Bug 772778 - acl cache overflown problem
Summary: acl cache overflown problem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rich Megginson
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 782414
Reported: 2012-01-09 23:08 UTC by Rich Megginson
Modified: 2012-06-20 07:11 UTC (History)

Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaluated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
Clone Of:
: 782414 (view as bug list)
Environment:
Last Closed: 2012-06-20 07:11:52 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHSA-2012:0813
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: 389-ds-base security, bug fix, and enhancement update
Last Updated: 2012-06-19 19:29:15 UTC

Description Rich Megginson 2012-01-09 23:08:18 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/3

The problem was originally described here: http://lists.fedoraproject.org/pipermail/389-devel/2009-March/001020.html

Shorter description: we noticed that some queries (ldapsearch) to our directory caused a drop in performance, and our log file was filled with the following message:

acl_TestRights - cache overflown

We also noticed that increasing the value ACLPB_MAX_SELECTED_ACLS from 200 to 2000 solved the problem for us. A more permanent solution could be to make this value configurable.

We have made a patch that seems to solve the problem, as far as we have tested. I will upload it as soon as it is ready for review.

Comment 1 Jenny Severance 2012-01-13 18:06:23 UTC
Please add steps to reproduce/verify this issue.
Thanks

Comment 2 Nadia Turpin 2012-01-18 20:05:26 UTC
(In reply to comment #1)
> Please add steps to reproduce/verify this issue.
> Thanks

To reproduce this issue we do ldapsearch on an internal database that contains many nodes having acl restrictions. In our case the number of ACIs is 1500++.
This probably means that the acl plugin needs to check permissions on too many nodes. In any case we managed to reproduce the overflow every time we run ldapsearch.

Unfortunately, we are unable to disclose the data set we have used to test this, but we hope this information can be helpful.

Comment 4 Rich Megginson 2012-04-18 19:34:21 UTC
svn ci -m "added tests for cache overflow and new config attr nsslapd-aclpb-max-selected-acls for bug 772778"
Adding         acl/data/cacheoverflow.ldif
Sending        acl/keywords.sh
Sending        acl/misc.sh
Sending        acl/tet_scen.sh
Transmitting file data ....
Committed revision 6472.

Comment 5 Amita Sharma 2012-05-07 06:13:54 UTC
Acl startup(o=ace industry,c=us)    100% (1/1)
Acl run(o=ace industry,c=us)        100% (373/373)
Acl cleanup                         100% (1/1)

Hence marking as VERIFIED.

Comment 6 Rich Megginson 2012-05-24 22:35:19 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaluated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
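
The checks an administrator would run around this fix, as an added example (not code from the bug, the patch, or 389-ds-base): count the "acl_TestRights - cache overflown" messages in an errors log, count the aci values in an LDIF export so the number can be compared with the configured limit, and emit the ldapmodify LDIF that sets nsslapd-aclpb-max-selected-acls. The log lines, the LDIF entry and the errors-log line layout are constructed sample data; only the message text and the config attribute come from the bug.

```shell
#!/bin/sh
# Added example, not part of the bug report or of 389-ds-base.
# The errors-log prefix and the LDIF entry below are constructed sample data.

# Number of "cache overflown" messages in an errors log ($1 = path).
# grep -c exits 1 when the count is 0, so "|| :" keeps the function's status 0.
count_overflows() {
    grep -c 'acl_TestRights - cache overflown' "$1" || :
}

# Number of aci values in an LDIF export ($1 = path). LDIF folds long values
# onto continuation lines that start with a space, so only "aci:" at the
# start of a line is a new value; folded tails are not counted twice.
count_acis() {
    grep -c -i '^aci:' "$1" || :
}

# True when the ACI count ($1) has reached the configured limit ($2); the
# limit is 200 before the fix and 2000 by default afterwards.
limit_exceeded() {
    [ "$1" -ge "$2" ]
}

# LDIF for ldapmodify that sets the new, configurable limit ($1 = new value)
# on the ACL plugin entry named in the bug.
raise_limit_ldif() {
    printf 'dn: cn=ACL Plugin,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsslapd-aclpb-max-selected-acls\n'
    printf 'nsslapd-aclpb-max-selected-acls: %s\n' "$1"
}

# Constructed sample input so the functions can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/errors" <<'EOF'
[09/Jan/2012:23:08:18 +0000] - slapd started.
[09/Jan/2012:23:10:01 +0000] acl_TestRights - cache overflown
[09/Jan/2012:23:10:02 +0000] acl_TestRights - cache overflown
EOF
cat > "$SAMPLE_DIR/export.ldif" <<'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
aci: (targetattr="*")(version 3.0; acl "read"; allow (read,search) userdn="ldap:///anyone";)
aci: (targetattr="userPassword")(version 3.0; acl "self write"; allow (write)
  userdn="ldap:///self";)
EOF
```

On a real server, pipe `raise_limit_ldif 4000` into `ldapmodify -x -D "cn=Directory Manager" -W` and then re-run `count_overflows` against the errors log to confirm the message has stopped.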

Comment 7 errata-xmlrpc 2012-06-20 07:11:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html