Bug 772778 - acl cache overflown problem
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rich Megginson
QA Contact: IDM QE LIST
Depends On:
Blocks: 782414
Reported: 2012-01-09 18:08 EST by Rich Megginson
Modified: 2012-06-20 03:11 EDT (History)

See Also:
Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaluated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message "acl_TestRights - cache overflown".
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configured with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config.
Result: It is much harder to trigger the "acl_TestRights - cache overflown" message, and customers with many ACIs can raise the limit.
Story Points: ---
Clones: 782414
Last Closed: 2012-06-20 03:11:52 EDT
External Trackers: Red Hat Product Errata RHSA-2012:0813 (priority normal, status SHIPPED_LIVE): "Low: 389-ds-base security, bug fix, and enhancement update", last updated 2012-06-19 15:29:15 EDT
Description Rich Megginson 2012-01-09 18:08:18 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/3

The problem was originally described here: http://lists.fedoraproject.org/pipermail/389-devel/2009-March/001020.html

Shorter description: we noticed that some queries (ldapsearch) to our directory caused a drop in performance, and our log file was filled with the following message:

acl_TestRights - cache overflown

We also noticed that increasing the value ACLPB_MAX_SELECTED_ACLS from 200 to 2000 solved the problem for us. A more permanent solution could be to make this value configurable.

We have made a patch that seems to solve the problem, as far as we have tested. I will upload it as soon as it is ready for review.
Comment 1 Jenny Galipeau 2012-01-13 13:06:23 EST
please add steps to reproduce/verify this issue
Thanks
Comment 2 Nadia Turpin 2012-01-18 15:05:26 EST
(In reply to comment #1)
> please add steps to reproduce/verify this issue
> Thanks

To reproduce this issue we do ldapsearch on an internal database that contains many nodes having acl restrictions. In our case the number of ACIs is 1500++. 
This probably means that the acl plugin needs to check permissions on too many nodes. In any case we managed to reproduce the overflow every time we run ldapsearch.

Unfortunately, we are unable to disclose the data set we have used to test this, but we hope this information can be helpful.
Comment 4 Rich Megginson 2012-04-18 15:34:21 EDT
svn ci -m "added tests for cache overflow and new config attr nsslapd-aclpb-max-selected-acls for bug 772778"
Adding         acl/data/cacheoverflow.ldif
Sending        acl/keywords.sh
Sending        acl/misc.sh
Sending        acl/tet_scen.sh
Transmitting file data ....
Committed revision 6472.
Comment 5 Amita Sharma 2012-05-07 02:13:54 EDT
Acl startup(o=ace industry,c=us)  100% (1/1)
Acl run(o=ace industry,c=us)      100% (373/373)
Acl cleanup                       100% (1/1)

Hence marking as VERIFIED.
Comment 6 Rich Megginson 2012-05-24 18:35:19 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaluated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
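An added check and remediation fragment (not from the bug report or the 389-ds project): it counts the overflow message in an errors log and emits the LDIF that sets the limit the fix introduced. The log sample is constructed, and the new value 4000 is an arbitrary assumption.

```shell
#!/bin/sh
# Constructed sample of 389-ds errors-log lines (not taken from the bug report);
# the timestamp/prefix layout is an assumption, only the message text matters.
SAMPLE_LOG='[09/Jan/2012:18:08:18 -0500] NSACLPlugin - acl_TestRights - cache overflown
[09/Jan/2012:18:08:19 -0500] NSACLPlugin - acl_TestRights - cache overflown
[09/Jan/2012:18:08:20 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests'

# Count overflow messages in an errors log fed on stdin. Each hit is a search
# whose ACI evaluation failed, i.e. the symptom described in this bug.
count_acl_overflow() {
    # grep -c exits 1 when nothing matches; still print the 0 and succeed.
    grep -c 'acl_TestRights - cache overflown' || true
}

# Print the ldapmodify LDIF that sets the limit introduced by the fix.
# Entry DN and attribute name come from the fix description; the value is the caller's.
aclpb_limit_ldif() {
    printf 'dn: cn=ACL Plugin,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsslapd-aclpb-max-selected-acls\n'
    printf 'nsslapd-aclpb-max-selected-acls: %s\n' "$1"
}

# Stand-alone run: feed the sample (replace with the real errors log) and only
# emit the LDIF when the symptom is actually present. 4000 is an assumed value.
if [ "$(printf '%s\n' "$SAMPLE_LOG" | count_acl_overflow)" -gt 0 ]; then
    aclpb_limit_ldif 4000
    # Apply with, e.g. (host and bind DN assumed):
    # ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f raise-limit.ldif
fi
```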
Comment 7 errata-xmlrpc 2012-06-20 03:11:52 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html
