Jira (PUP-10774) Long query time for AD groups
Title: Message Title Gheorghe Popescu updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Gheorghe Popescu Fix Version/s: PUP 6.20.0 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.114129.1610546940239%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Claire Cadman updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Claire Cadman Labels: doc_reviewed Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.94656.1607531820029%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Fix Version/s: PUP 7.1.0 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.94461.1607515620054%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Luchian Nemes updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Luchian Nemes Release Notes: Bug Fix Release Notes Summary: Time spent on querying the groups of a system user has been significantly improved on Linux operating systems with FFI and the `getgrouplist` method available. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.92165.1607332020191%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Sprint: NW - 2020-11-25 , NW - 2020-12-09 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.86995.1606375740035%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau assigned an issue to Luchian Nemes Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Assignee: Luchian Nemes Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.81852.1605687180031%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Story Points: 3 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.76625.1605086640033%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Sprint: ready for triage NW - 2020-11-25 Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.75464.1604998680034%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Reid Vandewiele commented on PUP-10774 Re: Long query time for AD groups Question: on the FFI github page, there is this warning: On Linux systems running with PaX (Gentoo, Alpine, etc.), FFI may trigger mprotect errors. You may need to disable mprotect for ruby (paxctl -m [/path/to/ruby]) for the time being until a solution is found. Would we need to worry about this at all on our supported platforms, if we start using FFI, LIBC, and getgrouplist? I don't know how PaX/mprotect works but it seems like even if a customer did have it installed we might be okay since we're only linking LIBC, and I'm sure that's already being used by Ruby. Figured it was worth asking the question though. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.74227.1604706300203%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Bogdan Irimie updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Bogdan Irimie Sprint: ready for triage Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.72447.1604566322953%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Bogdan Irimie updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Bogdan Irimie Sprint: Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.72376.1604566262607%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Mihai Buzgau Issue Type: Task Improvement Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.71402.1604504280207%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Luchian Nemes updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Luchian Nemes Comment: A comment with security level 'Developers' was removed. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.377144.160449921.71325.1604499960088%40Atlassian.JIRA.
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]:{code: java ruby }# Returns an array of all the groups that the user's a member of. def groups_of(user) groups = [] Puppet::Etc.group do |group|groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end uniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]:{code:ruby}# Returns an array of all the groups that the user's a member of.def groups_of(user) groups = [] Puppet::Etc.group do |group|groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end uniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]: {code:java}# Returns an array of all the groups that the user's a member of.def groups_of(user) groups = [] Puppet::Etc.group do |group|groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end uniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]:{code:java}# Returns an array of all the groups that the user's a member of.def groups_of(user) groups = [] Puppet::Etc.group do |group|groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end uniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]: {code:java} # Returns an array of all the groups that the user's a member of. def groups_of(user) groups = [] Puppet::Etc.group do |group| groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groups Puppet.debug(_('Removing any duplicate group entries')) enduniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27] : {code:java}# Returns an array of all the groups that the user's a member of . def groups_of(user) groups = [] Puppet::Etc.group do |group| groups << group.name if group.mem.include?(user) end uniq_groups = groups.uniq if uniq_groups != groups Puppet.debug(_('Removing any duplicate group entries')) enduniq_groups end{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which is first retrieving all available groups and then determines which ones the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title Luchian Nemes updated an issue Puppet / PUP-10774 Long query time for AD groups Change By: Luchian Nemes Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data.Said implementation points us to [puppet/lib/puppet/util/posix.rb|https://github.com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix.rb#L12-L27]. This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which retrieved is first retrieving all available groups and then determined determines which one ones the user belongs to. Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes updated an issue
Puppet / PUP-10774
Long query time for AD groups
Change By:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to : {code:ruby}# Returns an array of all the groups that the user's a member of.def groups_of(user) groups = [ ] Puppet::Etc puppet/lib/puppet/util/posix . group do rb | group|groups << group https://github . name if group com/puppetlabs/puppet/blob/d8068536284ad3601d447308ab9d3d6f9cdcf02d/lib/puppet/util/posix . mem rb#L12-L27] . include?(user) enduniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end uniq_groupsend{code} This needs to be replaced by the C API implementation [getgrouplist(3)|https://www.man7.org/linux/man-pages/man3/getgrouplist.3.html] using FFI calls to lookup the groups of a single user instead of [getent(1)|https://man7.org/linux/man-pages/man1/getent.1.html] which retrieved all available groups and then determined which one the user belongs to.
Add Comment
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Jira (PUP-10774) Long query time for AD groups
Title: Message Title
Luchian Nemes created an issue
Puppet / PUP-10774
Long query time for AD groups
Issue Type:
Task
Assignee:
Unassigned
Created:
2020/11/04 6:13 AM
Priority:
Normal
Reporter:
Luchian Nemes
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installations timeouts. This seems to happen due Puppet’s internal user group lookup implementation which queries AD for all available groups at every run and taking too long to process a high amount of data. Said implementation points us to:
# Returns an array of all the groups that the user's a member of.def groups_of(user) groups = [] Puppet::Etc.group do |group|groups << group.name if group.mem.include?(user) enduniq_groups = groups.uniq if uniq_groups != groupsPuppet.debug(_('Removing any duplicate group entries')) end
uniq_groupsend
This needs to be replaced by the C API implementation getgrouplist(3) using FFI calls to lookup the groups of a single user instead of getent(1) which retrieved all available groups and then determined which one the user belongs to.
