These 2 patches significantly limit the number of unindexed LDAP searches we do
in IPA. I used our unit test suite as a good source of different LDAP searches
run by our command suite.

Most of the remaining unindexed searches are produced either by our general
term search ("ipa service-find TERM"), which hits every object parameter, or by
DNS commands (idnsname is not indexed yet). I am thinking about indexing
idnsName as well...

Martin

From 96506ba2fbe2445def86faef466b8b90b83da35f Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 25 Sep 2012 17:16:20 +0200
Subject: [PATCH 1/2] Index ipakrbprincipalalias and ipaautomountkey
 attributes

An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.

Add both indexes to new and updated IPA installs.

https://fedorahosted.org/freeipa/ticket/3020
---
 install/share/indices.ldif        | 16 ++++++++++++++++
 install/updates/20-indices.update | 14 ++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 59936585cd63ec264a80d90792e1b49307da7bfa..1e1a5e9c790eb967b32bd712be0a881c480151c6 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -192,3 +192,19 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+
+dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: automountkey
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipakrbprincipalalias
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
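Review bot: The first added entry indexes "automountkey" (dn: cn=automountkey,cn=index,... and cn: automountkey), but the commit subject and body both name the attribute "ipaautomountkey". One of the two is wrong: if the unindexed filter seen when adding keys is on ipaautomountkey, this index will not be used and the search stays unindexed; if automountkey is the intended attribute, fix the commit message. The same name is used in the 20-indices.update hunk, so whichever way this is resolved, change both files together.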
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 80ac66c8a17dc59de39746385b551e0c3f9af886..323fb9cc8fa97be5b88666bcee176c43129e0411 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -116,3 +116,17 @@ default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
 default:nsIndexType: pres
+
+dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: automountkey
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
+
+dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipakrbprincipalalias
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
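Review bot: Both entries added at the end of this file declare only "default:nsIndexType: eq", while the entry in the context lines just above carries eq and pres. An equality index does not serve presence filters such as (ipakrbprincipalalias=*), so if any caller uses that form the search stays unindexed. Either add pres, or say in the commit message that only equality filters are issued against these two attributes.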
-- 
1.7.11.4

From 7b4c5d0d5e9032ce466f4df1498ac916df609c71 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 25 Sep 2012 17:19:44 +0200
Subject: [PATCH 2/2] Do not produce unindexed search on every DEL command

Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
---
 ipalib/plugins/baseldap.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 14a46f2d0344c4276ec98091314b15e6e552ed77..62e9d2978e8166c7341f8cfb07e7a9af90605c9d 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1424,7 +1424,13 @@ class LDAPDelete(LDAPMultiQuery):
                 except errors.NotFound:
                     self.obj.handle_not_found(*nkeys)
 
-            delete_subtree(dn)
+            try:
+                self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn, normalize=self.obj.normalize_dn)
+            except errors.NotFound:
+                self.obj.handle_not_found(*nkeys)
+            except errors.DatabaseError:
+                # this entry may not be a leaf entry, try to delete all child nodes
+                delete_subtree(dn)
 
             for callback in self.get_callbacks('post'):
                 result = callback(self, ldap, dn, *nkeys, **options)
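Review bot: The "except errors.DatabaseError:" branch treats every database error from ldap.delete_entry as "entry has children" and falls back to delete_subtree(dn). An unrelated failure would then trigger the "(objectclass=*)" subtree search this patch is trying to avoid, and the original error would be replaced by whatever delete_subtree raises. Catch only the non-leaf case (a dedicated exception mapped from the server's not-allowed-on-non-leaf result, if one is available or can be added) and let other DatabaseError instances propagate. The delete_entry call line is also well over 80 columns and should be wrapped.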
-- 
1.7.11.4
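
The access log audit mentioned in the second commit message can be scripted. The following is an added example, not part of the original message or of FreeIPA: it pairs each SRCH line of a 389 Directory Server access log with its RESULT line and reports the filter attributes of searches the server flagged with notes=U (unindexed). The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the 389 Directory Server access-log layout (not from the post).
SAMPLE_LOG = '''\
[25/Sep/2012:17:20:01 +0200] conn=7 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(ipakrbprincipalalias=admin@EXAMPLE.COM)" attrs="krbPrincipalName"
[25/Sep/2012:17:20:01 +0200] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[25/Sep/2012:17:20:02 +0200] conn=7 op=2 SRCH base="uid=tuser,cn=users,cn=accounts,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="dn"
[25/Sep/2012:17:20:02 +0200] conn=7 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Sep/2012:17:20:03 +0200] conn=8 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=tuser)" attrs=ALL
[25/Sep/2012:17:20:03 +0200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:17:20:04 +0200] conn=9 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(ipakrbprincipalalias=host/a.example.com@EXAMPLE.COM)" attrs="krbPrincipalName"
[25/Sep/2012:17:20:04 +0200] conn=9 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
'''

OP = re.compile(r'conn=(\d+) op=(\d+) (SRCH|RESULT)\b(.*)')
FILTER = re.compile(r'filter="([^"]*)"')
NOTES = re.compile(r'\bnotes=([A-Z,]+)')
ASSERTION = re.compile(r'\(([A-Za-z][\w;.-]*)(?:=|~=|>=|<=)')

def unindexed_searches(log_text):
    """Return the filter of every search whose RESULT line carries notes=U."""
    pending, hits = {}, []          # pending: (conn, op) -> filter string
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == 'SRCH':
            f = FILTER.search(rest)
            if f:
                pending[key] = f.group(1)
            continue
        filt = pending.pop(key, None)   # None: RESULT of a non-search operation
        n = NOTES.search(rest)
        if filt is not None and n and 'U' in n.group(1).split(','):
            hits.append(filt)
    return hits

def attributes_by_count(filters):
    """Count, per attribute, how many unindexed filters mention it."""
    counts = Counter()
    for filt in filters:
        counts.update({a.lower() for a in ASSERTION.findall(filt)})
    return counts.most_common()
```

Running attributes_by_count(unindexed_searches(...)) over a log captured during the unit test suite, before and after applying the patches, shows which attributes still lack an index.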
