[Freeipa-devel] [PATCH 61] Cache authentication in session

John Dennis jdennis at redhat.com
Mon Feb 6 12:35:52 UTC 2012


On 02/05/2012 06:56 PM, John Dennis wrote:
> On 01/25/2012 09:16 AM, Rob Crittenden wrote:
>> John Dennis wrote:
>>> On 01/23/2012 06:15 PM, John Dennis wrote:
>>>> Rebased patch attached (includes contents of previous patch 60).
>>>>
>>>> The issues with ipa_memcached belonged to patch 59, that patch was
>>>> rebased and resubmitted.
>>>>
>>>> I cannot reproduce the looping problem you saw. The only thing I can
>>>> think of is that you were running with SELinux enabled and currently
>>>> ipa_memcached requires SELinux to be disabled otherwise the whole
>>>> caching mechanism fails.
>>>
>>> O.K., let's try this again with the patch actually attached :-)
>>
>> NACK. It doesn't work if ipa_memcached is not configured (-M install
>> option).
>>
>> I tested this last night then picked up testing again this morning and
>> was greeted with the attached image. I'm not sure if this is a browser
>> issue, the fact that my browser was being redirected from a VM to the
>> display on my desktop or the current cosmic rays.
>>
>> We also need a way to do a logout. The user can do a kdestroy and still
>> have an active session. If this isn't covered in any current tickets
>> please open a new one. As far as I can tell you provide a facility for
>> invalidating a cache entry, I'm just not sure if that is enough for the
>> UI guys to hook in to.
>>
>> I think you were right about SELinux. When I put it into permissive mode
>> then the caching worked. The UI is much more responsive now.
>
> Attached is a modified patch.
>
> The logic concerning how Kerberos auth is acquired was modified, we no
> longer use redirects. Instead we return an error and the javascript code
> in the browser sends a GET to the login page to refresh the session
> credentials. If that succeeds it resubmits the POST that previously was
> denied. This works much better, no longer are there any browser
> glitches, it seems to function very smoothly with good performance.
>
> I also added a config item, session_auth_duration so that admins can
> control how long a session will be valid before credentials need to be
> refreshed. The default.config man page was updated to document the new
> option. It's easy to specify using simple notation such as "1 hour, 30
> minutes" or "1h30m", etc. I added a new utility parse_time_duration() to
> read the duration specification.
>
> I also modified how files were being used for the Kerberos ccache.
> The previous code allocated one file per session, but there wasn't a
> good way to clean up these files. Now there is just one ccache file per
> process and it only exists for the duration of the request, after which
> we remove it. The ccache is stored in the memcached session data. We
> refresh the memcached copy of the ccache at the end of the request to
> make sure any credentials modified/added during the request are preserved.
>
> The submit comments are reasonably detailed; you should take a look at those
> for more information.

Forgot two things:

The server install and run must be done with SELinux in permissive mode;
we still don't have an updated policy for ipa_memcached.

I also modified how I was validating the ticket. Now I check either the
TGT or the ldap service ticket; formerly it had just been the TGT. This
was changed to accommodate s4u2proxy, which I tried to test with, but I'm
not sure it was in effect despite having what I believe were updated
packages installed.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
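The message above describes a `session_auth_duration` config option read by a new `parse_time_duration()` utility that accepts forms such as "1 hour, 30 minutes" or "1h30m", and a session whose cached credentials expire after that duration. The following is an added, self-contained illustration of that idea; it is not the FreeIPA patch's own code. The unit table, the comma/whitespace separator rule, and the `credentials_valid()` helper are assumptions chosen for the example, not behaviour documented in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed unit table for the example (assumption: which spellings are
# accepted is not specified in the thread).
_UNITS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}

# One "<number><unit>" token; whitespace between number and unit is optional
# so that both "1h30m" and "1 hour, 30 minutes" tokenize the same way.
_TOKEN = re.compile(r"(\d+)\s*([A-Za-z]+)")

# Characters permitted between tokens (comma and whitespace only).
_SEPARATORS = " ,\t"


def parse_time_duration(spec):
    """Return the total number of seconds described by a duration string.

    Accepts e.g. "1 hour, 30 minutes", "1h30m", "2 days". Rejects an empty
    string, a bare number without a unit, an unknown unit, or any text that
    is not a number/unit pair or a separator, so a typo in the config file
    fails loudly instead of silently yielding an unexpected session length.
    """
    text = spec.strip()
    if not text:
        raise ValueError("empty duration specification")

    total = 0
    pos = 0
    for match in _TOKEN.finditer(text):
        # Anything between the previous token and this one must be a separator.
        gap = text[pos:match.start()]
        if gap.strip(_SEPARATORS):
            raise ValueError("unexpected text %r in duration %r" % (gap, spec))
        value, unit = int(match.group(1)), match.group(2).lower()
        if unit not in _UNITS:
            raise ValueError("unknown time unit %r in duration %r" % (unit, spec))
        total += value * _UNITS[unit]
        pos = match.end()

    # No token at all (e.g. "90") or trailing garbage after the last token.
    if pos == 0 or text[pos:].strip(_SEPARATORS):
        raise ValueError("malformed duration specification %r" % spec)
    return total


def session_expiry(authenticated_at, session_auth_duration):
    """Instant at which credentials cached at `authenticated_at` must be refreshed."""
    return authenticated_at + timedelta(seconds=parse_time_duration(session_auth_duration))


def credentials_valid(authenticated_at, session_auth_duration, now):
    """True while the cached session credentials are still within their lifetime.

    Constructed helper: a request arriving at `now` after the expiry would be
    answered with an authentication error so the client re-acquires Kerberos
    credentials, as the thread describes, rather than being served from cache.
    """
    return now < session_expiry(authenticated_at, session_auth_duration)


if __name__ == "__main__":
    # Constructed sample: session authenticated at noon with a 1h30m lifetime.
    auth_time = datetime(2012, 2, 6, 12, 0, tzinfo=timezone.utc)
    print(parse_time_duration("1 hour, 30 minutes"))              # 5400
    print(session_expiry(auth_time, "1h30m").isoformat())
    print(credentials_valid(auth_time, "1h30m", auth_time + timedelta(minutes=89)))
    print(credentials_valid(auth_time, "1h30m", auth_time + timedelta(minutes=91)))
```

Both spellings from the message parse to the same number of seconds, and the expiry check is a plain comparison against that value, which keeps the policy in one place (the parsed config) rather than scattered across request handlers.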