On Thu, 2016-08-25 at 14:24 +0300, Nikolai Kondrashov wrote:
Hi Simo,
Thanks for looking at the patches and for the feedback!
I'm replying below.
On 08/24/2016 11:24 PM, Simo Sorce wrote:
> On Tue, 2016-08-23 at 17:24 +0300, Nikolai Kondrashov wrote:
>> Hi everyone,
>>
>> Attached is the third version of work-in-progress SSSD/tlog integration
>> patches. I'm sending them in the hope that somebody takes a look and
>> perhaps points out some wrong bits I can fix before I'm too dependent on
>> them.
>>
>> The changes from the last version is some refactoring of the NSS and the
>> common parts, plus start of the PAM part of the implementation.
>>
>> Also, at this point, I think I could contribute some general fixes and
>> prerequisite refactoring patches separately.
>
> So I have been going through the patchset and I have concerns about how
> you are determining if the shell needs to be substituted with the
> session recording shell.
> It seem you do this work every single time a getpwname/uis/etc request
> is run. this is very expensive as you do a full group search on each of
> those requests, to find data that arguably rarely changes.
>
> I think in general this should be done at "write" time not at
"read"
> time.
> Ie whenever the the session recording configuration changes or when a
> new user is written in the cache, then you should check if session
> recording apply to this user and write an attribute in the user entry.
>
> On getpwnam/uid/ent calls you would look for those calls and replace the
> shell entry accordingly.
>
> Unless there is some very good reason to do it always at query time this
> is, I am afraid, a nack on the approach.
I'm not sure I fully understand your suggestion, but I like it so far.
I wanted to do something like this from the start, but Sumit had some concerns
which I can't quite remember now.
Sumit, maybe you can take a look at this?
I'll try to describe what I think you mean. So, we can modify the
user cache-filling machinery to look at the session recording configuration
upon adding a new user, and if session recording is enabled for the user
(in whatever way), add an attribute signifying that. Then NSS could just check
that attribute and substitute the shell when needed. I assume PAM would also
be able to do that. Although it would still need the shell override logic,
currently residing in NSS (I started another thread on this). Is that what you
mean?
Yes
Still, I have a bunch of concerns about this, which perhaps you can
help me
resolve.
Would it be OK for the cache machinery to also pull groups into the cache, for
which session recording is enabled, so that it can check if the user belongs
to them? It would need to fetch them by names that the administrator would put
into the configuration. I.e. with all the overrides, whitespace, and other
changes.
I am a bit concerned that this list is based on group names in general,
how do you deal with local groups that list a remote user as member ?
Similarly, would the cache machinery be in a good position to
understand the
names of the users listed in the session recording configuration? I.e. I
expect the administrators would like to put there names as they see them. Also
with overrides, whitespace and other tweaks NSS does.
You have access to the same configuration rules that the frontend has
access to if you need, so you can do whatever mapping is needed at store
time.
Then, I expect we need to check whether a user should be recorded
also on
cache refresh, not only on initial addition and configuration change. Because
groups can go away, or their names might change due to overrides.
The check needs to be performed any time that:
- a user is added or refreshed
- a group is added or refreshed (memberships changed)
- the session recording configuration is changed
Lastly, user names might change due to overrides. Can this approach
handle it?
afaik overrides are also store in cache so it can be taken in account.
I am curious about what are Sumit concerns though.
Simo.
--
Simo Sorce * Red Hat, Inc * New York