kcm: replace old credentials when storing a new one #5775

Closed
pbrezina opened this issue Sep 7, 2021 · 2 comments

pbrezina commented Sep 7, 2021

Currently, when KCM stores a new credential it just blindly appends it to the existing credential cache. This makes the ccache grow over time when it stores a credential that is already in the ccache, such as the refresh_time control credential, which is stored when GSSAPI tries to refresh a particular ticket.

Instead of appending, we should replace the old credential. Even though we have improved KCM performance dramatically, this will help further as the ccache will stay as small as needed.

@pbrezina pbrezina added the KCM label Sep 7, 2021
@pbrezina pbrezina self-assigned this Sep 7, 2021
pbrezina added a commit to pbrezina/sssd that referenced this issue Sep 7, 2021
Currently, we just append the input credential to the ccache. This however
makes the ccache grow over time as credentials expire and more control
credentials are stored.

Now we remove or credentials that are the same and overwrite them with
the input credential.

Resolves:
SSSD#5775

pbrezina commented Sep 7, 2021

You can use this code to test. Each call will add a new test control credential.

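```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <krb5.h>

int main(int argc, const char **argv)
{
    /* Value of the test control (config) credential stored under key "test". */
    krb5_data data = {0, strlen("hello"), strdup("hello")};
    krb5_context context = NULL;
    krb5_error_code ret;
    krb5_ccache cc = NULL;
    int rc = 1;

    ret = krb5_init_context(&context);
    if (ret != 0) {
        printf("krb5_init_context Error %d\n", ret);
        goto done;
    }

    /* Open the default credential cache. */
    ret = krb5_cc_default(context, &cc);
    if (ret != 0) {
        printf("krb5_cc_default Error %d\n", ret);
        goto done;
    }

    /* Store the config (control) credential in the ccache. */
    ret = krb5_cc_set_config(context, cc, NULL, "test", &data);
    if (ret != 0) {
        printf("krb5_cc_set_config Error %d\n", ret);
        goto done;
    }

    rc = 0;

done:
    /* Release the ccache handle, the library context and the payload copy. */
    if (cc != NULL) {
        krb5_cc_close(context, cc);
    }
    if (context != NULL) {
        krb5_free_context(context);
    }
    free(data.data);
    return rc;
}
```

```
$ gcc -ggdb3 -o main src/main.c -lkrb5
```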

pbrezina added a commit to pbrezina/sssd that referenced this issue Sep 7, 2021
Currently, we just append the input credential to the ccache. This however
makes the ccache grow over time as credentials expire and more control
credentials are stored.

Now we remove or credentials that are the same and overwrite them with
the input credential.

Resolves: SSSD#5775

:fixes: KCM now replaces the old credential with a new one when storing
  an update credential that is however already present in the ccache
  to avoid unnecessary growth of the ccache.
pbrezina added a commit to pbrezina/sssd that referenced this issue Sep 13, 2021

pbrezina commented Oct 5, 2021

Pushed PR: #5776

  • master
    • 55c5de2 - kcm: replace existing credentials to avoid unnecessary ccache growth
    • aca2e08 - krb5: remove unused mem_ctx from get_krb5_data_from_cred()

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Oct 5, 2021
shridhargadekar pushed a commit to shridhargadekar/sssd that referenced this issue Apr 1, 2022
Currently, we just append the input credential to the ccache. This however
makes the ccache grow over time as credentials expire and more control
credentials are stored.

Now we remove or credentials that are the same and overwrite them with
the input credential.

Resolves: SSSD#5775

:fixes: KCM now replaces the old credential with a new one when storing
  an update credential that is however already present in the ccache
  to avoid unnecessary growth of the ccache.

Reviewed-by: Justin Stephenson <jstephen@redhat.com>