On Tue, 2016-08-23 at 17:24 +0300, Nikolai Kondrashov wrote:
Hi everyone,

Attached is the third version of work-in-progress SSSD/tlog integration patches. I'm sending them in the hope that somebody takes a look and perhaps points out some wrong bits I can fix before I'm too dependent on them.

The changes from the last version are some refactoring of the NSS and the common parts, plus the start of the PAM part of the implementation.

Also, at this point, I think I could contribute some general fixes and prerequisite refactoring patches separately.

So I have been going through the patchset and I have concerns about how you are determining if the shell needs to be substituted with the session recording shell.

It seems you do this work every single time a getpwnam/uid/etc request is run. This is very expensive, as you do a full group search on each of those requests to find data that arguably rarely changes.

I think in general this should be done at "write" time, not at "read" time.

I.e., whenever the session recording configuration changes or when a new user is written in the cache, you should check if session recording applies to this user and write an attribute in the user entry.

On getpwnam/uid/ent calls you would look for those calls and replace the shell entry accordingly.

Unless there is some very good reason to do it always at query time, this is, I am afraid, a nack on the approach.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
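
The write-time approach described in the reply above, sketched as an added example. It is not part of the original message and not SSSD code: the toy cache, every function name and the recording-shell path are hypothetical, and `group_searches` only counts how often the expensive group evaluation runs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical toy cache; none of these names or paths are SSSD's. */
#define REC_SHELL "/placeholder/session-recording-shell"
#define MAX_USERS 8
struct user { const char *name, *shell, *groups[4]; int recorded; };

static struct user cache[MAX_USERS];
static size_t n_users;
static const char *rec_groups[4];  /* groups configured for recording */
static unsigned group_searches;    /* counts the expensive evaluation */

/* Expensive part: match the user's groups against the configuration. */
static int evaluate(const struct user *u) {
    group_searches++;
    for (size_t i = 0; i < 4 && u->groups[i]; i++)
        for (size_t j = 0; j < 4 && rec_groups[j]; j++)
            if (strcmp(u->groups[i], rec_groups[j]) == 0) return 1;
    return 0;
}
/* Write path 1: a user entry is stored, the attribute is computed once. */
int cache_store(struct user u) {
    if (n_users == MAX_USERS) return -1;
    u.recorded = evaluate(&u);
    cache[n_users++] = u;
    return 0;
}
/* Write path 2: configuration changed, so every cached entry is re-evaluated. */
void config_set_groups(const char *g0, const char *g1) {
    rec_groups[0] = g0; rec_groups[1] = g1; rec_groups[2] = NULL;
    for (size_t i = 0; i < n_users; i++)
        cache[i].recorded = evaluate(&cache[i]);
}
/* Read path (getpwnam-like): consults the stored attribute only. */
const char *lookup_shell(const char *name) {
    for (size_t i = 0; i < n_users; i++)
        if (strcmp(cache[i].name, name) == 0)
            return cache[i].recorded ? REC_SHELL : cache[i].shell;
    return NULL;
}

int main(void) {
    config_set_groups("admins", NULL);
    cache_store((struct user){ .name = "alice", .shell = "/bin/bash",
                               .groups = { "admins" } });
    printf("%s (group searches: %u)\n", lookup_shell("alice"), group_searches);
    return 0;
}
```

With this layout the stored attribute is only as fresh as the last write, so any change to the recording configuration or to cached group membership has to go through one of the two write paths; otherwise a lookup can return the unrecorded shell.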