Details
- Improvement
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- None
- Night's Watch
- 3
- NW - 2020-11-25, NW - 2020-12-09
- Bug Fix
- Time spent on querying the groups of a system user has been significantly improved on Linux operating systems with FFI and the `getgrouplist` method available.
- Needs Assessment
Description
Using CentrifyDC’s provided NSS module to access user and group information from Active Directory through LDAP has surfaced some PE installation timeouts. This seems to happen due to Puppet’s internal user group lookup implementation, which queries AD for all available groups at every run and takes too long to process a high amount of data. Said implementation points us to puppet/lib/puppet/util/posix.rb:
```ruby
# Returns an array of all the groups that the user's a member of.
def groups_of(user)
  groups = []
  Puppet::Etc.group do |group|
    groups << group.name if group.mem.include?(user)
  end

  uniq_groups = groups.uniq
  if uniq_groups != groups
    Puppet.debug(_('Removing any duplicate group entries'))
  end
  uniq_groups
end
```
This needs to be replaced by the C API implementation getgrouplist(3) using FFI calls to look up the groups of a single user instead of getent(1), which first retrieves all available groups and then determines which ones the user belongs to.
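The single-user lookup the description asks for, shown directly in C as an added example (not Puppet's code or its FFI binding). `groups_of_user` and `has_gid` are hypothetical helpers, glibc on Linux is assumed, and the retry loop covers the case where getgrouplist(3) reports that the buffer is too small.

```c
#define _DEFAULT_SOURCE 1 /* exposes getgrouplist() in glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper, not Puppet code: one lookup for `user` only. Returns a
 * malloc'd gid array (always includes `primary`), count in *count, or NULL. */
gid_t *groups_of_user(const char *user, gid_t primary, int *count)
{
    int cap = 1; /* deliberately small so the resize path below gets used */
    gid_t *list = malloc(sizeof(gid_t) * (size_t)cap);
    while (list != NULL) {
        int n = cap;
        if (getgrouplist(user, primary, list, &n) != -1) {
            *count = n;
            return list;
        }
        /* -1 means the buffer was too small; n now holds the needed size. */
        gid_t *bigger = (n > cap) ? realloc(list, sizeof(gid_t) * (size_t)n) : NULL;
        if (bigger == NULL)
            free(list);
        list = bigger;
        cap = n;
    }
    return NULL;
}

/* Returns 1 if gid appears in list, 0 otherwise. */
int has_gid(const gid_t *list, int count, gid_t gid)
{
    for (int i = 0; i < count; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    int count = 0;
    gid_t *list = pw ? groups_of_user(pw->pw_name, pw->pw_gid, &count) : NULL;
    for (int i = 0; list != NULL && i < count; i++) {
        struct group *gr = getgrgid(list[i]);
        printf("%u %s\n", (unsigned)list[i], gr ? gr->gr_name : "?");
    }
    free(list);
    return count > 0 ? 0 : 1;
}
```

The cost of this call scales with one user's memberships rather than with the number of groups in the directory, which is the difference the description is after.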