-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP: Allow autogenerating user-private groups #402
Conversation
A few nitpicks:
|
So, @jhrozek, I didn't clearly/easily understand the changes done in the tests currently avaiable. Would you mind adding some details in the commit messages why those changes were needed? Also, did you run any downstream test with your patches in order to track down whether we may introduce a regression as we're breaking the backward-compat? |
And, last but not least, I really would feel more comfortable if we can have another reviewer working on this patch set instead of just me. |
I can chime in as well. |
@fidencio thanks, I fixed the nitpicks and added some more content to the commit message about tests. Let me know if more details need clarifying.. |
About the downstream tests, no, but thanks for the reminder, I will run some now. |
btw some downstream tests failed and some didn't pick up the correct sssd version and I'm not sure why. I will investigate further. But please don't add the accepted label or push the patches before the test issues are solved. |
I have just one question -- what happens when gidNumber is present in the user entry and gidNumber == uidNumber and mpg is true? |
Good question, let's add a test! |
btw I restarted all the downstram tests because a) in some tests I added the repo to the server, not the client and b) there was a mismatch between ldb used for build and for runtime, which was causing crashes |
The case @pbrezina mentioned works fine, but I found another issue resolving the automatic groups in case the user wasn't resolved first. Additionally, some of the downstream tests are failing, so I'm setting Changes Requested until I can figure out both issues. |
New patches are pushed:
|
btw downstream tests were rescheduled with the new code and I'll post the results (job IDs) here later, when the tests finish. |
OK, first downstream tests passed. I'll just post job IDs here:
|
The auto_private_groups option is used to configure the domain->mpg flag which was already set automatically for subdomains, but for some time was not settable by the admin via the configuration file. The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins. The option doesn't do anything yet, it is just added to all the places a new option should be added to. Related: https://pagure.io/SSSD/sssd/issue/1872
Since this confdb definition was completely unused across the codebase, this patch just removes the definition.
This commit allows saving the users in the MPG domain in the SDAP layer. The commit contains the following changes: - abstracts the change where if the primary GID exists in the original object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute, which will allow the original primary GID to be exposed as a secondary group - if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM is added. This will allow to handle LDAP objects that only contain the UID but no GID. Since this is a new use-case, a test is added later - a branch that handles the above is added to sdap_save_user() also for joined domains that set the MPG flag. Previously, only subdomains were handled. - to allow passing GID=0 to the sysdb layer, the range check is relaxed. Related: https://pagure.io/SSSD/sssd/issue/1872
If the primary group GID or the group name is requested before the user is, we need to also search the user space to save the user in the back end which then allows the responder to generate the group from the user entry. Related: https://pagure.io/SSSD/sssd/issue/1872
…r id_provider=local This commit makes the check when adding an object in a MPG domain stricter in the sense that not only same names are allowed in a MPG domain, but also the same groups are not allowed either. This commit is a backwards-incompatible change, but one that is needed, otherwise requesting the duplicate group first and then requesting the user entry would yield two object when searching by GID. In order to keep backwards-compatibility, this uniqueness is NOT enforced with id_provider=local. This constraint can be removed in the future (or the local provider can be dropped altogether)
OK, so one of the test failures was a bug in my patches, actually. This version passed all the tests I ran so far:
|
I will be running some more tests, but these are the ones that should cover the majority of what I've changed. Please review the patches again, thank you. |
@jhrozek, although this version looks quite fine by me, I'd still like to have an ack from @pbrezina on this one before adding the "Accepted" label. @pbrezina, can you review this as well? (if you're too overloaded with another tasks, let me know and I'll add the "Accepted" label without your review) |
Ack. |
Thanks both for review. I also ran job 2110250 which tested these patches with the AD provider and it PASS-ed. |
This PR exposes the already existing feature that generates private groups
for user objects for the generic LDAP provider. Most of the work in the
PR is tests and different corner cases, but there is also one commit that is
technically backwards incompatible:
SYSDB: Prevent users and groups ID collision in MPG domains
Without checks for the collision, if an LDAP domain contains both a user
entry and a group with the same gidNumber and the group is cached first,
then the user is requested and cached, at that point the responder search
by ID would return two objects. Therefore we need to guard against the
duplicate IDs.
Instead of the backwards incompatible change, we could also enable the
check if the domain is neither subdomain nor a id_provider=local domain or
we could prefer the user object if a group-by-GID search returns two results.
But both alternatives seem like quite a hack to me and at the same time I
wasn't able to find a way where the change matters except for the local
domain -- and in that case I think the local domain doesn't matter as
a whole.
I've also sent a design page to the
sssd-devel mailing list, my WIP version is at
https://pagure.io/fork/jhrozek/SSSD/docs/blob/mpg/f/design_pages/auto_private_groups.rst