From 046012ecfa9731bc98ef2103645ad99cfd0baa32 Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Wed, 31 Mar 2021 18:53:44 +0200
Subject: [PATCH] hbacrule: reduce number of LDAP searches during deletion

The `hbacrule` module performs a call to `selinuxusermap-find` during entry deletion. This can be optimized by passing pkey_only=True to the search, skipping the post-callback function. Passing the full DN of the hbacrule and detecting it in the selinuxusermap find also saves one call to hbacrule-show, further reducing the searches.
Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres
Reviewed-By: Rob Crittenden
---
 ipaserver/plugins/hbacrule.py | 2 +-
 ipaserver/plugins/selinuxusermap.py | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/ipaserver/plugins/hbacrule.py b/ipaserver/plugins/hbacrule.py
index 2601ebe037c..95bef1eae70 100644
--- a/ipaserver/plugins/hbacrule.py
+++ b/ipaserver/plugins/hbacrule.py
@@ -317,7 +317,7 @@ class hbacrule_del(LDAPDelete):
 def pre_callback(self, ldap, dn, *keys, **options):
 assert isinstance(dn, DN)
- kw = dict(seealso=keys[0])
+ kw = dict(seealso=str(dn), pkey_only=True)
 _entries = api.Command.selinuxusermap_find(None, **kw)
 if _entries['count']:
 raise errors.DependentEntry(key=keys[0], label=self.api.Object['selinuxusermap'].label_singular, dependent=_entries['result'][0]['cn'][0])
diff --git a/ipaserver/plugins/selinuxusermap.py b/ipaserver/plugins/selinuxusermap.py
index 1a3afb51f4c..999c253bc30 100644
--- a/ipaserver/plugins/selinuxusermap.py
+++ b/ipaserver/plugins/selinuxusermap.py
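Review bot: The dependency guard in `pre_callback` now fails open if the DN shortcut in `selinuxusermap_find` ever stops matching, and the changed `kw = dict(seealso=str(dn), pkey_only=True)` line carries no comment saying so. When the find does not recognise the string as a rule DN it falls back to `hbacrule_show`, which raises NotFound for a DN-shaped name and yields count 0, so the delete would go ahead with user maps still pointing at the rule. The error path also relies on a `pkey_only` result still carrying `cn` for `dependent=_entries['result'][0]['cn'][0]`. I would add a comment above the line, for example `# full DN lets selinuxusermap-find skip hbacrule-show; pkey_only still returns cn, read in the error below`. `pre_callback` continues past the end of the hunk.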
@@ -454,12 +454,20 @@ def execute(self, *args, **options):
 if options.get('seealso'):
 hbacrule = options['seealso']
+ # If a complete DN is passed we can skip calling hbacrule-show
 try:
- hbac = api.Command['hbacrule_show'](hbacrule,
-all=True)['result']
- dn = hbac['dn']
- except errors.NotFound:
- return dict(count=0, result=[], truncated=False)
+ tmpdn = DN(hbacrule)
+ except ValueError:
+ tmpdn = DN()
+ if DN(api.env.container_hbac, api.env.basedn) not in tmpdn:
+ try:
+ hbac = api.Command['hbacrule_show'](hbacrule,
+ all=True)['result']
+ dn = hbac['dn']
+ except errors.NotFound:
+ return dict(count=0, result=[], truncated=False)
+ else:
+ dn = tmpdn
 options['seealso'] = dn
 return super(selinuxusermap_find, self).execute(*args, **options)
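Review bot: The shortcut condition `DN(api.env.container_hbac, api.env.basedn) not in tmpdn` is a containment test, not a suffix test. Assuming `DN.__contains__` matches the container anywhere in the RDN sequence, as ipapython's DN appears to, a `seealso` value with the HBAC container in the middle of the DN is accepted as a rule DN and skips `hbacrule_show`. Since `seealso` is a caller-supplied option of this command, the stricter form is `if not tmpdn.endswith(DN(api.env.container_hbac, api.env.basedn)):`. The accepted DN then reaches the search without the rule's existence being confirmed, so the old NotFound path becomes an ordinary empty result; the added comment should say that this is intended. `execute` begins before the hunk.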