URL: https://github.com/SSSD/sssd/pull/806
Title: #806: sudo: always use server highest usn for smart refresh

sumit-bose commented:
"""
> Because the search result contains only sudo object (or nothing), it is quite 
> possible that `srv_opts->max_sudo_value <= newusn < srv_opts->last_usn` 
> therefore before the patch we would set `srv_opts->max_sudo_value` to a value 
> that is lower than `srv_opts->last_usn`. With the patch we always use the 
> highest known usn value and it will get updated with each refresh.

Thanks for the explanation. But in my testing it looks like srv_opts->last_usn 
is basically never updated. It is set at the first connection setup. On every 
reconnect (by default every 15min) it is read again, but as long as the server 
stays the same it is not updated, as can be seen here where I used a shorter 
ldap_connection_expire timeout:

```
(Fri May  3 17:59:26 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406238
(Fri May  3 17:59:36 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 17:59:36 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406239
(Fri May  3 17:59:46 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 17:59:46 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406240
(Fri May  3 17:59:56 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 17:59:56 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406241
(Fri May  3 18:00:06 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:06 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406242
(Fri May  3 18:00:16 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:16 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406243
(Fri May  3 18:00:26 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:26 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406244
(Fri May  3 18:00:36 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:36 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406245
(Fri May  3 18:00:46 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:46 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406246
(Fri May  3 18:00:56 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:00:56 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406247
(Fri May  3 18:01:06 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:01:06 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406248
(Fri May  3 18:01:16 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:01:16 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406249
(Fri May  3 18:01:26 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
(Fri May  3 18:01:26 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2405656, New USN: 2406250
```

If I add

```
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index e81aaf4..4a3670e 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1460,8 +1460,9 @@ void sdap_steal_server_opts(struct sdap_id_ctx *id_ctx,
     }
 
     /* discard if same as previous so we do not reset max usn values
-     * unnecessarily */
+     * unnecessarily, only update last_usn. */
     if (strcmp(id_ctx->srv_opts->server_id, (*srv_opts)->server_id) == 0) {
+        id_ctx->srv_opts->last_usn = (*srv_opts)->last_usn;
         talloc_zfree(*srv_opts);
         return;
     }
``` 
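Review bot: the added assignment in the `strcmp(...) == 0` branch copies `(*srv_opts)->last_usn` unconditionally, so a reconnect to the same server that reports a lower or unset value would move `id_ctx->srv_opts->last_usn` backwards. Consider updating only when the new value is higher, e.g. `if ((*srv_opts)->last_usn > id_ctx->srv_opts->last_usn)` in front of the assignment, assuming `last_usn` is a numeric field as the logged values suggest. The reworded comment could also state why `last_usn` is the one field refreshed here while the max usn values are left alone.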

I see

```
(Fri May  3 18:19:37 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406361, New USN: 2406362
(Fri May  3 18:19:47 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406363)
(Fri May  3 18:19:47 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406362, New USN: 2406363
(Fri May  3 18:19:57 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406364)
(Fri May  3 18:19:57 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406363, New USN: 2406368
(Fri May  3 18:20:07 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406369)
(Fri May  3 18:20:07 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406368, New USN: 2406369
(Fri May  3 18:20:17 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406370)
(Fri May  3 18:20:17 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406369, New USN: 2406370
(Fri May  3 18:20:27 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406371)
(Fri May  3 18:20:27 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406370, New USN: 2406376
(Fri May  3 18:20:37 2019) [sssd[be[ad.devel]]] [sdap_sudo_smart_refresh_send] 
(0x0400): Issuing a smart refresh of sudo rules (USN >= 2406377)
(Fri May  3 18:20:37 2019) [sssd[be[ad.devel]]] [sdap_id_op_connect_done] 
(0x2000): Old USN: 2406376, New USN: 2406377
```

But even in this case it has to be documented that the highest USN is not 
updated after each smart refresh but only during a reconnect. Since both 
timeout values (reconnect and smart refresh) are 15min by default it will 
effectively be the case but if one of the values is modified this might change.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/806#issuecomment-489157607
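A log check for the behaviour described in the comment above, as an added example that is not part of the PR or of SSSD: it pairs each smart refresh with the last `New USN` reported at reconnect and flags a filter that never advances. The function names `refresh_lag` and `filter_stalled` are hypothetical, the sample lines are abridged from the two excerpts in the comment, and the only assumption is the two debug message formats shown there.

```python
import re

# Matches the two debug messages quoted in the comment; \s+ tolerates the
# line wrapping that the mail archive introduces inside a record.
EVENT = re.compile(
    r"Old\s+USN:\s+(?P<old>\d+),\s+New\s+USN:\s+(?P<new>\d+)"
    r"|smart\s+refresh\s+of\s+sudo\s+rules\s+\(USN\s+>=\s+(?P<flt>\d+)\)"
)

def refresh_lag(log_text):
    """Return [(filter_usn, server_usn, lag)], one tuple per smart refresh.

    server_usn is the most recent "New USN" logged before the refresh;
    lag is 0 when the filter starts right after that value.
    """
    rows, server_usn = [], None
    for m in EVENT.finditer(log_text):
        if m.group("new"):
            server_usn = int(m.group("new"))
        elif server_usn is not None:
            flt = int(m.group("flt"))
            rows.append((flt, server_usn, server_usn + 1 - flt))
    return rows

def filter_stalled(log_text):
    """True if the server USN advanced across refreshes but the filter did not."""
    rows = refresh_lag(log_text)
    if len(rows) < 2:
        return False
    return len({r[0] for r in rows}) == 1 and rows[-1][1] > rows[0][1]

# Abridged sample lines (timestamps and domain dropped) from the first excerpt.
BEFORE_PATCH = """
[sdap_id_op_connect_done] (0x2000): Old USN: 2405656, New USN: 2406238
[sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo
rules (USN >= 2405657)
[sdap_id_op_connect_done] (0x2000): Old USN: 2405656, New USN: 2406239
[sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo rules (USN >= 2405657)
"""

# Abridged sample lines from the second excerpt (with the sdap.c change).
AFTER_PATCH = """
[sdap_id_op_connect_done] (0x2000): Old USN: 2406361, New USN: 2406362
[sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo rules (USN >= 2406363)
[sdap_id_op_connect_done] (0x2000): Old USN: 2406362, New USN: 2406363
[sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo rules (USN >= 2406364)
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        print(name, refresh_lag(text), "stalled:", filter_stalled(text))
```
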