Bug 1031074 - [RFE] sss_cache does not provide options to invalidate sudo rules from cache
Summary: [RFE] sss_cache does not provide options to invalidate sudo rules from cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Duplicates: 1031073
Depends On: 1031073
Blocks: 1113520 1203710 1205796 1296125 1313485
Reported: 2013-11-15 14:53 UTC by Ron van der Wees
Modified: 2020-05-02 17:28 UTC (History)
CC: 14 users

Fixed In Version: sssd-1.14.0-0.1.alpha.el7
Doc Type: Enhancement
Doc Text:
New sss_cache option to mark sudo rules as expired

This update enhances the "sss_cache" command from the System Security Services Daemon (SSSD). The options "-r" and "-R" have been added to mark one or all *sudo* rules as expired. This enables the administrator to force a refresh of new rules on the next *sudo* lookup. Please note that the *sudo* rules are refreshed using a different algorithm than the user and group entities. For more information about the mechanism, see the sssd-sudo(5) man page.
Clone Of: 1031073
Environment:
Last Closed: 2016-11-04 07:09:51 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 3123 | 0 | None | closed | [RFE] sss_cache: invalidate sudo rules | 2020-12-29 16:41:35 UTC
Red Hat Knowledge Base (Solution) | 542803 | 0 | None | None | None | 2020-04-15 14:06:20 UTC
Red Hat Product Errata | RHEA-2016:2476 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2016-11-03 14:08:11 UTC

Description Ron van der Wees 2013-11-15 14:53:44 UTC
+++ This bug was initially created as a clone of Bug #1031073 +++

Description of problem:
The sss_cache utility performs cleanups of the SSSD cache. Currently there is no option to clear the cached sudo rules.


Version-Release number of selected component (if applicable):
sssd-1.9.2-82


How reproducible:
Always


Steps to Reproduce:
1. Configure IPA server and add sudo rules
2. Configure SSSD client and enable sudo caching as per the RHEL-6 Identity
   Management guide as found at:
   https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#sudo
3. Use sudo to cache some rules
4. Check the cache with
~~~
ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb \
  -b cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
~~~
5. Invalidate the cached sudo rules with sss_cache


Actual results:
The sss_cache utility does not have options to invalidate the sudo rules.


Expected results:
As with, for example, users and groups, be able to invalidate the cached
sudo rules with sss_cache.


Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2081

Comment 1 Ron van der Wees 2013-11-15 14:54:28 UTC
Cloned for RHEL-7

Comment 2 Jakub Hrozek 2013-11-15 15:06:30 UTC
Hi, we are aware of this shortcoming but it's not as easy as it sounds due to the way the sudo rules are cached and refreshed. I'm going to link this bug to the upstream ticket. It's very unlikely the RFE is going to happen before 7.1

Comment 3 Jakub Hrozek 2013-11-15 15:06:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2081

Comment 4 Jakub Hrozek 2013-12-03 13:23:29 UTC
*** Bug 1031073 has been marked as a duplicate of this bug. ***

Comment 6 gagriogi 2016-02-09 08:18:34 UTC
Hello,

Do we know if this can be implemented in 7.3?

Comment 7 Jakub Hrozek 2016-02-09 08:39:52 UTC
Yes, some prep work already started.

Comment 9 Lukas Slebodnik 2016-04-20 18:30:05 UTC
master:
* fd3cbf6bfe86a245d7e90d2a355794eb9c70d525
* be6d25ea38ddda232175aab5e297d8c6cb223551
* 27a7dedb0ee4d4b51ca4c196aa894ad30cb3e821
* e2d26e97d62f06f65e8228b28746471cc5f73fe5

Comment 13 shridhar 2016-09-06 09:55:44 UTC
Verified with
~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)

~]# rpm -qa|grep sss
libsss_sudo-1.14.0-27.el7.x86_64
libsss_autofs-1.14.0-27.el7.x86_64
libsss_simpleifp-1.14.0-27.el7.x86_64
libsss_nss_idmap-1.14.0-27.el7.x86_64
sssd-krb5-common-1.14.0-27.el7.x86_64
sssd-ad-1.14.0-27.el7.x86_64
python-sssdconfig-1.14.0-27.el7.noarch
sssd-client-1.14.0-27.el7.x86_64
sssd-common-1.14.0-27.el7.x86_64
sssd-ldap-1.14.0-27.el7.x86_64
python-sss-1.14.0-27.el7.x86_64
libsss_idmap-1.14.0-27.el7.x86_64
sssd-krb5-1.14.0-27.el7.x86_64
sssd-1.14.0-27.el7.x86_64
sssd-libwbclient-1.14.0-27.el7.x86_64
sssd-tools-1.14.0-27.el7.x86_64
sssd-dbus-1.14.0-27.el7.x86_64
sssd-common-pac-1.14.0-27.el7.x86_64
sssd-ipa-1.14.0-27.el7.x86_64
python-sss-murmur-1.14.0-27.el7.x86_64
sssd-proxy-1.14.0-27.el7.x86_64


Tests:
======================================================
1. Invalidate particular sudo rule cache
* Check sssd sudo cache:
   # ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' 'name=testuser' dataExpireTimestamp
        # record 1
	dn: name=testuser,cn=sudorules,cn=custom,cn=default,cn=sysdb
	dataExpireTimestamp: 1472807723

	# returned 1 records
	# 1 entries
	# 0 referrals
* Invalidate the sudo cache of single sudo rule:
   # sss_cache -r testuser
* Check the sssd_sudo cache of invalidated particular rule
	~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' 'name=testuser' dataExpireTimestamp
	asq: Unable to register control with rootdse!
	# record 1
	dn: name=testuser,cn=sudorules,cn=custom,cn=default,cn=sysdb
	dataExpireTimestamp: 1

	# returned 1 records
	# 1 entries
	# 0 referrals
======================================================

Test 2: Invalidate all sudo rule entries from cache

* Check existing valid sudo rules from cache
~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(!(dataExpireTimestamp=1))' name dataExpireTimestamp
# record 1
dn: name=testuser322028,cn=sudorules,cn=custom,cn=default,cn=sysdb
dataExpireTimestamp: 1473159626
name: testuser322028
.
.
.
# record 5000
dn: name=testuser459,cn=sudorules,cn=custom,cn=default,cn=sysdb
dataExpireTimestamp: 1473153336
name: testuser459

# returned 5000 records
# 5000 entries
# 0 referrals


* Invalidate all sudo rules from cache
~]# sss_cache -R
 ~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(!(dataExpireTimestamp=1))' name dataExpireTimestamp
asq: Unable to register control with rootdse!
# record 1
dn: cn=sudorules,cn=custom,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Or

~]# ldbsearch -H /var/lib/sss/db/cache_default.ldb -b 'cn=sudorules,cn=custom,cn=default,cn=sysdb' '(dataExpireTimestamp=1)' name dataExpireTimestamp

# record 1
dn: name=testuser316041,cn=sudorules,cn=custom,cn=default,cn=sysdb
name: testuser316041
dataExpireTimestamp: 1
.
.
# record 5000
dn: name=root,cn=sudorules,cn=custom,cn=default,cn=sysdb
name: root
dataExpireTimestamp: 1

# returned 5000 records
# 5000 entries
# 0 referrals
==================================================================
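The verification above (and step 4 of the reporter's reproduction) checks the cache by reading ldbsearch output by eye and looking for dataExpireTimestamp values of 1. The script below is an added example, not code from SSSD or from anyone on this bug: it parses that ldbsearch output into records, classifies each cached sudo rule as expired (the sentinel 1 written by sss_cache -r/-R), valid (expiry in the future) or stale (expiry passed but never explicitly invalidated), and answers the question an administrator wants after sss_cache -R, namely whether every rule is now marked for refresh. It assumes the LDIF-style output layout and the cache path and base DN shown in the verification comment; the domain name "default" and the sample records are constructed for the example.

```python
"""Report the expiry state of SSSD's cached sudo rules from ldbsearch output.

Added example for this bug page, not code from SSSD or from the reporter.
Assumes the ldbsearch output format shown in the verification comment
(LDIF-style records separated by blank lines) and the convention seen there
that dataExpireTimestamp == 1 marks a rule invalidated by `sss_cache -r <rule>`
or `sss_cache -R`, so it is refreshed on the next sudo lookup.
"""
import subprocess
import time

EXPIRED_SENTINEL = 1

# Constructed sample (not real cache contents): the container entry, one rule
# invalidated with sss_cache -r, one still-valid rule, and one whose expiry
# passed without being explicitly invalidated.
SAMPLE_OUTPUT = """asq: Unable to register control with rootdse!
# record 1
dn: cn=sudorules,cn=custom,cn=default,cn=sysdb

# record 2
dn: name=testuser,cn=sudorules,cn=custom,cn=default,cn=sysdb
name: testuser
dataExpireTimestamp: 1

# record 3
dn: name=ops,cn=sudorules,cn=custom,cn=default,cn=sysdb
name: ops
dataExpireTimestamp: 4102444800

# record 4
dn: name=legacy,cn=sudorules,cn=custom,cn=default,cn=sysdb
name: legacy
dataExpireTimestamp: 1473153336

# returned 4 records
# 4 entries
# 0 referrals
"""


def parse_ldb_records(text):
    """Split ldbsearch output into a list of {attribute: value} dicts.

    ldbsearch commentary ('# record N', '# returned ...') and the harmless
    'asq: Unable to register control' warning are skipped.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("asq:"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def classify_rules(records, now=None):
    """Map rule name -> 'expired' | 'valid' | 'stale'.

    'expired' is the sss_cache sentinel (timestamp 1); 'valid' means the
    expiry lies in the future; 'stale' means it has passed but the rule was
    never explicitly invalidated. The cn=sudorules container is ignored.
    """
    now = int(time.time()) if now is None else now
    states = {}
    for rec in records:
        dn = rec.get("dn", "")
        if not dn.startswith("name="):
            continue
        name = rec.get("name") or dn.split(",", 1)[0][len("name="):]
        ts = int(rec.get("dataExpireTimestamp", 0))
        if ts == EXPIRED_SENTINEL:
            states[name] = "expired"
        elif ts > now:
            states[name] = "valid"
        else:
            states[name] = "stale"
    return states


def summarize(states):
    """Count rules per state: a one-line check before and after sss_cache."""
    counts = {"expired": 0, "valid": 0, "stale": 0}
    for state in states.values():
        counts[state] += 1
    return counts


def all_invalidated(states):
    """True when every cached rule carries the sentinel, the expected result
    right after `sss_cache -R`."""
    return bool(states) and all(s == "expired" for s in states.values())


def query_live_cache(domain="default"):
    """Run ldbsearch against the real SSSD cache (needs root and ldb-tools).

    Path and base DN follow the verification comment; the domain name
    'default' is an assumption and must match the SSSD domain in sssd.conf.
    """
    cmd = [
        "ldbsearch", "-H", f"/var/lib/sss/db/cache_{domain}.ldb",
        "-b", f"cn=sudorules,cn=custom,cn={domain},cn=sysdb",
        "name", "dataExpireTimestamp",
    ]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with query_live_cache() to inspect a real host.
    states = classify_rules(parse_ldb_records(SAMPLE_OUTPUT))
    for name, state in sorted(states.items()):
        print(f"{name:12s} {state}")
    print(summarize(states), "all invalidated:", all_invalidated(states))
```

Running it with query_live_cache() before and after sss_cache -R gives the same evidence as the two ldbsearch filters in the comment above, with the "stale" bucket additionally flagging rules whose expiry lapsed on their own, which the (dataExpireTimestamp=1) filter would not list.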

Comment 15 errata-xmlrpc 2016-11-04 07:09:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

