[Freeipa-devel] user-* commands performance issues

Petr Vobornik pvoborni at redhat.com
Mon Mar 21 10:00:55 UTC 2016


On 03/17/2016 04:09 PM, Martin Basti wrote:
> Hello all,
>
> I would like to discuss how we should improve the speed of
> user-find commands (and other commands too if possible):
>
> 0)
> Do not do extra search for ipasshpubkey. This is clear, patch posted for
> review.
> https://fedorahosted.org/freeipa/ticket/3376
>
> commands: user, stageuser, host, idview
>
> 1)
> make --no-members option visible in CLI
> https://fedorahosted.org/freeipa/ticket/4995

There was a discussion around devconf that --no-members should be a 
default behavior of xxx-find commands and I'm for it.

Reasoning: use case: 'find me all groups which satisfy this filter'. 
Showing members clutters the output (one group with >500 members makes it 
unusable) and makes things slow (both on server and CLI side).

For xxx-show commands it is a question where I don't have a strong opinion.

>
> I don't think we should also implement --no-indirect-members, I think
> that this kind of granularity is not needed.
> If --no-members is used, then indirect members will be ignored too.

+1

>
> commands: all which use members
>
> 2)
> Limit the amount of searches for memberof[indirect] (group, netgroup,
> role, hbacrule, sudorule) and search for each dn only once in find
> commands.
>
> We can have a configurable option in default.conf (for example
> memberof_search_limit=100 (0 unlimited)). Find commands will get members
> only for specified amount and if this limit is exceeded a warning
> message is shown.
> I do not like this idea much, I think it should be all or nothing, I
> prefer to not do this.
>
> However I like the idea of temporary caching inside find commands, where
> each memberof DN is resolved just once and results are cached in a map
> and reused in current context of command. This should be an improvement
> mainly for indirect searches, but cache should be faster for direct
> members than doing internal calls of framework objects. This part is
> backward compatible, the first part is not.
>
> https://fedorahosted.org/freeipa/ticket/5282

What parts of the ticket can be solved with the deref plugin? I guess we can 
get the CNs, but not what is a direct member. Maybe it should be 
discussed separately.

>
> commands: user-find, stageuser-find, possibly all find commands
>
> 3)
> Remove userPassword, krbPrincipalKey from search results
> This change is not backward compatible, can we do this?
>
> https://fedorahosted.org/freeipa/ticket/5281
>
> commands: user-find

I'm for it, would like to hear other opinions.

Note: it should be only in user-find commands. 'show' has to display it.

>
> Martin^2
>
-- 
Petr Vobornik
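
The per-command cache proposed in point 2 of the quoted message (each memberof DN resolved once and reused within one find command), as an added example that is not FreeIPA code and not from either poster. `MemberofCache`, `find_users` and the `DIRECTORY` dict are hypothetical names; the dict is constructed data standing in for the LDAP lookup, and how FreeIPA itself tells direct from indirect membership is not assumed here.

```python
from collections import Counter

# Constructed sample data (not real FreeIPA entries): DN -> direct memberOf DNs.
DIRECTORY = {
    "uid=alice,cn=users": ["cn=devs,cn=groups", "cn=admins,cn=groups"],
    "uid=bob,cn=users": ["cn=devs,cn=groups"],
    "cn=devs,cn=groups": ["cn=staff,cn=groups"],
    "cn=admins,cn=groups": ["cn=staff,cn=groups"],
    "cn=staff,cn=groups": ["cn=devs,cn=groups"],  # deliberate nesting cycle
}


class MemberofCache:
    """Hypothetical per-command map: each DN is looked up at most once."""
    def __init__(self, lookup):
        self._lookup = lookup     # assumed backend call, e.g. an LDAP search
        self._direct = {}         # DN -> tuple of direct memberOf DNs
        self.lookups = Counter()  # DN -> number of backend lookups made

    def direct(self, dn):
        if dn not in self._direct:
            self.lookups[dn] += 1
            self._direct[dn] = tuple(self._lookup(dn))
        return self._direct[dn]

    def resolve(self, dn):
        """Return (direct, indirect) memberof sets, tolerating cycles."""
        direct = set(self.direct(dn))
        seen, stack = set(direct), list(direct)
        while stack:
            for parent in self.direct(stack.pop()):
                if parent != dn and parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return direct, seen - direct


def find_users(user_dns, lookup=lambda dn: DIRECTORY.get(dn, [])):
    """Resolve memberships for a result set; the cache dies with the call."""
    cache = MemberofCache(lookup)
    results = {dn: cache.resolve(dn) for dn in user_dns}
    return results, cache.lookups


if __name__ == "__main__":
    results, lookups = find_users(["uid=alice,cn=users", "uid=bob,cn=users"])
    for dn, (direct, indirect) in results.items():
        print(dn, sorted(direct), sorted(indirect))
    print("backend lookups:", sum(lookups.values()))
```

Because the cache lives only for one `find_users` call, membership changes made between commands are never served stale.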



