remove search limit for aci group evaluation #1038
Comments
Comment from mreynolds (@mreynolds389) at 2015-06-19 21:37:09 Strange, ticket 47702 apparently does not exist - not sure how that is possible. Anyway, continuing investigation.
Comment from mreynolds (@mreynolds389) at 2015-08-07 19:31:02 William wrote: Why was the search limit added initially into the aci plugin? By deleting this Reply: It was old code, and it was probably there to keep aci evaluation from taking too long. However, acis should always be fully evaluated. William wrote:
Reply: Are you binding as Directory Manager? The "Directory Manager" is not processed by acls. You should be binding as a "regular user" from the database if you want to test this fix. Verification Steps: [1] Add 10000 users (with passwords)
Comment from firstyear (@Firstyear) at 2015-08-07 19:48:00 My test sets the sizelimit low (set to N), creates N+1 users, then re-binds with a user and sees if the aci works. I think the issue is that I'm not testing as the last user in the group. I'll rework the test. I've attached the work in progress to the ticket.
Comment from firstyear (@Firstyear) at 2015-08-07 19:52:30 example test
Comment from firstyear (@Firstyear) at 2015-08-07 19:55:45 Still can't produce this error. I have attached a tweaked version of the test that attempts to bind every possible user to try and fail the aci. I've now also tested with: MAX_USERS = 10000 Are there some specifics around the aci needed to cause the failure or is: (targetattr ="uniqueMember")(targetfilter ="(cn=target)")(version 3.0;acl "Test ACI";allow (write)(groupdn = "ldap:///cn=testgroup,dc=example,dc=com");) Followed by a test user in testgroup, writing to cn=target sufficient?
Comment from mreynolds (@mreynolds389) at 2015-08-08 00:11:46 Yeah I'm not sure how to reproduce this. I've cc'ed Ludwig who worked on this initially and discovered the problem. Ludwig, how do you reproduce this problem? Seems to work fine without any changes to the acl code. Thanks,
Comment from nhosoi (@nhosoi) at 2015-08-13 03:10:51 The patch 0001-Ticket-47703-remove-search-limit-for-aci-group-evalu.patch looks good to me. I'm confused at this note:
Was 47702 removed? If I try to open the ticket, I get: If "47702" is a typo of some other ticket, was the original issue already fixed by that and that's why we could not reproduce the problem???
Comment from mreynolds (@mreynolds389) at 2015-08-13 03:24:58 Replying to [comment:12 nhosoi]:
I know and I can't find it either. Ludwig said it was deleted somehow. There was a bugzilla about this on the IPA side, but I can't find it.
Comment from nhosoi (@nhosoi) at 2015-08-25 04:36:52 Hi Mark, Hi Ludwig, Do you think the patch 0001-Ticket-47703-remove-search-limit-for-aci-group-evalu.patch should not be pushed until the bug is successfully reproduced? If so, can we push this bug to 1.3.5? Thanks,
Comment from lkrispen (@elkris) at 2015-08-25 18:46:46 I will look into it and try to reproduce
Comment from mreynolds (@mreynolds389) at 2015-08-25 21:47:16 Ludwig told me that this only applies to search operations, not "modify" operations. I had previously only tested delete operations. I will be testing searches later today...
Comment from mreynolds (@mreynolds389) at 2015-08-26 20:26:53 Replying to [comment:16 mreynolds389]:
I still cannot reproduce the problem using searches (or modifies). Here is exactly what I did:
Ludwig can you look into this and see if you can figure out how to reproduce the issue?
Comment from nhosoi (@nhosoi) at 2016-05-13 00:18:00 Per triage, push the target milestone to 1.3.6.
Comment from nhosoi (@nhosoi) at 2016-10-14 00:55:50 There was an error case reported in which sizelimit was set to 1 by some application.
Comment from mreynolds (@mreynolds389) at 2016-10-14 02:55:36 Replying to [comment:20 nhosoi]:
It's my patch, but I couldn't reproduce the issue. So I can't verify if the fix did anything. This simply needs to be revisited to see if there is an issue.
Comment from nhosoi (@nhosoi) at 2016-10-15 02:28:12 Note: a customer is hoping to have this fix backported to 1.2.11 if it solves their problem.
Comment from nhosoi (@nhosoi) at 2016-10-19 00:10:56 Input from Hiroko-san. On 10/13/2016 10:35 AM, Hiroko Miura wrote:
Comment from mreynolds (@mreynolds389) at 2016-10-20 01:50:42 attachment
Comment from mreynolds (@mreynolds389) at 2016-10-20 01:54:20 1e1f6fe..3151648 master -> master
Comment from nhosoi (@nhosoi) at 2016-10-20 08:01:24 Set the target milestone to 1.2.11.x. Mark, could it be possible to backport to the branch? 1.3.5 is likely to have the fix, too.
Comment from mreynolds (@mreynolds389) at 2016-10-20 14:14:23 9982033..99a34b4 389-ds-base-1.3.5 -> 389-ds-base-1.3.5 48ed4c8..68cc036 389-ds-base-1.3.4 -> 389-ds-base-1.3.4 c55e708..3fd372e 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Comment from mreynolds (@mreynolds389) at 2017-02-11 22:50:57 Metadata Update from @mreynolds389:
Comment from gparente (@germanparente) at 2017-06-14 17:54:20 Hi, this ticket has been committed in the 1.3.5 branch but it's not delivered into RHEL7.3 from what I have checked.
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47703
This is the more general solution for ticket47702. If groups are used in acis they should always be fully evaluated.
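A fixture generator for the test described in the comments (size limit N, a group with N+1 members, bind as the last member and write to cn=target), as an added example that is not part of the original issue or of the 389-ds-base test suite. The suffix, group name and ACI string come from the thread; the user DN scheme, object classes, placeholder password and the choice to store the ACI on cn=target itself are assumptions.

```python
import base64

BASE = "dc=example,dc=com"
GROUP_DN = f"cn=testgroup,{BASE}"
# ACI string as quoted in the thread.
ACI = ('(targetattr ="uniqueMember")(targetfilter ="(cn=target)")'
       '(version 3.0;acl "Test ACI";allow (write)'
       f'(groupdn = "ldap:///{GROUP_DN}");)')

def user_dn(i):
    # Assumed naming scheme; the thread does not give the test users' DNs.
    return f"uid=user{i},ou=people,{BASE}"

def last_member_dn(size_limit):
    """DN to bind as: the group member just past the size limit."""
    return user_dn(size_limit + 1)

def build_entries(size_limit):
    """(dn, attrs) pairs: ou=people, size_limit + 1 users, the group, the target."""
    ids = range(1, size_limit + 2)
    person = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    entries = [(f"ou=people,{BASE}",
                {"objectClass": ["top", "organizationalUnit"], "ou": ["people"]})]
    for i in ids:
        entries.append((user_dn(i), {
            "objectClass": person, "uid": [f"user{i}"], "cn": [f"user{i}"],
            "sn": [f"user{i}"], "userPassword": ["PLACEHOLDER-change-me"]}))
    entries.append((GROUP_DN, {
        "objectClass": ["top", "groupOfUniqueNames"], "cn": ["testgroup"],
        "uniqueMember": [user_dn(i) for i in ids]}))
    # Assumption: the ACI is stored on the target entry itself.
    entries.append((f"cn=target,{BASE}", {
        "objectClass": ["top", "groupOfUniqueNames"], "cn": ["target"],
        "aci": [ACI]}))
    return entries

def ldif_line(attr, value):
    """Emit one attribute line, base64-encoding values LDIF cannot carry as-is."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def to_ldif(entries):
    return "\n".join(
        "\n".join([ldif_line("dn", dn)]
                  + [ldif_line(a, v) for a, vals in attrs.items() for v in vals]) + "\n"
        for dn, attrs in entries)

if __name__ == "__main__":
    print(to_ldif(build_entries(10)))
```
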