Re: [Freeipa-devel] [PATCH] 314-315 Limit unindexed searches

Thu, 27 Sep 2012 00:53:59 -0700 

On 09/26/2012 08:58 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> These 2 patches significantly limit the number of unindexed LDAP searches we 
>> do
>> in IPA. I used our unit test suite as a good source of different LDAP 
>> searches
>> run by our command suite.
>>
>> Most of the remaining unindexed searches are produced either by our general
>> term search ("ipa service-find TERM") which hit every object parameter and 
>> DNS
>> commands (idnsname is not indexed yet). I am thinking about indexing about
>> idnsName as well...
>>
> 
> Patch 314 looks ok. It addresses ticket 3025 as well (ipakrbprincipalalias).
> 

I added this ticket number to the patch too. Btw. managedBy attribute mentioned
in the ticket was already added to indexed in ticket #2866.

> For 315 I'd prefer we add a new exception type to mirror
> ldap.NOT_ALLOWED_ON_NONLEAF and catch that in delete instead of DatabaseError.


This is a very good catch, it will make this procedure safer when there is an
actual DatabaseError raised.

Updated patches attached.

Martin

From 4f603a74e369d7e05397ba82418aa47a6899700f Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Tue, 25 Sep 2012 17:16:20 +0200
Subject: [PATCH 1/2] Index ipakrbprincipalalias and ipaautomountkey
 attributes

An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.

Add both indexes to new and updated IPA installs.

https://fedorahosted.org/freeipa/ticket/3020
https://fedorahosted.org/freeipa/ticket/3025
---
 install/share/indices.ldif        | 16 ++++++++++++++++
 install/updates/20-indices.update | 14 ++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 59936585cd63ec264a80d90792e1b49307da7bfa..1e1a5e9c790eb967b32bd712be0a881c480151c6 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -192,3 +192,19 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+
+dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: automountkey
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipakrbprincipalalias
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 80ac66c8a17dc59de39746385b551e0c3f9af886..323fb9cc8fa97be5b88666bcee176c43129e0411 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -116,3 +116,17 @@ default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 default:nsIndexType: eq
 default:nsIndexType: pres
+
+dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: automountkey
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
+
+dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipakrbprincipalalias
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
-- 
1.7.11.4


From c80af7c25ab6afbe4ac0627e7be3e7a27839d971 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Tue, 25 Sep 2012 17:19:44 +0200
Subject: [PATCH 2/2] Do not produce unindexed search on every DEL command

Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
---
 ipalib/errors.py           | 16 ++++++++++++++++
 ipalib/plugins/baseldap.py |  8 +++++++-
 ipaserver/plugins/ldap2.py |  2 ++
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 6a4e2c5d68f6a6f9b94d8e6b3d7a81d5c1922093..31fc14ea484d9b862c5e42af90efc5f87cb91908 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1501,6 +1501,22 @@ class BadSearchFilter(ExecutionError):
     format = _('Bad search filter %(info)s')
 
 
+class NotAllowedOnNonLeaf(ExecutionError):
+    """
+    **4210** Raised when operation is not allowed on a non-leaf entry
+
+    For example:
+
+    >>> raise NotAllowedOnNonLeaf()
+    Traceback (most recent call last):
+      ...
+    NotAllowedOnNonLeaf: Not allowed on non-leaf entry
+    """
+
+    errno = 4210
+    format = _('Not allowed on non-leaf entry')
+
+
 class CertificateError(ExecutionError):
     """
     **4300** Base class for Certificate execution errors (*4300 - 4399*).
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 14a46f2d0344c4276ec98091314b15e6e552ed77..a55a23244b65dd98b8bcd63b587471e436bf3743 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1424,7 +1424,13 @@ class LDAPDelete(LDAPMultiQuery):
                 except errors.NotFound:
                     self.obj.handle_not_found(*nkeys)
 
-            delete_subtree(dn)
+            try:
+                self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn, normalize=self.obj.normalize_dn)
+            except errors.NotFound:
+                self.obj.handle_not_found(*nkeys)
+            except errors.NotAllowedOnNonLeaf:
+                # this entry is not a leaf entry, delete all child nodes
+                delete_subtree(dn)
 
             for callback in self.get_callbacks('post'):
                 result = callback(self, ldap, dn, *nkeys, **options)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index a0b91fd5d7214b181cb660c1788d9cbd6062c097..1a754a55f13b60786de17d3198ced009e67caa4e 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -719,6 +719,8 @@ class ldap2(CrudBackend):
             raise errors.NotAllowedOnRDN(attr=info)
         except _ldap.FILTER_ERROR:
             raise errors.BadSearchFilter(info=info)
+        except _ldap.NOT_ALLOWED_ON_NONLEAF:
+            raise errors.NotAllowedOnNonLeaf()
         except _ldap.SUCCESS:
             pass
         except _ldap.LDAPError, e:
-- 
1.7.11.4


_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to