Ticket #1049 (closed defect: wontfix)

Opened 3 years ago

Last modified 2 years ago

Check id ranges when returning entries from cache

Reported by: jhrozek Owned by: somebody
Priority: major Milestone: SSSD Deferred
Component: SSSD Version: 1.6.2
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: no Red Hat Bugzilla: 741210
Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:

Description

SSSD only performs ID range checks when the entry is saved into the cache. The NSS responder returns an entry when it is cached and not expired, without ID checks.

This can be confusing when a user changes ID ranges but still sees entries returned from cache with IDs out of range.

This is an even bigger problem for the local provider because the local backend is essentially a cache that never expires.

Change History

comment:1 Changed 3 years ago by jhrozek

  • Red Hat Bugzilla set to 741210

comment:2 Changed 3 years ago by simo

I think it is reasonable to expect the user to run the command to clean the caches when fundamental configuration is changed.

The local case is harder, but then if you really want to change the range you should also really check and remove/change users that fall off the range.

The reason why I am not so hot on enforcing the range in the responder is that we will not really be able to do that when we have the read-only mmap cache shared with the clients. We would have to have code that regularly scans and removes out-of-range entries to maintain similar behaviour, which is costly and I am not sure it is really in scope.

Another way, though, is to store the range in the cache in the base entry and check whether it matches the current configuration at startup. If it doesn't, either autoremove all the caches or at least remove the offending entries.

This means the change of ranges must have effect only if you restart SSSD though.

HTH
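The startup check proposed in comment:2, sketched as an added example that is not part of the ticket or of SSSD's code. It is a toy in-memory cache (the `Cache` class, the function names and the sample users are all constructed for illustration) showing that a lookup still serves an out-of-range ID after the configured range changes, and that comparing the stored range with the configuration at startup removes it.

```python
from dataclasses import dataclass, field

@dataclass
class Cache:
    """Toy stand-in for a domain cache; not SSSD's on-disk format."""
    id_range: tuple                               # range recorded in the "base entry"
    entries: dict = field(default_factory=dict)   # name -> (uid, expires_at)

def in_range(uid, id_range):
    lo, hi = id_range
    # Assumption of this model: an upper bound of 0 means "no upper limit".
    return uid >= lo and (hi == 0 or uid <= hi)

def save(cache, name, uid, ttl, now):
    """Save path: the only place the range is checked (as the ticket describes)."""
    if not in_range(uid, cache.id_range):
        return False
    cache.entries[name] = (uid, now + ttl)
    return True

def lookup(cache, name, now):
    """Responder path: returns any unexpired entry, with no range check."""
    hit = cache.entries.get(name)
    if hit is None or hit[1] <= now:
        return None
    return hit[0]

def reconcile_at_startup(cache, configured_range):
    """Compare the stored range with the configuration; drop offending entries."""
    if cache.id_range == configured_range:
        return []
    removed = sorted(name for name, (uid, _) in cache.entries.items()
                     if not in_range(uid, configured_range))
    for name in removed:
        del cache.entries[name]
    cache.id_range = configured_range
    return removed

def demo():
    now = 1000
    cache = Cache(id_range=(1000, 0))           # constructed sample data
    save(cache, "alice", 1500, ttl=3600, now=now)
    save(cache, "bob", 70000, ttl=3600, now=now)
    new_range = (1000, 60000)                   # admin narrows the range
    stale = lookup(cache, "bob", now + 10)      # still served from cache
    removed = reconcile_at_startup(cache, new_range)
    return (stale, removed,
            lookup(cache, "bob", now + 10), lookup(cache, "alice", now + 10))
```
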

comment:3 Changed 3 years ago by jhrozek

The above comment sounds reasonable and would turn this ticket into a documentation issue.

comment:4 Changed 2 years ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD Deferred

Expire the cache if configuration changes.

comment:5 Changed 2 years ago by dpal

comment:6 Changed 2 years ago by mkosek

  • Red Hat Bugzilla changed from 741210 to [https://bugzilla.redhat.com/show_bug.cgi?id=741210 741210]

comment:7 Changed 2 years ago by sgallagh

  • Resolution set to wontfix
  • Status changed from new to closed