[Freeipa-devel] [PATCH 61] Cache authentication in session

John Dennis jdennis at redhat.com
Sun Feb 5 23:56:45 UTC 2012


On 01/25/2012 09:16 AM, Rob Crittenden wrote:
> John Dennis wrote:
>> On 01/23/2012 06:15 PM, John Dennis wrote:
>>> Rebased patch attached (includes contents of previous patch 60).
>>>
>>> The issues with ipa_memcached belonged to patch 59, that patch was
>>> rebased and resubmitted.
>>>
>>> I cannot reproduce the looping problem you saw. The only thing I can
>>> think of is that you were running with SELinux enabled and currently
>>> ipa_memcached requires SELinux to be disabled otherwise the whole
>>> caching mechanism fails.
>>
>> O.K., let's try this again with the patch actually attached :-)
>
> NACK. It doesn't work if ipa_memcached is not configured (-M install
> option).
>
> I tested this last night then picked up testing again this morning and
> was greeted with the attached image. I'm not sure if this is a browser
> issue, the fact that my browser was being redirected from a VM to the
> display on my desktop or the current cosmic rays.
>
> We also need a way to do a logout. The user can do a kdestroy and still
> have an active session. If this isn't covered in any current tickets
> please open a new one. As far as I can tell you provide a facility for
> invalidating a cache entry, I'm just not sure if that is enough for the
> UI guys to hook in to.
>
> I think you were right about SELinux. When I put it into permissive mode
> then the caching worked. The UI is much more responsive now.

Attached is a modified patch.

The logic concerning how Kerberos auth is acquired was modified; we no 
longer use redirects. Instead we return an error and the javascript code 
in the browser sends a GET to the login page to refresh the session 
credentials. If that succeeds it resubmits the POST that previously was 
denied. This works much better: there are no longer any browser 
glitches, and it seems to function very smoothly with good performance.

I also added a config item, session_auth_duration so that admins can 
control how long a session will be valid before credentials need to be 
refreshed. The default.config man page was updated to document the new 
option. It's easy to specify using simple notation such as "1 hour, 30 
minutes" or "1h30m", etc. I added a new utility parse_time_duration() to 
read the duration specification.

I also modified how files were being used for the Kerberos ccache. 
The previous code allocated one file per session, but there wasn't a 
good way to clean up these files. Now there is just one ccache file per 
process and it only exists for the duration of the request, after which 
we remove it. The ccache is stored in the memcached session data. We 
refresh the memcached copy of the ccache at the end of the request to 
make sure any credentials modified/added during the request are preserved.

The submit comments are reasonably detailed; you should take a look at those 
for more information.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0061-2-add-session-manager-and-cache-krb-auth.patch
Type: text/x-patch
Size: 85632 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120205/eab79390/attachment.bin>
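The duration notation and the session_auth_duration check described in the message above, as an added illustration: this is not the patch's own parse_time_duration(), and the accepted unit names, the seconds return value, and the session_needs_reauth()/is_valid_duration() helpers are assumptions.

```python
import re

# Unit table (assumption: the unit names the real helper accepts may differ).
_UNITS = {
    's': 1, 'sec': 1, 'secs': 1, 'second': 1, 'seconds': 1,
    'm': 60, 'min': 60, 'mins': 60, 'minute': 60, 'minutes': 60,
    'h': 3600, 'hr': 3600, 'hrs': 3600, 'hour': 3600, 'hours': 3600,
    'd': 86400, 'day': 86400, 'days': 86400,
    'w': 604800, 'week': 604800, 'weeks': 604800,
}

# One "<number><unit>" pair such as "30 minutes" or "30m"; pairs may be
# separated by whitespace and/or a comma ("1 hour, 30 minutes", "1h30m").
_PAIR = re.compile(r'(\d+)\s*([a-z]+)\s*,?\s*')


def parse_time_duration(spec):
    """Parse '1 hour, 30 minutes', '1h30m', '2 days 4h', ... into total seconds.

    Raises ValueError for an empty string, an unknown unit, or leftover text,
    so a mistyped session_auth_duration fails when the config is read instead
    of silently yielding a zero-length or unbounded session lifetime.
    """
    text = spec.strip().lower()
    if not text:
        raise ValueError('empty duration specification')
    total, pos = 0, 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if m is None:
            raise ValueError('cannot parse duration at: %r' % text[pos:])
        count, unit = int(m.group(1)), m.group(2)
        if unit not in _UNITS:
            raise ValueError('unknown time unit: %r' % unit)
        total += count * _UNITS[unit]
        pos = m.end()
    return total


def is_valid_duration(spec):
    """True when spec is accepted by parse_time_duration()."""
    try:
        parse_time_duration(spec)
        return True
    except ValueError:
        return False


def session_needs_reauth(auth_timestamp, now, session_auth_duration):
    """True once the credentials cached at auth_timestamp (seconds) are older
    than the configured session lifetime, i.e. the request should be answered
    with an error so the browser refreshes the session via the login page."""
    return (now - auth_timestamp) >= parse_time_duration(session_auth_duration)
```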
