On Thu, Oct 13, 2011 at 04:03:48PM -0400, Stephen Gallagher wrote:
> On Mon, 2011-10-10 at 13:25 +0200, Jakub Hrozek wrote:
> > On Fri, Oct 07, 2011 at 02:12:08PM -0400, Stephen Gallagher wrote:
> > > https://fedorahosted.org/sssd/ticket/1029
> > >
> > > The problem here is that we were trying to perform an "optimization" by
> > > bulk-deleting the contents of the service and host lists in the sysdb
> > > before dumping into it the new data we received from LDAP.
> > >
> > > This was causing a major performance hit on large deployments, because
> > > this recursive delete was repeatedly hitting a weak point of the
> > > memberOf plugin. However, upon closer analysis, Sumit pointed out that
> > > we don't actually need to rely on the local memberOf plugin in this
> > > situation.
> > >
> > > These patches remove the member/memberOf relationship from
> > > host/hostgroup and service/servicegroup entries in the SSSD. As a
> > > result, we don't invoke the memberOf plugin during the mass-delete and
> > > we see a significant performance increase.
> > >
> > > The patches [ab]use the fact that we know the DN structure of the hosts,
> > > service and groups so that we don't need to go and look them up when
> > > constructing the requests. Instead we take the originalMemberOf object
> > > and interpret the value directly from it. This is much faster than
> > > searching the sysdb for the original object to get its fqdn or cn value.
> >
> > Patch 1/3 - Ack
> >
> > Patch 2/3 - Nack,
> > In hbac_eval_service_element(), I assume you meant to loop until
> > i < el->num_values, count is always 1 there.
> > > > > + for (i = j = 0; i < count; i++) { > > > + ret = get_ipa_servicegroupname(tmp_ctx, sysdb, > > > + (const char *)el->values[i].data, > > > + &name); > > > + if (ret != EOK && ret != ENOENT) goto done; > > > > > > - DEBUG(6, ("Added service group [%s] to the eval request\n", > > > - svc->groups[i])); > > > + /* ENOENT means we had a memberOf entry that wasn't a > > > + * service group. We'll just ignore those (could be > > > + * HBAC rules) > > > + */ > > > + > > > + if (ret == EOK) { > > > + svc->groups[j] = talloc_steal(svc->groups, name); > > > + j++; > > > + } > > > > Patch 3/3 - Nack, same comment as above. Also please change the comment in > > get_ipa_hostgroupname() from "It's not a service." to "It's not a > > hostgroup." > > Thanks, good catch. > > New patches attached.
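Review bot: the loop header `for (i = j = 0; i < count; i++)` is bounded by `count` while the body reads `el->values[i]`, so the bound should be the element's own `el->num_values` to keep the index tied to the array actually being walked. Because ENOENT results are skipped, `j` can finish below the number of values read; the code after the loop is not visible here, but it should terminate `svc->groups` at index `j` and the allocation should be sized for the case where every value is accepted. The removed DEBUG(6, ...) line has no replacement in the visible lines, so neither accepted groups nor skipped memberOf values are logged; a debug message in each branch would make HBAC evaluation easier to trace.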
Ack to all three patches
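The approach discussed in this thread (reading the group name straight out of an originalMemberOf DN, skipping values that are not service groups, and looping over every value) is sketched below as an added example; it is not SSSD code. The container suffix, the helper names, the 64-byte name buffers and the expectation of normalized DNs with no whitespace around commas are all assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumed container for service groups; the thread does not state the
 * DN layout, so this suffix is an assumption made for the example. */
#define SVCGROUP_CONTAINER "cn=hbacservicegroups,cn=hbac,"

/* End of the first RDN: the first ',' that is not escaped with '\'. */
static const char *rdn_end(const char *dn)
{
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }
        if (*p == ',') return p;
    }
    return NULL;
}

/* Hypothetical helper: copy the cn value (still in escaped form) of a
 * service-group DN into out. Returns 0, ENOENT when the DN is not a
 * service group (caller skips it), or ERANGE when out is too small. */
int servicegroup_name_from_dn(const char *dn, char *out, size_t outlen)
{
    const char *end = rdn_end(dn);
    if (end == NULL || strncasecmp(dn, "cn=", 3) != 0) return ENOENT;
    if (strncasecmp(end + 1, SVCGROUP_CONTAINER,
                    strlen(SVCGROUP_CONTAINER)) != 0) return ENOENT;
    size_t len = (size_t)(end - (dn + 3));
    if (len == 0) return ENOENT;
    if (len >= outlen) return ERANGE;
    memcpy(out, dn + 3, len);
    out[len] = '\0';
    return 0;
}

/* Filter loop bounded by num_values: i walks every input value, j counts
 * only accepted names. names must have room for num_values entries. */
int collect_servicegroups(const char *const *vals, size_t num_values,
                          char names[][64], size_t *count)
{
    size_t i, j;
    for (i = j = 0; i < num_values; i++) {
        int ret = servicegroup_name_from_dn(vals[i], names[j], 64);
        if (ret != 0 && ret != ENOENT) return ret;
        if (ret == 0) j++;
    }
    *count = j;
    return 0;
}
```

Checking the container suffix, not just the leading `cn=`, is what keeps other memberOf values (such as HBAC rules) from being treated as service groups during access evaluation.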