Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2164349
When a user is browsing the WebUI and navigates to Authentication > Certificates, the webui performs a command equivalent to "ipa cert-find" without any size or time limit.
The IPA framework handles this operation in /ipaserver/plugins/cert.py, class cert_find, method execute() https://github.com/freeipa/freeipa/blob/7d1d91fc86c49fcaaec05c772add13af36fc0209/ipaserver/plugins/cert.py#L1817
The execute method launches _ca_search, which in turn calls ra.find() https://github.com/freeipa/freeipa/blob/7d1d91fc86c49fcaaec05c772add13af36fc0209/ipaserver/plugins/cert.py#L1701
This method is defined in ipaserver/plugins/dogtag.py, class ra https://github.com/freeipa/freeipa/blob/7d1d91fc86c49fcaaec05c772add13af36fc0209/ipaserver/plugins/dogtag.py#L1727
The method is doing an http request to PKI: POST /ca/rest/certs/search?size=2147483647 (the size is the default one, 0x7fffffff, used because no options.sizelimit was provided) https://github.com/freeipa/freeipa/blob/7d1d91fc86c49fcaaec05c772add13af36fc0209/ipaserver/plugins/dogtag.py#L1828
Note: even if the user defines a sizelimit with ipa cert-find --sizelimit=xx, the limit passed to PKI is the default one 0x7fffffff. The limit is not forwarded from IPA framework to PKI.
The limit is only used when all the certs have been retrieved in order to truncate the returned entries: https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/cert.py#L1917
    if (len(result) > sizelimit > 0):
        if not truncated:
            self.add_message(messages.SearchResultTruncated(
                reason=errors.SizeLimitExceeded()))
        result = result[:sizelimit]
        truncated = True
On PKI side: PKI server seems to properly honor the size parameter. If it receives POST /ca/rest/certs/search?size=0x00000001 it sends only the requested number of certificates, i.e. one.
In summary:
- IPA framework should be enhanced to make better use of the size limit provided through ipa cert-find --sizelimit=xxx
- When no sizelimit is provided, the best would be to do a paged search when querying PKI. Not sure if PKI implements this functionality.
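As an added illustration (not FreeIPA or Dogtag code), the following Python model shows why applying --sizelimit only after the CA has answered still forces the CA to serialize every certificate, and what changes when the limit is forwarded in the request. FakePKI, CA_DATABASE, the records_served counter and the "ask for sizelimit + 1 entries to detect truncation" trick are all assumptions of this example; DEFAULT_SIZE is the 0x7fffffff value from the report.

```python
# Added illustration, not FreeIPA or PKI code: why a size limit that is applied
# only after the search returns still makes the CA serialize every certificate,
# and what forwarding the limit to the backend changes.

DEFAULT_SIZE = 0x7fffffff  # the default 'size' IPA sends to PKI (from the report)

# Constructed sample data: a CA holding 5,000 certificates.
CA_DATABASE = [
    {"serial": n, "subject": "CN=host%d.example.test" % n} for n in range(1, 5001)
]


class FakePKI:
    """Stand-in for POST /ca/rest/certs/search?size=N (hypothetical, not Dogtag).

    It honors 'size' the way the report says PKI does, and counts how many
    entries it had to serialize so the cost of each client strategy is visible.
    """

    def __init__(self, database):
        self.database = database
        self.records_served = 0

    def search(self, size):
        if size <= 0:
            raise ValueError("size must be a positive integer")
        batch = self.database[:size]
        self.records_served += len(batch)
        # Return copies, as a deserialized HTTP response would be new objects.
        return [dict(entry) for entry in batch]


def cert_find_truncate_after(pki, sizelimit=0):
    """Pattern described in the report: always query with DEFAULT_SIZE and
    apply 'sizelimit' to the full result afterwards (0 means no limit)."""
    result = pki.search(DEFAULT_SIZE)
    truncated = False
    if len(result) > sizelimit > 0:
        result = result[:sizelimit]
        truncated = True
    return result, truncated


def cert_find_forward_limit(pki, sizelimit=0):
    """Alternative (assumption of this example): pass the caller's limit to PKI.

    Asking for sizelimit + 1 entries lets the client detect that more
    certificates exist (to emit a 'truncated' message) without retrieving
    them all. With no limit the behaviour is unchanged, since the report
    does not establish that PKI supports paging.
    """
    if sizelimit > 0:
        result = pki.search(sizelimit + 1)
        truncated = len(result) > sizelimit
        return result[:sizelimit], truncated
    return pki.search(DEFAULT_SIZE), False


def compare(sizelimit):
    """Run both strategies against fresh fake CAs and report how many records
    each one forced the CA to serialize. Both must yield identical results."""
    old, new = FakePKI(CA_DATABASE), FakePKI(CA_DATABASE)
    old_result, old_trunc = cert_find_truncate_after(old, sizelimit)
    new_result, new_trunc = cert_find_forward_limit(new, sizelimit)
    assert old_result == new_result and old_trunc == new_trunc
    return {"truncate_after": old.records_served,
            "forward_limit": new.records_served}


if __name__ == "__main__":
    for limit in (10, 0, 6000):
        print("sizelimit=%d -> %s" % (limit, compare(limit)))
```

With a limit of 10 the truncate-after strategy still pulls all 5,000 entries from the CA while the forwarded limit pulls 11; with no limit, or a limit larger than the database, both pull everything, which is the case the report leaves open pending paging support in PKI.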
Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2164349
PR https://github.com/freeipa/freeipa/pull/6698
master:
ipa-4-9:
ipa-4-10:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @rcritten:
- Custom field changelog adjusted to: cert-find performance was improved dramatically when a large number of certificates are returned by changing the method IPA uses internally to parse results from the CA.