File 1101536-SDAP-Set-initgroups-expire-attribute-at... of Package sssd.5306

Overview Repositories Revisions Requests Users Attributes Meta

File 1101536-SDAP-Set-initgroups-expire-attribute-at-the-end.patch of Package sssd.5306

From 9ae6567a573c05ba59d1138cfda94b44732019e8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 15 May 2015 15:05:28 +0200
Subject: [PATCH] SDAP: Set initgroups expire attribute at the end
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.

Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.

This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.

In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
 a) Time between two request was too small. User was not stored in cache
    yet and 2nd request waited for response from DP.
 b) Time between two request was big enough. All users groups were
    successfully stored in cache and 2nd request returned correct results.

Resolves:
https://fedorahosted.org/sssd/ticket/2634

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d0cc678d20d8bde829450eb50bec1b7397cea3e1)
---
 src/providers/ldap/ldap_id.c          | 42 +++++++++++++++++++++++++++++++++++
 src/providers/ldap/sdap_async_users.c |  9 --------
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 63098a82e9..1a44de8521 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -977,6 +977,40 @@ static int groups_by_user_retry(struct tevent_req *req);
 static void groups_by_user_connect_done(struct tevent_req *subreq);
 static void groups_by_user_done(struct tevent_req *subreq);
 
+static errno_t set_initgroups_expire_attribute(struct sysdb_ctx *sysdb, struct sss_domain_info *domain,
+                                               const char *name)
+{
+    errno_t ret;
+    time_t cache_timeout;
+    struct sysdb_attrs *attrs;
+
+    attrs = sysdb_new_attrs(NULL);
+    if (attrs == NULL) {
+        return ENOMEM;
+    }
+
+    cache_timeout = domain->user_timeout
+                        ? time(NULL) + domain->user_timeout
+                        : 0;
+
+    ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, cache_timeout);
+    if (ret != EOK) {
+        
+        goto done;
+    }
+
+    ret = sysdb_set_user_attr(sysdb, domain, name, attrs, SYSDB_MOD_REP);
+    if (ret != EOK) {
+         
+         
+        goto done;
+    }
+
+done:
+    talloc_zfree(attrs);
+    return ret;
+}
+
 static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
                                               struct tevent_context *ev,
                                               struct sdap_id_ctx *ctx,
@@ -1121,6 +1155,14 @@ static void groups_by_user_done(struct tevent_req *subreq)
         }
     }
 
+    ret = set_initgroups_expire_attribute(state->ctx->be->domain->sysdb, state->ctx->be->domain,
+                                          state->name);
+    if (ret != EOK) {
+        state->dp_error = DP_ERR_FATAL;
+        tevent_req_error(req, ret);
+        return;
+    }
+
     state->dp_error = DP_ERR_OK;
     tevent_req_done(req);
 }
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 82b4df4793..89e5ae558f 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -467,15 +467,6 @@ int sdap_save_user(TALLOC_CTX *memctx,
 
     cache_timeout = dom->user_timeout;
 
-    if (is_initgr) {
-        ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_INITGR_EXPIRE,
-                                     (cache_timeout ?
-                                      (time(NULL) + cache_timeout) : 0));
-        if (ret) {
-            goto done;
-        }
-    }
-
     ret = sdap_save_all_names(user_name, attrs, dom, user_attrs);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to save user names\n"));

Places

File 1101536-SDAP-Set-initgroups-expire-attribute-at-the-end.patch of Package sssd.5306

Places