramatically if sudo rules are not changed for a long time (and thus keeping smaller and smaller last sudo usn number). This patch makes sure that highest sudo usn number is always set to the highest server usn number after each refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3997 --- src/providers/ldap/sdap_sudo_shared.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c index 66b788702f..d2f24ed6e2 100644 --- a/src/providers/ldap/sdap_sudo_shared.c +++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -174,28 +174,17 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, return; } - if (usn_number == 0) { - /* Zero means that there were no rules on the server, so we have - * nothing to store. */ - DEBUG(SSSDBG_TRACE_FUNC, "SUDO USN value is empty.\n"); - return; + if (usn_number > srv_opts->last_usn) { + srv_opts->last_usn = usn_number; } - newusn = sdap_sudo_new_usn(srv_opts, usn_number, endptr); + newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr); if (newusn == NULL) { return; } - if (sysdb_compare_usn(newusn, srv_opts->max_sudo_value) > 0) { - talloc_zfree(srv_opts->max_sudo_value); - srv_opts->max_sudo_value = newusn; - } else { - talloc_zfree(newusn); - } - - if (usn_number > srv_opts->last_usn) { - srv_opts->last_usn = usn_number; - } + talloc_zfree(srv_opts->max_sudo_value); + srv_opts->max_sudo_value = newusn; DEBUG(SSSDBG_FUNC_DATA, "SUDO higher USN value: [%s]\n", srv_opts->max_sudo_value);
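Review bot: With the `usn_number == 0` early return removed at the top of this hunk, a refresh that finds no sudo rules now falls through to `sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr)` and overwrites `max_sudo_value`; if `srv_opts->last_usn` is also still 0 at that point, the stored value is built from zero, which is the case the deleted comment described as having "nothing to store". Please either keep a guard for `srv_opts->last_usn == 0` or add a comment explaining why storing that value is safe for the next smart refresh filter. Two related points in the same hunk: the `sysdb_compare_usn()` check is gone, so `max_sudo_value` is replaced even when the new value would compare lower than the current one, which relies on `last_usn` never lagging behind a previously stored sudo USN; and `endptr` was previously passed together with `usn_number` but is now paired with `srv_opts->last_usn`, so it is worth confirming the two always belong to the same value. The unchanged DEBUG text "SUDO higher USN value" could also be reworded, since the value is no longer chosen by comparison.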