From 940002ca21abde53ad81df622d1f4dd3b5e8e014 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Fri, 30 Nov 2018 13:34:22 +0100

Subject: [PATCH 20/23] SECRETS: Don't limit the global number of ccaches

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Related:

https://pagure.io/SSSD/sssd/issue/3386

In the KCM context, the global number of ccaches would limit the number

of users who can store their ccaches in the KCM deamon.

In more detail, the options have the following semantics with KCM:

    - DEFAULT_SEC_KCM_MAX_SECRETS - global number of secrets, would

    cover both how many ccaches can a user store, but this is better

    served with DEFAULT_SEC_KCM_MAX_UID_SECRETS

    - DEFAULT_SEC_KCM_MAX_UID_SECRETS - how many 'principals' can a user

    kinit with

    - DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE - the payload size of service

    tickets

With the above in mind, I think the most important limits are

max_uid_secrets to limit and the payload size to constraint how much

space can a user occupy and it doesn't make much sense to limit the

global quota.

Reviewed-by: Michal Židek <mzidek@redhat.com>

---

 src/util/secrets/secrets.h | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h

index 31164bd86..9cf397516 100644

--- a/src/util/secrets/secrets.h

+++ b/src/util/secrets/secrets.h

@@ -39,7 +39,7 @@

  * but the secret size must be large because one secret in the /kcm

  * hive holds the whole ccache which consists of several credentials

  */

-#define DEFAULT_SEC_KCM_MAX_SECRETS      256

+#define DEFAULT_SEC_KCM_MAX_SECRETS      0          /* unlimited */

 #define DEFAULT_SEC_KCM_MAX_UID_SECRETS  64

 #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536

-- 

2.20.1