
Re: Wishes for set ACLs



Howard Chu wrote:

Kurt D. Zeilenga wrote:

I believe the problem stems (or stemmed) from bdb_entry_get not
realizing that it needs to pass up the DB_DEADLOCK error
instead of retrying.  That is, there were cases where the
higher level transaction (boi->boi_txn) was masked or
otherwise hidden from bdb_entry_get.

If we fixed all of that, great.


Pretty sure all of that has worked for quite a while. Otherwise static groups would be triggering deadlocks all the time.

I don't think Ando's test would trigger any problems. More likely you would need at least two ACLs that create circular references, and attempt to modify both target entries.

e.g.
  access to uid=foo by group=bar write
  access to group=bar by uid=foo write

But I haven't tried it, so no guesses whether it's safe or broken.

working pretty fine:

access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
  by set="[cn=all staff,ou=groups,dc=example,dc=com]/member/uid & [cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com]/uid" write
  by * auth


access to dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
  by set="[cn=all staff,ou=groups,dc=example,dc=com]/member/uid & [cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com]/uid" write
  by * auth


I'm running a cycle of ~20000 sequences of concurrent writes on each of bjorn/bjensen, plus some concurrent reads and no problem is occurring. I'll let you know.

I was considering the opportunity of adding very specialized tests in a dedicated namespace (666-testXXX?) to be run manually only occasionally (maybe including some that currently fail but are meant to be fixed at some point). This could be one of them.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
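
An added example, not part of the original message or of OpenLDAP: a small Python lint for the circular-reference condition discussed in this thread. It reads slapd.conf-style rules, records which literal DNs each dn.exact target's set= clauses dereference, and reports cycles among targets. The function names and the simplified DN normalisation are assumptions, and DNs reached indirectly through attribute values (such as member) are not followed.

```python
import re
from collections import defaultdict

# Sample input: the two rules from the message above (continuation lines indented).
ACL_TEXT = '''
access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
  by set="[cn=all staff,ou=groups,dc=example,dc=com]/member/uid & [cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com]/uid" write
  by * auth
access to dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
  by set="[cn=all staff,ou=groups,dc=example,dc=com]/member/uid & [cn=bjorn jensen,ou=information technology division,ou=people,dc=example,dc=com]/uid" write
  by * auth
'''

def norm_dn(dn):
    """Crude DN normalisation (assumes no escaped commas): case-fold, trim RDN spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def build_graph(acl_text):
    """Map each dn.exact target to the literal DNs its set= clauses dereference."""
    graph = defaultdict(set)
    # A new directive starts wherever a line begins with "access to".
    for rule in re.split(r"(?m)^(?=access\s+to\s)", acl_text):
        target = re.match(r'access\s+to\s+dn\.exact="([^"]+)"', rule)
        if not target:
            continue
        for set_expr in re.findall(r'\bby\s+set="([^"]+)"', rule):
            for dn in re.findall(r"\[([^\]]+)\]", set_expr):
                graph[norm_dn(target.group(1))].add(norm_dn(dn))
    return graph

def find_cycles(graph):
    """Return each cycle among ACL targets once, rotated to start at its smallest DN."""
    cycles = set()
    def walk(node, path):
        for nxt in graph.get(node, ()):
            if nxt == path[0]:
                i = path.index(min(path))
                cycles.add(tuple(path[i:] + path[:i]))
            elif nxt not in path and nxt in graph:  # only ACL targets can continue a cycle
                walk(nxt, path + [nxt])
    for start in list(graph):
        walk(start, [start])
    return sorted(cycles)

if __name__ == "__main__":
    for cycle in find_cycles(build_graph(ACL_TEXT)):
        print(" -> ".join(cycle + cycle[:1]))
```

A reported cycle only marks a pair of rules worth exercising with concurrent writes; it does not by itself indicate a deadlock.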