Univention Bugzilla – Full Text Bug Listing |
Summary: | UDM users/user should use memberOf overlay instead of searching for group membership | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC - Users | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Peter Stoll <stoll.extern> |
Severity: | normal | ||
Priority: | P5 | CC: | michael, requate, stoll.extern |
Version: | UCS 5.0 | Flags: | best: Patch_Available+ |
Target Milestone: | UCS 5.0-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://git.knut.univention.de/univention/ucs/-/merge_requests/536 | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=52175 https://forge.univention.org/bugzilla/show_bug.cgi?id=57263 | ||
What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | API change, Cleanup, Debt Technical, Large environments, UCS Performance | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 56253 |
Description
Florian Best
2022-10-14 16:29:49 CEST
Patch available in: https://git.knut.univention.de/univention/ucs/-/merge_requests/536

On a System with 2.000 users this saves 0.88 seconds for a UDM search:

Prior:

```
# time curl --unix-socket /var/run/univention-directory-manager-rest-en-us.socket -s "http://Administrator:univention@localhost/udm/users/user/?properties=*" -H "accept: application/json" > /dev/null
real 0m4,820s
user 0m0,010s
sys 0m0,006s
```

Afterwards:

```
# time curl --unix-socket /var/run/univention-directory-manager-rest-en-us.socket -s "http://Administrator:univention@localhost/udm/users/user/?properties=*" -H "accept: application/json" > /dev/null
real 0m3,935s
user 0m0,011s
sys 0m0,004s
```

The comment 2 above was with a System with 2 GB RAM. On a System with 50.000 Users and 40.000 Groups (each user in ~2 groups) with 32 GB RAM the performance difference is:

Prior:

```
# time curl --unix-socket /var/run/univention-directory-manager-rest-en-us.socket -s "http://Administrator:univention@localhost/udm/users/user/?foo=bar" -H "accept: application/json" > /dev/null
real 6m5,792s
user 0m0,064s
sys 0m0,038s
```

Afterwards:

```
# time curl --unix-socket /var/run/univention-directory-manager-rest-en-us.socket -s "http://Administrator:univention@localhost/udm/users/user/?foo=bar" -H "accept: application/json" > /dev/null
real 1m44,952s
user 0m0,031s
sys 0m0,055s
```

This needs way more careful considerations:

1. slapo-memberof is deprecated and to be replaced by slapo-dynlist:

   See also:

   ITS#9795 - Remove memberof overlay
   https://bugs.openldap.org/show_bug.cgi?id=9795

   ITS#8613 - slapo-memberOf documentation update (Unsafe to use with replication)
   https://bugs.openldap.org/show_bug.cgi?id=8613

2. 'memberOf' is generated on-the-fly by slapo-dynlist. So it cannot be indexed and some use-cases are way slower with that.

3. The issues are even bigger with nested group membership.

(In reply to Michael Ströder from comment #5)
> This needs way more careful considerations:

Thanks for the points.

> 1. slapo-memberof is deprecated and to be replaced by slapo-dynlist:
>
> See also:
>
> ITS#9795 - Remove memberof overlay
> https://bugs.openldap.org/show_bug.cgi?id=9795
>
> ITS#8613 - slapo-memberOf documentation update (Unsafe to use with
> replication)
> https://bugs.openldap.org/show_bug.cgi?id=8613

Yes, but we need to postpone this. The change to slapo-dynlist needs to be done in a different major or minor UCS release.

> 2. 'memberOf' is generated on-the-fly by slapo-dynlist. So it cannot be
> indexed and some use-cases are way slower with that.

Could you elaborate? In my tests for simple receiving memberships I had only performance enhancements.

> 3. The issues are even bigger with nested group membership.

We don't resolve nested group memberships currently. memberOf doesn't do it as well?

Verified:
* Code review
* Package build
* Performance test before vs. after this change
* Compared test output before vs. after -> no differences
* Changelog and YAML advisory

The changes have been merged:

univention-directory-manager-modules.yaml
c30da519e115 | perf(udm users/user)!: add UCR variable for backwards compatibility

Using the group memberships via `memberOf` adds all groups to the user which he is assigned to, even if the reading user cannot read the specific groups or if the memberships are no groups/group objects. As there might be code in the wild which doesn't do error handling when iterating over group memberships, a UCR variable `directory/manager/user/group-memberships-via-memberof` can be used to restore the old behavior. The variable is going to be removed in UCS 5.1.

univention-directory-manager-modules (15.0.13-26)
c30da519e115 | perf(udm users/user)!: add UCR variable for backwards compatibility
210adfac9101 | perf(udm users/user)!: use "memberOf" instead of searching for group memberships

One test failed because it tested that "groups" are not available without open(). Simply changed to "primaryGroup" so the test behavior is equal:
https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestUpgrade/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/59_udm.50_test_udm_api/TestUdmAutoOpen/test_auto_open_false/

ucs-test (10.0.7-28)
ae69615e5fab | test(udm): adjust for "groups" availability in "users/user"
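
The behaviour change noted in the changelog above, as an added example that is not part of the bug report or of the UDM code base: a small in-memory model contrasts the search-based lookup with reading `memberOf`, and shows the error handling a consumer needs when a listed DN is unreadable or is no groups/group object. All DNs, the `other/object` module name, the ACL table and the `NoObject` exception are constructed assumptions.

```python
# Constructed sample data: DNs, module names and the ACL model are illustrative
# assumptions, not UCS data and not the UDM API.
ALICE = "uid=alice,cn=users,dc=example,dc=org"
READER = "uid=helpdesk,cn=users,dc=example,dc=org"
STAFF = "cn=staff,cn=groups,dc=example,dc=org"
HIDDEN = "cn=hidden,cn=groups,dc=example,dc=org"
ROLE = "cn=role,cn=misc,dc=example,dc=org"

# dn -> (module the entry maps to, member DNs)
ENTRIES = {
    STAFF: ("groups/group", [ALICE]),
    HIDDEN: ("groups/group", [ALICE]),
    ROLE: ("other/object", [ALICE]),  # lists alice but is no groups/group object
}
MEMBER_OF = {ALICE: [STAFF, HIDDEN, ROLE]}   # attribute kept on the user entry
READABLE = {READER: {ALICE, STAFF, ROLE}}    # HIDDEN is denied to this reader


class NoObject(Exception):
    """Hypothetical stand-in for 'entry missing, unreadable or wrong type'."""


def groups_by_search(reader, user_dn):
    """Old behaviour: search group objects as the reader; ACLs filter the result."""
    return sorted(dn for dn, (module, members) in ENTRIES.items()
                  if module == "groups/group" and user_dn in members
                  and dn in READABLE[reader])


def groups_by_memberof(reader, user_dn):
    """New behaviour: return the user's memberOf values without opening the groups."""
    if user_dn not in READABLE[reader]:
        raise NoObject(user_dn)
    return sorted(MEMBER_OF.get(user_dn, []))


def open_group(reader, dn):
    """Open a DN as groups/group; fails for unreadable or non-group entries."""
    module, members = ENTRIES.get(dn, (None, []))
    if dn not in READABLE[reader] or module != "groups/group":
        raise NoObject(dn)
    return {"dn": dn, "users": members}


def resolve_groups(reader, user_dn):
    """Iterate memberOf defensively: collect what opens, record what does not."""
    opened, skipped = [], []
    for dn in groups_by_memberof(reader, user_dn):
        try:
            opened.append(open_group(reader, dn)["dn"])
        except NoObject:
            skipped.append(dn)
    return opened, skipped
```

In this model the reader learns the DN of `HIDDEN` through `memberOf` although the ACL denies reading that group, which is the visibility difference the changelog describes.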