From f74b97860ec7c66df01ed2b719d29a138c958081 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 19/23] SECRETS: Use different option names from secrets and
KCM for quota options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://pagure.io/SSSD/sssd/issue/3386
With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.
With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suited
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.
For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/responder/secrets/secsrv.c | 70 ++++++++++++++++++++++++++--------
src/util/secrets/config.c | 40 +++++++++----------
src/util/secrets/secrets.h | 21 ++++++----
3 files changed, 88 insertions(+), 43 deletions(-)
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
|
|
|
d6181b |
index 2de93dedc..e783e231d 100644
|
|
|
d6181b |
--- a/src/responder/secrets/secsrv.c
|
|
|
d6181b |
+++ b/src/responder/secrets/secsrv.c
|
|
|
d6181b |
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
|
|
|
d6181b |
static int sec_get_config(struct sec_ctx *sctx)
|
|
|
d6181b |
{
|
|
|
d6181b |
int ret;
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_sec_nest_level = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_sec_max_secrets = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_SECRETS,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_MAX_SECRETS,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_sec_max_uid_secrets = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_UID_SECRETS,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_MAX_UID_SECRETS,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_sec_max_payload_size = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_kcm_nest_level = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_kcm_max_secrets = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_SECRETS,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_KCM_MAX_SECRETS,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_kcm_max_uid_secrets = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_UID_SECRETS,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_KCM_MAX_UID_SECRETS,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
+ struct sss_sec_quota_opt dfl_kcm_max_payload_size = {
|
|
|
d6181b |
+ .opt_name = CONFDB_SEC_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ .default_value = DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ };
|
|
|
d6181b |
|
|
|
d6181b |
ret = confdb_get_int(sctx->rctx->cdb,
|
|
|
d6181b |
sctx->rctx->confdb_service_path,
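Review bot: The four dfl_kcm_* initializers reuse the secrets option names CONFDB_SEC_CONTAINERS_NEST_LEVEL, CONFDB_SEC_MAX_SECRETS, CONFDB_SEC_MAX_UID_SECRETS and CONFDB_SEC_MAX_PAYLOAD_SIZE, so a reader of this function cannot tell from the code whether that is a deliberate interim state or a copy-paste slip. The commit message says the KCM-specific names are still to come, so the code should say so as well: `/* KCM deliberately still reads the secrets option names; KCM-specific names are a follow-up (pagure #3386) */` above `struct sss_sec_quota_opt dfl_kcm_nest_level = {`. Nothing in this function writes to the dfl_kcm_* instances, so they could additionally be declared `const` once the sss_sec_get_* prototypes accept `const struct sss_sec_quota_opt *`. sec_get_config continues past the end of this hunk.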
|
|
|
d6181b |
@@ -65,15 +98,12 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
|
d6181b |
sctx->max_payload_size = 1;
|
|
|
d6181b |
|
|
|
d6181b |
/* Read the global quota first -- this should be removed in a future release */
|
|
|
d6181b |
- /* Note that this sets the defaults for the sec_config quota to be used
|
|
|
d6181b |
- * in sec_get_hive_config()
|
|
|
d6181b |
- */
|
|
|
d6181b |
ret = sss_sec_get_quota(sctx->rctx->cdb,
|
|
|
d6181b |
sctx->rctx->confdb_service_path,
|
|
|
d6181b |
- DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
- DEFAULT_SEC_MAX_SECRETS,
|
|
|
d6181b |
- DEFAULT_SEC_MAX_UID_SECRETS,
|
|
|
d6181b |
- DEFAULT_SEC_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ &dfl_sec_nest_level,
|
|
|
d6181b |
+ &dfl_sec_max_secrets,
|
|
|
d6181b |
+ &dfl_sec_max_uid_secrets,
|
|
|
d6181b |
+ &dfl_sec_max_payload_size,
|
|
|
d6181b |
&sctx->sec_config.quota);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
|
d6181b |
@@ -81,13 +111,23 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
|
d6181b |
goto fail;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
+ /* Use the global quota values as defaults for the secrets/secrets section */
|
|
|
d6181b |
+ dfl_sec_nest_level.default_value = \
|
|
|
d6181b |
+ sctx->sec_config.quota.containers_nest_level;
|
|
|
d6181b |
+ dfl_sec_max_secrets.default_value = \
|
|
|
d6181b |
+ sctx->sec_config.quota.max_secrets;
|
|
|
d6181b |
+ dfl_sec_max_uid_secrets.default_value = \
|
|
|
d6181b |
+ sctx->sec_config.quota.max_uid_secrets;
|
|
|
d6181b |
+ dfl_sec_max_payload_size.default_value = \
|
|
|
d6181b |
+ sctx->sec_config.quota.max_payload_size;
|
|
|
d6181b |
+
|
|
|
d6181b |
/* Read the per-hive configuration */
|
|
|
d6181b |
ret = sss_sec_get_hive_config(sctx->rctx->cdb,
|
|
|
d6181b |
"secrets",
|
|
|
d6181b |
- sctx->sec_config.quota.containers_nest_level,
|
|
|
d6181b |
- sctx->sec_config.quota.max_secrets,
|
|
|
d6181b |
- sctx->sec_config.quota.max_uid_secrets,
|
|
|
d6181b |
- sctx->sec_config.quota.max_payload_size,
|
|
|
d6181b |
+ &dfl_sec_nest_level,
|
|
|
d6181b |
+ &dfl_sec_max_secrets,
|
|
|
d6181b |
+ &dfl_sec_max_uid_secrets,
|
|
|
d6181b |
+ &dfl_sec_max_payload_size,
|
|
|
d6181b |
&sctx->sec_config);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
DEBUG(SSSDBG_FATAL_FAILURE,
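Review bot: The four assignments that copy the global quota into dfl_sec_*.default_value end their first line with a backslash-newline; outside a macro that continuation does nothing, reads like a macro body, and is fragile (a trailing space after the backslash turns it into a stray token). Drop it and let the statement wrap normally, e.g. `dfl_sec_nest_level.default_value = sctx->sec_config.quota.containers_nest_level;` and likewise for max_secrets, max_uid_secrets and max_payload_size. The comment above them should also spell out the ordering dependency, because the sss_sec_get_hive_config call below only sees the global values because the sss_sec_get_quota call earlier in this function has already filled sctx->sec_config.quota: `/* Must stay after the global sss_sec_get_quota() call above */`. sec_get_config starts before and continues after this hunk.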
|
|
|
d6181b |
@@ -98,10 +138,10 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
|
d6181b |
|
|
|
d6181b |
ret = sss_sec_get_hive_config(sctx->rctx->cdb,
|
|
|
d6181b |
"kcm",
|
|
|
d6181b |
- DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
- DEFAULT_SEC_KCM_MAX_SECRETS,
|
|
|
d6181b |
- DEFAULT_SEC_KCM_MAX_UID_SECRETS,
|
|
|
d6181b |
- DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
+ &dfl_kcm_nest_level,
|
|
|
d6181b |
+ &dfl_kcm_max_secrets,
|
|
|
d6181b |
+ &dfl_kcm_max_uid_secrets,
|
|
|
d6181b |
+ &dfl_kcm_max_payload_size,
|
|
|
d6181b |
&sctx->kcm_config);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
|
d6181b |
diff --git a/src/util/secrets/config.c b/src/util/secrets/config.c
|
|
|
d6181b |
index cb286121f..f5dac0b21 100644
|
|
|
d6181b |
--- a/src/util/secrets/config.c
|
|
|
d6181b |
+++ b/src/util/secrets/config.c
|
|
|
d6181b |
@@ -24,10 +24,10 @@
|
|
|
d6181b |
|
|
|
d6181b |
errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
const char *section_config_path,
|
|
|
d6181b |
- int default_max_containers_nest_level,
|
|
|
d6181b |
- int default_max_num_secrets,
|
|
|
d6181b |
- int default_max_num_uid_secrets,
|
|
|
d6181b |
- int default_max_payload,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_containers_nest_level,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_payload,
|
|
|
d6181b |
struct sss_sec_quota *quota)
|
|
|
d6181b |
{
|
|
|
d6181b |
int ret;
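Review bot: The new sss_sec_quota_opt parameters should be declared `const struct sss_sec_quota_opt *`: the body only reads ->opt_name and ->default_value (visible in the later hunks of this file) and never writes through the pointers, while the only caller shown (secsrv.c) passes addresses of automatic locals that it keeps mutating between calls, so const documents that the function neither modifies nor retains the descriptors. Change `struct sss_sec_quota_opt *dfl_max_containers_nest_level,` to `const struct sss_sec_quota_opt *dfl_max_containers_nest_level,` and the same for the other three, with the matching change to the prototype in secrets.h. The function body continues past this hunk.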
|
|
|
d6181b |
@@ -38,8 +38,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
ret = confdb_get_int(cdb,
|
|
|
d6181b |
section_config_path,
|
|
|
d6181b |
- CONFDB_SEC_CONTAINERS_NEST_LEVEL,
|
|
|
d6181b |
- default_max_containers_nest_level,
|
|
|
d6181b |
+ dfl_max_containers_nest_level->opt_name,
|
|
|
d6181b |
+ dfl_max_containers_nest_level->default_value,
|
|
|
d6181b |
"a->containers_nest_level);
|
|
|
d6181b |
|
|
|
d6181b |
if (ret != EOK) {
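Review bot: The option name looked up here is now caller-supplied, dfl_max_containers_nest_level->opt_name, but the error handling inside the `if (ret != EOK)` branch lies outside the hunk; if its DEBUG message still names the option via the CONFDB_SEC_CONTAINERS_NEST_LEVEL literal it becomes wrong as soon as a caller passes a different name, which is the stated purpose of this change. Use `dfl_max_containers_nest_level->opt_name` in that message so the log identifies the key that actually failed to parse; the same applies to the three sibling lookups further down. sss_sec_get_quota starts and ends outside this hunk, so this is inferred from the visible call shape rather than confirmed.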
|
|
|
d6181b |
@@ -51,8 +51,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
ret = confdb_get_int(cdb,
|
|
|
d6181b |
section_config_path,
|
|
|
d6181b |
- CONFDB_SEC_MAX_SECRETS,
|
|
|
d6181b |
- default_max_num_secrets,
|
|
|
d6181b |
+ dfl_max_num_secrets->opt_name,
|
|
|
d6181b |
+ dfl_max_num_secrets->default_value,
|
|
|
d6181b |
"a->max_secrets);
|
|
|
d6181b |
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
@@ -64,8 +64,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
ret = confdb_get_int(cdb,
|
|
|
d6181b |
section_config_path,
|
|
|
d6181b |
- CONFDB_SEC_MAX_UID_SECRETS,
|
|
|
d6181b |
- default_max_num_uid_secrets,
|
|
|
d6181b |
+ dfl_max_num_uid_secrets->opt_name,
|
|
|
d6181b |
+ dfl_max_num_uid_secrets->default_value,
|
|
|
d6181b |
"a->max_uid_secrets);
|
|
|
d6181b |
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
@@ -77,8 +77,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
ret = confdb_get_int(cdb,
|
|
|
d6181b |
section_config_path,
|
|
|
d6181b |
- CONFDB_SEC_MAX_PAYLOAD_SIZE,
|
|
|
d6181b |
- default_max_payload,
|
|
|
d6181b |
+ dfl_max_payload->opt_name,
|
|
|
d6181b |
+ dfl_max_payload->default_value,
|
|
|
d6181b |
"a->max_payload_size);
|
|
|
d6181b |
|
|
|
d6181b |
if (ret != EOK) {
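Review bot: The value read for dfl_max_payload->opt_name is stored straight into quota->max_payload_size with no range check between confdb_get_int and the store, and max_payload_size appears to be the limit on how much a client may push into the secrets database per entry, so a negative number from sssd.conf would propagate as a nonsensical quota. If no validation follows outside the hunk, reject it here: `if (quota->max_payload_size < 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Invalid %s\n", dfl_max_payload->opt_name); return EINVAL; }`, using whatever error convention the rest of the function follows; do not also reject 0 unless the responder does not treat it as "unlimited", which is not visible here. The same consideration applies to max_secrets and max_uid_secrets above. sss_sec_get_quota continues past the hunk.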
|
|
|
d6181b |
@@ -93,10 +93,10 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
|
|
|
d6181b |
const char *hive_name,
|
|
|
d6181b |
- int default_max_containers_nest_level,
|
|
|
d6181b |
- int default_max_num_secrets,
|
|
|
d6181b |
- int default_max_num_uid_secrets,
|
|
|
d6181b |
- int default_max_payload,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_containers_nest_level,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_payload,
|
|
|
d6181b |
struct sss_sec_hive_config *hive_config)
|
|
|
d6181b |
{
|
|
|
d6181b |
int ret;
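Review bot: sss_sec_get_hive_config now has seven parameters, four of which are same-typed pointers that are only forwarded unchanged to sss_sec_get_quota; with four arguments of identical type a caller can swap two of them without any compiler diagnostic, and the secsrv.c call sites already show how noisy the argument lists get. Bundling them in one descriptor, e.g. `struct sss_sec_quota_opts { const struct sss_sec_quota_opt *nest_level, *max_secrets, *max_uid_secrets, *max_payload; };`, and passing a single pointer would remove that hazard; if the signature is kept, at least qualify the four pointers `const`. The function body continues past this hunk.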
|
|
|
d6181b |
@@ -122,10 +122,10 @@ errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
|
|
|
d6181b |
|
|
|
d6181b |
ret = sss_sec_get_quota(cdb,
|
|
|
d6181b |
confdb_section,
|
|
|
d6181b |
- default_max_containers_nest_level,
|
|
|
d6181b |
- default_max_num_secrets,
|
|
|
d6181b |
- default_max_num_uid_secrets,
|
|
|
d6181b |
- default_max_payload,
|
|
|
d6181b |
+ dfl_max_containers_nest_level,
|
|
|
d6181b |
+ dfl_max_num_secrets,
|
|
|
d6181b |
+ dfl_max_num_uid_secrets,
|
|
|
d6181b |
+ dfl_max_payload,
|
|
|
d6181b |
&hive_config->quota);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
|
|
|
d6181b |
index 01abfe542..31164bd86 100644
|
|
|
d6181b |
--- a/src/util/secrets/secrets.h
|
|
|
d6181b |
+++ b/src/util/secrets/secrets.h
|
|
|
d6181b |
@@ -47,6 +47,11 @@ struct sss_sec_ctx;
|
|
|
d6181b |
|
|
|
d6181b |
struct sss_sec_req;
|
|
|
d6181b |
|
|
|
d6181b |
+struct sss_sec_quota_opt {
|
|
|
d6181b |
+ const char *opt_name;
|
|
|
d6181b |
+ int default_value;
|
|
|
d6181b |
+};
|
|
|
d6181b |
+
|
|
|
d6181b |
struct sss_sec_quota {
|
|
|
d6181b |
int max_secrets;
|
|
|
d6181b |
int max_uid_secrets;
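Review bot: The new struct sss_sec_quota_opt is introduced without a comment although it is now part of the public contract of both sss_sec_get_* functions. Add a one-line header such as `/* Describes one quota option: the confdb key to read and the fallback value. */`, then `/* key looked up in the configured section; presumably must not be NULL */` on opt_name and `/* value used when the key is absent from the section */` on default_value. Whether confdb_get_int tolerates a NULL key is not visible in this patch, so confirm the NULL wording against its implementation before committing to it.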
|
|
|
d6181b |
@@ -98,18 +103,18 @@ bool sss_sec_req_is_list(struct sss_sec_req *req);
|
|
|
d6181b |
|
|
|
d6181b |
errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
|
|
|
d6181b |
const char *section_config_path,
|
|
|
d6181b |
- int default_max_containers_nest_level,
|
|
|
d6181b |
- int default_max_num_secrets,
|
|
|
d6181b |
- int default_max_num_uid_secrets,
|
|
|
d6181b |
- int default_max_payload,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_containers_nest_level,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_payload,
|
|
|
d6181b |
struct sss_sec_quota *quota);
|
|
|
d6181b |
|
|
|
d6181b |
errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
|
|
|
d6181b |
const char *hive_name,
|
|
|
d6181b |
- int default_max_containers_nest_level,
|
|
|
d6181b |
- int default_max_num_secrets,
|
|
|
d6181b |
- int default_max_num_uid_secrets,
|
|
|
d6181b |
- int default_max_payload,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_containers_nest_level,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
|
|
|
d6181b |
+ struct sss_sec_quota_opt *dfl_max_payload,
|
|
|
d6181b |
struct sss_sec_hive_config *hive_config);
|
|
|
d6181b |
|
|
|
d6181b |
#endif /* __SECRETS_H_ */
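Review bot: The updated prototypes do not say what the sss_sec_quota_opt pointers must point to or for how long; the only caller shown (secsrv.c) passes addresses of automatic locals and modifies them between calls, so the implied contract is that the descriptors are read during the call and neither retained nor modified. State that in a comment above sss_sec_get_quota and make it enforceable by declaring the four parameters `const struct sss_sec_quota_opt *` in both prototypes, which also lets callers make descriptors that are never updated const. A sentence explaining how the two functions differ (a full confdb section path versus a hive name that is resolved to a section) would help readers pick the right one.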
--
2.20.1