From 3a1ffc8f9849d70739198145ce9f0854171181a4 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio <fidencio@redhat.com>
Date: Jul 26 2017 16:26:44 +0000
Subject: Add "SUDO Caching Rules Invalidate" design page


A copy & paste from the old one.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit c34f5ba4914ea339caa4ae3a7c09c4d8418571d8)

---

diff --git a/design_pages/index.rst b/design_pages/index.rst
index 93a474e..10ef32c 100644
--- a/design_pages/index.rst
+++ b/design_pages/index.rst
@@ -47,6 +47,7 @@ Implemented in 1.14.x
    prompting_for_multiple_authentication_types
    secrets_service
    sssctl
+   sudo_caching_rules_invalidate
 
 Implemented in 1.13.x
 ---------------------
diff --git a/design_pages/sudo_caching_rules_invalidate.rst b/design_pages/sudo_caching_rules_invalidate.rst
new file mode 100644
index 0000000..ebe39df
--- /dev/null
+++ b/design_pages/sudo_caching_rules_invalidate.rst
@@ -0,0 +1,122 @@
+Invalidate Cached SUDO Rules
+============================
+
+Related ticket(s):
+
+-  `https://pagure.io/SSSD/sssd/issue/2081 <https://pagure.io/SSSD/sssd/issue/2081>`__
+-  `https://pagure.io/SSSD/sssd/issue/2884 <https://pagure.io/SSSD/sssd/issue/2884>`__
+
+Problem statement
+~~~~~~~~~~~~~~~~~
+
+Currently sss\_cache can't be used to reliably invalidate sudo rules.
+
+Use cases
+~~~~~~~~~
+
+Usually if admin changes sudo rules he would like to see an effect
+immediately.
+
+Overview of the solution
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Sudo rules are stored in sss\_cache. Sometimes *smart* or *full* refresh
+of sudo rules is done, but there is no effective way to invalidate them
+(see
+`https://docs.pagure.org/SSSD.sssd/design_pages/sudo_caching_rules <https://docs.pagure.org/SSSD.sssd/design_pages/sudo_caching_rules.html>`__).
+
+Solution consists of two steps:
+
+#. Invalidate sudo rules by setting expiration time to 0 which can
+   prevent to use old rules.
+#. Trigger full refresh (and maybe even smart refresh) on demand.
+
+Implementation details
+~~~~~~~~~~~~~~~~~~~~~~
+
+Invalidating sudo rules
+^^^^^^^^^^^^^^^^^^^^^^^
+
+SSSD provides tool sss\_cache for invalidating items. ::
+
+    $ sss_cache --help
+    Usage: sss_cache [OPTION...]
+      -E, --everything            Invalidate all cached entries except for sudo rules
+      -u, --user=STRING           Invalidate particular user
+      -U, --users                 Invalidate all users
+      -g, --group=STRING          Invalidate particular group
+      -G, --groups                Invalidate all groups
+      -n, --netgroup=STRING       Invalidate particular netgroup
+      -N, --netgroups             Invalidate all netgroups
+      -s, --service=STRING        Invalidate particular service
+      -S, --services              Invalidate all services
+      -a, --autofs-map=STRING     Invalidate particular autofs map
+      -A, --autofs-maps           Invalidate all autofs maps
+      -h, --ssh-host=STRING       Invalidate particular SSH host
+      -H, --ssh-hosts             Invalidate all SSH hosts
+      -d, --domain=STRING         Only invalidate entries from a particular domain
+
+    Help options:
+      -?, --help                  Show this help message
+          --usage                 Display brief usage message
+
+We need:
+
+-  add option ``--sudo-rule=STRING`` for invalidating only STRING named
+   sudo rule,
+-  add option ``--sudo-rules`` for invalidating all sudo rules,
+-  change option ``--everything`` for invalidating sudo rules too.
+
+For those changes we will provide new function
+``sysdb_search_sudo_rule()`` in ``db/sysdb_sudo.{hc}``. ::
+
+    errno_t
+    sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
+                            struct sss_domain_info *domain,
+                            const char *filter,
+                            const char **attrs,
+                            size_t *num_hosts,
+                            struct ldb_message ***hosts)
+    /* Synopsis is inspired by other `sysdb_search_*()` functions. */
+
+This new function be able to find sudo rule by given name (via filter).
+
+On the other hand there is function
+``sudosrv_get_sudorules_query_cache()`` in
+``responder/sudo/sudosrv_get_sudorules.c`` which has very similar
+behavior. Maybe it is candidate for proxy and moving to
+``db/sysdb_sudo.{hc}``.
+
+--------------
+
+To Be Done
+----------
+
+Implementation details
+~~~~~~~~~~~~~~~~~~~~~~
+
+A more technical extension of the previous section. Might include
+low-level details, such as C structures, function synopsis etc. In case
+of very trivial features (e.g a new option), this section can be merged
+with the previous one.
+
+Configuration changes
+~~~~~~~~~~~~~~~~~~~~~
+
+Does your feature involve changes to configuration, like new options or
+options changing values? Summarize them here. There's no need to go into
+too many details, that's what man pages are for.
+
+How To Test
+~~~~~~~~~~~
+
+This section should explain to a person with admin-level of SSSD
+understanding how this change affects run time behaviour of SSSD and how
+can an SSSD user test this change. If the feature is internal-only,
+please list what areas of SSSD are affected so that testers know where
+to focus.
+
+Authors
+~~~~~~~
+
+Give credit to authors of the design in this section.