From 3c6e0d06aa648d40577d321c1d52b604b27530cf Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Dec 05 2013 21:49:45 +0000
Subject: Ticket #342 - better error message when cache overflows (phase 2)
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc only logs detailed cache overflow message on the allow ACIs. This patch logs the same message when the cache overflow occurs on the deny ACIs. https://fedorahosted.org/389/ticket/342 Reviewed by rmeggins (Thank you, Rich!!) (cherry picked from commit 24d1817f75daad3b45f13e38935c14d0b55c9af9)
---
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index ce0fb92..bd7547d 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2807,16 +2807,16 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
 if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
- /* We can not reused results obtained on a other entry */
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
- aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
- }
+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
 /*
 * aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
 * a cache of info about whether applicable acis
 * allowed, did_not_allow or denied access
- */
+ */
 for (j =0; j < aclpb->aclpb_last_cache_result; j++) {
 if (index == aclpb->aclpb_cache_result[j].aci_index) {
 short result;
@@ -2919,15 +2919,28 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
 if ( j < aclpb->aclpb_last_cache_result) { /* already in cache */
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
 } else if ( j < aclpb_max_cache_results ) { /* j == aclpb->aclpb_last_cache_result && j < ACLPB_MAX_CACHE_RESULTS */
 aclpb->aclpb_last_cache_result++;
 aclpb->aclpb_cache_result[j].aci_index = index;
 aclpb->aclpb_cache_result[j].aci_ruleType = aci->aci_ruleType;
-
+ aclpb->aclpb_cache_result[j].result &= ~ACLPB_CACHE_ERROR_REPORTED;
 } else { /* cache overflow */
- if ( rights_rv == ACL_RES_DENY) {
+ if (!(aclpb->aclpb_cache_result[j].result &
+ ACLPB_CACHE_ERROR_REPORTED)) {
+ slapi_log_error (SLAPI_LOG_FATAL, "acl__TestRights",
+ "Your ACL cache of %d slots has overflowed. "
+ "This can happen when you have many ACIs. "
+ "This ACI evaluation requires %d slots to cache. "
+ "You can increase your max value by setting the attribute "
+ "%s in cn=ACL Plugin,cn=plugins,cn=config to a value higher. "
+ "A server restart is required.\n",
+ j, aclpb_max_cache_results, ATTR_ACLPB_MAX_SELECTED_ACLS);
+ aclpb->aclpb_cache_result[j].result |= ACLPB_CACHE_ERROR_REPORTED;
+ }
+ if (rights_rv == ACL_RES_DENY) {
 result_reason->deciding_aci = aci;
 result_reason->reason = ACL_REASON_EVALUATED_DENY;
 TNF_PROBE_1_DEBUG(acl__TestRights_end,"ACL","",
@@ -2986,8 +2999,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
 return ACL_RES_DENY;
 }
 }
- }
-
+ } /* for (i=0, k=0; i < numHandles && k < aclpb->aclpb_num_deny_handles; ++i) */
 /*
 ** START PROCESSING ALLOW HANDLES.
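Review bot: The cache-overflow branch reads and then writes `aclpb->aclpb_cache_result[j].result` at an index that has just failed `j < aclpb_max_cache_results`, so if the array is sized to `aclpb_max_cache_results` entries (its allocation is outside this hunk) both the test and the `|= ACLPB_CACHE_ERROR_REPORTED` land past its end, inside access-control evaluation. The once-only marker would be safer held outside the slot array, for instance as a bit in `aclpb->aclpb_state`, because the two in-range branches clear the flag on a different slot from the one this branch sets. The log arguments also appear swapped against the wording: "cache of %d slots" receives `j` and "requires %d slots" receives `aclpb_max_cache_results`, so `aclpb_max_cache_results, j, ATTR_ACLPB_MAX_SELECTED_ACLS);` would match the text. acl__TestRights begins and ends outside the hunk.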
@@ -3023,10 +3035,10 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
 if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {
- /* We can not reused results obtained on a other entry */
- if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
- aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
- }
+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
 /*
 * aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
 * a cache of info about whether applicable acis
@@ -3198,7 +3210,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
 return ACL_RES_ALLOW;
 }
 }
- }/* for */
+ } /* for (i=0, k=0; i < numHandles && k < aclpb->aclpb_num_allow_handles ; ++i) { */
 result_reason->deciding_aci = aci;
 result_reason->reason = ACL_REASON_NO_MATCHED_SUBJECT_ALLOWS;