#3169 secrets: add a quota on the number of objects/size of the objects a user can create
Closed: Fixed None Opened 3 years ago by fidencio.

Simo has suggested to create a quota on the number of objects (and/or their size) a user can create.
Simo's suggestion is that both size and number of present objects can be enforced at store time.


From a conversation on #sssd:

09:23 <fidencio> simo: hey/morning/afternoon! I'm taking care of those bugs I opened for secrets about depth limit and quota. do you have some suggestion about what could be reasonable default value for those options?

10:15 <simo> for number of objects (including container folders) something like 1024

10:15 <simo> with a max size per object of maybe 4k?

10:15 <simo> that would make it a maximum of 4MB per person if they stuff them full

10:22 <crys> Are 4k enough for client auth certs with some intermediates?

10:24 <simo> Crys: uhmm do we think we'd store public certs as a secret ?

10:24 <simo> I would think we store only the private key?

10:25 <crys> You may argue that private + public + chain are your full credentials. I would store all these information in a single place.

10:25 <crys> because it makes it much easier to update them in one place, too.

10:26 <crys> PEM bloats the key and cert size.

10:26 <crys> (sorry for the bike shedding)

10:27 <simo> fidencio: ok maybe let's make the default min. size 16k

10:27 <simo> 16k should be good for everyone (cit.)

So, in the end, the default min. size per object will be 16k and the default number of objects (including container folders) will be 1024 (of course, everything configurable in the [secrets] section).

Simo also mentioned:
10:20 <simo> if you are extrabrave you can also use those as defaults but allow to override per user by storing defaults per user in the user's uid named container

It will be decided later whether this is implemented as part of this ticket or in a separate one.
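To make the two limits discussed above concrete, here is an added example of a per-user secrets store that enforces both quotas at store time: a cap on the number of objects (container folders included) and a cap on the payload size of each object, with the 1024 / 16k values from the conversation as defaults and the optional per-uid override Simo mentioned. This is illustration code written for this page, not SSSD's secrets responder; the path layout (containers end in "/"), the class and function names, and the `SecretsService` override mechanism are assumptions.

```python
"""Quota-enforced secrets store (added example; not SSSD code).

Enforces, at store time, the limits discussed in the ticket:
  - max number of objects per user, container folders included
  - max payload size per object
Path layout, names and the per-uid override are assumptions for illustration.
"""

# Defaults taken from the ticket discussion; meant to be configurable.
DEFAULT_MAX_SECRETS = 1024          # objects, including container folders
DEFAULT_MAX_PAYLOAD = 16 * 1024     # bytes per object


class QuotaError(Exception):
    """Raised when a store operation would exceed the user's quota."""


class NotFound(KeyError):
    """Raised when an object or its parent container does not exist."""


class UserSecrets:
    """Secrets of one user. Containers are paths ending in '/'.
    The root '/' always exists and does not count against the quota."""

    def __init__(self, max_secrets=DEFAULT_MAX_SECRETS, max_payload=DEFAULT_MAX_PAYLOAD):
        self.max_secrets = max_secrets
        self.max_payload = max_payload
        self._objects = {}   # path -> bytes for a secret, None for a container

    def count(self):
        return len(self._objects)

    def _parent_exists(self, path):
        parent = path.rstrip("/").rpartition("/")[0] + "/"
        return parent == "/" or parent in self._objects

    def _reserve_slot(self, path):
        # Object-count quota, checked before anything is written.
        # Overwriting an existing object does not consume a new slot.
        if path not in self._objects and self.count() + 1 > self.max_secrets:
            raise QuotaError(f"object quota of {self.max_secrets} reached")

    def create_container(self, path):
        if not path.endswith("/"):
            raise ValueError("container paths end with '/'")
        if not self._parent_exists(path):
            raise NotFound(path)
        self._reserve_slot(path)
        self._objects[path] = None

    def put(self, path, payload: bytes):
        if path.endswith("/"):
            raise ValueError("secret paths do not end with '/'")
        # Size quota first: an oversized payload is rejected before any
        # slot accounting, so a failed store never changes the count.
        if len(payload) > self.max_payload:
            raise QuotaError(f"payload of {len(payload)} bytes exceeds {self.max_payload}")
        if not self._parent_exists(path):
            raise NotFound(path)
        self._reserve_slot(path)
        self._objects[path] = payload

    def get(self, path):
        if self._objects.get(path) is None:
            raise NotFound(path)
        return self._objects[path]

    def delete(self, path):
        if path not in self._objects:
            raise NotFound(path)
        if path.endswith("/") and any(p != path and p.startswith(path) for p in self._objects):
            raise ValueError("container not empty")
        del self._objects[path]


class SecretsService:
    """Service-wide defaults plus optional per-uid overrides (assumed design)."""

    def __init__(self, max_secrets=DEFAULT_MAX_SECRETS, max_payload=DEFAULT_MAX_PAYLOAD):
        self._defaults = (max_secrets, max_payload)
        self._overrides = {}    # uid -> (max_secrets, max_payload)
        self._stores = {}       # uid -> UserSecrets

    def set_quota(self, uid, max_secrets, max_payload):
        self._overrides[uid] = (max_secrets, max_payload)
        if uid in self._stores:
            self._stores[uid].max_secrets = max_secrets
            self._stores[uid].max_payload = max_payload

    def store_for(self, uid):
        if uid not in self._stores:
            self._stores[uid] = UserSecrets(*self._overrides.get(uid, self._defaults))
        return self._stores[uid]


if __name__ == "__main__":
    svc = SecretsService()
    s = svc.store_for(1000)
    s.create_container("/certs/")
    s.put("/certs/key", b"-----BEGIN PRIVATE KEY-----...")   # constructed sample payload
    print(s.count(), "objects;", len(s.get("/certs/key")), "bytes stored")
```

Note that the two checks are deliberately ordered so that a rejected store leaves the count untouched, and that replacing an existing secret is re-checked against the payload limit but never against the object limit, which is what makes in-place credential rotation possible when a user is already at their object quota.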

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15 Beta

Fields changed

rhbz: => todo

Fields changed

owner: somebody => fidencio
patch: 0 => 1
status: new => assigned

A partial patch (implementing the quota on the number of secrets) has been submitted to the ML (PR36).

Second patch (implementing the quota on the secrets' payload) has been submitted to the ML (PR75).

resolution: => fixed
status: assigned => closed

Fields changed

milestone: SSSD 1.15 Beta => SSSD 1.15 Alpha

The 1st patch is already in sssd-1-14.
Therefore it would be better to have the secrets-related code in sync with 1.14.

sssd-1-14:

milestone: SSSD 1.15 Alpha => SSSD 1.14.3

Metadata Update from @fidencio:
- Issue assigned to fidencio
- Issue set to the milestone: SSSD 1.14.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4202

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

