Re: [Freeipa-devel] [PATCH 0065] vault: Limit size of data stored in vault

2015-08-26 Thread Petr Vobornik

On 08/26/2015 03:56 PM, David Kupka wrote:

On 26/08/15 15:45, Petr Vobornik wrote:

On 08/26/2015 02:13 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5231




Attaching updated patch. With changes discussed offline.


Changes work for me, ACK.


(with the changes it is also ACK from me)

Pushed to:
master: 02ab34c60b5e624ef0653a473316633a5618b07c
ipa-4-2: 9fc82bc66992eaa5daeed80e366e10986a8583d8





Not related to the patch:
This patch limits the size to 1MB instead of the proposed 10MB. Testing
showed that even 10MB raises a MemoryError in archive_encrypted_data
which is AFAIK a KraClient method - Endi, this sounds like something which
should also be handled in PKI.

Especially when it happens, the subsequent vault-archive command ends
with HTTPError: 503 Server Error: Service Unavailable. After restart of
pki, subsequent vault-archive with 1M file took about 4 mins (in
vault_retrieve_internal). Next archive command with 1M file took "only"
18s.

10k file took 9s.

Why is it so slow?






--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0065] vault: Limit size of data stored in vault

2015-08-26 Thread David Kupka

On 26/08/15 15:45, Petr Vobornik wrote:

On 08/26/2015 02:13 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5231




Attaching updated patch. With changes discussed offline.


Changes work for me, ACK.



Not related to the patch:
This patch limits the size to 1MB instead of the proposed 10MB. Testing
showed that even 10MB raises a MemoryError in archive_encrypted_data
which is AFAIK a KraClient method - Endi, this sounds like something which
should also be handled in PKI.

Especially when it happens, the subsequent vault-archive command ends
with HTTPError: 503 Server Error: Service Unavailable. After restart of
pki, subsequent vault-archive with 1M file took about 4 mins (in
vault_retrieve_internal). Next archive command with 1M file took "only"
18s.

10k file took 9s.

Why is it so slow?



--
David Kupka



Re: [Freeipa-devel] [PATCH 0065] vault: Limit size of data stored in vault

2015-08-26 Thread Petr Vobornik

On 08/26/2015 02:13 PM, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/5231




Attaching updated patch. With changes discussed offline.

Not related to the patch:
This patch limits the size to 1MB instead of the proposed 10MB. Testing
showed that even 10MB raises a MemoryError in archive_encrypted_data
which is AFAIK a KraClient method - Endi, this sounds like something which
should also be handled in PKI.

Especially when it happens, the subsequent vault-archive command ends
with HTTPError: 503 Server Error: Service Unavailable. After restart of
pki, subsequent vault-archive with 1M file took about 4 mins (in
vault_retrieve_internal). Next archive command with 1M file took "only" 18s.


10k file took 9s.

Why is it so slow?
--
Petr Vobornik
From c08848ad37010fa72e774305837db49a078ef5ea Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 26 Aug 2015 14:11:21 +0200
Subject: [PATCH] vault: Limit size of data stored in vault

https://fedorahosted.org/freeipa/ticket/5231
---
 ipalib/plugins/vault.py | 22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index da1a58cfb77932e8a907725eb88f9f5c6df023c9..3f23c57be830fe85369bfc19e0b93581ded4115a 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -236,6 +236,8 @@ def validated_read(argname, filename, mode='r', encoding=None):
 
 register = Registry()
 
+MAX_VAULT_DATA_SIZE = 2**20  # = 1 MB
+
 vaultcontainer_options = (
 Str(
 'service?',
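
Review bot: The comment on `MAX_VAULT_DATA_SIZE = 2**20` says "1 MB", but 2**20 bytes is 1 MiB (1048576 B), and the error messages added in the second hunk print the limit in bytes, so the comment and the user-facing text do not quite agree. I would write the comment as `# 1 MiB (1048576 bytes)` and add a line recording why the cap is this low (the thread reports that 10MB already raised a MemoryError in archive_encrypted_data), so that nobody raises it later without retesting.
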
@@ -1242,10 +1244,28 @@ class vault_archive(PKQuery, Local):
 raise errors.MutuallyExclusiveError(
 reason=_('Input data specified multiple times'))
 
+elif data:
+if len(data) > MAX_VAULT_DATA_SIZE:
+raise errors.ValidationError(name="data", error=_(
+"Size of data exceeds the limit. Current vault data size "
+"limit is %(limit)d B")
+% {'limit': MAX_VAULT_DATA_SIZE})
+
 elif input_file:
+try:
+stat = os.stat(input_file)
+except OSError as exc:
+raise errors.ValidationError(name="in", error=_(
+"Cannot read file '%(filename)s': %(exc)s")
+% {'filename': input_file, 'exc': exc[1]})
+if stat.st_size > MAX_VAULT_DATA_SIZE:
+raise errors.ValidationError(name="in", error=_(
+"Size of data exceeds the limit. Current vault data size "
+"limit is %(limit)d B")
+% {'limit': MAX_VAULT_DATA_SIZE})
 data = validated_read('in', input_file, mode='rb')
 
-elif not data:
+else:
 data = ''
 
 if self.api.env.in_server:
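
Review bot: In the `elif input_file:` branch the size comes from `os.stat()` and the file is then read separately by `validated_read('in', input_file, mode='rb')`, so a file that grows between the two calls, or whose `st_size` does not match what a read returns, gets past the limit, because `len(data)` is only checked in the `elif data:` branch. Keeping the stat as a cheap early reject is fine, but checking `len(data) > MAX_VAULT_DATA_SIZE` once after the `if`/`elif` chain would cover both input paths and remove the duplicated error message. Two smaller points in the same branch: `exc[1]` relies on Python 2 exception indexing, and `exc.strerror` gives the same text and keeps working on Python 3; and the hunk calls `os.stat` while the patch adds no import, so it is worth confirming that `os` is already imported in vault.py.
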
-- 
2.4.3
