hbacrule: reduce number of LDAP searches during deletion

The `hbacrule` module performs a call to `selinuxusermap-find` during entry deletion. This can be optimized by passing pkey_only=True to the search, skipping the post-callback function. Passing the full DN of the hbacrule and detecting it in the selinuxusermap find also saves one call to hbacrule-show, further reducing the searches. Related: https://pagure.io/freeipa/issue/8784 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-03-31 18:53:44 +02:00 · 2021-03-31 18:53:44 +02:00 · 1a539984c7
commit 1a539984c7
parent d8f246d8e3
2 changed files with 14 additions and 6 deletions
--- a/ipaserver/plugins/hbacrule.py
+++ b/ipaserver/plugins/hbacrule.py
@ -317,7 +317,7 @@ class hbacrule_del(LDAPDelete):

    def pre_callback(self, ldap, dn, *keys, **options):
        assert isinstance(dn, DN)
-        kw = dict(seealso=keys[0])
+        kw = dict(seealso=str(dn), pkey_only=True)
        _entries = api.Command.selinuxusermap_find(None, **kw)
        if _entries['count']:
            raise errors.DependentEntry(key=keys[0], label=self.api.Object['selinuxusermap'].label_singular, dependent=_entries['result'][0]['cn'][0])
--- a/ipaserver/plugins/selinuxusermap.py
+++ b/ipaserver/plugins/selinuxusermap.py
@ -454,12 +454,20 @@ class selinuxusermap_find(LDAPSearch):
        if options.get('seealso'):
            hbacrule = options['seealso']

+            # If a complete DN is passed we can skip calling hbacrule-show
            try:
-                hbac = api.Command['hbacrule_show'](hbacrule,
-all=True)['result']
-                dn = hbac['dn']
-            except errors.NotFound:
-                return dict(count=0, result=[], truncated=False)
+                tmpdn = DN(hbacrule)
+            except ValueError:
+                tmpdn = DN()
+            if DN(api.env.container_hbac, api.env.basedn) not in tmpdn:
+                try:
+                    hbac = api.Command['hbacrule_show'](hbacrule,
+                                                        all=True)['result']
+                    dn = hbac['dn']
+                except errors.NotFound:
+                    return dict(count=0, result=[], truncated=False)
+            else:
+                dn = tmpdn
            options['seealso'] = dn

        return super(selinuxusermap_find, self).execute(*args, **options)