Bug 832104 - [RFE] Add support for suppressing group members
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
7.0
All Linux
medium Severity medium
: rc
: 7.0
Assigned To: Jakub Hrozek
Kaushik Banerjee
: FutureFeature
Blocks: 970519
Reported: 2012-06-14 10:10 EDT by Dmitri Pal
Modified: 2014-06-17 23:59 EDT (History)
8 users

Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Enhancement
Doc Text:
Feature: A new per-domain option, ignore_group_members, was added.
Reason: In environments with very large groups (consider a group 'students' in a university setup) it is too costly to download and store whole groups. The only data needed is the group name and ID.
Result: When ignore_group_members is set, groups appear effectively empty, which speeds up group download and storage dramatically.
: 970519
Last Closed: 2014-06-13 08:19:08 EDT


Attachments: None
Description Dmitri Pal 2012-06-14 10:10:05 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1376

In many cases, actually being able to list the members of a group is unnecessary. For the most part, access-control schemes will rely on whether a user's environment includes them as a member of a group (via initgroups() or getgroups()), and NOT by looking up the group to see if the username happens to be present.

This provides us with an opportunity to increase our performance on such systems. We should add a new per-domain option: ignore_group_members.

This would have the following effects:
1. When populating the results to send back to the client, we would suppress the membership list. In other words, the groups would appear to be empty.
2. When doing LDAP lookups for the groups (for any schema), we would filter out the 'member' and 'memberUid' attributes, so that our direct lookups would skip downloading large memberships or processing nested groups.

One side-effect to this would be significantly increased performance when running id <username>.

The trickiest piece of this functionality would be ensuring that we don't delete existing member/memberOf linkages from the cache during group lookups that were put there by previous initgroups() requests. Thus, when this option is in play, member/memberOf should only be managed by initgroups() calls.

As one last data point, this is apparently the default behavior for winbind, which explains the visible performance disparity between these two projects when performing id <username>.
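As an added example (not part of the bug report and not a file shipped by the sssd project), here is a minimal sssd.conf with the option from this RFE enabled for one LDAP domain. The domain name, server URI and search base are placeholders; everything else uses documented sssd.conf keys.

```ini
# /etc/sssd/sssd.conf  (added example; domain, URI and base DN are placeholders)
# sssd refuses to start unless this file is owned by root and mode 0600,
# since it may hold bind credentials.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Per-domain option added by this RFE. With it set, sssd neither requests the
# member/memberUid attributes from LDAP nor returns them to NSS clients, so
# getgrnam()/getgrgid() see every group as empty. A user's own membership
# still arrives through initgroups(), which is what most access checks use.
ignore_group_members = True
```

After editing, restart sssd and invalidate the cached entries (`sss_cache -E`) so groups already stored with their member lists are re-fetched. A quick check with placeholder names: `getent group students` prints the group line with an empty member field, while `id alice` still lists students among the user's groups. The trade-off to keep in mind before enabling this fleet-wide: anything that decides access by enumerating gr_mem (scripts that parse `getent group`, applications that call getgrnam() and walk the member list) will now see no members, whereas checks that go through initgroups()/getgrouplist(), such as sshd's AllowGroups, are unaffected.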
Comment 1 RHEL Product and Program Management 2012-07-10 02:12:28 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Product and Program Management 2012-07-10 22:06:35 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 3 henson 2012-11-15 15:25:34 EST
The new feature was added to upstream sssd git head today:

http://git.fedorahosted.org/cgit/sssd.git/commit/?id=59f136cd254d1acf2991c97221eb08803784777d

It should be fairly trivial to backport to 1.9 (I haven't tested it, but the diff applies as-is to 1.9.2 with only a few offsets).

While for the sssd project this was considered an RFE, for the purposes of RHEL 6 I'd like it considered a bug. This functionality was possible in RHEL 5 with nss_ldap, and lost in RHEL 6 with sssd, which is a regression. I have an open support case 00727783 requesting this feature for RHEL 6.

Thanks...
Comment 8 Jakub Hrozek 2013-03-26 14:03:51 EDT
Fixed upstream.
Comment 13 Jakub Hrozek 2013-10-04 09:24:43 EDT
Temporarily moving bugs to MODIFIED to work around errata tool bug
Comment 15 Nikolai Kondrashov 2013-11-13 11:17:00 EST
Verified by sssd ldap_provider/ignore_group_members suite.
Comment 16 Ludek Smid 2014-06-13 08:19:08 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
