[sssd PR#432][comment] CACHE_REQ: Better debugging for email conflicts
by lslebodn
URL: https://github.com/SSSD/sssd/pull/432
Title: #432: CACHE_REQ: Better debugging for email conflicts
lslebodn commented:
"""
I'm sorry the error message is still vague and it will not fix the bug.
NACK.
`SYSDB_USER_EMAIL` is part of attributes requested in `SYSDB_PW_ATTRS` and used in
many functions: `sysdb_search_user_by_cert, sysdb_get_user_members_recursively, sysdb_getpwnam, sysdb_getpwuid, sysdb_enumpwent_filter, sysdb_search_user_by_cert_with_views, sysdb_search_user_override_by_name, sysdb_search_override_by_id, sysdb_add_overrides_to_object, sysdb_add_group_member_overrides, sysdb_getpwupn, sysdb_search_user_by_upn, sysdb_search_user_by_upn_res`
But you choose the wrong one. We can get more users with the same email only if `SYSDB_USER_EMAIL` is used in filter `SYSDB_PWUPN_FILTER`. And this filter is used only in the function `sysdb_search_user_by_upn_res`.
I would recommend to test patches especially close to deadlines.
"""
See the full comment at https://github.com/SSSD/sssd/pull/432#issuecomment-341659084
6 years, 5 months
Design document: Enhanced NSS API
by Sumit Bose
Hi,
please find below the design document for the enhanced NSS API which
makes e.g. the client side timeouts which where recently refactored
available to callers.
A more visual friendly version can be found at:
https://pagure.io/fork/sbose/SSSD/docs/blob/07514ce52845d47fe6bb327f782a8...
bye,
Sumit
Enhanced NSS (Name Service Switch) API
======================================
Related ticket(s):
------------------
https://pagure.io/SSSD/sssd/issue/2478
Problem statement
-----------------
The system-wide NSS API provided by glibc with calls like ``getpwnam`` etc
might be a bottleneck for applications which are only interested in the data
provide by the SSSD backends.
It would be possible to load SSSD's NSS plugin ``libnss_sss.so`` with
``dlopen`` and call the provided functions directly. But besides being a bit
cumbersome the API defined by NSS is limited and does not offer option to
control the behavior of the plugin. Hence a new API provider by SSSD to lookup
objects manages by SSSD would be beneficial.
Use cases
---------
The first users of the new API would be the FreeIPA ``extdom`` and
``slapi-nis`` plugins. Both are use to make information about users and groups
from trusted domains available and hence are only interested results from SSSD.
Both plugins are run in threads of the 389ds directory server and to work
efficiently the current mutex based locking of the connection of SSSD should be
improved.
Additionally ``slapi-nis`` caches results for performance reasons. Being a part
of 389ds it will be notified if 389ds objects like e.g. id-overrides are
modified and can drop the cached object. But since SSSD caches results as well
a new lookup of the modified object via slapi-nis might still return the old
result which will then stay in the cache of ``slapi-nis`` because no now
modification is detected. As a result ``slapi-nis`` should be able to
invalidate objects in the caches of SSSD to allow a refresh. The ``sss_cache``
is only of limited use here because it requires root privileges and currently
invalidates the whole memory cache.
Overview of the solution
------------------------
The use cases that the new API should offer a timeout option so that an
individual thread does not have to wait until the request is completely handled
by SSSD but can abandon from the request and maybe check later if a result is
available.
Additionally an option to invalidate the cached entires of an individual object
are needed. It would be possible to use a set of new calls for this but since
most of the processing of such request and similar to the lookup requests it
would be more straight forward to use a flag to indicate that the cached entry
of the found object should be invalidated.
This gives us an API with two new options, a timeout and the bit-field for
flags. The flags might be useful for future use cases as well. And the flag to
invalidate cached entries of individual objects might be used in future by the
``sss_cache`` utility to make the code simpler and to avoid to completely
remove the memory cache.
Implementation details
----------------------
Client side
~~~~~~~~~~~
Some of the flags might have influence on the client behavior. E.g. the flag to
invalidate the cached entries of an object would tell the client to bypass the
memory cache. This is needed because the memory cache will only contain the
data of object which were directly requested. But the SSSD on-disk cache might
already contain data of objects which are lookup up indirectly, e.g. groups
during a initgroups request or users while looking up group members. So a
missing entry in the memory cache does not indicate that the entry is missing
in the on-disk cache as well. Additionally memory cache and on-disk cache have
different timeouts which would require the request to go directly to the SSSD
responder as well.
For the timeout it has to be kept in mind that in a threaded environment there
are two major steps where time might be spend. First is of course the
communication with the SSSD responder. But the second is waiting on the mutex.
Currently SSSD's NSS plugin ``libnss_sss.so`` uses ``pthread_mutex_lock`` which
waits without limits until the mutex can be locked. The reason is that
``libnss_sss.so`` should restrict itself to only use glibc and not libpthread
and currently glibc only implements ``pthread_mutex_lock`` (see discussion in
https://bugzilla.redhat.com/show_bug.cgi?id=1369130 for details about this
requirement).
To wait only a limited amount of time libpthread offers ``pthread_mutex_timedlock`` but due to the restriction mentioned above this should be implemented independently of the NSS plugin code. ``libsss_nss_idmap`` looks like the most suitable place for this.
New calls
~~~~~~~~~
The API of the new calls will be defined in ``sss_nss_idmap.h``::
/**
* Flags to control the behavior and the results for sss_*_ex() calls
*/
#define SSS_NSS_EX_FLAG_NO_FLAGS 0
/** Always request data from the server side, client must be privileged to do
* so, see nss_trusted_users option in man sssd.conf for details.
* This flag cannot be used together with SSS_NSS_EX_FLAG_INVALIDATE_CACHE */
#define SSS_NSS_EX_FLAG_NO_CACHE (1 << 0)
/** Invalidate the data in the caches, client must be privileged to do
* so, see nss_trusted_users option in man sssd.conf for details.
* This flag cannot be used together with SSS_NSS_EX_FLAG_NO_CACHE */
#define SSS_NSS_EX_FLAG_INVALIDATE_CACHE (1 << 1)
/**
* @brief Return user information based on the user name
*
* @param[in] name same as for getpwnam_r(3)
* @param[in] pwd same as for getpwnam_r(3)
* @param[in] buffer same as for getpwnam_r(3)
* @param[in] buflen same as for getpwnam_r(3)
* @param[out] result same as for getpwnam_r(3)
* @param[in] flags flags to control the behavior and the results of the
* call
* @param[in] timeout timeout in milliseconds
*
* @return
* - 0:
* - ENOENT: no user with the given name found
* - ERANGE: Insufficient buffer space supplied
* - ETIME: request timed out but was send to SSSD
* - ETIMEDOUT: request timed out but was not send to SSSD
*/
int sss_nss_getpwnam_timeout(const char *name, struct passwd *pwd,
char *buffer, size_t buflen,
struct passwd **result,
uint32_t flags, unsigned int timeout);
/**
* @brief Return user information based on the user uid
*
* @param[in] uid same as for getpwuid_r(3)
* @param[in] pwd same as for getpwuid_r(3)
* @param[in] buffer same as for getpwuid_r(3)
* @param[in] buflen same as for getpwuid_r(3)
* @param[out] result same as for getpwuid_r(3)
* @param[in] flags flags to control the behavior and the results of the
* call
* @param[in] timeout timeout in milliseconds
*
* @return
* - 0:
* - ENOENT: no user with the given uid found
* - ERANGE: Insufficient buffer space supplied
* - ETIME: request timed out but was send to SSSD
* - ETIMEDOUT: request timed out but was not send to SSSD
*/
int sss_nss_getpwuid_timeout(uid_t uid, struct passwd *pwd,
char *buffer, size_t buflen,
struct passwd **result,
uint32_t flags, unsigned int timeout);
/**
* @brief Return group information based on the group name
*
* @param[in] name same as for getgrnam_r(3)
* @param[in] pwd same as for getgrnam_r(3)
* @param[in] buffer same as for getgrnam_r(3)
* @param[in] buflen same as for getgrnam_r(3)
* @param[out] result same as for getgrnam_r(3)
* @param[in] flags flags to control the behavior and the results of the
* call
* @param[in] timeout timeout in milliseconds
*
* @return
* - 0:
* - ENOENT: no group with the given name found
* - ERANGE: Insufficient buffer space supplied
* - ETIME: request timed out but was send to SSSD
* - ETIMEDOUT: request timed out but was not send to SSSD
*/
int sss_nss_getgrnam_timeout(const char *name, struct group *grp,
char *buffer, size_t buflen, struct group **result,
uint32_t flags, unsigned int timeout);
/**
* @brief Return group information based on the group gid
*
* @param[in] gid same as for getgrgid_r(3)
* @param[in] pwd same as for getgrgid_r(3)
* @param[in] buffer same as for getgrgid_r(3)
* @param[in] buflen same as for getgrgid_r(3)
* @param[out] result same as for getgrgid_r(3)
* @param[in] flags flags to control the behavior and the results of the
* call
* @param[in] timeout timeout in milliseconds
*
* @return
* - 0:
* - ENOENT: no group with the given gid found
* - ERANGE: Insufficient buffer space supplied
* - ETIME: request timed out but was send to SSSD
* - ETIMEDOUT: request timed out but was not send to SSSD
*/
int sss_nss_getgrgid_timeout(gid_t gid, struct group *grp,
char *buffer, size_t buflen, struct group **result,
uint32_t flags, unsigned int timeout);
/**
* @brief Return a list of groups to which a user belongs
*
* @param[in] name name of the user
* @param[in] gid same as second argument of getgrouplist(3)
* @param[in] groups array of gid_t of size ngroups, will be filled
* with GIDs of groups the user belongs to
* @param[in,out] ngroups size of the groups array on input. On output it
* will contain the actual number of groups the
* user belongs to. With a return value of 0 the
* groups array was large enough to hold all group.
* With a return valu of ERANGE the array was not
* large enough and ngroups will have the needed
* size.
* @param[in] flags flags to control the behavior and the results of
* the call
* @param[in] timeout timeout in milliseconds
*
* @return
* - 0: success
* - ENOENT: no user with the given name found
* - ERANGE: Insufficient buffer space supplied
* - ETIME: request timed out but was send to SSSD
* - ETIMEDOUT: request timed out but was not send to SSSD
*/
int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
gid_t *groups, int *ngroups,
uint32_t flags, unsigned int timeout);
SSSD responder side
~~~~~~~~~~~~~~~~~~~
The SSSD NSS responder has to be prepared to accept the flags in the request.
Currently only a name or a ID are expected. To handle this new request types:
* SSS_NSS_GETPWNAM_EX
* SSS_NSS_GETPWUID_EX
* SSS_NSS_GETGRNAM_EX
* SSS_NSS_GETGRGID_EX
* SSS_NSS_INITGR_EX
will be added. If the flags are not set will behave as the non-EX calls.
If ``SSS_NSS_EX_FLAG_NO_CACHE`` is set ``cache_req_data_set_bypass_cache()``
will be called so that the cache-request framework will directly request new
data from the backend.
If ``SSS_NSS_EX_FLAG_INVALIDATE_CACHE`` is set
``cache_req_data_set_bypass_dp()`` (which will be implemented with this
feature) will be called to only search the requested object in the cache. If it
was found the cached entry will be invalidate in both on-disk and memory cache.
If ``SSS_NSS_EX_FLAG_INVALIDATE_CACHE`` was sent with SSS_NSS_INITGR_EX both
the groupmembership data and the plain user data will be invalidates.
The flags ``SSS_NSS_EX_FLAG_NO_CACHE`` and ``SSS_NSS_EX_FLAG_INVALIDATE_CACHE``
cannot be used at the same time.
Since both flags might have impact on performace not all caller should be
allowed to use them. To configure which user is allowed a new option
``nss_trusted_users`` will be used which will follow the same rules as the
already existing option ``pam_trusted_users``.
Configuration changes
---------------------
A new option ``nss_trusted_users`` will be introduced. A man page entry might
look like::
nss_trusted_users (string)
Specifies the comma-separated list of UID values or user names that
are allowed to run privileged operation in the NSS responder, e.g.
bypass the cache and refresh and entry directly. Users not included
in this list will get a permissions error. User names are resolved
to UIDs at startup.
Default: Only UID 0
Please note that UID 0 is always allowed to run privileged operation
in the NSS responder even in case it is not in the nss_trusted_users
list.
How To Test
-----------
To test the new calls should be used in C-programs. If flags are used and the
calling user will not be root ``nss_trusted_users`` must be set accordingly.
How To Debug
------------
``libsss_nss_idmap`` currently does not has any logging infrastructure so only
the debug logs of the SSSD responder are available.
If the ``SSS_NSS_EX_FLAG_NO_CACHE`` or ``SSS_NSS_EX_FLAG_INVALIDATE_CACHE`` are
used on the client side ``strace`` can be used to see is the client skips the
memory cache as expected.
Authors
-------
* Sumit Bose <sbose(a)redhat.com>
6 years, 5 months