On 02/24/2016 04:28 PM, Jakub Hrozek wrote:
> On Tue, Feb 23, 2016 at 04:08:52PM +0100, Petr Cech wrote:
>> Hello,
>>
>> I've started the design page for Invalidating cached sudo rules here:
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOCachingRulesInvalidate
>>
>> This task consists of two tickets (see below). So far, I have worked on the
>> first one. The second one is waiting for the SSSD Status Tool.
>>
>> For your convenience, I've included the text below as well:
>>
>> = Invalidate Cached SUDO Rules =
>>
>> Related ticket(s):
>>   * https://fedorahosted.org/sssd/ticket/2081
>>   * https://fedorahosted.org/sssd/ticket/2884
>>
>> === Problem statement ===
>> Currently sss_cache can't be used to reliably invalidate sudo rules.
>>
>> === Use cases ===
>> Usually, if an admin changes sudo rules, he would like to see the effect
>> immediately.
>>
>> === Overview of the solution ===
>> Sudo rules are stored in sss_cache. Sometimes a ''smart'' or ''full'' refresh
>> of sudo rules is done, but there is no effective way to invalidate them (see
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOCachingRules).
>>
>> The solution consists of two steps:
>> 1. Invalidate sudo rules by setting the expiration time to 0, which prevents
>> old rules from being used.
>> 2. Trigger a full refresh (and maybe even a smart refresh) on demand.

> This is not described in this design page. Did you talk to Pavel who
> will work on providing the API for triggering the refresh?

Well, the second step is the content of [1]. This design page will be extended with it in the future. We are waiting for the `SSS Status Tool`. And yes, I told Pavel about it.

[1] https://fedorahosted.org/sssd/ticket/2884

>> === Implementation details ===
>>
>> ==== Invalidating sudo rules ====
>>
>> SSSD provides the tool sss_cache for invalidating items.
>> {{{
>> $ sss_cache --help
>> Usage: sss_cache [OPTION...]
>>    -E, --everything            Invalidate all cached entries except for sudo rules
>>    -u, --user=STRING           Invalidate particular user
>>    -U, --users                 Invalidate all users
>>    -g, --group=STRING          Invalidate particular group
>>    -G, --groups                Invalidate all groups
>>    -n, --netgroup=STRING       Invalidate particular netgroup
>>    -N, --netgroups             Invalidate all netgroups
>>    -s, --service=STRING        Invalidate particular service
>>    -S, --services              Invalidate all services
>>    -a, --autofs-map=STRING     Invalidate particular autofs map
>>    -A, --autofs-maps           Invalidate all autofs maps
>>    -h, --ssh-host=STRING       Invalidate particular SSH host
>>    -H, --ssh-hosts             Invalidate all SSH hosts
>>    -d, --domain=STRING         Only invalidate entries from a particular domain
>>
>> Help options:
>>    -?, --help                  Show this help message
>>        --usage                 Display brief usage message
>> }}}
>> We need to:
>> * add the option `--sudo-rules=STRING` for invalidating only the sudo rule
>> named STRING,

> I assume you meant --sudo-rule (singular) here?

Right :-) I fixed it.

>> * add the option `--sudo-rules` for invalidating all sudo rules,
>> * change the option `--everything` to invalidate sudo rules too.
>>
>> For those changes we will provide the new function `sysdb_search_sudo_rules()` in
>> `db/sysdb_sudo.{hc}`.
>> {{{
>> #!C
>> /* Search cached sudo rules matching the given ldb filter; the matching
>>  * rules and their count are returned through the last two arguments.
>>  * The synopsis is inspired by the other `sysdb_search_*()` functions. */
>> errno_t
>> sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
>>                         struct sss_domain_info *domain,
>>                         const char *filter,
>>                         const char **attrs,
>>                         size_t *num_rules,
>>                         struct ldb_message ***rules);
>> }}}
>> This new function will be able to find a sudo rule by a given name (via the filter).
>>
>> On the other hand, there is the function `sudosrv_get_sudorules_query_cache()` in
>> `responder/sudo/sudosrv_get_sudorules.c` which has very similar behavior.
>> Maybe it is a candidate for proxying and moving to `db/sysdb_sudo.{hc}`.

> I'm all for consolidating functions in one place.

Well, I need sysdb_search_sudo_rules() very soon, and I would like it to have a synopsis similar to the other sysdb_search_* functions. So I have started writing test_sysdb_sudo.c, not for all functions in sysdb_sudo.c, only for the store function and sysdb_search_sudo_rules(), so we can be sure the consolidation is right. Other tests could come in the future.

--
Petr^4 Cech
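To make the first step of the design concrete (invalidation by zeroing the expiration time, with a lookup that takes a name as its filter, as proposed for sysdb_search_sudo_rules()), here is an added, stand-alone C example. It is not SSSD code: it replaces sysdb/ldb with a small in-memory cache of constructed rules, models the expiry as a plain time_t (the sysdb attribute it stands in for is dataExpireTimestamp), and follows the design page in treating 0 as "invalidated". The functions cache_search_sudo_rules(), cache_invalidate_sudo_rules(), cache_rule_valid() and cache_demo_valid_after_invalidate() are names chosen for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed, in-memory model of a cached sudo rule.  The real sysdb keeps
 * rules as ldb messages; the expiry field stands in for dataExpireTimestamp. */
struct sudo_rule {
    const char *name;     /* rule cn, matched by the "filter" */
    const char *command;  /* sudoCommand, not interpreted here */
    time_t expire;        /* absolute expiry; 0 means invalidated */
};

#define MAX_RULES 8

struct sudo_cache {
    struct sudo_rule rules[MAX_RULES];
    size_t count;
};

/* Load three constructed rules that all expire 300 seconds after `now`. */
void cache_fixture(struct sudo_cache *cache, time_t now)
{
    static const char *names[] = { "allow_reboot", "allow_apt", "allow_tail_logs" };
    static const char *cmds[]  = { "/sbin/reboot", "/usr/bin/apt", "/usr/bin/tail" };
    cache->count = 0;
    for (size_t i = 0; i < 3; i++) {
        cache->rules[cache->count].name = names[i];
        cache->rules[cache->count].command = cmds[i];
        cache->rules[cache->count].expire = now + 300;
        cache->count++;
    }
}

/* Lookup modelled on the proposed sysdb_search_sudo_rules() synopsis:
 * `name` plays the role of the filter (NULL matches every rule) and the
 * matches are returned through num_rules/rules.  Returns 0 on success,
 * -1 if the caller's output array is too small. */
int cache_search_sudo_rules(struct sudo_cache *cache, const char *name,
                            size_t *num_rules, struct sudo_rule **rules,
                            size_t rules_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < cache->count; i++) {
        if (name != NULL && strcmp(cache->rules[i].name, name) != 0) {
            continue;
        }
        if (n == rules_cap) {
            return -1;
        }
        rules[n++] = &cache->rules[i];
    }
    *num_rules = n;
    return 0;
}

/* Step 1 of the design: set the expiry to 0.  The entry stays in the cache
 * (so a later refresh can overwrite it) but is no longer usable.  A NULL name
 * corresponds to --sudo-rules (or --everything once it covers sudo rules),
 * a specific name to --sudo-rule=NAME.  Returns the number of rules touched. */
size_t cache_invalidate_sudo_rules(struct sudo_cache *cache, const char *name)
{
    struct sudo_rule *hits[MAX_RULES];
    size_t n = 0;
    if (cache_search_sudo_rules(cache, name, &n, hits, MAX_RULES) != 0) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        hits[i]->expire = 0;
    }
    return n;
}

/* The check a responder would make before trusting a cached rule at `now`:
 * an invalidated (0) or naturally expired entry must not be used. */
bool cache_rule_valid(const struct sudo_rule *rule, time_t now)
{
    return rule->expire != 0 && rule->expire > now;
}

/* Build the fixture, invalidate `name` (NULL = all) and return how many of
 * the three rules a lookup at the same instant could still use. */
size_t cache_demo_valid_after_invalidate(const char *name)
{
    struct sudo_cache cache;
    time_t now = 1000;  /* constructed clock; no real time is read */
    size_t valid = 0;
    cache_fixture(&cache, now);
    cache_invalidate_sudo_rules(&cache, name);
    for (size_t i = 0; i < cache.count; i++) {
        if (cache_rule_valid(&cache.rules[i], now)) {
            valid++;
        }
    }
    return valid;
}

int main(void)
{
    printf("valid after --sudo-rule=allow_reboot: %zu\n",
           cache_demo_valid_after_invalidate("allow_reboot"));
    printf("valid after --sudo-rules: %zu\n",
           cache_demo_valid_after_invalidate(NULL));
    return 0;
}
```

The point the example makes is that invalidation and removal differ: the rule record survives with expire == 0, so a smart or full refresh (step 2 of the design) still has something to update, while every lookup in between refuses it; a name that matches nothing leaves all three rules usable.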
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
