On Wed, Sep 07, 2016 at 01:42:32PM +0300, Nikolai Kondrashov wrote:
> Hi Simo,
>
> On 08/29/2016 11:47 PM, Sumit Bose wrote:
> > Then you do a normal user lookup but if there are groups configured in
> > the session_recording section you always do a SSS_DP_INITGROUPS instead
> > of a SSS_DP_USER if the entry is expired. I think here you can add some
> > improvement to reduce the number of SSS_DP_INITGROUPS calls which are
> > more expensive than SSS_DP_USER. User entries in the cache have two
> > timeout values SYSDB_CACHE_EXPIRE and SYSDB_INITGR_EXPIRE. The first is
> > the expiration time for the general user data (name, home directory,
> > shell etc) and is checked during the normal user lookup. The second is
> > the expiration time of the group-membership data. To make sure that
> > SSS_DP_INITGROUPS is only used when needed I would recommend to
> > additionally check if SYSDB_INITGR_EXPIRE is expired and only do a
> > SSS_DP_INITGROUPS in this case and a SSS_DP_USER in all other cases.
> > Currently both timestamps might not differ often but future enhancements
> > to the backends might change this.
>
> I'm looking at this and am getting confused (old news, I know :).
>
> Two cases where I use SSS_DP_INITGROUPS are invocations of check_cache, which
> has this code:
>
> /* if we have any reply let's check cache validity */
> if (res->count > 0) {
>     /* ... */
>     if (req_type == SSS_DP_INITGROUPS) {
>         cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
>                                                   SYSDB_INITGR_EXPIRE,
>                                                   0);
>     } else {
>         cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
>                                                   SYSDB_CACHE_EXPIRE,
>                                                   0);
>     }
>     /* ... */
> }
>
> It seems to me that it already checks the cache as you suggested. Is that so?
>
> The only other case is in nss_cmd_setpwent_step, which fetches users for
> getpwent using sss_dp_get_account_send and it doesn't seem that I could/should
> do anything there. Is that right?
Yes and no. The idea was to not unconditionally replace SSS_DP_USER with
SSS_DP_INITGROUPS if there are groups in the session recording
configuration. If we then add a new option to configure
SYSDB_INITGR_EXPIRE independently of SYSDB_CACHE_EXPIRE (currently both
use the entry_cache_user_timeout config option) it would be possible to
reduce the number of SSS_DP_INITGROUPS requests to the backend while having the
user entry itself updated at the default rate with a plain SSS_DP_USER
call.

But all this might not be needed if a session recording attribute is
used as suggested by Simo. See my reply to Simo's email in this thread
for details about how this can be implemented.

bye,
Sumit
>
> Thank you.
>
> Nick
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
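The request-selection logic Sumit describes, as an added example for readers of this thread (it is not SSSD code and comes from neither poster): it contrasts the unconditional switch to SSS_DP_INITGROUPS with his suggestion to consult SYSDB_INITGR_EXPIRE first and fall back to the cheaper SSS_DP_USER. The enum, the function names decide_unconditional and decide_by_initgr_expiry, the treatment of a 0 timestamp as expired, and the sample timestamps are all assumptions made for this example; the behaviour of the unconditional variant is inferred from the quoted check_cache snippet (request type chosen up front, then only the matching expiry attribute checked).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request kinds modelled on the SSSD request types named in the thread.
 * The enum and its values are an assumption made for this example. */
enum dp_req {
    DP_REQ_NONE = 0,   /* cached entry still valid: no backend round trip */
    DP_REQ_USER,       /* refresh name/home/shell only    (SSS_DP_USER) */
    DP_REQ_INITGROUPS  /* refresh user + group membership (SSS_DP_INITGROUPS) */
};

/* A timestamp of 0 means the attribute was never written (e.g. initgroups
 * has never run for this user); like a past timestamp it counts as expired.
 * check_cache() reads the attributes with a default of 0; treating that as
 * expired is this example's assumption. */
static bool expired(uint64_t expire_at, uint64_t now)
{
    return expire_at == 0 || expire_at <= now;
}

/* Unconditional variant: with session_recording groups configured the request
 * type becomes SSS_DP_INITGROUPS up front, so only SYSDB_INITGR_EXPIRE is
 * consulted and a stale SYSDB_CACHE_EXPIRE is never noticed. */
enum dp_req decide_unconditional(uint64_t cache_expire, uint64_t initgr_expire,
                                 bool recording_groups, uint64_t now)
{
    enum dp_req req = recording_groups ? DP_REQ_INITGROUPS : DP_REQ_USER;
    uint64_t expire_at = (req == DP_REQ_INITGROUPS) ? initgr_expire : cache_expire;

    return expired(expire_at, now) ? req : DP_REQ_NONE;
}

/* Sumit's suggestion: escalate to SSS_DP_INITGROUPS only when the membership
 * data itself is stale; otherwise the user entry is refreshed at its normal
 * rate with the cheaper SSS_DP_USER. */
enum dp_req decide_by_initgr_expiry(uint64_t cache_expire, uint64_t initgr_expire,
                                    bool recording_groups, uint64_t now)
{
    if (recording_groups && expired(initgr_expire, now)) {
        return DP_REQ_INITGROUPS;
    }
    if (expired(cache_expire, now)) {
        return DP_REQ_USER;
    }
    return DP_REQ_NONE;
}

static const char *req_name(enum dp_req r)
{
    switch (r) {
    case DP_REQ_USER:       return "SSS_DP_USER";
    case DP_REQ_INITGROUPS: return "SSS_DP_INITGROUPS";
    default:                return "(no request)";
    }
}

int main(void)
{
    /* Constructed sample entries: "now" is 1000, timestamps use the same unit. */
    const uint64_t now = 1000;
    struct { uint64_t cache, initgr; bool groups; const char *what; } cases[] = {
        { 500,  2000, true,  "user data stale, membership fresh" },
        { 500,  500,  true,  "both stale" },
        { 2000, 0,    true,  "initgroups never run" },
        { 500,  500,  false, "no recording groups configured" },
        { 2000, 2000, true,  "everything fresh" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-36s unconditional=%-18s by-initgr-expiry=%s\n", cases[i].what,
               req_name(decide_unconditional(cases[i].cache, cases[i].initgr,
                                             cases[i].groups, now)),
               req_name(decide_by_initgr_expiry(cases[i].cache, cases[i].initgr,
                                                cases[i].groups, now)));
    }
    return 0;
}
```

The first row is the case Sumit is pointing at: with recording groups configured, stale user data and still-valid membership data, the unconditional variant issues no request at all until SYSDB_INITGR_EXPIRE passes, whereas checking the initgr expiry first sends a plain SSS_DP_USER and keeps the entry fresh at the default rate. That difference only becomes visible once the two timeouts can diverge, which is why he mentions a separate option for SYSDB_INITGR_EXPIRE.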