Performance: Find commands: do not process members by default

In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-05-19 13:50:38 +02:00
parent 91572afc60
commit 5f42b42bd4
28 changed files with 981 additions and 98 deletions
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1117,7 +1117,7 @@ last, after all sets and adds."""),
                    yield Flag('no_members',
                        doc=_('Suppress processing of membership attributes.'),
                        exclude='webui',
-                        flags=['no_output'],
+                        flags={'no_output'},
                    )
                    break

@@ -1907,6 +1907,11 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):

    def get_options(self):
        for option in super(LDAPSearch, self).get_options():
+            if option.name == 'no_members':
+                # no_members are always true for find commands, do not
+                # show option in CLI but keep API compatibility
+                option = option.clone(
+                    default=True, flags=option.flags | {"no_cli"})
            yield option
        if self.obj.primary_key and \
                'no_output' not in self.obj.primary_key.flags:
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -122,7 +122,7 @@ def _acl_make_rule(principal_type, obj):

 def acl_evaluate(principal_type, principal, ca_ref, profile_id):
    req = _acl_make_request(principal_type, principal, ca_ref, profile_id)
-    acls = api.Command.caacl_find()['result']
+    acls = api.Command.caacl_find(no_members=False)['result']
    rules = [_acl_make_rule(principal_type, obj) for obj in acls]
    return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW

--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -337,7 +337,8 @@ class hbactest(Command):

        hbacset = []
        if len(testrules) == 0:
-            hbacset = self.api.Command.hbacrule_find(sizelimit=sizelimit)['result']
+            hbacset = self.api.Command.hbacrule_find(
+                sizelimit=sizelimit, no_members=False)['result']
        else:
            for rule in testrules:
                try:
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -318,7 +318,8 @@ class otptoken_add(LDAPCreate):
        # If owner was not specified, default to the person adding this token.
        # If managedby was not specified, attempt a sensible default.
        if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs:
-            result = self.api.Command.user_find(whoami=True)['result']
+            result = self.api.Command.user_find(
+                whoami=True, no_members=False)['result']
            if result:
                cur_uid = result[0]['uid'][0]
                prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -210,7 +210,8 @@ class topologysegment(LDAPObject):
            return  # nothing to check

        # check if nodes are IPA servers
-        masters = self.api.Command.server_find('', sizelimit=0)['result']
+        masters = self.api.Command.server_find(
+            '', sizelimit=0, no_members=False)['result']
        m_hostnames = [master['cn'][0].lower() for master in masters]

        if leftnode and leftnode not in m_hostnames:
@@ -472,7 +473,8 @@ Checks done:

        validate_domain_level(self.api)

-        masters = self.api.Command.server_find('', sizelimit=0)['result']
+        masters = self.api.Command.server_find(
+            '', sizelimit=0, no_members=False)['result']
        segments = self.api.Command.topologysegment_find(
            keys[0], sizelimit=0)['result']
        graph = create_topology_graph(masters, segments)
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -710,7 +710,8 @@ class user_del(baseuser_del):
        # Delete all tokens owned and managed by this user.
        # Orphan all tokens owned but not managed by this user.
        owner = self.api.Object.user.get_primary_key_from_dn(dn)
-        results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
+        results = self.api.Command.otptoken_find(
+            ipatokenowner=owner, no_members=False)['result']
        for token in results:
            orphan = not [x for x in token.get('managedby_user', []) if x == owner]
            token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])