diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2011-10-16 19:02:55 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-10-17 14:37:22 -0400 |
commit | 707ddc7de4d43a96a372880c50cb20b9672c9cdf (patch) | |
tree | d997fe0659dadfdedfe85efe361c2aa9eeb52882 /src/providers/ldap | |
parent | 95470076a26745f65d087be7cdf79c0373df21ca (diff) | |
download | sssd-707ddc7de4d43a96a372880c50cb20b9672c9cdf.tar.gz sssd-707ddc7de4d43a96a372880c50cb20b9672c9cdf.tar.bz2 sssd-707ddc7de4d43a96a372880c50cb20b9672c9cdf.zip |
Use fewer transactions during IPA initgroups
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 444 |
1 files changed, 273 insertions, 171 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 6df1dcd7..7864835e 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -668,7 +668,8 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) } if (count == 1) { - state->groups[state->groups_cur] = groups[0]; + state->groups[state->groups_cur] = talloc_steal(state->groups, + groups[0]); state->groups_cur++; } else { DEBUG(2, ("Search for group %s, returned %d results. Skipping\n", @@ -676,6 +677,9 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) } state->cur++; + /* note that state->count is the count of original memberOf which might not + * be only groups, but permissions, etc. Use state->groups_cur for + * group index cap */ if (state->cur < state->count) { subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, @@ -696,229 +700,312 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) } } -static int sdap_initgr_nested_store_group(struct sysdb_ctx *sysdb, - struct sdap_options *opts, - struct sss_domain_info *dom, - struct sysdb_attrs *group, - struct sysdb_attrs **groups, - int ngroups); +static errno_t +sdap_initgr_store_groups(struct sdap_initgr_nested_state *state); +static errno_t +sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state); +static errno_t +sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state); static void sdap_initgr_nested_store(struct tevent_req *req) { + errno_t ret; struct sdap_initgr_nested_state *state; + bool in_transaction = false; + errno_t tret; - struct ldb_message_element *el; - errno_t ret; - int i, mi; - struct ldb_message **direct_sysdb_groups = NULL; - size_t direct_sysdb_count = 0; + state = tevent_req_data(req, struct sdap_initgr_nested_state); - const char *orig_dn; - const char *user_dn; - struct ldb_dn *basedn; - static const char *group_attrs[] = { SYSDB_NAME, NULL }; - const char *member_filter; - char **sysdb_grouplist = NULL; - char **ldap_grouplist = NULL; - const char *tmp_str; + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(1, ("Failed to start transaction\n")); + goto fail; + } + in_transaction = true; - int ndirect; - struct sysdb_attrs **direct_groups; + /* save the groups if they are not already */ + ret = sdap_initgr_store_groups(state); + if (ret != EOK) { + DEBUG(3, ("Could not save groups [%d]: %s\n", + ret, strerror(ret))); + goto fail; + } - state = tevent_req_data(req, struct sdap_initgr_nested_state); + /* save the group memberships */ + ret = sdap_initgr_store_group_memberships(state); + if (ret != EOK) { + DEBUG(3, ("Could not save group memberships [%d]: %s\n", + ret, strerror(ret))); + goto fail; + } - /* Get direct LDAP parents */ - ret = sysdb_attrs_get_string(state->user, SYSDB_ORIG_DN, &orig_dn); + /* save the user memberships */ + ret = sdap_initgr_store_user_memberships(state); if (ret != EOK) { - DEBUG(2, ("The user has no original DN\n")); - goto done; + DEBUG(3, ("Could not save user memberships [%d]: %s\n", + ret, strerror(ret))); + goto fail; } - direct_groups = talloc_zero_array(state, struct sysdb_attrs *, - state->count + 1); - if (!direct_groups) { - ret = ENOMEM; - goto done; + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(1, ("Failed to commit transaction\n")); + goto fail; } - ndirect = 0; + in_transaction = false; - for (i=0; i < state->groups_cur ; i++) { - ret = sysdb_attrs_get_el(state->groups[i], SYSDB_MEMBER, &el); + tevent_req_done(req); + return; + +fail: + if (in_transaction) { + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(1, ("Failed to cancel transaction\n")); + } + } + tevent_req_error(req, ret); + return; +} + +static errno_t +sdap_initgr_store_groups(struct sdap_initgr_nested_state *state) +{ + return sdap_nested_groups_store(state->sysdb, state->dom, + state->opts, state->groups, + state->groups_cur); +} + +static errno_t +sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *group, + struct sysdb_attrs **all_groups, + int groups_count, + struct membership_diff **mdiff); + +static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *attrs, + struct sysdb_attrs **groups, + int ngroups, + struct sysdb_attrs ***_direct_parents, + int *_ndirect); + +static errno_t +sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state) +{ + errno_t ret; + int i, tret; + TALLOC_CTX *tmp_ctx; + struct membership_diff *miter; + struct membership_diff *memberships = NULL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* Compute the diffs first in order to keep the transaction as small + * as possible + */ + for (i=0; i < state->groups_cur; i++) { + ret = sdap_initgr_nested_get_membership_diff(tmp_ctx, state->sysdb, + state->opts, state->dom, + state->groups[i], + state->groups, + state->groups_cur, + &miter); if (ret) { - DEBUG(3, ("A group with no members during initgroups?\n")); + DEBUG(3, ("Could not compute memberships for group %d [%d]: %s\n", + i, ret, strerror(ret))); goto done; } - for (mi = 0; mi < el->num_values; mi++) { - if (strcasecmp((const char *) el->values[mi].data, orig_dn) != 0) { - continue; - } + DLIST_ADD(memberships, miter); + } - direct_groups[ndirect] = state->groups[i]; - ndirect++; + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(1, ("Failed to start transaction\n")); + goto done; + } + + DLIST_FOR_EACH(miter, memberships) { + ret = sysdb_update_members(state->sysdb, miter->name, + SYSDB_MEMBER_GROUP, + (const char *const *) miter->add, + (const char *const *) miter->del); + if (ret != EOK) { + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(1, ("Failed to cancel transaction\n")); + } + goto done; } } - DEBUG(7, ("The user %s is a direct member of %d LDAP groups\n", - state->username, ndirect)); + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(1, ("Failed to commit transaction\n")); + goto done; + } - /* Get direct sysdb parents */ - user_dn = sysdb_user_strdn(state, state->dom->name, state->username); - if (!user_dn) { + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state) +{ + errno_t ret; + int tret; + const char *orig_dn; + + char **sysdb_parent_name_list = NULL; + char **ldap_parent_name_list = NULL; + + int nparents; + struct sysdb_attrs **ldap_parentlist; + struct ldb_message_element *el; + int i, mi; + char **add_groups; + char **del_groups; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { ret = ENOMEM; goto done; } - member_filter = talloc_asprintf(state, "(&(%s=%s)(%s=%s))", - SYSDB_OBJECTCLASS, SYSDB_GROUP_CLASS, - SYSDB_MEMBER, user_dn); - if (!member_filter) { - ret = ENOMEM; + /* Get direct LDAP parents */ + ret = sysdb_attrs_get_string(state->user, SYSDB_ORIG_DN, &orig_dn); + if (ret != EOK) { + DEBUG(2, ("The user has no original DN\n")); goto done; } - basedn = ldb_dn_new_fmt(state, sysdb_ctx_get_ldb(state->sysdb), - SYSDB_TMPL_GROUP_BASE, - state->dom->name); - if (!basedn) { + ldap_parentlist = talloc_zero_array(tmp_ctx, struct sysdb_attrs *, + state->groups_cur + 1); + if (!ldap_parentlist) { ret = ENOMEM; goto done; } + nparents = 0; - DEBUG(8, ("searching sysdb with filter [%s]\n", member_filter)); - - ret = sysdb_search_entry(state, state->sysdb, basedn, - LDB_SCOPE_SUBTREE, member_filter, group_attrs, - &direct_sysdb_count, &direct_sysdb_groups); - if (ret == EOK) { - /* Get the list of sysdb groups by name */ - sysdb_grouplist = talloc_array(state, char *, direct_sysdb_count+1); - if (!sysdb_grouplist) { - ret = ENOMEM; + for (i=0; i < state->groups_cur ; i++) { + ret = sysdb_attrs_get_el(state->groups[i], SYSDB_MEMBER, &el); + if (ret) { + DEBUG(3, ("A group with no members during initgroups?\n")); goto done; } - for(i = 0; i < direct_sysdb_count; i++) { - tmp_str = ldb_msg_find_attr_as_string(direct_sysdb_groups[i], - SYSDB_NAME, NULL); - if (!tmp_str) { - /* This should never happen, but if it does, just continue */ + for (mi = 0; mi < el->num_values; mi++) { + if (strcasecmp((const char *) el->values[mi].data, orig_dn) != 0) { continue; } - sysdb_grouplist[i] = talloc_strdup(sysdb_grouplist, tmp_str); - if (!sysdb_grouplist[i]) { - DEBUG(1, ("A group with no name?\n")); - ret = EIO; - goto done; - } + ldap_parentlist[nparents] = state->groups[i]; + nparents++; } - sysdb_grouplist[i] = NULL; - } else if (ret == ENOENT) { - direct_sysdb_groups = NULL; - direct_sysdb_count = 0; + } + + DEBUG(7, ("The user %s is a direct member of %d LDAP groups\n", + state->username, nparents)); + + if (nparents == 0) { + ldap_parent_name_list = NULL; } else { - DEBUG(2, ("sysdb_search_entry failed: [%d]: %s\n", ret, strerror(ret))); - goto done; + ret = sysdb_attrs_primary_name_list(state->sysdb, tmp_ctx, + ldap_parentlist, + nparents, + state->opts->group_map[SDAP_AT_GROUP_NAME].name, + &ldap_parent_name_list); + if (ret != EOK) { + DEBUG(1, ("sysdb_attrs_primary_name_list failed [%d]: %s\n", + ret, strerror(ret))); + goto done; + } } - DEBUG(7, ("The user %s is a member of %d sysdb groups\n", - state->username, direct_sysdb_count)); - /* Store the direct parents with full member/memberof pairs */ - ret = sdap_initgr_common_store(state->sysdb, state->opts, - state->dom, - state->username, + ret = sysdb_get_direct_parents(tmp_ctx, state->sysdb, state->dom, SYSDB_MEMBER_USER, - sysdb_grouplist, - direct_groups, - ndirect, true); - if (ret != EOK) { - DEBUG(1, ("sdap_initgr_common_store failed [%d]: %s\n", - ret, strerror(ret))); + state->username, &sysdb_parent_name_list); + if (ret) { + DEBUG(1, ("Could not get direct sysdb parents for %s: %d [%s]\n", + state->username, ret, strerror(ret))); goto done; } - /* Not all indirect groups may be cached. - * Add fake entries for those that are not */ - ret = sysdb_attrs_primary_name_list( - state->sysdb, state, - state->groups, state->groups_cur, - state->opts->group_map[SDAP_AT_GROUP_NAME].name, - &ldap_grouplist); + ret = diff_string_lists(tmp_ctx, + ldap_parent_name_list, sysdb_parent_name_list, + &add_groups, &del_groups, NULL); if (ret != EOK) { - DEBUG(1, ("sysdb_attrs_primary_name_list failed [%d]: %s\n", - ret, strerror(ret))); goto done; } - ret = sdap_add_incomplete_groups(state->sysdb, state->opts, - state->dom, ldap_grouplist, - state->groups, state->groups_cur); + ret = sysdb_transaction_start(state->sysdb); if (ret != EOK) { - DEBUG(1, ("adding incomplete groups failed [%d]: %s\n", - ret, strerror(ret))); + DEBUG(1, ("Failed to start transaction\n")); goto done; } - /* Set the indirect memberships */ - for (i=0; i < state->groups_cur ; i++) { - ret = sdap_initgr_nested_store_group(state->sysdb, state->opts, - state->dom, state->groups[i], - state->groups, state->groups_cur); - if (ret != EOK) { - DEBUG(2, ("Cannot fix nested group membership\n")); - goto done; + DEBUG(8, ("Updating memberships for %s\n", state->username)); + ret = sysdb_update_members(state->sysdb, state->username, SYSDB_MEMBER_USER, + (const char *const *) add_groups, + (const char *const *) del_groups); + if (ret != EOK) { + DEBUG(1, ("Could not update sysdb memberships for %s: %d [%s]\n", + state->username, ret, strerror(ret))); + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(1, ("Failed to cancel transaction\n")); } + goto done; } -done: + ret = sysdb_transaction_commit(state->sysdb); if (ret != EOK) { - tevent_req_error(req, ret); - return; + goto done; } - tevent_req_done(req); + ret = EOK; +done: + talloc_zfree(tmp_ctx); + return ret; } -static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx, - struct sysdb_attrs *attrs, - struct sysdb_attrs **groups, - int ngroups, - struct sysdb_attrs ***_direct_parents, - int *_ndirect); - -static int sdap_initgr_nested_store_group(struct sysdb_ctx *sysdb, - struct sdap_options *opts, - struct sss_domain_info *dom, - struct sysdb_attrs *group, - struct sysdb_attrs **groups, - int ngroups) +static errno_t +sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *group, + struct sysdb_attrs **all_groups, + int groups_count, + struct membership_diff **_mdiff) { - TALLOC_CTX *tmp_ctx; - const char *group_orig_dn; + errno_t ret; + struct membership_diff *mdiff; const char *group_name; - int ret; - struct ldb_dn *basedn; - int ndirect; - struct sysdb_attrs **direct_groups; - char **sysdb_grouplist = NULL; - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) return ENOMEM; + struct sysdb_attrs **ldap_parentlist; + int parents_count; - basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(sysdb), - SYSDB_TMPL_GROUP_BASE, - dom->name); - if (!basedn) { - ret = ENOMEM; - goto done; - } + char **ldap_parent_names_list = NULL; + char **sysdb_parents_names_list = NULL; - ret = sysdb_attrs_get_string(group, SYSDB_ORIG_DN, &group_orig_dn); - if (ret != EOK) { + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; goto done; } + /* Get direct sysdb parents */ ret = sysdb_attrs_primary_name(sysdb, group, opts->group_map[SDAP_AT_GROUP_NAME].name, &group_name); @@ -926,40 +1013,55 @@ static int sdap_initgr_nested_store_group(struct sysdb_ctx *sysdb, goto done; } - /* Get direct sysdb parents */ - ret = sysdb_get_direct_parents(tmp_ctx, sysdb, dom, SYSDB_MEMBER_GROUP, - group_name, &sysdb_grouplist); + ret = sysdb_get_direct_parents(tmp_ctx, sysdb, dom, + SYSDB_MEMBER_GROUP, + group_name, &sysdb_parents_names_list); if (ret) { - DEBUG(1, ("Could not get direct parents for %s: %d [%s]\n", - group_name, ret, strerror(ret))); + DEBUG(1, ("Could not get direct sysdb parents for %s: %d [%s]\n", + group_name, ret, strerror(ret))); goto done; } - /* Filter only parents from full set */ - ret = sdap_initgr_nested_get_direct_parents(tmp_ctx, group, groups, - ngroups, &direct_groups, - &ndirect); + /* For each group, filter only parents from full set */ + ret = sdap_initgr_nested_get_direct_parents(tmp_ctx, + group, + all_groups, + groups_count, + &ldap_parentlist, + &parents_count); if (ret != EOK) { - DEBUG(1, ("Cannot get parent groups [%d]: %s\n", - ret, strerror(ret))); + DEBUG(1, ("Cannot get parent groups for %s [%d]: %s\n", + group_name, ret, strerror(ret))); goto done; } DEBUG(7, ("The group %s is a direct member of %d LDAP groups\n", - group_name, ndirect)); + group_name, parents_count)); - /* Store the direct parents with full member/memberof pairs */ - ret = sdap_initgr_common_store(sysdb, opts, dom, group_name, - SYSDB_MEMBER_GROUP, sysdb_grouplist, - direct_groups, ndirect, false); + if (parents_count > 0) { + ret = sysdb_attrs_primary_name_list(sysdb, tmp_ctx, + ldap_parentlist, + parents_count, + opts->group_map[SDAP_AT_GROUP_NAME].name, + &ldap_parent_names_list); + if (ret != EOK) { + DEBUG(1, ("sysdb_attrs_primary_name_list failed [%d]: %s\n", + ret, strerror(ret))); + goto done; + } + } + + ret = build_membership_diff(tmp_ctx, group_name, ldap_parent_names_list, + sysdb_parents_names_list, &mdiff); if (ret != EOK) { - DEBUG(1, ("sdap_initgr_common_store failed [%d]: %s\n", - ret, strerror(ret))); + DEBUG(3, ("Could not build membership diff for %s [%d]: %s\n", + group_name, ret, strerror(ret))); goto done; } ret = EOK; + *_mdiff = talloc_steal(mem_ctx, mdiff); done: - talloc_zfree(tmp_ctx); + talloc_free(tmp_ctx); return ret; } |