NAS-131178 / 24.10.0 / Fix recursion in getting SID info (by anodos325) #14517
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Early in electric eel development, the SID values associated with local users and groups were changed to be deterministic based on their respective datastore table primary keys. A subsequent commit changed how this SID information was retrieved in user.get_user_obj and group.get_group_obj to ensure that we stopped relying on a winbind client connection (to robustize against edge case of user not having winbindd running). This SID information was obtained via user.query and group.query. Unfortunately, the developer neglected to set an additional ['local', '=', True] filter for the query request (which limits to local users only), which resulted in call to directoryservices.cache.query when AD or LDAP is enabled. If the account is a local account then the cache lookup failure results in call back into user.get_user_obj or group.get_group_obj resulting in loop. This commit correctly limits the lookup to local users and groups. (cherry picked from commit 932615e)
anodos325
approved these changes
Sep 13, 2024
|
This PR has been merged and conversations have been locked. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Early in electric eel development, the SID values associated with local users and groups were changed to be deterministic based on their respective datastore table primary keys. A subsequent commit changed how this SID information was retrieved in user.get_user_obj and group.get_group_obj to ensure that we stopped relying on a winbind client connection (to robustize against edge case of user not having winbindd running). This SID information was obtained via user.query and group.query.
Unfortunately, the developer neglected to set an additional ['local', '=', True] filter for the query request (which limits to local users only), which resulted in call to directoryservices.cache.query when AD or LDAP is enabled. If the account is a local account then the cache lookup failure results in call back into user.get_user_obj or group.get_group_obj resulting in loop.
This commit correctly limits the lookup to local users and groups.
Original PR: #14514
Jira URL: https://ixsystems.atlassian.net/browse/NAS-131178