Page MenuHomePhabricator

Invalidate the nscd group cache of instances in a project when a user is added or removed
Closed, DeclinedPublic

Description

If a user tries to access a project before they are a member, they'll be stored in the negative nscd cache for group. When the user is added to the project, if they try to access the instance before the negative cache expires, they'll be rejected.

Using salt, we should trigger an nscd group cache invalidation for all instances in a project when a user is added or removed from the project.


Version: unspecified
Severity: normal

Details

Reference
bz43526

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 1:13 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz43526.

Where should the invalidation be triggered?

Options:

  1. the 'if ( $success ) { .. }' block in addMember(), deleteMember() and possibly setMembers() methods on OpenStackNovaProjectGroup.php
  2. Some wrapper around LdapAuthenticationPlugin::ldap_modify

Thoughts?

Is there any existing integration between salt and OpenStackManager that I could check out?

There's no integration yet. Either you'd need to shell out, or get salt-api working.

salt-api is currently 'pre-alpha'. The code doesn't look like anything substantial yet.

The Salt wire protocol is MessagePack on top of ZeroMQ. Both MessagePack and ZeroMQ have good PHP bindings, so perhaps writing a PHP-based salt client wouldn't be too hard.

Alternately we could implement a simple MediaWiki-Salt bridge, perhaps using UDP / wfDebug.

Both approaches would be overkill if this was an isolated need. If there was better Salt / MediaWiki integration, do you expect to have lots of uses for it?

chasemp subscribed.

closing due to age and activity, I don't think this has been an issue