[sssd PR#650][opened] Implement a hybrid mode of generating private groups
by jhrozek
URL: https://github.com/SSSD/sssd/pull/650
Author: jhrozek
Title: #650: Implement a hybrid mode of generating private groups
Action: opened
PR body:
"""
Related:
https://pagure.io/SSSD/sssd/issue/3822
Design page PR:
https://pagure.io/SSSD/docs/pull-request/72
Commit mesages follow, hopefully they are enough to explain what is going on.
SYSDB: Special case getgrnam and getgrgid searches in hybrid MPG mode
In hybrid MPG mode, we want to return the MPG group only in case the user
entry has no original GID set. To achieve this, we first search with the
non-MPG filter to find 'real' groups. If that fails, we try the MPG filter,
but throw away entries that has any real GID set.
Related: https://pagure.io/SSSD/sssd/issue/3822
SYSDB: Refactor the mpg and non-mpg searches out of sysdb_getgrnam() and sysdb_getgrgid() to make them more reusable
The getgrnam and getgrgid searches already special-case lookups with
overrides where in some cases the search falls back no a non-MPG search.
The upcoming special case for the hybrid mode would do something similar,
just in the opposite direction, so it makes sense to split out the
functions for just the MPG step and just the non-MPG step into reusable
functions.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB/NSS: Add the hybrid MPG mode
Permits a new option value 'hybrid' for the auto_private_groups option. The
option was even previously marked as a string option in both the configAPI
and the man pages, so we don't have to change the type now.
If the hybrid mode is selected and the user's original GID number is
available, then during initgroups and getpwnam, it is used as their primary
GID instead of the MPG group. The original group is also not added as a
secondary group during initgroups in this case.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB: Read auto_private_groups as string, not bool
In preparation to adding the third value of auto_private_groups, this patch
reads the confdb value as string and checks for the option values on its
own.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Convert bool mpg to an enum mpg_mode
Instead of bool mpg inside struct sss_domain_info, let's introduce enum
mpg_mode that currently maps pretty much 1:1 to the boolean. In future
patches, a third value will be added.
Also adds a getter for the mpg_mode value because we want to discourage
getting or setting the value directly. Instead, the sss_domain_info
structure should be opaque in the future.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Add a is_domain_mpg shorthand
Instead of looking into the domain structure directly, add a
sss_domain_is_mpg() function. This will make sense when we add a third
state instead of the boolean that will also be mpg-like.
Related: https://pagure.io/SSSD/sssd/issue/3822
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/650/head:pr650
git checkout pr650
5 years, 1 month
[sssd PR#702][opened] NSS: Avoid changing the memory cache ownership away from the SSSD user
by jhrozek
URL: https://github.com/SSSD/sssd/pull/702
Author: jhrozek
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner.
And in turn, this means that users can't reliably assess the package
integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that is becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense, a
process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set to
read only.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702
5 years, 4 months
[sssd PR#701][opened] ci: add ability to run tests in jenkins
by pbrezina
URL: https://github.com/SSSD/sssd/pull/701
Author: pbrezina
Title: #701: ci: add ability to run tests in jenkins
Action: opened
PR body:
"""
Jenkins master polls github for new branches and pull requests. When it discovers new pull request or branch or changes to existing pull request or branch it will allocate a jenkins agent and executes pipeline defined in `./Jenkinsfile` (in SSSD source) on this agent.
The pipeline executes `./contrib/test-suite/run.sh` and archives logs when testing is finished. Script `./contrib/test-suite/run.sh` prepares sssd-test-suite, starts the vagrant machines and copy SSSD source code to the client machine. Then it calls `./contrib/test-suite/run-client.sh` on the client machine which runs continuous integration tests.
### Extending current tests
To extend current testing capabilities, modify `./contrib/test-suite/run.sh` and `./contrib/test-suite/run-client.sh` to new requirements. These files can be modified by anyone but are considered untrusted from contributor that is not an administrator of SSSD repository. This means that if a public contributor submits a pull request that changes those files, Jenkins will refuse to run tests.
### Adding additional distribution to test on
You need to modify `./Jenkinsfile`. Simply copy, paste and amend existing Fedora 28 stage. This file is also considered untrusted so only administrators can modify it within a pull request.
You also need to extend `sssd-test-suite` and prepare vagrant boxes for this distro.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/701/head:pr701
git checkout pr701
5 years, 4 months