#7835 Cert revokation for services and hosts is inefficient
Opened 7 months ago by cheimes. Modified 4 months ago

Issue

The cert revokation logic for service and host certificates is inefficient and slow. When IPA deletes a host, it revokes all certs for the host as well as all certificates for all services of the removed host. For each service and host revokation, the command retrieves all from Dogtag. This can take very long in a setup with a couple of hundred thousand certs and a couple of services on each host. See https://bugzilla.redhat.com/show_bug.cgi?id=1658280

Internally service_del uses cert_find(service=principal) to find all certificates that are associated with the service. cert_find runs three different queries: cert_search, ca_search, and ldap_search.

For cert_find() of services, only ldap_search is relevant. It uses an efficient query with an LDAP filter "(&(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuser))(krbPrincipalName=...)(userCertificate=*))" attrs="userCertificate" to find the service certs.

However the cert_find() executes the ca_search subquery first. It uses ra.find() method fetches information for all certs from Dogtag. There is no filtering by hostname or service. For example an ipa service-del call Dogtag's XML-RCP endpoint /ca/rest/certs/search?size=2147483647 with POST request

<CertSearchRequest>
  <serialNumberRangeInUse>true</serialNumberRangeInUse>
  <subjectInUse>false</subjectInUse>
  <matchExactly>false</matchExactly>
  <revokedByInUse>false</revokedByInUse>
  <revokedOnInUse>false</revokedOnInUse>
  <revocationReasonInUse>false</revocationReasonInUse>
  <issuedByInUse>false</issuedByInUse>
  <issuedOnInUse>false</issuedOnInUse>
  <validNotBeforeInUse>false</validNotBeforeInUse>
  <validNotAfterInUse>false</validNotAfterInUse>
  <validityLengthInUse>false</validityLengthInUse>
  <certTypeInUse>false</certTypeInUse>
</CertSearchRequest>

Steps to Reproduce

  1. create a host with host cert and a couple of services with a service cert
  2. watch Dogtag's access log
  3. delete host

Actual behavior

IPA runs /ca/rest/certs/search for each service entry and the host

Expected behavior

The service and host revokation cases should be optimized and not require a cert search

Version/Release/Distribution

4.7.2

Additional info:

The host and service certs are stored in LDAP inside the host and service entry. There is no need to search CA. A more efficient implementation could look like this:

  • fetch usercertificate for the service / host principal
  • for each cert, get cacn for cert.
  • if cacn references the CA or a LWCA subca, revoke the certificate

Metadata Update from @cheimes:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1658280

7 months ago

@gparente proposed another optimization. He suggested to filter out revoked certs. However cert-find does not yet support filtering for non-revoked certs, e.g. ipa cert-find --revoked=false.

master:

  • ae74d34 Add workaround for slow host/service del
  • 6cd3754 Optimize cert remove case

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.6 (was: 0.0 NEEDS_TRIAGE)

7 months ago

ipa-4-6:

  • 1e842f0 Add workaround for slow host/service del
  • 9a0783f Optimize cert remove case

ipa-4-7:

  • a243bd5 Add workaround for slow host/service del
  • 2ccd4da Optimize cert remove case

The workaround has landed in 4.6, 4.7, and master. Since it's a workaround, I'm leaving this ticket open.

ipa-4-7:

  • 11907ed Adapt cert-find performance workaround for users

ipa-4-6:

  • b480a8a Adapt cert-find performance workaround for users

Login to comment on this ticket.

Metadata