On Fri, 2011-10-14 at 14:18 +0200, Jakub Hrozek wrote:
> On Thu, Oct 13, 2011 at 04:03:48PM -0400, Stephen Gallagher wrote:
> > On Mon, 2011-10-10 at 13:25 +0200, Jakub Hrozek wrote:
> > > On Fri, Oct 07, 2011 at 02:12:08PM -0400, Stephen Gallagher wrote:
> > > > https://fedorahosted.org/sssd/ticket/1029
> > > >
> > > > The problem here is that we were trying to perform an "optimization" by
> > > > bulk-deleting the contents of the service and host lists in the sysdb
> > > > before dumping into it the new data we received from LDAP.
> > > >
> > > > This was causing a major performance hit on large deployments, because
> > > > this recursive delete was repeatedly hitting a weak point of the
> > > > memberOf plugin. However, upon closer analysis, Sumit pointed out that
> > > > we don't actually need to rely on the local memberOf plugin in this
> > > > situation.
> > > >
> > > > These patches remove the member/memberOf relationship from
> > > > host/hostgroup and service/servicegroup entries in the SSSD. As a
> > > > result, we don't invoke the memberOf plugin during the mass-delete and
> > > > we see a significant performance increase.
> > > >
> > > > The patches [ab]use the fact that we know the DN structure of the hosts,
> > > > service and groups so that we don't need to go and look them up when
> > > > constructing the requests. Instead we take the originalMemberOf object
> > > > and interpret the value directly from it. This is much faster than
> > > > searching the sysdb for the original object to get its fqdn or cn value.
> > >
> > > Patch 1/3 - Ack
> > >
> > > Patch 2/3 - Nack,
> > > In hbac_eval_service_element(), I assume you meant to loop until
> > > i < el->num_values, count is always 1 there.
> > > > > > > + for (i = j = 0; i < count; i++) { > > > > + ret = get_ipa_servicegroupname(tmp_ctx, sysdb, > > > > + (const char > > > > *)el->values[i].data, > > > > + &name); > > > > + if (ret != EOK && ret != ENOENT) goto done; > > > > > > > > - DEBUG(6, ("Added service group [%s] to the eval request\n", > > > > - svc->groups[i])); > > > > + /* ENOENT means we had a memberOf entry that wasn't a > > > > + * service group. We'll just ignore those (could be > > > > + * HBAC rules) > > > > + */ > > > > + > > > > + if (ret == EOK) { > > > > + svc->groups[j] = talloc_steal(svc->groups, name); > > > > + j++; > > > > + } > > > > > > Patch 3/3 - Nack, same comment as above. Also please change the comment in > > > get_ipa_hostgroupname() from "It's not a service." to "It's not a > > > hostgroup." > > > > Thanks, good catch. > > > > New patches attached. > > Ack to all three patches
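Review bot: in the `for (i = j = 0; i < count; i++)` loop, the index `i` is used to read `el->values[i].data`, but the bound is `count`, which the reviewer says is always 1 here, so only the first memberOf value is ever examined and every other service-group membership is silently dropped from the HBAC evaluation; the bound should be `i < el->num_values`, as Jakub suggests. Since the loop now compacts matches into `svc->groups[j]`, also make sure the list is terminated at `svc->groups[j]` after the loop (the visible lines do not show it), and consider re-adding the removed `DEBUG(6, ("Added service group [%s] ..."))` line inside the `ret == EOK` branch so that groups added to the eval request are still logged.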
Pushed to master, sssd-1-6 and sssd-1-5.
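The following is an added example, not code from the patch series or from SSSD itself, illustrating the approach described in the thread: derive a service group's name from the structure of a memberOf DN instead of looking the entry up, treat values that live in another container (for instance an HBAC rule) as "not a service group" via ENOENT, and walk every memberOf value rather than only the first. The function names, the container base DN and the sample memberOf values are all constructed for this example. It also covers two points the thread touches on only implicitly: the remainder of the DN must match the expected container exactly (a mere prefix match would accept an unrelated entry as a group), and the compacted list must be NULL-terminated after the loop.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define EOK 0

/* Hypothetical container for service groups; constructed for this example,
 * not the real IPA layout or any value from the patch. */
static const char *SERVICEGROUP_BASE =
    "cn=hbacservicegroups,cn=hbac,dc=example,dc=com";

/*
 * Interpret a memberOf DN purely from its structure: it must be
 * "cn=<name>," followed by exactly the expected container base.
 *   EOK    -> *name_out is set (caller frees)
 *   ENOENT -> well-formed cn= DN, but not in the service-group container
 *   EINVAL -> not a cn= DN at all (hard error, like the patch's goto done)
 */
static int servicegroup_name_from_dn(const char *dn, const char *base,
                                     char **name_out)
{
    const char *p, *end;
    size_t len;

    if (dn == NULL || base == NULL || name_out == NULL) return EINVAL;
    if (strncasecmp(dn, "cn=", 3) != 0) return EINVAL;

    p = dn + 3;
    /* Stop at the first unescaped comma; "\," inside a value is data. */
    for (end = p; *end != '\0'; end++) {
        if (*end == '\\' && end[1] != '\0') { end++; continue; }
        if (*end == ',') break;
    }
    if (*end != ',' || end == p) return EINVAL;

    /* The rest must be exactly the expected base, not merely start with it,
     * otherwise an entry under some other suffix would pass as a group. */
    if (strcasecmp(end + 1, base) != 0) return ENOENT;

    len = (size_t)(end - p);
    *name_out = malloc(len + 1);
    if (*name_out == NULL) return ENOMEM;
    memcpy(*name_out, p, len);
    (*name_out)[len] = '\0';
    return EOK;
}

static void free_groups(char **groups)
{
    size_t i;
    if (groups == NULL) return;
    for (i = 0; groups[i] != NULL; i++) free(groups[i]);
    free(groups);
}

/*
 * Walk every memberOf value, keep the ones that name service groups, skip the
 * ENOENT ones, and NULL-terminate the compacted list. Returns the number of
 * groups kept, or -1 on a hard error (the list is freed in that case).
 */
static int collect_servicegroups(const char *const *memberof, size_t num_values,
                                 char ***groups_out)
{
    char **groups;
    size_t i, j;
    int ret;

    groups = calloc(num_values + 1, sizeof(char *));
    if (groups == NULL) return -1;

    for (i = j = 0; i < num_values; i++) {   /* bound is num_values, not 1 */
        char *name = NULL;
        ret = servicegroup_name_from_dn(memberof[i], SERVICEGROUP_BASE, &name);
        if (ret != EOK && ret != ENOENT) goto fail;
        if (ret == EOK) groups[j++] = name;  /* ENOENT: not a group, ignore */
    }
    groups[j] = NULL;                        /* terminate the compacted list */
    *groups_out = groups;
    return (int)j;

fail:
    groups[j] = NULL;
    free_groups(groups);
    return -1;
}

int main(void)
{
    /* Constructed sample memberOf values: two groups, one HBAC rule, one
     * entry under a look-alike suffix, one group name with an escaped comma. */
    const char *memberof[] = {
        "cn=sshd-admins,cn=hbacservicegroups,cn=hbac,dc=example,dc=com",
        "cn=allow_all,cn=hbac,dc=example,dc=com",
        "CN=Web Servers,cn=hbacservicegroups,cn=hbac,dc=example,dc=com",
        "cn=x,cn=hbacservicegroups,cn=hbac,dc=example,dc=com,dc=other",
        "cn=a\\,b,cn=hbacservicegroups,cn=hbac,dc=example,dc=com",
    };
    char **groups = NULL;
    int n = collect_servicegroups(memberof, 5, &groups);
    for (int k = 0; k < n; k++) printf("service group: %s\n", groups[k]);
    free_groups(groups);
    return 0;
}
```

The EINVAL path mirrors the patch's behaviour of aborting on any error other than ENOENT; a malformed value in memberOf therefore stops the whole evaluation rather than being skipped, which is the safer default for an access-control decision.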
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel