Bug 1925505

Summary: [RFE] improve the sssd refresh timers for SUDO queries
Product: Red Hat Enterprise Linux 8 Reporter: Antonio Romito <aromito>
Component: sssdAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.4CC: atikhono, daniele, dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, thalman, tscherf
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.5.0-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 19:47:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Antonio Romito 2021-02-05 11:46:25 UTC 
Description of problem:

There are 3 different methods to update sudo rules into sssd:

- full refresh (default: 15 minutes)
- smart refresh (default: 60 minutes) 
- rules refresh (default: 90 minutes) -- which can trigger a full refresh if several rules must be refreshed

Anyway, each of these refresh will NOT reset the internal counter of the other refresh methods.
Any of this refresh will change anyway the USN (if supported) or modifyTimestamp.

This lead to:
- a contemporary smart refresh and full refresh at minute 60, while only the full refresh is needed
- unneeded full refresh query once rules refresh triggers a "full refresh" (timeout to 60 minutes of the previous full refresh NOT triggered by a rules refresh)

The enhancement would consist in:
- a full refresh will always reset the smart refresh timer;
- a full refresh will always reset the rules refresh timer;
- a full refresh will always reset the full refresh timer, even if triggered by a rules refresh timer.

Version-Release number of selected component (if applicable):
Any

How reproducible:
Install sssd, observe the logs

Steps to Reproduce:
1. Enable the debug in sssd
2. Observe the SUDO queries performed by sssd
3.

Actual results:
smart refresh executed at minute 60, while unneeded
rules refresh executed at minute 90, while unneeded


Expected results:
smart refresh to be executed 15 minutes after the previous smart refresh OR full refresh (even if triggered by rules refresh)
rules refresh to be executed 90 minutes after the previous full refresh
 

Additional info:
Comment 3 Alexey Tikhonov 2021-02-05 12:19:37 UTC 
(In reply to Antonio Romito from comment #0)
> 
> There are 3 different methods to update sudo rules into sssd:
> 
> - full refresh (default: 15 minutes)
> - smart refresh (default: 60 minutes) 
> - rules refresh (default: 90 minutes) -- which can trigger a full refresh if
> several rules must be refreshed

JFTR: default values are a little bit different:

ldap_sudo_full_refresh_interval: Default: 21600 (6 hours)
ldap_sudo_smart_refresh_interval: Default: 900 (15 minutes)

"rules refresh": "It is triggered each time the user runs sudo. Rules refresh will find all rules that apply to this user, check their expiration time and redownload them if expired."  --  so no explicit timeout
Comment 12 Pavel Březina 2021-04-26 13:50:44 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5604
Comment 13 Pavel Březina 2021-04-27 11:23:39 UTC 
Upstream PR:
https://github.com/SSSD/sssd/pull/5610
Comment 14 Pavel Březina 2021-05-07 11:03:06 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5610

* `master`
    * d9d5c291fe68003c31061cfb7d32676c98726560 - sudo: reschedule periodic tasks when full refresh is finished
    * c0204c063cef32999db996b21dd7bda401643c57 - be: add be_ptask_postpone
Comment 20 shridhar 2021-06-14 16:54:00 UTC 
[root@ci-vm-10-0-102-4 ~]# rpm -q sssd 
sssd-2.5.0-1.el8.x86_64
[root@ci-vm-10-0-102-4 ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldap://ci-vm-10-0-103-193.hosted.upshift.rdu2.redhat.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
sudo_provider = ldap
ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 20


[foo1@example1@ci-vm-10-0-102-4 /]$ sudo -l
Matching Defaults entries for foo1@example1 on ci-vm-10-0-102-4:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User foo1@example1 may run the following commands on ci-vm-10-0-102-4:
    (root) NOTBEFORE=20210613160000Z NOPASSWD: /usr/bin/head



# egrep -i "SUDO .* refresh" /var/log/sssd/sssd_example1.log
<snip>
(2021-06-14 12:48:28): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 36 seconds from last execution time [1623689344]
(2021-06-14 12:49:03): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Full Refresh]: executing task, timeout 30 seconds
(2021-06-14 12:49:04): [be[example1]] [be_ptask_postpone] (0x0400): Task [SUDO Smart Refresh]: rescheduling task
(2021-06-14 12:49:04): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 31 seconds from now [1623689375]
(2021-06-14 12:49:04): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(2021-06-14 12:49:04): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 37 seconds from last execution time [1623689381]
(2021-06-14 12:49:35): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 20 seconds
(2021-06-14 12:49:35): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-06-14 12:49:35): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 30 seconds from last execution time [1623689405]
(2021-06-14 12:49:41): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Full Refresh]: executing task, timeout 30 seconds
(2021-06-14 12:49:41): [be[example1]] [be_ptask_postpone] (0x0400): Task [SUDO Smart Refresh]: rescheduling task
(2021-06-14 12:49:41): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 26 seconds from now [1623689407]
(2021-06-14 12:49:41): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(2021-06-14 12:49:41): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 41 seconds from last execution time [1623689422]
(2021-06-14 12:50:07): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 20 seconds
(2021-06-14 12:50:07): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-06-14 12:50:07): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 20 seconds from last execution time [1623689427]
(2021-06-14 12:50:22): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Full Refresh]: executing task, timeout 30 seconds
(2021-06-14 12:50:22): [be[example1]] [be_ptask_postpone] (0x0400): Task [SUDO Smart Refresh]: rescheduling task
(2021-06-14 12:50:22): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 40 seconds from now [1623689462]
(2021-06-14 12:50:22): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(2021-06-14 12:50:22): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 59 seconds from last execution time [1623689481]
(2021-06-14 12:51:02): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 20 seconds
(2021-06-14 12:51:02): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-06-14 12:51:02): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 29 seconds from last execution time [1623689491]
(2021-06-14 12:51:21): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Full Refresh]: executing task, timeout 30 seconds
(2021-06-14 12:51:21): [be[example1]] [be_ptask_postpone] (0x0400): Task [SUDO Smart Refresh]: rescheduling task
(2021-06-14 12:51:21): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 23 seconds from now [1623689504]
(2021-06-14 12:51:21): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(2021-06-14 12:51:21): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 51 seconds from last execution time [1623689532]
(2021-06-14 12:51:44): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 20 seconds
(2021-06-14 12:51:44): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-06-14 12:51:44): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 44 seconds from last execution time [1623689548]
(2021-06-14 12:52:12): [be[example1]] [be_ptask_execute] (0x0400): Task [SUDO Full Refresh]: executing task, timeout 30 seconds
(2021-06-14 12:52:12): [be[example1]] [be_ptask_postpone] (0x0400): Task [SUDO Smart Refresh]: rescheduling task
(2021-06-14 12:52:12): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 33 seconds from now [1623689565]
(2021-06-14 12:52:12): [be[example1]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(2021-06-14 12:52:12): [be[example1]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 40 seconds from last execution time [1623689572]
[root@ci-vm-10-0-102-4 ~]# 
</snip>

Marking verified.
Comment 22 errata-xmlrpc 2021-11-09 19:47:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4435