  1. Puppet
  2. PUP-10774

Long query time for AD groups


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 7.1.0, PUP 6.20.0
    • Component/s: None
    • Labels:
    • Template:
    • Agent OS:
      RHEL 6 (i386, x86_64)
    • Acceptance Criteria:

      1. Recreate the environment with Puppet and CentrifyDC’s provided NSS module installed.
      2. Observe time difference of before and after fix.

    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      NW - 2020-11-25, NW - 2020-12-09
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Time spent on querying the groups of a system user has been significantly improved on Linux operating systems with FFI and the `getgrouplist` method available.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installation timeouts. This seems to happen due to Puppet’s internal user group lookup implementation, which queries AD for all available groups at every run and takes too long to process a high amount of data. Said implementation points us to puppet/lib/puppet/util/posix.rb:

      # Returns an array of all the groups that the user's a member of.
      def groups_of(user)
        groups = []
        Puppet::Etc.group do |group|
          groups << group.name if group.mem.include?(user)
        end

        uniq_groups = groups.uniq
        if uniq_groups != groups
          Puppet.debug(_('Removing any duplicate group entries'))
        end
        uniq_groups
      end


      This needs to be replaced by the C API implementation getgrouplist(3), using FFI calls to look up the groups of a single user, instead of getent(1), which first retrieves all available groups and then determines which ones the user belongs to.
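
      A sketch of the per-user lookup described above, added here as an example and not taken from the Puppet code base or its fix. It assumes Linux with a 32-bit unsigned `gid_t` and uses Ruby's standard-library Fiddle in place of the ffi gem; `gids_via_getgrouplist` and `groups_of_fast` are hypothetical names.

```ruby
require 'etc'
require 'fiddle'

# Bind getgrouplist(3) from the libc already loaded into this process:
#   int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
GETGROUPLIST = Fiddle::Function.new(
  Fiddle::Handle::DEFAULT['getgrouplist'],
  [Fiddle::TYPE_VOIDP, -Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP],
  Fiddle::TYPE_INT
)
INT = Fiddle::SIZEOF_INT # assumption: gid_t is a 32-bit unsigned int (Linux)

# Returns the numeric gids of one user with a single libc call, so the NSS
# backend is asked about this user only instead of enumerating every group.
def gids_via_getgrouplist(user, primary_gid, capacity = 16)
  loop do
    count = Fiddle::Pointer.malloc(INT, Fiddle::RUBY_FREE)
    count[0, INT] = [capacity].pack('i')
    buf = Fiddle::Pointer.malloc(INT * capacity, Fiddle::RUBY_FREE)
    rc = GETGROUPLIST.call(user, primary_gid, buf, count)
    found = count[0, INT].unpack1('i')
    return buf[0, INT * found].unpack('L*') if rc >= 0
    # -1 means the buffer was too small; glibc stores the required size in
    # count. Doubling is the fallback for libcs that leave count unchanged.
    capacity = [found, capacity * 2].max
  end
end

# Hypothetical stand-in for the enumeration-based groups_of shown above.
def groups_of_fast(user)
  primary = Etc.getpwnam(user).gid # raises ArgumentError for an unknown user
  gids_via_getgrouplist(user, primary).map do |gid|
    begin
      Etc.getgrgid(gid).name
    rescue ArgumentError
      gid.to_s # gid that has no group entry
    end
  end.uniq
end
```

      Unlike the enumeration in `groups_of`, getgrouplist(3) always returns the primary gid passed to it, so the result includes the user's primary group even when no group member list names the user.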

              People

              Assignee:
              luchian.nemes Luchian Nemes
              Reporter:
              luchian.nemes Luchian Nemes