#1016 Separate Cache Timeouts for SSSD

Created 5 years ago by sgallagh
Modified a day ago

https://bugzilla.redhat.com/show_bug.cgi?id=742510

+++ This bug was initially created as a clone of Bug #741981 +++

Description of problem:
Currently SSSD has 1 monolithic timeout for NSS data: users / groups / netgroups.

This has an impact in situations where Sudo needs to get at updated netgroup data for authorization decisions but can only acquire data from the (default 90 minute) cache.

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA / SSSD client for Sudo.
2. Perform a Sudo action without the host added to the hostgroup/netgroup in a sudo rule.
3. Notice that the action is denied and cached.
4. Add the host to the hostgroup/netgroup that is in a sudo rule.
5. Notice that the action is still denied.

Actual results:
Cached data is not updated

Expected results:
Cached data is individually timed out, or refreshed for actions such as sudo lookups.

Additional info:

Fields changed

coverity: =>
milestone: NEEDS_TRIAGE => SSSD 1.8.0
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

rhbz: => 741981

Fields changed

type: defect => enhancement

This ticket should consider a special cache timeout for every map type we support.

There is a related ticket to deal with the timeout for netgroups: #946

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.8.0 => SSSD 1.7.91 (1.8.0 beta 1)

Fields changed

component: SysDB => NSS
owner: somebody => jhrozek

Fields changed

owner: jhrozek => sgallagh
status: new => assigned

Fixed by bd92e8ee315d4da9350b9ef0358c88a7b54aeebe

feature_milestone: =>
resolution: => fixed
status: assigned => closed
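
An added example, not part of the ticket or the SSSD code base: a Python check that computes the effective cache lifetime per map type for each domain in an sssd.conf and lists the maps that can serve data older than a chosen limit. The `entry_cache_*_timeout` option names are the ones documented in sssd.conf(5); the function names, domain names and sample configuration are constructed for illustration, and it assumes the installed release supports the per-map options.

```python
import configparser

MAPS = ("user", "group", "netgroup")  # per-map option: entry_cache_<map>_timeout
DEFAULT_TIMEOUT = 5400  # seconds; the 90-minute default named in the ticket


def effective_timeouts(conf_text):
    """Return {domain: {map: (seconds, source)}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # The monolithic timeout is the fallback for every map without an override.
        base = dom.getint("entry_cache_timeout", fallback=DEFAULT_TIMEOUT)
        base_src = "entry_cache_timeout" if "entry_cache_timeout" in dom else "built-in default"
        maps = {}
        for name in MAPS:
            opt = f"entry_cache_{name}_timeout"
            maps[name] = (dom.getint(opt), opt) if opt in dom else (base, base_src)
        result[section[len("domain/"):]] = maps
    return result


def stale_authz_maps(conf_text, max_age):
    """List (domain, map) pairs whose cached entries may be served for more than max_age seconds."""
    return sorted((d, m) for d, maps in effective_timeouts(conf_text).items()
                  for m, (secs, _) in maps.items() if secs > max_age)


# Constructed sample configuration, not taken from the ticket.
SAMPLE = """
[sssd]
domains = example.test, legacy.test

[domain/example.test]
id_provider = ipa
entry_cache_netgroup_timeout = 300

[domain/legacy.test]
id_provider = ipa
entry_cache_timeout = 3600
"""

if __name__ == "__main__":
    for dom, maps in effective_timeouts(SAMPLE).items():
        for name, (secs, src) in maps.items():
            print(f"{dom:14} {name:9} {secs:5}s  ({src})")
```

A long netgroup lifetime delays revocations as well as grants: a host removed from a netgroup named in a sudo rule keeps matching until the cached entry expires.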

a day ago

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8 beta
