On 08/26/2015 02:13 PM, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5231
Attaching updated patch. With changes discussed offline.
Not related to the patch:
This patch limits the size to 1MB instead of proposed 10MB. Testing
showed that even 10MB raises a MemoryError in archive_encrypted_data
which is AFAIK a KraClient method - Endi, this sounds as something which
should be also handled in PKI.
Especially when it happens the subsequent vault-archive command ends
with HTTPError: 503 Server Error: Service Unavailable. After restart of
pki, subsequent vault-archive with 1M file took about 4mins (in
vault_retrieve_internal). Next archive command with 1M file took "only" 18s.
10k file took 9s.
Why is it so slow?
--
Petr Vobornik
From c08848ad37010fa72e774305837db49a078ef5ea Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Wed, 26 Aug 2015 14:11:21 +0200
Subject: [PATCH] vault: Limit size of data stored in vault
https://fedorahosted.org/freeipa/ticket/5231
---
ipalib/plugins/vault.py | 22 +-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index da1a58cfb77932e8a907725eb88f9f5c6df023c9..3f23c57be830fe85369bfc19e0b93581ded4115a 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -236,6 +236,8 @@ def validated_read(argname, filename, mode='r', encoding=None):
register = Registry()
+MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB
+
vaultcontainer_options = (
Str(
'service?',
@@ -1242,10 +1244,28 @@ class vault_archive(PKQuery, Local):
raise errors.MutuallyExclusiveError(
reason=_('Input data specified multiple times'))
+elif data:
+if len(data) > MAX_VAULT_DATA_SIZE:
+raise errors.ValidationError(name="data", error=_(
+"Size of data exceeds the limit. Current vault data size "
+"limit is %(limit)d B")
+% {'limit': MAX_VAULT_DATA_SIZE})
+
elif input_file:
+try:
+stat = os.stat(input_file)
+except OSError as exc:
+raise errors.ValidationError(name="in", error=_(
+"Cannot read file '%(filename)s': %(exc)s")
+% {'filename': input_file, 'exc': exc[1]})
+if stat.st_size > MAX_VAULT_DATA_SIZE:
+raise errors.ValidationError(name="in", error=_(
+"Size of data exceeds the limit. Current vault data size "
+"limit is %(limit)d B")
+% {'limit': MAX_VAULT_DATA_SIZE})
data = validated_read('in', input_file, mode='rb')
-elif not data:
+else:
data = ''
if self.api.env.in_server:
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code