[PATCH] [HBAC]: Better libhbac debugging
by Petr Cech
Hi,
according to
https://fedorahosted.org/sssd/ticket/2703
I tried to add logging to the library HBAC.
A)
Logging is performed using an external function, which you can set by:
# hbac_enable_debug(...)
B)
The specific implementation of such a function, you can see
# hbac_debug_messages(...)
C)
You can specify debug level:
'...' stands for
sssd_cygnus.dev.log:(Fri Jul 24 10:29:36 2015) [sssd[be[cygnus.dev]]]
[hbac] (0x0080): [../src/providers/ipa/
* SSSDBG_MINOR_FAILURE produces:
Question: What kind of information could I add for request into this level?
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:180] ALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
* SSSDBG_TRACE_ALL produces:
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:410] REQUEST:
...hbac_evaluator.c:391] service [sshd]
...hbac_evaluator.c:400] service_group (none)
...hbac_evaluator.c:391] user [csikos]
...hbac_evaluator.c:395] user_group:
...hbac_evaluator.c:397] [ipausers]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:400] targethost_group (none)
...hbac_evaluator.c:391] srchost [192.168.122.106]
...hbac_evaluator.c:400] srchost_group (none)
...hbac_evaluator.c:417] request time Fri Jul 24 14:29:36 2015
...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:435] services_names (none)
...hbac_evaluator.c:440] services_groups:
...hbac_evaluator.c:442] [Sudo]
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:435] users_names (none)
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] services_names:
...hbac_evaluator.c:432] [login]
...hbac_evaluator.c:432] [sshd]
...hbac_evaluator.c:432] [su]
...hbac_evaluator.c:445] services_groups (none)
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:180] ALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:410] REQUEST:
...hbac_evaluator.c:391] service [systemd-user]
...hbac_evaluator.c:400] service_group (none)
...hbac_evaluator.c:391] user [csikos]
...hbac_evaluator.c:395] user_group:
...hbac_evaluator.c:397] [ipausers]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:400] targethost_group (none)
...hbac_evaluator.c:400] srchost_group (none)
...hbac_evaluator.c:417] request time Fri Jul 24 14:29:36 2015
...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:435] services_names (none)
...hbac_evaluator.c:440] services_groups:
...hbac_evaluator.c:442] [Sudo]
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:435] users_names (none)
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] services_names:
...hbac_evaluator.c:432] [login]
...hbac_evaluator.c:432] [sshd]
...hbac_evaluator.c:432] [su]
...hbac_evaluator.c:445] services_groups (none)
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:410] REQUEST:
...hbac_evaluator.c:391] service [sshd]
...hbac_evaluator.c:400] service_group (none)
...hbac_evaluator.c:391] user [szabo]
...hbac_evaluator.c:395] user_group:
...hbac_evaluator.c:397] [ipausers]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:400] targethost_group (none)
...hbac_evaluator.c:391] srchost [192.168.122.106]
...hbac_evaluator.c:400] srchost_group (none)
...hbac_evaluator.c:417] request time Fri Jul 24 14:29:46 2015
...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:435] services_names (none)
...hbac_evaluator.c:440] services_groups:
...hbac_evaluator.c:442] [Sudo]
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] users_names:
...hbac_evaluator.c:432] [szabo]
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] services_names:
...hbac_evaluator.c:432] [login]
...hbac_evaluator.c:432] [sshd]
...hbac_evaluator.c:432] [su]
...hbac_evaluator.c:445] services_groups (none)
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:445] users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427] category [0] [NONE]
...hbac_evaluator.c:430] targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445] targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427] category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
Thanks.
Petr
8 years, 7 months
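Added example (not part of the thread or of the SSSD code base): a small parser that turns hbac_evaluate() trace blocks like the ones quoted in the post above into one record per evaluation, so denied requests can be picked out of a log. It assumes the message layout shown in that post, which comes from a proposed patch and may differ in released SSSD; the sample log is constructed from those lines.

```python
import re

# Constructed sample in the trace format quoted in the post (prefix kept as-is).
SAMPLE = """\
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:410] REQUEST:
...hbac_evaluator.c:391] service [sshd]
...hbac_evaluator.c:391] user [csikos]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:430] users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:180] ALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() >]
"""

PREFIX = re.compile(r"^.*?hbac_evaluator\.c:\d+\]\s*")
FIELD = re.compile(r"^(service|user|targethost|srchost) \[(.+)\]$")
VERDICT = re.compile(r"^(ALLOWED|DISALLOWED) by rule \[(.+)\]\.$")

def parse_hbac_trace(text):
    """Return one dict per hbac_evaluate() block found in the log text."""
    results, cur = [], None
    for raw in text.splitlines():
        msg = PREFIX.sub("", raw.strip())
        if msg == "[< hbac_evaluate()":
            cur = {"request": {}, "verdicts": []}
        elif cur is None:
            continue                      # line outside any evaluation block
        elif (m := FIELD.match(msg)):     # only present at trace level
            cur["request"][m.group(1)] = m.group(2)
        elif (m := VERDICT.match(msg)):
            cur["verdicts"].append((m.group(2), m.group(1) == "ALLOWED"))
        elif msg == "hbac_evaluate() >]":
            # HBAC rules only grant access: at least one rule must allow.
            cur["allowed"] = any(ok for _, ok in cur["verdicts"])
            results.append(cur)
            cur = None
    return results

def denied(results):
    """Evaluations in which no rule allowed access."""
    return [r for r in results if not r["allowed"]]
```

At SSSDBG_MINOR_FAILURE level the request fields are not logged, so those records carry an empty "request" dict and only the per-rule verdicts.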
RFC: Talloc reports
by Pavel Březina
Hi,
due to recent memory leak issues, I think it would be good to provide a
built-in way to store talloc full report in a file. It proved to be very
helpful in detection of the location where memory leak occurs, but we
always obtained it from a custom build.
I would very much like to write a patch, but I'd like to hear your
opinion on how it should be obtained. I have a few ideas:
1) Periodic task -- periodically (1 hour?) store talloc full report into
a file.
2) Generate report on signal.
3) Generate report on D-Bus method.
4) Provide a tool that would do 2) or 3).
I personally favor 1).
8 years, 7 months
RFC: Improving the debug messages
by Jakub Hrozek
Hi,
I spent many hours debugging SSSD in different scenarios last week and I
admit it wasn't always easy -- and I have the source code knowledge I
can use. I imagine it's considerably harder for users and admins.
So this is a brainstorm request on how can we make debugging with SSSD
easier. Maybe there are some low-hanging fruits that can be fixed
easily. Off the top of my head:
- it should be easier to see start and end of a request in the back end.
Instead of:
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=admin]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
We could make the debug messages more explicit:
[be_get_account_info] (0x0200): Received request for [object=user][key=name][value=admin]
[acctinfo_callback] (0x0200): Finished request for [object=user][key=name][value=admin]. Returned 0,0,Success
Then we could document the messages in our troubleshooting document.
Please note I'm not proposing to turn debug messages into any kind of
API and keep them the same forever, but decorate the usual flow with
messages that make sense without source level knowledge.
- same for authentication
- same for responder cache requests. We seem to have gotten better with
the new cache_req code there, so this is mostly about using the new
code in all responders. But also the commands we receive from sockets
should be printed in human-readable form.
- Running sssd in environment where all actions complete successfully
should emit no debug messages. Default log level should be moved to
SSSDBG_OP_FAILURE or CRIT_FAILURE. (This basically amounts to checking
all OP, FATAL and CRIT failure messages.)
The reason is that sometimes sssd fails, but because logging is
totally silent, we don't know what happened at all. Currently we have
a couple of small bugs where we might print a loud DEBUG message just
because we search for an entry which is not there etc.
- anything that causes SSSD to fail to start should also emit a syslog
message. Admins don't really know about sssd debug logs.
- our man pages are not structured well, especially the LDAP man page is
too big and contains too many options.
One reason I'm bringing this up now is that we'll have a new SSSD developer
starting soon and these might be nice tasks to start with AND they're
also needed.
8 years, 7 months
CI: Already fixed bug for TODO
by Lukas Slebodnik
ehlo,
I touched the CI script and I found an interesting todo
distro.sh-52-{
distro.sh-53- declare prompt=$'Need root permissions to install packages.\n'
distro.sh-54- prompt+="Enter sudo password for $USER: "
distro.sh-55- if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
distro.sh-56- [ $# != 0 ] && sudo -p "$prompt" yum --assumeyes install -- "$@" |&
distro.sh-57- # Pass input to output, fail if a missing package is reported
distro.sh-58- # TODO Remove and switch to DNF once
distro.sh:59: # https://bugzilla.redhat.com/show_bug.cgi?id=1128139 is fixed
distro.sh-60- awk 'BEGIN {s=0}
distro.sh-61- /^No package .* available.$/ {s=1}
distro.sh-62- {print}
distro.sh-63- END {exit s}'
distro.sh-64- elif [[ "$DISTRO_BRANCH" == -debian-* ]]; then
distro.sh-65- [ $# != 0 ] && sudo -p "$prompt" apt-get --yes install -- "$@"
distro.sh-66- else
The BZ1128139 was closed as duplicate of BZ1107737.
The BZ1107737 was fixed 7 months ago and is available in
dnf >= 0.6.4-2. Fedora 21 currently has dnf-0.6.4-7.
I think it's the best time for removing this todo.
LS
8 years, 7 months
[PATCH] CI: Run integration tests on debian testing
by Lukas Slebodnik
ehlo,
Integration tests are enabled on debian with the last patch.
I just changed DEPS_INTGCHECK_SATISFIED to true for debian
because in future we might introduce new dependencies
which will not be in debian (su_wrapper).
The 1st patch is a prerequisite for the last patch because
installation of slapd requires user interaction.
The ticket #2433 is finally fixed after 13 months.
If we do not want to introduce new dependency /usr/bin/libtool
for debian then there is alternative solution of bug fixed
in the 2nd patch. We can run libtool from CWD generated by autotools.
In both cases it's a oneliner :-)
Here is an alternative version:
diff --git a/contrib/ci/run b/contrib/ci/run
index 5f668ff..1f64e67 100755
--- a/contrib/ci/run
+++ b/contrib/ci/run
@@ -204,7 +204,7 @@ function build_debug()
CK_FORK=no \
stage make-check-valgrind \
make-check-wrap -j $CPU_NUM check -- \
- libtool --mode=execute \
+ ./libtool --mode=execute \
valgrind-condense 99 \
'!(*.py|*dlopen-tests)' -- \
--trace-children=yes \
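Review bot: the replacement line `./libtool --mode=execute \` is a path relative to the current working directory, so it only resolves while build_debug() runs this stage from the directory where autotools generated libtool, and nothing in the visible hunk establishes or checks that. Suggest either a short comment next to the line stating that assumption, or referring to the script through the build directory path so a missing file fails with a clear message instead of a failed make check.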
LS
8 years, 7 months
[PATCH] [sssd-1.11] pysss_nss_idmap: Use wrapper for older python
by Lukas Slebodnik
ehlo,
we dropped support for old version of python (<2.6)
in recent version of sssd. It should work in 1.11 branch
but there was a small issue in pysss_nss_idmap bindings.
Attached is a simple patch which reuses our internal python wrappers.
LS
8 years, 7 months