#1016 Separate Cache Timeouts for SSSD
Closed: Fixed. Opened 12 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=742510

+++ This bug was initially created as a clone of Bug #741981 +++

Description of problem:
Currently SSSD has 1 monolithic timeout for nss data: users / groups / netgroups.

This has an impact in situations where Sudo needs to get at updated netgroup data for authorization decisions but can only acquire data from the (default 90 minute) cache.

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA / SSSD client for Sudo
2. Perform a Sudo action without the host added to the hostgroup/netgroup in a sudo rule.
3. Notice that the action is denied and cached.
4. Add the host to the hostgroup/netgroup that is in a sudo rule
5. Notice that the action is still denied.

Actual results:
Cached data is not updated

Expected results:
Cached data is individually timed out, or refreshed for actions such as sudo lookups.

Additional info:

Fields changed

coverity: =>

milestone: NEEDS_TRIAGE => SSSD 1.8.0
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

rhbz: => 741981

Fields changed

type: defect => enhancement

This ticket should consider special cache timeout for every map type we support.

There is a related ticket to deal with the timeout for netgroups #946

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.8.0 => SSSD 1.7.91 (1.8.0 beta 1)

Fields changed

component: SysDB => NSS
owner: somebody => jhrozek

Fields changed

owner: jhrozek => sgallagh
status: new => assigned

Fixed by bd92e8e

feature_milestone: =>
resolution: => fixed
status: assigned => closed
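An added configuration example, not taken from this ticket or from the commit that closed it: the single timeout described in the report, next to per-map overrides. The option names are those documented in sssd.conf(5); the domain name and the timeout values are assumptions chosen for illustration.

```ini
# --- Before: one timeout governs every cached map -------------------------
# [domain/example.test]
# id_provider = ipa
# # 5400 s = the 90 minute default mentioned in the report. A negative
# # sudo decision based on netgroup membership can persist this long
# # after the host is added to the hostgroup/netgroup on the server.
# entry_cache_timeout = 5400

# --- After: authorization-relevant maps expire sooner ---------------------
[domain/example.test]
id_provider = ipa

# Fallback for any map without its own setting below.
entry_cache_timeout = 5400

# Users and groups change rarely here; leaving these unset would also
# inherit entry_cache_timeout.
entry_cache_user_timeout = 5400
entry_cache_group_timeout = 5400

# Netgroup and sudo rule data feed authorization decisions, so they are
# refreshed from the backend more often (illustrative values).
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
```

Shorter timeouts mean more frequent backend lookups, so the values for the authorization maps are a trade-off between how quickly a membership change takes effect and the load placed on the directory server.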

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8 beta

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2058

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
