Home My Page Projects FusionForge
Summary Activity Forums Tracker Lists News SCM Files Mediawiki Hudson/Jenkins

[#660] Rebuild nss_passwd / nss_groups / nss_usergroups

2014-04-22 09:13
Submitted by:
Sylvain Beucler (beuc-inria)
Assigned to:
Nobody (None)
Target release:
Rebuild nss_passwd / nss_groups / nss_usergroups

Detailed description
I find several projects in my 5.1 (and upgraded 5.3) installation where I need to add/remove users from a project to properly rebuild then nss_groups or nss_usergroups tables.

- missing group in nss_groups while it's active and uses SCM
- missing entry for site admin in private projects

So I'm in need of a script to properly rebuild these tables.
Message  ↓
Date: 2015-05-12 13:50
Sender: Sylvain Beucler

Closing for now.
Rebuilding nss_passwd and nss_group not necessary.

Date: 2015-04-03 12:24
Sender: Sylvain Beucler

nss_usergroups regen implemented.

Not sure we need to regen nss_passwd and nss_group right now.

Date: 2015-03-17 15:19
Sender: Sylvain Beucler

New nss-usergroups.sql version
- aimed at regenerating the table rather than convert it as a view
- assumes project group membership mean read-only access
- fixes projname/scm_projname duplicates

See http://lists.fusionforge.org/pipermail/fusionforge-general/2015-March/002847.html for discussion.

Date: 2015-03-16 17:42
Sender: Sylvain Beucler

Cf. [#760] for "Agreed on IRC meeting today about moving to a single default group for all users", which is required to implement this.

Date: 2014-09-12 14:15
Sender: Sylvain Beucler

Additional info:
- "The nss response time is < 2s for InriaForge and then gets cached, which mean we can use it directly as a view." => actually the response time is not consistent and is rather between 1.5s and 4.5s. Four seconds being too annoying for users, let's not use a view, unless we can optimize this some more.
- If we don't use a view, we can rebuild the table on a regular basis. The cron would take < 5s :)
- Agreed on IRC meeting today about moving to a single default group for all users.
- I see that homedirs.php already set the homedirs group owner to "users".

Date: 2014-09-11 10:13
Sender: Sylvain Beucler

You're right.

Date: 2014-09-10 16:25
Sender: Franck Villaume

my first look at the sql pointed me to :
"DELETE FROM nss_groups WHERE group_id=0;"

I assume we need to delete the following php code too:
extract from ~/common/include/system/pgsql.class.php in function sysCreateUser:

$res3 = db_query_params ('INSERT INTO nss_groups
(user_id, group_id,name, gid)
SELECT user_id, 0, user_name, unix_gid
FROM users WHERE user_id=$1',
array ($user_id));

am I right?

Date: 2014-09-04 13:04
Sender: Sylvain Beucler

New version of nss_usergroups.sql
(uses nss_groups instead of groups for proper unix gid)

The nss response time is < 2s for InriaForge and then gets cached, which mean we can use it directly as a view. No more maintenance and desync of nss_usergroups - it's directly mapped to the reference data!

Annoyingly nss_groups is currently buggy: it allows duplicate groups, when a group and a user (default group) have the same name. This breaks the JOINs.

To fix this we need to remove the user default group, e.g. replace it with a global "forge_users" group.
What do you think?

Date: 2014-05-13 17:33
Sender: Sylvain Beucler

src/utils/sync_unix_group.php does rebuild part of nss_usergroups, but doesn't take RBAC into account.

Attached is a pure-SQL reimplementation attempt to rebuild nss_usergroups.

Size Name Date By Download
2 KiBnss_usergroups.sql2014-05-13 17:33beuc-inrianss_usergroups.sql
2 KiBnss_usergroups.sql2014-09-04 13:10beuc-inrianss_usergroups.sql
2 KiBnss_usergroups.sql2015-03-17 15:19beuc-inrianss_usergroups.sql
Field Old Value Date By
status_idOpen2015-05-12 13:50beuc-inria
close_dateNone2015-05-12 13:50beuc-inria
File Added497: nss_usergroups.sql2015-03-17 15:19beuc-inria
File Added495: nss_usergroups.sql2014-09-04 13:10beuc-inria
File Deleted494: nss_usergroups.sql2014-09-04 13:10beuc-inria
File Added494: nss_usergroups.sql2014-09-04 13:04beuc-inria
File Added416: nss_usergroups.sql2014-05-13 17:33beuc-inria