List: sssd-devel
Subject: Re: [SSSD] [PATCH] skip rule on error instead of failing completely
From: Pavel Březina <pbrezina () redhat ! com>
Date: 2013-07-26 11:46:04
Message-ID: 51F2617C.30503 () redhat ! com
On 07/26/2013 01:31 PM, Jakub Hrozek wrote:
> On Fri, Jul 26, 2013 at 12:34:47PM +0200, Pavel Březina wrote:
>> https://fedorahosted.org/sssd/ticket/2031
>
>> From fecd2799c21dc78fcb098e786b1c7e879e943c5b Mon Sep 17 00:00:00 2001
>> From: =?UTF-8?q?Pavel Březina?= <pbrezina@redhat.com>
>> Date: Fri, 26 Jul 2013 12:25:01 +0200
>> Subject: [PATCH 1/2] sudo: skip rule on error instead of failing completely
>>
>> https://fedorahosted.org/sssd/ticket/2031
>> ---
>> src/providers/ldap/sdap_sudo_cache.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/providers/ldap/sdap_sudo_cache.c b/src/providers/ldap/sdap_sudo_cache.c
>> index 3c438b9307c310cd4eec030ad628ce28a66ba726..9a2d326e0e11cf90279d8327afaf6a0ab76cac85 100644
>> --- a/src/providers/ldap/sdap_sudo_cache.c
>> +++ b/src/providers/ldap/sdap_sudo_cache.c
>> @@ -135,7 +135,9 @@ sdap_save_native_sudorule_list(TALLOC_CTX *mem_ctx,
>> domain, map, replies[i],
>> cache_timeout, now, &usn_value);
>> if (ret != EOK) {
>> - goto fail;
>> + DEBUG(SSSDBG_OP_FAILURE, ("Failed to save sudo rule, "
>> + "will continue with next...\n"));
>> + continue;
>> }
>>
>> /* find highest usn */
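Review bot: the `continue` in the `ret != EOK` branch lets the loop finish normally, so nothing after the loop records that the saved rule set is incomplete. Consider counting the skipped entries and logging the total once the loop ends, or reporting a distinct status to the caller, so a partial sudo rule set can be told apart from a complete one. The `continue` also bypasses the `/* find highest usn */` step that follows for the failed entry; please confirm that leaving this entry out of the highest-USN computation is intended.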
>> --
>> 1.7.11.7
>>
>
>> From 09546d945e2b4932550c9d267c2146ac4c901e59 Mon Sep 17 00:00:00 2001
>> From: =?UTF-8?q?Pavel Březina?= <pbrezina@redhat.com>
>> Date: Fri, 26 Jul 2013 12:29:37 +0200
>> Subject: [PATCH 2/2] sudo: print better debug message when a rule has
>> multiple cn values
>>
>> ---
>> src/providers/ldap/sdap_sudo_cache.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/providers/ldap/sdap_sudo_cache.c b/src/providers/ldap/sdap_sudo_cache.c
>> index 9a2d326e0e11cf90279d8327afaf6a0ab76cac85..aaaa1e2aa545864c01acd160c211ecfffce874e2 100644
>> --- a/src/providers/ldap/sdap_sudo_cache.c
>> +++ b/src/providers/ldap/sdap_sudo_cache.c
>> @@ -69,7 +69,11 @@ sdap_save_native_sudorule(TALLOC_CTX *mem_ctx,
>>
>> ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_NAME].sys_name,
>> &rule_name);
>> - if (ret != EOK) {
>> + if (ret == ERANGE) {
>> + DEBUG(SSSDBG_OP_FAILURE, ("Warning: found rule that contains none "
>> + "or multiple CN values. It will be skipped.\n"));
>> + return ret;
>> + } else if (ret != EOK) {
>> DEBUG(SSSDBG_OP_FAILURE, ("Could not get rule name [%d]: %s\n",
>> ret, strerror(ret)));
>> return ret;
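Review bot: the new `ret == ERANGE` branch logs nothing that identifies the offending entry, and since the name is exactly what could not be read, an administrator has no way to locate the rule from this message. Please include some identifier for the entry (its DN, if available at this point) in the DEBUG text. The "Warning:" prefix is also at odds with the `SSSDBG_OP_FAILURE` level used for the message; drop the prefix or pick the level that matches.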
>> --
>> 1.7.11.7
>>
>
> Can you make either of those DEBUG messages more verbose? I think we
> should make it clear that we have not processed all the rules.
New patches are attached.
> Also I wonder if we should support multiple names by looking at RDN
> value and picking the one that matches the RDN? That's what we do for
> users and groups anyway.
Yes, ctrianta will file a bug/rfe and we'll do that as separate patch.
> What is the sudo rule name used for (except for cn=defaults) ?
Only administrative purpose.
["0001-sudo-skip-rule-on-error-instead-of-failing-completel.patch" (text/x-patch)]
From 403eec109fabab189811f375e913733490150a0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel Březina?= <pbrezina@redhat.com>
Date: Fri, 26 Jul 2013 12:25:01 +0200
Subject: [PATCH 1/2] sudo: skip rule on error instead of failing completely
https://fedorahosted.org/sssd/ticket/2031
---
src/providers/ldap/sdap_sudo_cache.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_sudo_cache.c b/src/providers/ldap/sdap_sudo_cache.c
index 3c438b9307c310cd4eec030ad628ce28a66ba726..db51d1c37794ab33d2d0c6c85a0c1bc0f08fa308 100644
--- a/src/providers/ldap/sdap_sudo_cache.c
+++ b/src/providers/ldap/sdap_sudo_cache.c
@@ -135,7 +135,9 @@ sdap_save_native_sudorule_list(TALLOC_CTX *mem_ctx,
domain, map, replies[i],
cache_timeout, now, &usn_value);
if (ret != EOK) {
- goto fail;
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to save sudo rule, "
+ "will continue with next...\n"));
+ continue;
}
/* find highest usn */
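Review bot: in the `ret != EOK` branch only the level changed relative to the first version (`SSSDBG_OP_FAILURE` to `SSSDBG_CRIT_FAILURE`); the message text is the same and still omits the error code and the index of the failing reply. Adding `[%d]: %s` with `ret, strerror(ret)`, as the existing "Could not get rule name" message in this file does, plus `i`, would make the log entry actionable. The text also still does not say that not all rules were processed, which was the point raised in the review.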
--
1.7.11.7
["0002-sudo-print-better-debug-message-when-a-rule-has-mult.patch" (text/x-patch)]
From 40a826fe05ed22210f779d5f7f30cbed1ca59e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel Březina?= <pbrezina@redhat.com>
Date: Fri, 26 Jul 2013 12:29:37 +0200
Subject: [PATCH 2/2] sudo: print better debug message when a rule has
multiple cn values
---
src/providers/ldap/sdap_sudo_cache.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_sudo_cache.c b/src/providers/ldap/sdap_sudo_cache.c
index db51d1c37794ab33d2d0c6c85a0c1bc0f08fa308..50bb0bd52ee18bca8ae02e87029a8475bf220616 100644
--- a/src/providers/ldap/sdap_sudo_cache.c
+++ b/src/providers/ldap/sdap_sudo_cache.c
@@ -69,7 +69,11 @@ sdap_save_native_sudorule(TALLOC_CTX *mem_ctx,
ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_NAME].sys_name,
&rule_name);
- if (ret != EOK) {
+ if (ret == ERANGE) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Warning: found rule that contains none "
+ "or multiple CN values. It will be skipped.\n"));
+ return ret;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Could not get rule name [%d]: %s\n",
ret, strerror(ret)));
return ret;
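Review bot: the `ret == ERANGE` message states "It will be skipped", but this function only does `return ret;`; whether the rule is skipped or the whole save fails is decided by the caller, and is only true once patch 1/2 turns the caller's `goto fail` into `continue`. Either word the message in terms of what this function knows (the rule name could not be read) or note the dependency in the commit message so the two patches are not applied separately. With both patches applied, one bad rule produces two log lines at different levels (`SSSDBG_OP_FAILURE` here, `SSSDBG_CRIT_FAILURE` in the caller); consider whether both are needed.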
--
1.7.11.7
[Attachment #5 (text/plain)]
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel