Bug 1031074
Summary: | [RFE] sss_cache does not povide options to invalidate sudo rules from cache | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ron van der Wees <rvdwees> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | medium | ||
Version: | 7.0 | CC: | gagriogi, grajaiya, jgalipea, jhrozek, ksiddiqu, ldelouw, lslebodn, mkosek, mmuehlfe, pbrezina, sgadekar, sgoveas, sssd-maint, tscherf |
Target Milestone: | rc | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.14.0-0.1.alpha.el7 | Doc Type: | Enhancement |
Doc Text: |
New sss_cache option to mark sudo rules as expired
This update enhances the "sss_cache" command from the System Security Services Daemon (SSSD). The options "-r" and "-R" have been added to mark one or all *sudo* rules as expired. This enables the administrator to force a refresh of new rules on the next *sudo* lookup. Please note that the *sudo* rules are refreshed using a different algorithm than the user and group entities. For more information about the mechanism, see the sssd-sudo(5) man page.
|
Story Points: | --- |
Clone Of: | 1031073 | Environment: | |
Last Closed: | 2016-11-04 07:09:51 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1031073 | ||
Bug Blocks: | 1113520, 1203710, 1205796, 1296125, 1313485 |
Description
Ron van der Wees
2013-11-15 14:53:44 UTC
Cloned for RHEL-7 Hi, we are aware of this shortcoming but it's not as easy as it sounds due to the way the sudo rules are cached and refreshed. I'm going to link this bug to the upstream ticket. It's very unlikely the RFE is going to happen before 7.1 Upstream ticket: https://fedorahosted.org/sssd/ticket/2081 *** Bug 1031073 has been marked as a duplicate of this bug. *** Hello, Do we know if this can be implemented in 7.3? Yes, some prep work already started. master: * fd3cbf6bfe86a245d7e90d2a355794eb9c70d525 * be6d25ea38ddda232175aab5e297d8c6cb223551 * 27a7dedb0ee4d4b51ca4c196aa894ad30cb3e821 * e2d26e97d62f06f65e8228b28746471cc5f73fe5 Verified with ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.3 Beta (Maipo) ~]# rpm -qa|grep sss libsss_sudo-1.14.0-27.el7.x86_64 libsss_autofs-1.14.0-27.el7.x86_64 libsss_simpleifp-1.14.0-27.el7.x86_64 libsss_nss_idmap-1.14.0-27.el7.x86_64 sssd-krb5-common-1.14.0-27.el7.x86_64 sssd-ad-1.14.0-27.el7.x86_64 python-sssdconfig-1.14.0-27.el7.noarch sssd-client-1.14.0-27.el7.x86_64 sssd-common-1.14.0-27.el7.x86_64 sssd-ldap-1.14.0-27.el7.x86_64 python-sss-1.14.0-27.el7.x86_64 libsss_idmap-1.14.0-27.el7.x86_64 sssd-krb5-1.14.0-27.el7.x86_64 sssd-1.14.0-27.el7.x86_64 sssd-libwbclient-1.14.0-27.el7.x86_64 sssd-tools-1.14.0-27.el7.x86_64 sssd-dbus-1.14.0-27.el7.x86_64 sssd-common-pac-1.14.0-27.el7.x86_64 sssd-ipa-1.14.0-27.el7.x86_64 python-sss-murmur-1.14.0-27.el7.x86_64 sssd-proxy-1.14.0-27.el7.x86_64 Tests: ====================================================== 1. Invalidate particular sudo rule cache * Check sssd sudo cache: # ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' 'name=testuser' dataExpireTimestamp # record 1 dn: name=testuser,cn=sudorules,cn=custom,cn=default,cn=sysdb dataExpireTimestamp: 1472807723 # returned 1 records # 1 entries # 0 referrals *. Invalidate the sudo cache of single sudo rule: # sss_cache -r testuser *. Check the sssd_sudo cache of invalidated particular rule ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' 'name=testuser' dataExpireTimestamp asq: Unable to register control with rootdse! # record 1 dn: name=testuser,cn=sudorules,cn=custom,cn=default,cn=sysdb dataExpireTimestamp: 1 # returned 1 records # 1 entries # 0 referrals ====================================================== Test 2: Invalidate all sudo rule entries from cache * Check existing valid sudo rules from cache ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(!(dataExpireTimestamp=1))' name dataExpireTimestamp # record 1 dn: name=testuser322028,cn=sudorules,cn=custom,cn=default,cn=sysdb dataExpireTimestamp: 1473159626 name: testuser322028 . . . # record 5000 dn: name=testuser459,cn=sudorules,cn=custom,cn=default,cn=sysdb dataExpireTimestamp: 1473153336 name: testuser459 # returned 5000 records # 5000 entries # 0 referrals * Invalidate all sudo rules from cache ~]# sss_cache -R ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(!(dataExpireTimestamp=1))' name dataExpireTimestamp asq: Unable to register control with rootdse! # record 1 dn: cn=sudorules,cn=custom,cn=default,cn=sysdb # returned 1 records # 1 entries # 0 referrals Or ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(dataExpireTimestamp=1)' name dataExpireTimestamp # record 1 dn: name=testuser316041,cn=sudorules,cn=custom,cn=default,cn=sysdb name: testuser316041 dataExpireTimestamp: 1 . . # record 5000 dn: name=root,cn=sudorules,cn=custom,cn=default,cn=sysdb name: root dataExpireTimestamp: 1 # returned 5000 records # 5000 entries # 0 referrals ================================================================== Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html |