[Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration
Simo Sorce
simo at redhat.com
Tue Mar 11 15:09:59 UTC 2014
On Tue, 2014-03-11 at 16:05 +0200, Alexander Bokovoy wrote:
> On Tue, 11 Mar 2014, Jan Pazdziora wrote:
> >On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote:
> >> Before this patch, ipa-kdb would load global configuration on startup
> >> and never update it. This means that if global configuration is changed,
> >> the KDC never receives the new configuration until it is restarted.
> >>
> >> This patch enables caching of the global configuration with a timeout of
> >> 60 seconds.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4153
> >
> >> >From 7daeae56671d7b3049b0341aad66c96877431bbe Mon Sep 17 00:00:00 2001
> >> From: Nathaniel McCallum <npmccallum at redhat.com>
> >> Date: Mon, 24 Feb 2014 14:19:13 -0500
> >> Subject: [PATCH] Periodically refresh global ipa-kdb configuration
> >>
> >> Before this patch, ipa-kdb would load global configuration on startup and
> >> never update it. This means that if global configuration is changed, the
> >> KDC never receives the new configuration until it is restarted.
> >>
> >> This patch enables caching of the global configuration with a timeout of
> >> 60 seconds.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4153
> >
> >I have only read the code and it looks sane, so depending on how much
> >you consider my word about code-reading worth, ack.
> >
> >However, my gut feeling is that my preferred way of handling the issue
> >(without knowing much about the background of the ticket) would
> >probably be a HUP signal handler or something similar, rather than
> >polling for current values with the value timeout. This patch
> >introduces small nondeterminism to the behaviour when the usage of the
> >new values cannot really be enfoced by the admin (without the daemon
> >restart).
> Thing is, we need the update to happen when other, non-root process
> makes the changes -- in our case when IPA server running under httpd
> privileges performs series of MS-RPC calls towards smbd which lead to
> creating certain LDAP objects. httpd couldn't send SIGHUP to a process
> not owned by httpd's effective user (non-root).
Yes but this is not really the way to go.
The proper fix is to use syncrepl/persistent search to get a
notification of when we need to reload the configuration.
On the patch itself I have a NACK due to this syntax used in various
places: function()->attribute
don't. do. that. ever.
assign whatever come from the function to a local variable and *check*
it is not null, *then* use it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list